There are dozens of use cases for object locking, but one that is getting a tremendous amount of attention these days is ransomware. Ransomware works by encrypting your files and holding you hostage for the encryption key. Until recently, backups were the forgotten part of the Ransomware workflow. Because they were “just backups” they were not well protected and as a result became the weak link. Weak links get exposed.
Ransomware is a pay-for-performance crime. If the hacker doesn’t cover their tracks they go to jail. If they fail, their effort is wasted and they are not paid for their time. That is why bad actors target companies that don’t have a clean recovery plan in place.
It has become far more sophisticated in recent years. Initially, hackers encrypted data immediately upon executing without regard to where it was. As the industry responded so did the hackers, injecting code that spread first, then encrypted. Today’s hackers have taken it to a whole other level. They penetrate, alert the hacker they are in, and then the hacker determines the optimal strategy for maximum leverage against their target. This often includes carefully determining how to disable/corrupt backups - both on and offline.
If the Twitter breech taught us anything it was that once the attacker is in, and you don’t know about it, you are really exposed.
This is why the Veeam/MinIO partnership is so important. With Veeam and MinIO, enterprises can construct a strategy that ensures a safe copy always exists.
MinIO provides the ability to store data in a manner where the data is unchangeable yet remains completely accessible at the performance levels our customer base has come to expect. This is a relatively involved set of capabilities that are best left to a more technical post but we will cover the high points here.
The MinIO Object Storage Server offers the following capabilities:
- Write Once Read Many - This ensures that once data is written it cannot be tampered with. MinIO has added to its capabilities in this area with the addition of features such as governance and legal hold policies. This is the state of the art in data protection. Because the data cannot be modified, it cannot be encrypted - keeping hackers at bay. Depending on the policy selected, even those with root access will not be able to make changes - protecting the data from rogue employees.
- Versioning capabilities that enable users to retain multiple variants of an object in the same bucket. Versioning provides a mechanism to preserve, retrieve, and restore every version of every object stored in a bucket.
- Secure channel construction / online authenticated encryption scheme (OAE) for server-side encryption featuring AES-256-GCM, ChaCha20-Poly1305 and AES-CBC. This covers data inflight and at rest and ensures data confidentiality as well as data integrity. No object storage vendor delivers this level of security - and we do it in a way that is effectively frictionless from a performance perspective.
- Active-Active Replication. With active-active replication each data center runs a completely independent MinIO cluster, with a global load balancer facing the client applications. The global LB can route requests to individual MinIO clusters in a round-robin fashion or other sophisticated approaches. The MinIO cluster within a DC uses erasure code for resilience - providing it with capacity to lose multiple drives / nodes before it becomes inaccessible. If evidence of tampering is found in one DC, the system can change over to the other DC until that issue is resolved.
Ransomware attacks skyrocketed 148% in March 2020 (according to VMware Carbon Black data) with financial services, healthcare and manufacturing being the hardest hit. Further, we have plenty of evidence that COVID-19 has created an environment that increases the likelihood of malicious cyber-attacks given current remote working protocols.
To learn how to enable MinIO and Veeam together - check out our documentation. The simplicity of the MinIO and Veeam implementation is such that every organization - large and small should be taking steps to secure their backups.