Infinidat Blog

Evolving Your Storage Strategy for GDPR Compliance and Ransomware Attacks

Since the General Data Protection Regulation (GDPR) enforcement date was set at the end of May 2018, discussions about the risk of data breaches have been abundant. This is a high-risk scenario for any business storing private data and it requires a lot of attention (see my previous blog on this topic). The focus on data breaches, while warranted, has overshadowed another critical requirement in GDPR, which in some ways is diametrically opposite: data loss.

So, what’s the difference?

  • A data breach is when an unauthorized third party gains access to private data that only the organization was supposed to access.
  • A data loss is when the organization itself can no longer access its customers’ private data.

In recent years, the most common cause of data loss has been ransomware attacks, with prominent ransomware names like “WannaCry”, “Petya” (and then “NotPetya”) and “CryptoLock”. In 2017, ransomware attacks were the most common malware attacks, accounting for over 70 percent of the data losses in some industry sectors (e.g. healthcare).

With so many IT challenges to address, has your organization developed a robust strategy for ransomware attacks?

 

Challenge 1 - Detecting a ransomware attack

Modern ransomware attacks stay hidden for a long time in order to encrypt as much data as possible before being detected. When the level of encryption hits a critical threshold, it locks the user out and asks for crypto-currency as ransom to return the data unharmed. This behavior is very efficient but it is also the Achilles’ heel of this attack vector: since changes accumulate over time, they can be detected if there is a mechanism that tracks changes. This tracking mechanism comes for free with any modern storage solution - snapshots!

Snapshots, which usually consume a minimal percentage of a dataset’s size, will start to inflate due to the space inefficiency of encrypted data and consume more capacity. If your storage array provides any sort of monitoring and alarms for capacity consumption, the IT organization can easily detect this rise in capacity use and react long before the attackers lock the users out.

 

Challenge 2 - Respond rapidly to a ransomware attack

If the silent ransomware attack was able to encrypt 100 terabytes (TB) of data, perhaps over the course of a week, the snapshots from that week would also be compromised and couldn’t be used to recover the data. The administrators would be forced to recover 100TB over the network from a backup target, which would take hours, without any guarantee that the recovery doesn’t contain corrupted files.

However, a snapshot’s size will immediately suggest whether it contains encrypted data.

So, if an organization using snapshots can access these, test the data inside them and immediately recover the right snapshot, it reduces recovery times from days to minutes.
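The detection and recovery-point selection described in Challenges 1 and 2, as an added example (not Infinidat code and not tied to any array's API): it flags snapshots whose consumed capacity jumps above a robust baseline and picks the newest snapshot taken before the first jump. The snapshot names, sizes and thresholds are constructed assumptions; real figures would come from the array's own capacity reporting.

```python
from statistics import median

# Constructed sample: (snapshot name, capacity consumed by the snapshot in GiB)
# for daily snapshots of one dataset. Illustrative values, not from a real array.
SNAPSHOTS = [
    ("daily-01", 41), ("daily-02", 38), ("daily-03", 44), ("daily-04", 40),
    ("daily-05", 39), ("daily-06", 43), ("daily-07", 42), ("daily-08", 37),
    ("daily-09", 96), ("daily-10", 180), ("daily-11", 350), ("daily-12", 610),
]

def classify(snapshots, warmup=5, k=6.0, min_jump_gib=10):
    """Label each snapshot 'baseline', 'ok' or 'inflated'.

    A snapshot is inflated when it exceeds median + max(k * MAD, min_jump_gib)
    of the sizes accepted so far. Inflated snapshots never join the baseline,
    so a slowly ramping encryption run cannot drag the threshold up with it.
    """
    accepted, labelled = [], []
    for name, size in snapshots:
        if len(accepted) < warmup:          # learn normal churn first
            accepted.append(size)
            labelled.append((name, size, "baseline"))
            continue
        med = median(accepted)
        mad = median(abs(s - med) for s in accepted)   # robust spread
        threshold = med + max(k * mad, min_jump_gib)
        if size > threshold:
            labelled.append((name, size, "inflated"))
        else:
            accepted.append(size)
            labelled.append((name, size, "ok"))
    return labelled

def last_clean_before_inflation(labelled):
    """Newest snapshot taken before the first inflated one (recovery candidate)."""
    clean = None
    for name, _size, label in labelled:
        if label == "inflated":
            return clean
        clean = name
    return clean

def inflated_names(labelled):
    return [name for name, _size, label in labelled if label == "inflated"]
```

A legitimate bulk change (a migration or re-index) inflates a snapshot the same way, so a flagged snapshot is a prompt to test the data inside it, not proof of encryption.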

 

Challenge 3 - Preventing Storage Capacity Explosion

One risk which isn’t typically mentioned in the context of a ransomware attack is that the additional capacity consumed over its ‘silent’ time can take existing storage arrays from their average capacity of 80% to 100%, crashing applications.

A bigger storage array means more free space to allow administrators time to identify and respond to the ransomware attack. However, a bigger array also means more consolidation and requires a higher level of reliability. The dual controller architectures, originally designed in the 1990s for a few terabytes, can't provide the new level of reliability required for the petabyte age.

 

The InfiniBox solution to combat ransomware attacks

While the hardware in an InfiniBox is shared between consumers, InfiniBox offers capacity pools that allow customers a way of separating critical application data. In this way, InfiniBox’s capacity pools allow customers to guarantee that a capacity explosion in one area, which may be corrupted by ransomware, can’t bring down applications in another pool. This is similar to how customers segment their network to minimize the risk of attackers moving between hosts.

On top of this segmentation that protects application data at the pool level, InfiniBox's scale provides protection on the system level, as free capacity is centralized instead of spread between many smaller arrays. This extends the time administrators have to detect and react to a ransomware attack.

Additional benefits capacity pools provide to protect against ransomware attacks:

  • Capacity guarantees: Separating pre-allocated (guaranteed) capacity from the non-committed, shared capacity that is only consumed on-demand.
  • Warning: Real-time monitoring of capacity to alert administrators of a potential threat.
  • Automatic response: When a pool is full, the system will respond based on the growth policy set for that specific pool.
  • Policies may:
    • Prevent the pool from growing automatically - usually applies to non-critical apps
    • Allow it to grow, but only within certain limits - usually applies to more important apps only
    • Allow the pool to grow as much as is needed - for mission-critical apps that shouldn’t be allowed to crash even if they grow very rapidly

Protection from ransomware attacks, and data loss in general, requires a multi-faceted approach: snapshots offer both detection and speedy recovery from these attacks, while capacity pools offer the separation required to safeguard mission-critical apps as well as dynamic capacity management that prevents the need to pre-provision capacity. If you’re still wrestling with GDPR or looking for new ways to combat constant ransomware threats, consider talking to INFINIDAT to understand how our storage solutions can protect your data and keep your business running without interruption.

About Eran Brown

Eran Brown is the EMEA CTO at INFINIDAT. Over the last 14 years Eran has architected data centre solutions in all layers — applications, virtualisation, networking and most of all storage.

His prior roles include Senior Product Management, systems engineering and consulting roles, working with companies in multiple verticals (financials, oil & gas, telecom, software and web) and helping them plan, design and deploy scalable infrastructure to support their business applications.
