October 14, 2022 By Mark Seaborn 3 min read

Protecting data against myriad cyberattacks can be a daunting task for administrators in today’s environment, and a growing concern is the increase in ransomware attacks against enterprises. These attacks can cost companies substantial amounts of money, should attackers successfully penetrate enterprise defenses and manage to encrypt the enterprise’s critical business data.

Many defense strategies against ransomware attempt to protect data using isolation technologies, which shuttle copies of data backups to unreachable segments of the network. Similar methods — such as physical air gapping — force the data owner to keep copies of backup data on storage media that can be removed from the network and stored offline. Some data security companies offer appliances that block ingress traffic and only support egress traffic APIs to pull backups of data out of the isolated appliance. These examples are all add-on technologies that increases the complexity of the enterprise’s data infrastructure. However, there are some simple ways to protect data against ransomware.

Object versioning with IBM Cloud Object Storage

The IBM Cloud Object Storage (COS) service offers a much simpler approach to thwarting ransomware with its native support of object versioning. This approach is applicable to any enterprise using object storage for application backends, NFS gateways or many other use cases (such as cloud object storage for short- and long-term backup storage).

The idea behind using versioning as a method of mitigation simply relies on good security practices, with Role-Based Access Control (RBAC) policies for separation of duty and expiry to control data usage creep and offline protection of administrative credentials.

How versioning protects

The concept for the strategy is straightforward. First, enable versioning on storage buckets to prevent ransomware from encrypting existing objects in the object store. Once versioning is enabled, any application (such as an NFS gateway) that uses the object store as its back-end data storage will only write new versions of objects to the object store, instead of replacing the existing object with a newly encrypted one.

During a ransomware attack, file systems attacked by the ransomware that are mounted through NFS gateways will still seem to have fallen prey to the attack, but in fact, ransomware is only able to add an encrypted version of the files atop the clear versions of the file in the file history tree. The unencrypted files are still on the object store. Administrators simply need to remove the encrypted version of the object. This will restore business processes to normal operations.

For this and many other examples, a clear benefit of IBM’s versioning implementation is that it does not add complexity to existing workflows. The NFS gateway is unaware that the object store is creating new versions of objects. The gateway will continue putting objects to the bucket as normal. IBM Cloud Object Storage will retain versions of the objects in buckets according to user policies. Policies can be set on the bucket to expire versions of the objects based on several conditions, including the number of days to retain old versions of objects.

These policies can help administrators keep the bucket’s data usage from growing out of control due to file updates creating new versions of the files during normal operations. The policies can be set such that enough time is given to recognize and mitigate the attack before any real data is lost.

The importance of separation of duty

The second important aspect to this ransomware protection strategy is to separate the credentials that give permission for critical bucket operations (object administrator credentials) and the credentials that give permission to read and write objects to the bucket (object user credentials). The administrator’s credentials should be locked away in an offline storage device, while the user’s credentials can be given to personnel or automated processes that implement business workflows. This ransomware protection strategy can be implemented with standard roles in IBM’s cloud storage accounts.

Armed with this strategy, administrators can create an environment where even when successfully attacked by ransomware, the enterprise’s data is easily recovered without having to give into ransomware demands to unlock the data. This approach also mitigates the situation where the adversary never intended to turn over the keys to the data, even after the ransom was paid.

Started protecting your data with IBM Cloud Object Storage

Versioning can be enabled on the IBM Cloud Object Storage buckets using the IBM Cloud console, the REST API or the SDK. For help enabling versioning on buckets, see Versioning Objects in the IBM help pages. Versioning can also help with other data protection, such as data deletion (see Protecting Against Deletion).

You can also check out our guide to defining IAM Roles to create the separation of duty needed for ransomware protection.

Was this article helpful?
YesNo

More from Cybersecurity

Data protection strategy: Key components and best practices

8 min read - Virtually every organization recognizes the power of data to enhance customer and employee experiences and drive better business decisions. Yet, as data becomes more valuable, it's also becoming harder to protect. Companies continue to create more attack surfaces with hybrid models, scattering critical data across cloud, third-party and on-premises locations, while threat actors constantly devise new and creative ways to exploit vulnerabilities. In response, many organizations are focusing more on data protection, only to find a lack of formal guidelines and…

What you need to know about the CCPA draft rules on AI and automated decision-making technology

9 min read - In November 2023, the California Privacy Protection Agency (CPPA) released a set of draft regulations on the use of artificial intelligence (AI) and automated decision-making technology (ADMT). The proposed rules are still in development, but organizations may want to pay close attention to their evolution. Because the state is home to many of the world's biggest technology companies, any AI regulations that California adopts could have an impact far beyond its borders.  Furthermore, a California appeals court recently ruled that…

IBM named a Leader in Gartner Magic Quadrant for SIEM, for the 14th consecutive time

3 min read - Security operations is getting more complex and inefficient with too many tools, too much data and simply too much to do. According to a study done by IBM, SOC team members are only able to handle half of the alerts that they should be reviewing in a typical workday. This potentially leads to missing the important alerts that are critical to an organization's security. Thus, choosing the right SIEM solution can be transformative for security teams, helping them manage alerts…

IBM Newsletters

Get our newsletters and topic updates that deliver the latest thought leadership and insights on emerging trends.
Subscribe now More newsletters