How to use IBM's Cloud Object Storage to protect against ransomware.
Protecting data against myriad cyberattacks can be a daunting task for administrators in today's environment, and a growing concern is the increase in ransomware attacks against enterprises. These attacks can cost companies substantial amounts of money, should attackers successfully penetrate enterprise defenses and manage to encrypt the enterprise’s critical business data.
Many defense strategies against ransomware attempt to protect data using isolation technologies, which shuttle copies of data backups to unreachable segments of the network. Similar methods, such as physical air gapping, force the data owner to keep copies of backup data on storage media that can be removed from the network and stored offline. Some data security companies offer appliances that block ingress traffic and only support egress traffic APIs to pull backups of data out of the isolated appliance. These examples are all add-on technologies that increase the complexity of the enterprise's data infrastructure. However, there are some simple ways to protect data against ransomware.
Object versioning with IBM Cloud Object Storage
The IBM Cloud Object Storage (COS) service offers a much simpler approach to thwarting ransomware with its native support of object versioning. This approach is applicable to any enterprises using object storage for application backends, NFS gateways or many other use cases (such as cloud object storage for short- and long-term backup storage).
The idea behind using versioning as a method of mitigation simply relies on good security practices: Role-Based Access Control (RBAC) policies for separation of duty, version expiry to control data usage creep, and offline protection of administrative credentials.
How versioning protects
The concept for the strategy is straightforward. First, enable versioning on storage buckets to prevent ransomware from encrypting existing objects in the object store. Once versioning is enabled, any application (such as an NFS gateway) that uses the object store as its back-end data storage will only write new versions of objects to the object store, instead of replacing the existing object with a newly encrypted one.
During a ransomware attack, file systems mounted through NFS gateways that are hit by the ransomware will still appear to have fallen prey to the attack, but in fact the ransomware is only able to add an encrypted version of each file on top of the clear versions in that file's version history. The unencrypted files are still in the object store. Administrators simply need to remove the encrypted version of each object, which restores business processes to normal operation.
For this and many other examples, a clear benefit of IBM’s versioning implementation is that it does not add complexity to existing workflows. The NFS gateway is unaware that the object store is creating new versions of objects. The gateway will continue putting objects to the bucket as normal. IBM Cloud Object Storage will retain versions of the objects in buckets according to user policies. Policies can be set on the bucket to expire versions of the objects based on several conditions, including the number of days to retain old versions of objects.
These policies can help administrators keep the bucket’s data usage from growing out of control due to file updates creating new versions of the files during normal operations. The policies can be set such that enough time is given to recognize and mitigate the attack before any real data is lost.
The importance of separation of duty
The second important aspect to this ransomware protection strategy is to separate the credentials that give permission for critical bucket operations (object administrator credentials) and the credentials that give permissions to read and write objects to the bucket (object user credentials). The administrator’s credentials should be locked away in an offline storage device, while the user’s credentials can be given to personnel or automated processes that implement business workflows. This ransomware protection strategy can be implemented with standard roles in IBM’s cloud storage accounts.
Armed with this strategy, administrators can create an environment where, even when successfully attacked by ransomware, the enterprise’s data is easily recovered without having to give in to ransomware demands to unlock the data. This approach also mitigates the situation where the adversary never intended to turn over the keys to the data, even after the ransom was paid.
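The two mechanisms described above, versioning with a retention window and separation of duty between the user and administrator credentials, can be seen working together in the following in-memory model. This is an added example, not IBM's code: the bucket class mirrors the S3-compatible operations IBM COS exposes (versioned PUT, DELETE of a specific version ID, the bucket versioning switch, and a NoncurrentVersionExpiration lifecycle rule), while the role names and the permission table are assumptions chosen for the model.

```python
"""In-memory model of a versioned object bucket with separation of duty.

Added example, not IBM's code. The bucket API mirrors the S3-compatible
operations IBM COS exposes; the role names and permission table below are
assumptions chosen for the model.
"""
import itertools
from dataclasses import dataclass
from typing import Optional

# Assumed role split: the object user credential is what an NFS gateway or
# workload holds day to day; the object administrator credential stays offline.
PERMISSIONS = {
    "object_user": {"put", "get"},
    "object_admin": {"put", "get", "delete_version", "set_versioning", "set_lifecycle"},
}

class AccessDenied(PermissionError):
    pass

@dataclass
class Version:
    version_id: str
    body: bytes
    noncurrent_since: Optional[int] = None   # day this version stopped being current

class VersionedBucket:
    def __init__(self):
        self.versioning = False
        self.noncurrent_days = None   # lifecycle: expire noncurrent versions after N days
        self.objects = {}             # key -> [Version], newest last
        self._ids = itertools.count(1)

    def _authorize(self, role, action):
        if action not in PERMISSIONS.get(role, set()):
            raise AccessDenied(f"{role} is not allowed to {action}")

    def set_versioning(self, role, enabled):
        self._authorize(role, "set_versioning")
        self.versioning = enabled

    def set_lifecycle(self, role, noncurrent_days):
        self._authorize(role, "set_lifecycle")
        self.noncurrent_days = noncurrent_days

    def put(self, role, key, body, day):
        self._authorize(role, "put")
        new = Version(f"v{next(self._ids)}", body)
        versions = self.objects.setdefault(key, [])
        if self.versioning:
            if versions:
                versions[-1].noncurrent_since = day   # old content kept, just demoted
            versions.append(new)
        else:
            versions[:] = [new]                        # old content is gone for good
        return new.version_id

    def get(self, role, key):
        self._authorize(role, "get")
        return self.objects[key][-1].body              # the current version

    def delete_version(self, role, key, version_id):
        """Permanently remove one version; the next-newest becomes current again."""
        self._authorize(role, "delete_version")
        self.objects[key] = [v for v in self.objects[key] if v.version_id != version_id]

    def run_lifecycle(self, today):
        """Apply the NoncurrentVersionExpiration rule as the service would each day."""
        if self.noncurrent_days is None:
            return
        for key, versions in self.objects.items():
            self.objects[key] = [
                v for v in versions
                if v.noncurrent_since is None
                or today - v.noncurrent_since < self.noncurrent_days
            ]

KEY = "finance/report.xlsx"
CLEAR = b"constructed sample: quarterly figures"   # constructed sample content

def denied_user_actions(bucket):
    """Return the tampering steps that fail with only the workload's credentials."""
    attempts = {
        "set_versioning": lambda: bucket.set_versioning("object_user", False),
        "set_lifecycle": lambda: bucket.set_lifecycle("object_user", 0),
        "delete_version": lambda: bucket.delete_version("object_user", KEY, "v1"),
    }
    denied = []
    for name, attempt in attempts.items():
        try:
            attempt()
        except AccessDenied:
            denied.append(name)
    return denied

def ransomware_scenario(versioning_enabled, retention_days, detected_on_day):
    """Attack on day 10, noticed on detected_on_day; return (recovered, current body)."""
    bucket = VersionedBucket()
    bucket.set_versioning("object_admin", versioning_enabled)
    bucket.set_lifecycle("object_admin", retention_days)
    bucket.put("object_user", KEY, CLEAR, day=1)
    # Day 10: the ransomware writes through the gateway with the user credential,
    # so the encrypted content lands as a new version on top of the clear one.
    bad_id = bucket.put("object_user", KEY, b"<ciphertext>", day=10)
    for day in range(10, detected_on_day + 1):
        bucket.run_lifecycle(day)
    # Detection: the administrator credential is retrieved from offline storage
    # and only the encrypted version is removed.
    bucket.delete_version("object_admin", KEY, bad_id)
    versions = bucket.objects[KEY]
    current = versions[-1].body if versions else None
    return current == CLEAR, current

if __name__ == "__main__":
    print("denied to object_user:", denied_user_actions(VersionedBucket()))
    print("versioning on, 30-day window, found on day 12:", ransomware_scenario(True, 30, 12))
    print("versioning on, 3-day window, found on day 14:", ransomware_scenario(True, 3, 14))
    print("versioning off:", ransomware_scenario(False, 30, 12))
```

The three scenarios make the trade-off concrete: with versioning on and a retention window longer than the time to detection, deleting the encrypted version brings the clear content back; with a window shorter than the detection delay the lifecycle rule has already expired the clear version; and with versioning off there is nothing to go back to. The permission check shows why the administrator credential must stay offline: anything holding only the user credential cannot turn versioning off, shorten the window, or purge history.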
Start protecting your data with IBM Cloud Object Storage
Versioning can be enabled on the IBM Cloud Object Storage buckets using the IBM Cloud console, the REST API or the SDK. For help enabling versioning on buckets, see Versioning Objects in the IBM help pages. Versioning can also help with other data protection, such as data deletion (see Protecting Against Deletion).
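For readers who prefer the REST API over the console, the following added example (not IBM's documentation or SDK code) builds the two request bodies involved, the versioning configuration and a lifecycle rule that expires noncurrent versions after a retention window, and sends them with the S3-compatible `PUT ?versioning` and `PUT ?lifecycle` calls using an IAM bearer token. The endpoint, bucket name and token are read from environment variables and the 30-day window is an assumed value; without those variables the script only prints the bodies it would send.

```python
"""Enable versioning and a noncurrent-version expiry rule on an IBM COS bucket.

Added example, not IBM's code. Uses the S3-compatible REST calls IBM COS
supports with an IAM bearer token. COS_ENDPOINT, COS_BUCKET and IAM_TOKEN are
assumed environment variable names; 30 days is an assumed retention window.
"""
import base64
import hashlib
import os
import urllib.request
import xml.etree.ElementTree as ET

def versioning_config(enabled: bool = True) -> bytes:
    """Body for PUT /<bucket>?versioning."""
    root = ET.Element("VersioningConfiguration")
    ET.SubElement(root, "Status").text = "Enabled" if enabled else "Suspended"
    return ET.tostring(root)

def lifecycle_config(noncurrent_days: int, rule_id: str = "expire-old-versions") -> bytes:
    """Body for PUT /<bucket>?lifecycle: expire noncurrent versions after N days.

    The window has to be long enough to notice an attack and restore; if it is
    too short, the clear versions are gone before anyone looks.
    """
    if noncurrent_days < 1:
        raise ValueError("retention window must be at least one day")
    root = ET.Element("LifecycleConfiguration")
    rule = ET.SubElement(root, "Rule")
    ET.SubElement(rule, "ID").text = rule_id
    ET.SubElement(ET.SubElement(rule, "Filter"), "Prefix")   # empty prefix: whole bucket
    ET.SubElement(rule, "Status").text = "Enabled"
    expiry = ET.SubElement(rule, "NoncurrentVersionExpiration")
    ET.SubElement(expiry, "NoncurrentDays").text = str(noncurrent_days)
    return ET.tostring(root)

def content_md5(body: bytes) -> str:
    """Base64 MD5 of the body, as S3-style APIs expect in Content-MD5 for lifecycle PUTs."""
    return base64.b64encode(hashlib.md5(body).digest()).decode()

def put_bucket_subresource(endpoint: str, bucket: str, subresource: str,
                           body: bytes, token: str) -> int:
    """PUT https://<endpoint>/<bucket>?<subresource>; return the HTTP status code."""
    req = urllib.request.Request(
        f"https://{endpoint}/{bucket}?{subresource}", data=body, method="PUT",
        headers={
            "Authorization": f"Bearer {token}",
            "Content-Type": "application/xml",
            "Content-MD5": content_md5(body),
        },
    )
    with urllib.request.urlopen(req) as resp:
        return resp.status

if __name__ == "__main__":
    versioning_body = versioning_config(True)
    lifecycle_body = lifecycle_config(30)   # assumed 30-day window
    endpoint, bucket, token = (os.environ.get(n) for n in ("COS_ENDPOINT", "COS_BUCKET", "IAM_TOKEN"))
    if endpoint and bucket and token:
        # Order matters: versioning first, so the expiry rule has versions to act on.
        print("versioning:", put_bucket_subresource(endpoint, bucket, "versioning", versioning_body, token))
        print("lifecycle:", put_bucket_subresource(endpoint, bucket, "lifecycle", lifecycle_body, token))
    else:
        print(versioning_body.decode())
        print(lifecycle_body.decode())
```

The token used here should come from the administrator's credentials, which is exactly why the script is meant to be run from a controlled workstation and not baked into the workloads that hold the object user credentials.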
You can also check out our guide to defining IAM Roles to create the separation of duty needed for ransomware protection.