AWS Partner Network (APN) Blog
Enhanced Ransomware Protection with Air-Gapped Veritas Alta Recovery Vault on AWS
By Miles Scott, Sr. Partner Solutions Architect – AWS
By Mo Hasan, Global Technical Alliances Manager – Veritas
Business and technology leaders are being challenged to improve security and resilience in the face of rising information security threats. The Sophos 2022 State of Ransomware report signals that ransomware events were 29% more frequent than in 2020, and indicates increases in the average time and cost to recover from ransomware.
To help improve cyber resiliency in the United States, the National Institute of Standards and Technology (NIST) has developed a framework to help businesses evaluate and improve their own capabilities. Widely recognized as best practice, NISTIR 8374 outlines key strategies for businesses to identify, protect, detect, respond, and recover from ransomware events.
Alta Recovery Vault is a Veritas managed storage-as-a-service offering for backups that helps reduce the risk of ransomware events. Secure data isolation provides a virtual air gap that is essential in combating malware.
Running on Amazon Web Services (AWS), Alta Recovery Vault enables customers to realize cloud storage benefits such as data immutability, encryption in transit and at rest, rapid recovery, data durability, and reduced total cost of ownership (TCO).
In this post, we will discuss how Alta Recovery Vault offers an additional line of defense for Veritas customers to protect, detect, and recover from ransomware.
Veritas Technologies is an AWS Storage Competency Partner that helps enterprises address information management challenges including backup and recovery, resiliency, disaster recovery, and information governance.
Architecture Overview
Veritas’ Alta Recovery Vault provides a ransomware-resilient storage vault that is fully provisioned, automated, managed by Veritas, and is built in line with the AWS Well-Architected Framework.
Some of the central components in the NIST ransomware framework involve network segmentation, data immutability, controlling remote access, and offsite/offline backups. Alta Recovery Vault helps companies meet all of those components by providing a next-generation storage solution powered by AWS.
Figure 1 – Alta Recovery Vault.
Alta Recovery Vault stores and manages data on Amazon Simple Storage Service (Amazon S3), which is designed to provide 99.999999999% (11x9s) durability and 99.99% (4x9s) availability. This helps facilitate availability for critical backup data stored in Recovery Vault.
Beyond the high levels of durability and availability that Amazon S3 provides, the NIST framework specifically recommends that “backups should be secured to ensure they cannot become corrupted by the ransomware or deleted by the attacker,” (PR.IP-4).
Alta Recovery Vault helps mitigate the risk of ransomware impacting backups by creating a Write Once Read Many (WORM) storage environment, enabling both immutability and indelibility. This is accomplished through integration with Amazon S3 Object Lock, which is applied at the S3 bucket level and imposes retention periods on individual objects to prevent their premature deletion or alteration.
Alta Recovery Vault takes advantage of Amazon S3 Object Lock’s governance mode, which requires roles with specific credentials to be used to remove data before the Object Lock retention expires. This allows flexibility for the intentional deletion of objects, when legal or business reasons require it, while also protecting customers from unintentional or unauthorized data deletion.
The credentials provided to customers to perform backups to Alta Recovery Vault are not authorized to remove the retention locks set by Amazon S3 Object Lock, meaning all requests to prematurely delete data must be individually requested by the customer and performed by Veritas. Prior to making any changes, Veritas will verify with two individuals within the customer organization who have the authority to make such a request.
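The separation of duties described above can be checked on any IAM policy attached to backup credentials. The following is an added example, not Veritas or AWS code: a simplified policy evaluator that reports whether a policy grants `s3:BypassGovernanceRetention` (the permission governance mode requires to override a lock) or `s3:PutBucketObjectLockConfiguration` (which changes a bucket's default retention). The bucket name `example-vault`, the object key, and both sample policies are constructed for illustration.

```python
import fnmatch

# Permissions checked: the one governance mode requires to override a lock,
# and the one that changes a bucket's default retention for new objects.
RISKY = {
    "s3:BypassGovernanceRetention": "arn:aws:s3:::{b}/backup/img-0001",
    "s3:PutBucketObjectLockConfiguration": "arn:aws:s3:::{b}",
}

def _listify(v):
    return [v] if isinstance(v, (str, dict)) else list(v or [])

def _match(patterns, value, fold=False):
    # IAM wildcards (* and ?) behave like globs; action names ignore case.
    norm = str.lower if fold else str
    return any(fnmatch.fnmatchcase(norm(value), norm(p)) for p in _listify(patterns))

def can_perform(policy, action, resource):
    """Simplified identity-policy evaluation where an explicit Deny beats Allow.
    Conservative on purpose: a conditional Deny is not relied on, a conditional
    Allow counts. NotAction/NotResource are out of scope for this example."""
    allowed = False
    for st in _listify(policy.get("Statement")):
        if not (_match(st.get("Action"), action, fold=True)
                and _match(st.get("Resource"), resource)):
            continue
        if st.get("Effect") == "Deny" and "Condition" not in st:
            return False
        if st.get("Effect") == "Allow":
            allowed = True
    return allowed

def audit_backup_policy(policy, bucket):
    """Return the lock-weakening actions this policy grants on the vault bucket."""
    return sorted(a for a, arn in RISKY.items()
                  if can_perform(policy, a, arn.format(b=bucket)))

# Constructed sample policies for a hypothetical bucket "example-vault".
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*",
     "Resource": ["arn:aws:s3:::example-vault", "arn:aws:s3:::example-vault/*"]}]}

HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject"],
     "Resource": "arn:aws:s3:::example-vault/*"},
    {"Effect": "Allow", "Action": "s3:ListBucket", "Resource": "arn:aws:s3:::example-vault"},
    {"Effect": "Deny", "Action": list(RISKY), "Resource": "*"}]}

if __name__ == "__main__":
    print("weak:", audit_backup_policy(WEAK, "example-vault"))
    print("hardened:", audit_backup_policy(HARDENED, "example-vault"))
```

A non-empty result means the credential could override or weaken governance-mode retention, which defeats the point of keeping that ability with a separate party.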
Another benefit of the Alta Recovery Vault architecture, specifically recommended by the NIST framework (NISTIR 8374 PR.AC-5), is network segmentation. Alta Recovery Vault is built on AWS, which provides micro-segmentation for network traffic. Traffic to and from the solution can be limited to specific IP addresses during the configuration, and this limits unauthorized users from externally accessing backup images stored in Alta Recovery Vault.
Because Alta Recovery Vault is deployed and managed by Veritas, unauthorized users cannot gain access to or destroy backup data simply by compromising internal administrator credentials. This is another way Alta Recovery Vault helps meet the requirements of the framework (NISTIR 8374 PR.AC-4), as inadvertent access to credentials has been a common way unauthorized users can move through an organization’s network.
Veritas’ NetBackup solution has maintained robust security controls including granular role-based access control (RBAC) and software-based encryption options for years. With Alta Recovery Vault on AWS, data at rest is encrypted by default.
Alta Recovery Vault provides an easy-to-understand, all-in pricing model. Access to the solution is provided via contracts that are either one or three years in length. The contracts are based on the total amount of data stored in AWS, which translates to substantial savings when considering Veritas’ efficiency in storing deduplicated and compressed data.
This all-in pricing includes the cost of the backend deduplicated storage, API charges, and data egress charges, all combined into a predictable monthly bill.
Configuring Alta Recovery Vault
Getting started with the Alta Recovery Vault service is simple. After subscribing via AWS Marketplace, customers are sent a provisioning form from Veritas. Customers are able to select immutability options, storage performance classes, and the length of the subscription.
Once the form is complete, the Veritas provisioning team can leverage an automated provisioning process to configure the software-as-a-service (SaaS) environment, and securely provide access credentials to the customer.
Finally, the customer can configure the Recovery Vault storage in NetBackup and begin to leverage the enhanced vault for backup data. For detailed information on the configuration process, check out the Alta Recovery Vault Deployment Guide.
Recovery of Systems to AWS
A critical aspect of any backup solution is the ability to recover quickly after an event. Alta Recovery Vault empowers customers to recover data directly into AWS, eliminating the time it takes to rebuild or repurchase on-premises infrastructure.
By providing direct access to customer cloud accounts and on-premises data centers, Alta Recovery Vault can serve as a global repository to store and depend on for critical backup images.
Conclusion
With the growing threat of ransomware, protecting critical data is rapidly becoming the focus of companies and industries. Implementing an optimized and resilient storage solution for backups based on NIST recommendations is mission critical for enterprise and public sector customers.
With Veritas’ NetBackup and Alta Recovery Vault on AWS, you can take comfort in knowing your data is safely out of the hands of cyber criminals.
For additional information on Alta Recovery Vault, including a 30-day trial, reach out to a Veritas Sales representative, or check out the AWS Marketplace listing.