Objects 3.0: Protection against Ransomware.

Anirudha | Tue, 12/01/2020 - 09:30

Protection Against Ransomware

As data growth explodes, protecting data is more critical than ever. Enterprises are now focusing on protecting data against various attacks, whether data theft, a malicious attacker, or ransomware.

Ransomware is a real threat and a real cause of concern for enterprise workloads. Nutanix Objects supports various functionality to secure user data; features such as WORM on versioned and non-versioned buckets have further enhanced data security.

With Objects 3.0, Nutanix has taken a step further to strengthen data protection against ransomware with the Object Lock feature. Object Lock enables applications to set up a Write Once Read Many (WORM) policy at per-file/object granularity. This feature guards against unauthorized deletion or encryption of data, rendering techniques widely deployed by ransomware attacks ineffective.

Through a close partnership with Veeam, Objects 3.0 is also certified by Veeam under the Objects with Immutability category. Refer to https://www.veeam.com/ready.html for more details.

One of my colleagues, Sambhram Sahoo, has written an excellent document on how Objects customers use this feature with Veeam to secure the data.

This document provides the steps involved in configuring Nutanix Objects and enabling Veeam immutability for backed-up data stored in Nutanix Object Storage. Once data is backed up with the immutability configuration, it can’t be deleted by anyone (not even an admin or any valid user).

 

Configuration on Nutanix Objects Cluster:

Step 1:

Create a user (say “veeam_user”) via “Add People” and generate a key pair.

 


 

 

Step 2:

Create a bucket to be used by Veeam as an Object Store backup repository (Capacity Tier), which will be part of a Scale-Out Backup Repository, via “Create Bucket”.

Now create a bucket, say “veeam-bucket”, with “versioning” enabled.

To enable the Veeam immutability feature, one MUST enable WORM with 0 days for the bucket created above.

 

Step 3:

Configure WORM by selecting the subject bucket.

 

Step 4:

Now share the “veeam-bucket” with user “veeam_user” for READ and WRITE.

This concludes the Nutanix Object Store side configuration.

Now the bucket “veeam-bucket” is ready to be used for Veeam as a Backup Object Store repository with Immutability features.

Note: Alternatively, the bucket “veeam-bucket” can be created by an external S3 client (e.g. s3cmd) using the user veeam_user’s key pair. Once created, enable “versioning” and “WORM (0 days)” for the subject bucket via Nutanix Prism Central’s Object Store configuration.


Configuration On Veeam Backup Server

Step 1:

Create a Backup Repository on Veeam of type “Object Store” as shown below.

And “S3 Compatible”.

Give the Backup Repository a name, say “Nutanix Object Store”, and proceed.

Configure the “Service Point” as the Nutanix Object Store’s client access IP or corresponding FQDN. Keep the region as the default, “us-east-1”.

Select the bucket “veeam-bucket” that was created on the Nutanix Object Store for the Veeam backup. Create a folder, say “veeam-folder”, and attach to it. (The folder is the path under the bucket “veeam-bucket” to be used for backup storage.) Also select immutability, if needed, with the desired number of days.

 

Step 2:

Now create a Scale-Out Backup Repository using the above configured Object Store (Backup repository named “Nutanix Object Store”).

 

Select a Performance Tier (previously created/configured) to be used for this SOBR.

Select the “Nutanix Object Store” as the Scale-Out Backup Repository and, if desired, select “Copy Backups to Object Storage as soon as they are created”. This option keeps a replica (second copy) of the latest backup data on the Capacity Tier (Object Store) in case there is trouble with the backup files and/or the performance extent (Performance Tier).

Now Veeam is ready to back up and/or restore user VMs using Nutanix Objects as its capacity tier with data immutability (Object Lock).

For its backup operation (with a Scale-Out Backup Repository), Veeam creates backup files on its performance tier and creates a replica copy on the Capacity Tier (if “Copy Backups to Object Storage as soon as they are created” is selected). If the “Copy Backups..” option is not selected, Veeam moves backup data from the performance tier to the capacity tier as data ages out of the operational restore window. Details can be found in the Veeam reference doc.

https://helpcenter.veeam.com/docs/backup/vsphere/capacity_tier_copy.html?ver=100

Once Veeam has backed up its data (by copying or moving) from the performance tier to the capacity tier (Nutanix Object Store) with immutability configured, any attempt to delete that data from the Object Store disk during the immutability period will be prevented, as shown in the following screenshot.

So with the above steps, you can protect your Veeam backup contents from ransomware by using Nutanix Objects WORM capability.
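One way to confirm from the S3 side that the bucket and the backed-up objects are in the state the steps above aim for, as an added example (not part of the original post and not Nutanix or Veeam code): it checks versioning, the bucket's lock configuration, and the retention date on every object version under the backup folder. It assumes the store answers the standard S3 calls as exposed by a boto3 client; `audit_bucket`, `call`, `demo` and the sample responses are constructed for this illustration.

```python
from datetime import datetime, timedelta, timezone
from unittest.mock import MagicMock

# AWS S3 error codes meaning "not configured"; assumed to match on other stores.
MISSING = {"ObjectLockConfigurationNotFoundError", "NoSuchObjectLockConfiguration"}

def call(fn, **kw):
    """Call an S3 client method; return {} when the store says 'not configured'."""
    try:
        return fn(**kw)
    except Exception as exc:
        if getattr(exc, "response", {}).get("Error", {}).get("Code") not in MISSING:
            raise
        return {}

def audit_bucket(s3, bucket, prefix="", now=None):
    """Return findings for `bucket`; an empty list means every check passed."""
    now = now or datetime.now(timezone.utc)
    findings = []
    if s3.get_bucket_versioning(Bucket=bucket).get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    cfg = call(s3.get_object_lock_configuration, Bucket=bucket)
    if cfg.get("ObjectLockConfiguration", {}).get("ObjectLockEnabled") != "Enabled":
        findings.append("object lock (WORM) is not enabled")
    kw = {"Bucket": bucket, "Prefix": prefix}
    while True:  # list_object_versions returns one page per call
        page = s3.list_object_versions(**kw)
        for v in page.get("Versions", []):
            ret = call(s3.get_object_retention, Bucket=bucket,
                       Key=v["Key"], VersionId=v["VersionId"])
            until = ret.get("Retention", {}).get("RetainUntilDate")
            if until is None or until <= now:
                state = "no retention" if until is None else "retention expired"
                findings.append(f"{v['Key']} ({v['VersionId']}): {state}")
        if not page.get("IsTruncated"):
            return findings
        kw["KeyMarker"] = page["NextKeyMarker"]
        kw["VersionIdMarker"] = page["NextVersionIdMarker"]

def demo():  # constructed stand-in for boto3.client("s3"); sample values only
    now = datetime(2020, 12, 1, tzinfo=timezone.utc)
    s3 = MagicMock()
    s3.get_bucket_versioning.return_value = {"Status": "Enabled"}
    s3.get_object_lock_configuration.return_value = {
        "ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
    s3.list_object_versions.return_value = {
        "Versions": [{"Key": "veeam-folder/blk", "VersionId": "v1"}]}
    s3.get_object_retention.return_value = {
        "Retention": {"RetainUntilDate": now - timedelta(days=1)}}
    return audit_bucket(s3, "veeam-bucket", "veeam-folder/", now)
```

Against a live store, pass a `boto3.client("s3", endpoint_url=...)` built with the backup user's key pair instead of the stand-in. A version reported without retention is a prompt for review rather than proof of a fault.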


Author : Sambhram Sahoo

Sambhram has close to 23 years of experience in Networking, Virtualization, Storage, Cloud and S3 technologies. He has quite a lot of certifications across various domains to his name. He has been working on Nutanix Objects since Objects 1.0, and takes care of the System side of validation of the product.