Safeguarded Copy function

Safeguarded Copy function supports the ability to create cyber-resilient point-in-time copies of volumes that cannot be changed or deleted through user errors, malicious actions, or ransomware attacks. The system integrates with IBM Copy Services Manager to provide automated backup copies and data recovery.

Note: The Safeguarded Copy function is available with IBM Spectrum Virtualize software 8.4.2, and is not supported for the FlashSystem 5000, Storwize® V5030E, Storwize V7000 Gen2, and Storwize V7000 Gen2+ models.

The system supports IBM Copy Services Manager as an external scheduling application. IBM Copy Services Manager coordinates and automates Safeguarded Copy function across multiple systems.

IBM Copy Services Manager uses a Safeguarded policy to configure FlashCopy mapping and consistency groups automatically to create backup copies. ​When Safeguarded backups are created, IBM Copy Services Manager uses the retention time for the Safeguarded backups based on the settings in the Safeguarded policy. After copies expire, the IBM Spectrum Virtualize software deletes the expired copies from the Safeguarded backup location.

IBM Copy Services Manager queries the system every 5 minutes to process existing Safeguarded policies. The start time that is defined in the Safeguarded policy must factor in the possible 5-minute delay. When IBM Copy Services Manager detects a new Safeguarded policy for a volume group, it creates the session and scheduled task to create and manage the Safeguarded backups.

The Safeguarded Copy function isolates backup copies from production data, so if a cyberattack occurs, you can quickly recover and restore data from Safeguarded copies.

The Safeguarded Copy function supports the following key characteristics that create cyber-resilient copies of your important data.
Separation of duties
Provides more security capabilities to prevent non-privileged users from compromising production data. Operations related to Safeguarded backups are restricted to only a subset of users with specific roles on the system.
Users with the Administrator role can provision and configure Safeguarded backups and related objects, such as volume groups and Safeguarded backup locations. They can also configure and assign Safeguarded policies to volume groups. However, these users cannot remove or change existing Safeguarded backups or Safeguarded backup locations. For auditing, it is recommended that you create a new Administrator user to configure the Safeguarded Copy function. Users with this role are limited in how they can manage and interact with Safeguarded Copy operations.
Security Administrator
Users with the Security administrator role can manage users and security on the entire system and can remove and change Safeguarded backups and Safeguarded backup locations.
Users with superuser privileges can configure all objects and complete maintenance tasks on the system. These users can remove and change both Safeguarded backups and Safeguarded policies. For more security, this account can be disabled on the system; however, it can be reenabled for remote support assistance or maintenance tasks.
Protected Copies
Provides capabilities to regularly create Safeguarded backups. Safeguarded backups cannot be mapped directly to hosts to prevent any application from changing these copies.
Manages Safeguarded backups as well as restoring and recovering data with the integration of IBM Copy Services Manager. IBM Copy Services Manager automates the creation of Safeguarded backups according to the schedule defined in a Safeguarded policy. IBM Copy Services Manager supports testing, restoring, and recovering operations with Safeguarded backups.

To use Safeguarded Copy function, you need to create a connection to the system in the IBM Copy Services Manager interface. After a connection is established, IBM Copy Services Manager automatically detects volume groups with Safeguarded policies and schedules the backups.

Safeguarded Copy function objects

Safeguarded Copy function objects

The following are the objects of a Safeguarded Copy function.

Safeguarded policy
A Safeguarded policy is a set of rules that controls the creation, retention, and expiration of Safeguarded backups of source volumes.
Safeguarded backup location

A Safeguarded backup location is a child pool in each parent pool where the source volumes are located. The Safeguarded backup location stores Safeguarded backup copies after the Safeguarded policy is assigned to the volume group.

Safeguarded volume group
A volume group is a set of related volumes that can be managed and configured collectively.A volume group is called a Safeguarded volume group after a volume group is created and assigned with a Safeguarded policy.
Safeguarded source volume
A Safeguarded source volume is added to a volume group. After a Safeguarded policy is assigned to the volume group, IBM Copy Services Manager uses this volume as the source copy for the Safeguarded backups. You can set a volume as a Safeguarded source volume while creating a volume in an existing Safeguarded volume group. You can also assign a volume to a Safeguarded volume group after creating a volume, or create a volume in a volume group and then assign Safeguarded policy to the volume group.
Safeguarded backup
A Safeguarded backup is a volume in a Safeguarded backup location. As part of the Safeguarded Copy function, you can add volumes to a volume group and assign a Safeguarded policy to that group. The IBM Copy Services Manager applies the policy to all the volumes in the group to create Safeguarded backups. Safeguarded backups are created in the same parent pool as the Safeguarded source volumes. A Safeguarded backup is the target of FlashCopy® mapping with Safeguarded source volumes as a source.

Safeguarded Copy function user roles

The following section explains exclusively all the responsibilities and roles that are given to the Safeguarded Copy function users.

System administrator

The system administrator can do the following actions on the Safeguarded Copy function objects:

  • Create a Safeguarded backup location.
  • Create a Safeguarded Policy with a backup and retention schedule.
  • Create a Safeguarded volume group.
  • Associate a Safeguarded policy to a volume group.
  • Assign volumes to the Safeguarded volume group.
  • Delete a Safeguarded source volume.
  • Delete a Safeguarded volume group.
  • Change a Safeguarded volume group policy.
  • An administrator cannot delete Safeguarded backups or mappings between backups and the source.
  • An administrator cannot delete a Safeguarded backup location that contains Safeguarded backup copies or is associated with Safeguarded sources.
IBM Copy Services Manager

IBM Copy Services Manager user can do the following actions on the Safeguarded Copy function objects:

  • Read the information from Safeguarded volume groups and Safeguarded policies.
  • Adjust and follow the CLI commands restrictions that are implemented on Safeguarded objects.
  • Create Safeguarded backup volume in the Safeguarded backup location for each Safeguarded source volume.
  • Reschedule the backup if the Safeguarded policy is changed with the associated volume group.
  • Create a FlashCopy mapping between the Safeguarded source and the target volume in the Safeguarded backup location.
  • Create or reuse an empty FlashCopy consistency group.
  • Add the FlashCopy mappings to the FlashCopy consistency group.
  • Remove the FlashCopy mappings from the FlashCopy consistency group.
  • Delete or save the FlashCopy consistency group for later reuse.
  • User cannot create the Safeguarded backup location in a parent pool.
  • A user cannot create a volume group.
  • A user cannot create a Safeguarded policy.
  • A user cannot associate a Safeguarded policy to a volume group.
  • A user cannot delete a Safeguarded source volume.
  • A user cannot change a Safeguarded policy.
  • A user cannot add or remove volumes in a Safeguarded volume group.
Security administrator

The security administrator can do the following actions on the Safeguarded Copy function objects:

  • Delete Safeguarded backups directly outside of the Safeguarded policy retention schedule if necessary.
  • Delete Safeguarded policy and retention schedule.
  • Delete Safeguarded volume group and Safeguarded source volumes.

Suspending Safeguarded Copy operation

If the source volumes are compromised during a cyberattack or during a disaster recovery scenario, the system supports suspending all Safeguarded Copy operations until the compromised data can be determined. During an attack, Safeguarded backups can contain malicious data or software. By suspending Safeguarded Copy functions, you can examine the existing uncompromised Safeguarded backups. The uncompromised Safeguarded backup can be used to restore or recover the backup of the data using IBM Copy Services Manager. Safeguarded Copy operation is suspended at the system level. When the Safeguarded Copy function is suspended, IBM Copy Services Manager does not create new backups in the Safeguarded backup location and prevents the expired backups from being removed. The safeguarded_copy_suspended parameter in the lssystem command displays the suspension status.

In addition to responding to a potential breach, suspending the Safeguarded Copy function can also be used as part of a disaster recovery response. However, suspending Safeguarded Copy function prevents any new backups being created which results in a lack of new backups that can be used for future recovery. Before suspending Safeguarded Copy function, contact your support representative to assistance. To resume backups, the Safeguarded Copy function must be turned back on.