Safeguarded Copy function

Safeguarded Copy function supports the ability to create cyber-resilient point-in-time copies of volumes that cannot be changed or deleted through user errors, malicious actions, or ransomware attacks.

The Safeguarded Copy function isolates backup copies from production data, so if a cyberattack occurs, you can quickly recover data from Safeguarded copies.

The Safeguarded Copy function supports the following key characteristics that create cyber-resilient copies of your important data.
Separation of duties
Provides more security capabilities to prevent nonprivileged users from compromising production data. Operations related to Safeguarded backups are restricted to only a subset of users with specific roles on the system.
Users with the Administrator role can provision and configure Safeguarded copies and related objects, such as volume groups. However, these users cannot remove or change existing Safeguarded snapshots. For auditing, it is recommended that you create a new Administrator user to configure the Safeguarded snapshots or Safeguarded Copy function. Users with this role are limited in how they can manage and interact with Safeguarded Copy operations.
Security Administrator
Users with the Security administrator role can manage users and security on the entire system and can remove and change Safeguarded backups and Safeguarded backup locations.
Users with superuser privileges can configure all objects and complete maintenance tasks on the system. These users can remove and change both Safeguarded backups and Safeguarded policies. For more security, this account can be disabled on the system; however, it can be reenabled for remote support assistance or maintenance tasks.
Restricted Security Administrator
Users with the security administrator role is changed to restricted security administrator when two person integrity (TPI) is enabled on the IBM Spectrum Virtualize. TPI requires two security administrators to work together to complete critical or risky tasks. For example, a restricted security administrator with an elevated role can remove Safeguarded snapshots.
Protected Copies
Safeguarded copies cannot be mapped directly to hosts to prevent any application from changing these copies.
The system supports Safeguarded snapshots, which use the snapshot function to create point-in-time copies of volume groups that are immutable can be scheduled with an internal scheduler. The system also supports IBM® Spectrum Copy Data Management and IBM Copy Services Manager as external scheduling applications.

The system also supports Safeguarded snapshots, which use the snapshot function to create point-in-time copies of volume groups that are immutable on the system by using an internal scheduler when you do not have external scheduling applications like IBM Copy Services Manager. For more information, see Snapshot function.

The system supports the following external scheduling applications: