Safeguarded Copy function
Safeguarded Copy function supports the ability to create cyber-resilient point-in-time copies of volumes that cannot be changed or deleted through user errors, malicious actions, or ransomware attacks. The system integrates with IBM Copy Services Manager to provide automated backup copies and data recovery.
- The Safeguarded Copy function with Safeguarded policy is available with IBM Spectrum Virtualize software 8.4.2 or later version.
The Safeguarded Copy function isolates backup copies from production data, so if a cyberattack occurs, you can quickly recover and restore data from Safeguarded copies.
- The Safeguarded Copy function is available with software 8.4.2 or later, and is not supported for the IBM® FlashSystem 5015, IBM FlashSystem 5035, FlashSystem 5010, FlashSystem 5030, Storwize® V5010E, Storwize V5030E, Storwize V7000 Gen2, and Storwize V7000 Gen2+ models.
- Separation of duties
- Provides more security capabilities to prevent nonprivileged users
from compromising production data. Operations related to Safeguarded backups are restricted to only
a subset of users with specific roles on the system.
- Administrator
- Users with the Administrator role can provision and configure Safeguarded copies and related objects, such as volume groups and Safeguarded backup locations. They can also configure and assign Safeguarded policies to volume groups. However, these users cannot remove or change existing , or Safeguarded backups or Safeguarded backup locations. For auditing, it is recommended that you create a new Administrator user to configure the Safeguarded Copy function. Users with this role are limited in how they can manage and interact with Safeguarded Copy operations.
- Security Administrator
- Users with the Security administrator role can manage users and security on the entire system and can remove and change Safeguarded backups and Safeguarded backup locations.
- Superuser
- Users with superuser privileges can configure all objects and complete maintenance tasks on the system. These users can remove and change both Safeguarded backups and Safeguarded policies. For more security, this account can be disabled on the system; however, it can be reenabled for remote support assistance or maintenance tasks.
- Protected Copies
- Safeguarded copies cannot be mapped directly to hosts to prevent any application from changing these copies.
- Automation
The system supports IBM Copy Services Manager as an external scheduling application. IBM Copy Services Manager coordinates and automates Safeguarded Copy function across multiple systems.
External scheduling applications use a Safeguarded policy to configure FlashCopy mapping and consistency groups automatically to create backup copies. When Safeguarded backups are created, external scheduling applications use the retention time for the Safeguarded backups based on the settings in the Safeguarded policy, which are created on the system and passed to external scheduling applications to create the backups based on the values in the policy. After copies expire, the IBM Spectrum Virtualize software deletes the expired copies from the Safeguarded backup location.
IBM Copy Services Manager queries the system every 5 minutes to process existing Safeguarded policies. The start time that is defined in the Safeguarded policy must factor in the possible 5-minute delay. When IBM Copy Services Manager detects a new Safeguarded policy for a volume group, it creates the session and scheduled task to create and manage the Safeguarded backups.