Getting started with Safeguarded Copy function

Use this information to get started with the Safeguarded Copy function to protect your critical data from hackers and cyberattacks.

The Safeguarded Copy function, available with IBM Spectrum Virtualize software 8.4.2, is supported on the following products.
Note: A FlashCopy license is included with IBM Spectrum Virtualize software for the FlashSystem 9200, FlashSystem 9100, FlashSystem 7200, and FlashSystem 5200 systems. Other supported products require the purchase of the additional FlashCopy license to use the Safeguarded Copy function.
  • FlashSystem 9200
  • FlashSystem 9100
  • FlashSystem 7200
  • FlashSystem 5200
  • IBM SAN Volume Controller with FlashCopy license
  • Storwize® V7000 Gen3 with FlashCopy license
  • FlashSystem 5100 with FlashCopy license
  • Storwize V5100 with FlashCopy license

The Safeguarded Copy function isolates backup copies from production data, so if a cyberattack occurs, you can quickly recover and restore data from Safeguarded copies.

IBM Copy Services Manager uses a Safeguarded policy to configure FlashCopy mapping and consistency groups automatically to create backup copies. ​When Safeguarded backups are created, IBM Copy Services Manager uses the retention time for the Safeguarded backups based on the settings in the Safeguarded policy. After copies expire, the IBM Spectrum Virtualize software deletes the expired copies from the Safeguarded backup location.

To learn more about concepts and objects that are related to the Safeguarded Copy function, see the Overview topics on the Safeguarded Copy function.

Prerequisites

Before you can configure the Safeguarded Copy function on your system, ensure you meet the following prerequisites:
IBM Copy Services Manager Requirements
Ensure that the following requirements are met for IBM Copy Services Manager:
  1. If you do not have an existing IBM Copy Services Manager license, purchase the IBM® Copy Manager for IBM Spectrum® Virtualize license, which includes IBM Copy Services Manager version 6.3.0.1. This license option is available through iERP/AAS, Passport Advantage®, or your IBM Sales team.
  2. If you currently have an existing license for IBM Copy Services Manager, download IBM Copy Services Manager version 6.3.0.1 at Latest Downloads for IBM Copy Services Manager.
    Note: If you are using an existing license, ensure that the licensed capacity is adequate for use of the Safeguarded Copy function. If you need more capacity for Safeguarded Copy function, contact you IBM sales representative to update your licensed capacity for IBM Copy Services Manager.
  3. After you download IBM Copy Services Manager, complete the instructions for your installation. IBM Copy Services Manager supports several installation options on different environments. For more information, see Installing IBM Copy Services Manager.
  4. During installation, license files can be imported for IBM Copy Services Manager. If the license was not imported during the installation, you need to apply the license to the installation. For more information, see Applying license files after installation.
System Requirements
All systems must be running the 8.4.2 or later release.
For existing systems, ensure that you have completed capacity planning for Safeguarded Copy function.

Configuring Safeguarded Copy function

Complete the following tasks to configure Safeguarded Copy function:
Create Administrator user for IBM Copy Services Manager
Create a user with the Administrator role for IBM Copy Services Manager. Before you can establish the system as a connection endpoint in IBM Copy Services Manager, you need to configure a user with the Administrator role on the IBM Spectrum Virtualize system. For auditing, it is recommended that you create a new Administrator user to configure the Safeguarded Copy function. Users with this role are limited in how they can manage and interact with Safeguarded Copy operations. The IBM Copy Services Manager uses this role to create FlashCopy® mappings between the source volumes and the Safeguarded backups on the system.

For more information, see Creating an Administrator user for IBM Copy Services Manager.

Create a connection to the system on IBM Copy Services Manager
In the IBM Copy Services Manager interface, create a connection to the system.

For more information, see Creating a connection to the system in IBM Copy Services Manager.

Specify IBM Copy Services Manager as the external scheduling application
In the IBM Spectrum Virtualize management GUI, add the URL for the IBM Copy Services Manager as your external scheduling application.

For more information, see Setting the IBM Copy Services Manager as scheduling application.

Create Safeguarded backup locations
A Safeguarded backup location is a child pool in each parent pool where the source volumes are located. The Safeguarded backup location stores Safeguarded backup copies after the Safeguarded policy is assigned to the volume group.

For more information, see Creating Safeguarded backup locations.

Create volume groups and add source volumes
Volumes that require Safeguarded backups must be in a volume group. A volume group is a set of related volumes that can be managed and configured collectively.Volume groups allow volumes, even volumes in different parent pools, to be managed as a consistent set of volumes for copy operations.

For more information, see Creating volume groups and assigning source volumes.

Assign Safeguarded policies to volume groups
A Safeguarded policy is a set of rules that controls the creation, retention, and expiration of Safeguarded backups of source volumes. The management GUI supports displaying both predefined and user-defined Safeguarded policies. However, the management GUI does not support creating user-defined Safeguarded policies, but you can use the mksafeguardedpolicy command to create user-defined policies.

For more information, see Assigning a Safeguarded policy.

After the Safeguarded policy is assigned to the volume group, IBM Copy Services Manager automates the creation of Safeguarded backups based on the policy. IBM Copy Services Manager queries the system every 5 minutes to process existing Safeguarded policies. The start time that is defined in the Safeguarded policy must factor in the possible 5-minute delay. When IBM Copy Services Manager detects a new Safeguarded policy for a volume group, it creates the session and scheduled task to create and manage the Safeguarded backups. To view Safeguarded backups in IBM Copy Services Manager interface, select Sessions. The session name is based on the name of the volume group.

Testing, recovering, and restoring Safeguarded backups

If a cyberattack occurs, a Safeguarded source volume can be compromised for an indefinite amount of time until the breach is detected. In this situation, the most recent Safeguarded backups are not useful for restoring data on the production volume. Effective testing includes identifying versions of Safeguarded backups that can be used to restore the compromised data. Follow the guidelines and direction of your business continuity plan and your recovery point objectives to determine the frequency of testing your configuration.

Testing and recovering a Safeguarded backup
As part of your organization's security processes, regular testing and recovering of Safeguarded backups is required to properly handle cyberattacks and data breaches. The IBM Copy Services Manager provides automation for testing Safeguarded backups with the Recover Backup action. For more information, see Recovering a Safeguarded backup.
Restoring a Safeguarded backup
If a cyberattack occurs and your backup is thoroughly tested, you can restore the data from the tested Safeguarded backup with the Restore Backup action in IBM Copy Services Manager. For more information, see Recovering a Safeguarded backup.