Eran Brown, INFINIDAT EMEA CTO, outlines how, whilst data breaches are a key concern for businesses under GDPR, the loss of data from a ransomware attack is also a fundamental concern and is punishable under the regulation for non-compliance.
He discusses how businesses can rapidly detect if a ransomware attack is in progress through monitoring storage usage and how the business’s storage arrays can actually stop the attack in its tracks (and stop it from spreading) automatically if the right monitoring is put in place.
Since the General Data Protection Regulation (GDPR) enforcement date was set at the end of May 2018, discussions about the risk of data breaches are abundant. A data breach is of course a high-risk scenario for any business keeping private data on its customers, and the well-publicised breach cases of late have made breach prevention a critical priority.
The focus on data breaches, while warranted, has overshadowed another critical requirement in GDPR, which in some ways is diametrically opposite: data loss. So, what’s the difference? A data breach is when an unauthorised third party gains access to private data that only the organisation was supposed to access.
Data loss is when the organisation itself can no longer access its customers’ private data. In recent years, the most common cause of data loss has been malicious ransomware attacks with prominent names like WannaCry, Petya (and then ‘NotPetya’) and CryptoLocker. In 2017, ransomware attacks were the most common malware attacks, with over 70% in some sectors (e.g. healthcare).
With data loss proving to be a daily threat to organisations, a robust strategy for mitigating the threat of ransomware attacks is a necessity.
Challenge 1 – Detecting a ransomware attack
Modern ransomware attacks stay hidden for a long time in order to encrypt as much data as possible before being detected. When the attack hits a critical threshold, it locks the user out and asks for cryptocurrency.
This behaviour is very efficient but is also the Achilles’ heel of this attack vector. Since changes accumulate over time, they can be detected if there is a mechanism that tracks changes. This mechanism comes for free with any modern storage solution: snapshots.
In the event of a ransomware attack, snapshots (which usually consume a minimal percentage of a dataset’s size) will start to inflate by consuming capacity. If an organisation’s storage array provides any sort of monitoring and alarms for capacity consumption, the organisation can easily detect this rise in capacity and react long before the attackers lock the users out.
Challenge 2 – Responding rapidly to a ransomware attack
If, for example, the silent ransomware attack was able to encrypt 100 terabytes (TB) of data over a week, the backups from that week are also compromised and can’t be used to recover the data. In this situation the administrators are forced to recover 100TB over the network from a backup target, which will take hours without any guarantee that the recovery doesn’t contain corrupted files.
However, a snapshot’s size will immediately suggest whether it contains encrypted data.
If an organisation using snapshots can access these, test the data inside them and immediately recover the right snapshot, it reduces recovery times from days to minutes.
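The capacity signal described under Challenges 1 and 2, as an added example that is not from the original article or from any storage vendor's tooling: it flags snapshots whose size jumps well above the running baseline and names the newest clean snapshot as the recovery candidate. The snapshot names, sizes and thresholds are constructed assumptions.

```python
from statistics import median

# Constructed sample: (snapshot name, capacity consumed by that snapshot, GiB).
# Daily snapshots of one dataset; the last four values are made up to resemble
# the inflation the article describes.
SNAPSHOTS = [
    ("snap-d01", 41), ("snap-d02", 38), ("snap-d03", 44), ("snap-d04", 40),
    ("snap-d05", 43), ("snap-d06", 39), ("snap-d07", 42), ("snap-d08", 45),
    ("snap-d09", 310), ("snap-d10", 920), ("snap-d11", 1480), ("snap-d12", 1510),
]

def find_inflation(snapshots, warmup=5, factor=3.0, min_gib=50):
    """Return (last_clean, suspects) for a time-ordered list of snapshots.

    A snapshot is suspect when its size exceeds both `min_gib` and `factor`
    times the median of the clean snapshots seen so far. Suspects are kept
    out of the baseline, so a slowly growing attack cannot raise it.
    The first `warmup` snapshots are trusted; if encryption had already
    started by then, the baseline is contaminated.
    """
    clean, suspects, last_clean = [], [], None
    for name, size in snapshots:
        baseline = median(s for _, s in clean) if len(clean) >= warmup else None
        if baseline is not None and size > min_gib and size > factor * baseline:
            suspects.append((name, size))
            continue
        clean.append((name, size))
        if not suspects:
            # Only snapshots taken before the first suspect are recovery candidates.
            last_clean = name
    return last_clean, suspects

if __name__ == "__main__":
    candidate, flagged = find_inflation(SNAPSHOTS)
    for name, size in flagged:
        print(f"ALERT {name}: {size} GiB")
    print("recovery candidate:", candidate)
```

The candidate is only a starting point: the data inside it still has to be tested before recovery, as the article says.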
Challenge 3 – Preventing storage capacity explosion
One risk which isn’t typically mentioned in the context of a ransomware attack is that the additional capacity consumed over its ‘silent’ time can take existing storage arrays from their average capacity of 80% to 100%, hence crashing applications.
Quite simply, a bigger storage array means more free space to allow administrators time to identify and respond to the ransomware attack. However, a bigger array also means more consolidation and hence requires a higher level of reliability. The dual controller architecture originally designed in the 1990s for a few terabytes can’t provide this new level of reliability required for the petabyte-age.
The solution lies in the storage array. While the hardware in a storage array is shared between consumers, it also offers capacity pools that allow for a way of separating critical applications from one another. In this way, capacity pools allow the business to guarantee that capacity explosion in one area, which is corrupted with ransomware, can’t bring down applications in other pools. This is similar to how organisations segment their network to minimise the risk of attackers moving between hosts.
On top of this segmentation that protects at the pool level, storage arrays with the ability for massive scale provide protection on the system level, as free capacity is centralised instead of spread between many smaller arrays. This extends the time administrators have to detect and react to a ransomware attack.
Additional benefits capacity pools provide to protect against ransomware attacks:
- Capacity guarantees: Separating pre-allocated (guaranteed) capacity from non-committed, shared capacity that is only consumed on-demand
- Warning: Real-time monitoring of its capacity to alert administrators of the threat
- Automatic response: When a pool is full, the system will respond based on the growth policy set for that specific pool. Policies may:
  - Prevent the pool from growing automatically – usually applies to non-critical apps
  - Allow it to grow, but only within certain limits – usually applies to more important apps only
  - Allow the pool to grow as much as is needed – mission-critical apps that shouldn’t be allowed to crash even if they grow very rapidly
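A small model of the three growth policies, added here as an illustration and not taken from the article or from any array's management API. The policy labels ("none", "limited", "unlimited"), pool names and sizes are assumptions. It shows a pool inflated by snapshot growth being stopped at its guaranteed capacity while a critical pool can still draw on shared capacity.

```python
from dataclasses import dataclass

@dataclass
class Pool:
    name: str
    guaranteed: int        # pre-allocated capacity, GiB
    policy: str            # "none" | "limited" | "unlimited" (labels assumed here)
    used: int = 0
    max_growth: int = 0    # most shared capacity a "limited" pool may borrow
    borrowed: int = 0      # shared capacity currently assigned to this pool

class Array:
    def __init__(self, shared_free, pools, warn_at=0.8):
        self.shared_free = shared_free          # non-committed capacity, GiB
        self.pools = {p.name: p for p in pools}
        self.warn_at, self.alerts = warn_at, []

    def write(self, pool_name, gib):
        """Consume `gib` in a pool; return False if its policy refuses growth."""
        p = self.pools[pool_name]
        need = p.used + gib - (p.guaranteed + p.borrowed)
        if need > 0:
            allowed = {"none": 0, "limited": p.max_growth - p.borrowed,
                       "unlimited": self.shared_free}[p.policy]
            if need > min(allowed, self.shared_free):
                self.alerts.append(f"{p.name}: full, write refused")
                return False
            p.borrowed += need
            self.shared_free -= need
        p.used += gib
        if p.used >= self.warn_at * (p.guaranteed + p.borrowed):
            self.alerts.append(f"{p.name}: {p.used} GiB used, warning level reached")
        return True

def simulate():
    array = Array(shared_free=500, pools=[
        Pool("file-shares", guaranteed=1000, policy="none", used=600),
        Pool("reporting", guaranteed=500, policy="limited", used=300, max_growth=200),
        Pool("billing-db", guaranteed=800, policy="unlimited", used=700),
    ])
    # Constructed scenario: snapshot growth in "file-shares" adds 100 GiB per step.
    accepted = sum(array.write("file-shares", 100) for _ in range(8))
    db_ok = array.write("billing-db", 250)  # critical pool can still grow
    return accepted, db_ok, array.shared_free, array.alerts
```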
Protection from ransomware attacks (and data loss in general) requires a multi-faceted approach: Snapshots offer both detection and speedy recovery from these attacks. Capacity pools offer the separation required to safeguard mission critical apps as well as dynamic capacity management that prevents the need to pre-provision capacity.