
Increase ransomware protection with SnapLock logical air gaps

Logical air gapping can be achieved with immutable NetApp® ONTAP® Snapshot™ copies. NetApp has the ultimate solution in logical air gapping of your backups—SnapLock® compliance software.

Daniel Tulledge

Ransomware attacks have never been more prevalent than they are right now. It’s not a matter of if your organization gets attacked but when. Even the most robust ransomware detection solutions can’t stop 100% of all critical files from being encrypted. That’s why having a solid backup and recovery strategy is key to surviving a ransomware attack. However, not just any backup will do. A growing trend is for attackers to destroy the backup copies and, in some cases, even encrypt them. That’s why many in the cybersecurity industry recommend using “air gap” backups as part of an overall cyber resiliency strategy.

Why is air gapping important?

Today’s sophisticated ransomware attacks not only encrypt primary data, they also target secondary backup data. When those attacks are successful, organizations are left with no way to recover. To address this new threat, it’s vitally important to isolate your backup data from production data (air gapping).

Tape backup is a traditional air gap or offline backup method. But tape backup adds operational complexity. It requires a separate tape backup infrastructure—systems to house and manage the tape cartridges. To completely air gap tape, it’s necessary to remove tape from the tape library and store it offsite. However, tape is a volatile medium that can degrade over time, so it’s not ideal for long-term retention.

There are alternatives to tape that use either disk or the cloud to air gap secondary backup targets. Once the backup is complete, the communication is severed. However, when the data is accessed to create that offsite backup copy, that active communication window creates an opportunity for bad actors to access the secondary backup data and encrypt or delete it.

Logical air gapping with Snapshot copies

To eliminate this opportunity and solve the complexity of tape or disk air gapping, logical air gapping can be achieved with immutable NetApp® ONTAP® Snapshot™ copies.

A Snapshot copy is an efficient, point-in-time, read-only copy of your data. The copy represents exactly what your data looked like at the moment that it was taken, whether it was hours, days, weeks, months, or even years ago. Because Snapshot copies are read-only, they can’t be infected by ransomware. To recover from a ransomware attack, you can simply restore from a copy that was taken before the attack occurred.

For both tape and disk backup, recovery time depends on network, disk, and tape speed. Generally, recovery takes as long as or longer than the time it took to complete a full backup. Extended recovery time can lead to a significant increase in the overall cost of a ransomware attack, sometimes by as much as 10 times, according to a recent report by Sophos.

Restoring from a Snapshot copy is nearly instantaneous—the ONTAP file system simply updates the active file system pointers to reference the original blocks. Terabytes of data can be restored in seconds because there’s no need for the file system to move the data.   

Protecting against deletion, accidental or malicious

One more thing: How do you protect your Snapshot copies from being deleted by administrators? NetApp has you covered with the ultimate solution in logical air gapping of your backups—SnapLock® compliance software. 

Snapshot copies can be deleted in several ways: by an administrator through human error, by a disgruntled employee, or by a bad actor using stolen credentials. NetApp SnapLock protects Snapshot copies by enabling a truly immutable logical air-gapped backup that cannot be deleted. SnapLock is a feature of NetApp ONTAP: a write once, read many (WORM) compliance solution that prevents changes to files once they are written and committed to WORM state.

NetApp released the SnapLock feature more than 10 years ago to address the requirements of data compliance, such as HIPAA, Sarbanes-Oxley, and other regulatory data rules. You can also vault primary Snapshot copies to SnapLock volumes so that the copies can be committed to WORM, preventing deletion. There are two SnapLock license versions: SnapLock Compliance (SLC) and SnapLock Enterprise (SLE). For ransomware protection, NetApp recommends SLC, because you can set a specific retention period during which Snapshot copies are locked and cannot be deleted, even by ONTAP administrators or NetApp support.
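A toy model of the two properties described above, pointer-based Snapshot restore and a SnapLock Compliance-style retention lock, added here as an illustration; it is not NetApp code and does not reflect ONTAP internals. The `Volume` class, its method names, the file name and the timeline are all hypothetical.

```python
from datetime import datetime, timedelta, timezone

class RetentionLocked(Exception):
    """Delete attempted before the snapshot's retention period ended."""

class Volume:
    """Toy volume: data blocks are never overwritten, files are pointers to blocks."""
    def __init__(self):
        self.blocks = {}      # block id -> bytes
        self.active = {}      # file name -> block id (active file system pointers)
        self.snapshots = {}   # snapshot name -> (pointer map copy, retain_until)

    def write(self, name, data):
        # New data always lands in a new block; blocks a snapshot references stay intact.
        bid = len(self.blocks)
        self.blocks[bid] = data
        self.active[name] = bid

    def read(self, name):
        return self.blocks[self.active[name]]

    def snapshot(self, snap, now, retention):
        # A snapshot records pointers only and is locked until now + retention.
        self.snapshots[snap] = (dict(self.active), now + retention)

    def restore(self, snap):
        # Restore repoints the active file system; no data blocks are copied.
        self.active = dict(self.snapshots[snap][0])

    def delete_snapshot(self, snap, now, role="admin"):
        # Compliance-style lock: the caller's role is ignored until the period expires.
        if now < self.snapshots[snap][1]:
            raise RetentionLocked(f"{snap} is retention-locked")
        del self.snapshots[snap]

def demo():
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)   # constructed timeline
    vol = Volume()
    vol.write("payroll.db", b"cleartext records")
    vol.snapshot("daily.0", t0, retention=timedelta(days=30))
    vol.write("payroll.db", b"\x8f\x12ENCRYPTED")     # active copy rewritten during the attack
    blocked = False
    try:
        vol.delete_snapshot("daily.0", t0 + timedelta(days=3))   # admin delete inside the window
    except RetentionLocked:
        blocked = True
    vol.restore("daily.0")
    vol.delete_snapshot("daily.0", t0 + timedelta(days=31))      # permitted after expiry
    return blocked, vol.read("payroll.db"), list(vol.snapshots)
```

Calling `demo()` shows the early delete refused, the pre-attack contents readable again after the restore, and the snapshot removable only once the 30-day period has passed.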

To learn more about SnapLock, see Technical Report TR-4526, “Compliant WORM storage using NetApp SnapLock.”

SnapLock for logical air gapping: Bridging the space-time continuum to achieve datacentric security

Air gapping backups with traditional methods involves creating space and physically separating the primary and secondary media. Moving the media offsite and/or severing connectivity leaves bad actors with no access to the data. This protects the data but can lead to slower recovery times. With SnapLock, physical separation is not required. SnapLock protects your vaulted Snapshot point-in-time, read-only copies, resulting in logically air-gapped data that is quickly accessible, safe from deletion, and immutable.

Einstein’s relativistic physics is underpinned by the four-dimensional concept of the space-time continuum where space is three dimensions and time adds another dimension. SnapLock uses the fourth dimension of time to create logical air gapping. Welcome to the future of data availability and protection.

Daniel Tulledge

Dan has been a Senior Technical Marketing Engineer for ONTAP Security at NetApp for nearly two years. He has focused on all aspects of ONTAP hardening, including encryption in flight and at rest and multifactor authentication, as well as addressing compliance issues with ONTAP such as requirements for the Payment Card Industry or the EU General Data Protection Regulation. He has thirty-plus years of experience in the networking and security technology industry. Most recently, Dan worked for Cisco Systems Inc. for 17 years in senior technical marketing, product development, and services operations architecture positions spanning a large breadth of Cisco technologies, with emphasis on product security features, cyber security and trustworthy systems. Prior to Cisco, he worked at AlliedSignal, IBM, and CA.
