Rubrik Zero Trust Data Security solutions deliver data security and operational resilience for enterprises. This means data is ready at all times so you can recover the data you need, and avoid paying a ransom. To ensure the best possible protection of data and be eligible for the Rubrik Ransomware Recovery Warranty, customers must adhere to these industry data security best practices, as well as deployment requirements outlined in Rubrik’s Security Hardening Best Practices Guide.
Data Health
Backups Meet SLA Policies
Your backups are the last, and best, line of defense against a cyberattack, and so it is vital that you can meet not only your recovery point objective (RPO), but also that you can hit your Recovery Time Objectives (RTO). As an example, the fact that you can recover to a point in time that sees you lose only seconds of data might mean nothing if it takes months to verify exactly when your systems were compromised, and then restore your systems to that point in time.
Rubrik SLA policies must be properly defined and applied against target workloads and datasets. Once policies are in place, regular monitoring must verify the completion of data backups. This monitoring is critical, as backup failures can result from an application, infrastructure, or services outages, performance bottlenecks, or other factors - directly impacting recoverability from an attack.
Alerts must also be configured and monitored through Rubrik or other systems integrated with Rubrik.
Enable SLA Retention Lock
Retention Lock ensures that data retention settings within an SLA policy cannot be reduced or removed. For example, a ransomware attacker might attempt to change the retention period from three years to just one day, which would cause the system to remove any data older than 24 hours. This malicious action would prevent any data older than 24 hours from being restored. To ensure recoverability, Retention Lock is vital for all workloads.
User Access
Multi-factor authentication for all user accounts
Multi-factor authentication (MFA) is key to preventing an attacker with compromised credentials from getting access to Rubrik. Rubrik offers both a native, time-based one-time password (TOTP) solution, as well as integration with third-party authentication providers through SAML 2.0. A Rubrik Administrator will be prompted on login to enable this TOTP integration to safeguard access to the Rubrik web and command-line interfaces.
SSH key-based with passphrase-protected keys for CLI authentication
The Rubrik Command-line interface (CLI) is an alternative way to manage the Rubrik system outside the web-based graphical user interface (GUI). The CLI can be used to automate tasks or to have a minimalist approach to administration. Nonetheless, the Rubrik CLI is just as powerful as the GUI, and, therefore, steps must be taken to secure this access.
Using SSH keys to authenticate provides better security than a basic username and password, which an adversary could sniff in a man-in-the-middle (MITM) attack. The SSH keys must be protected using passphrases to ensure that a rogue actor cannot simply steal those keys and use them to infiltrate the system. SSH with key-based authentication can be enforced by the Admin user in Rubrik Cloud Data Management (CDM) 6.0.1 onwards.
User roles are assigned with the least privileged access
Rubrik provides fine-grained role-based access control (RBAC). Administrators can assign the least privilege level that a user needs to perform their role. Rubrik ships with RBAC role templates and allows custom role templates to be created to meet your business needs. This limits exposure were a rogue actor to gain access to the system.
Users must have roles that are defined with the least privilege, in line with the CISA definition. For example, an application owner should be able to assign one of their component databases to an SLA domain. Still, they must not be able to overwrite files in a VM for which they are not responsible from an old snapshot.
Data Encryption
Data-at-rest and data-in-transit are always encrypted
Rubrik clusters have the option to use software-based encryption or self-encrypting disks for data-at-rest. One of these options must be enabled to ensure that data within the system is safe and encrypted. Data must also be encrypted during transmission via TLS certificates. Rubrik supports the import and export of TLS certificates signed by a Certificate Signing Request (CSR) or a key phrase, as well as wildcard certificates. Encrypting data-in-transit ensures that data cannot be copied or stolen during transmission.
Secure protocols for third-party systems
Rubrik has powerful integrations with many other platforms. Those integrations must communicate with Rubrik only via secure channels such as HTTPS, SSH, or API. Where applicable, signed TLS certificates must be used.
Application Access
Create IP allow lists that limit connections to customer-owned networks
Rubrik allows customers to restrict which IP networks can access the Rubrik Polaris interface. This ensures that users and devices outside the customer’s environment cannot log in to the Rubrik Polaris instance. Only specific trusted networks must be populated in the allow list. Access to Rubrik CDM must be restricted using a protected management network, limiting access only to those authorized to manage the environment.
SSL-certificate security for User Interface (UI) and APIs
As mentioned earlier, Rubrik supports TLS certificates to secure access to the system. Signed TLS certificates must be used to secure web-based interfaces over HTTPS to protect against attacks.
API Security
Secure service accounts
Rubrik allows for creating and managing service accounts to represent services and client applications that need to invoke Rubrik APIs. Using service accounts eliminates the need to rely on user accounts to access the Rubrik APIs and reduces the lateral movement capabilities of an attacker. Service accounts must be used for automation tools and integrations that only require API access, and each different application or use case must have a unique account.
Scoped API roles with the least privilege
Much like User roles, access via Rubrik APIs must be scoped to grant access only as necessary and implemented in the least privileged manner. In this way, risks are minimized if a role were to be compromised, either directly or via a software supply chain attack.
To learn more about industry Data Security best practices, developing a comprehensive cyber resilience plan, and more, view the Rubrik Data Security Summit on-demand.