The threat of ransomware has capitalized on the surge of remote connectivity, systems, and new users. Because of this, the attack surface of the typical enterprise is more vulnerable than ever to cyber threats. These threats can specifically target backups to remove the ability to recover systems and effectively force a ransom payment. This is most often accomplished by encrypting or deleting backup data. Alternatively, if an attacker finds that backup data is stored on an immutable platform like Rubrik, they can then look to indirectly delete data by reducing or eliminating retention from backup jobs. In this post, learn how Rubrik SLA Retention Lock prevents attackers, or even rogue administrators, from reducing or eliminating data retention.
As a reminder, Rubrik customers enjoy the operational benefits of our SLA Domain Policy in Rubrik Cloud Data Management (CDM). It uses a declarative method to translate data protection requirements into an intuitive workflow. You tell the system how you want your data protected, and Rubrik automates the rest. An SLA captures critical inputs such as recovery point objectives (RPO) and backup retention, replication, and archival, all of which are essential to meet data compliance and business goals. These collected inputs form a policy that can be widely applied to applications and data.
An SLA is a powerful feature that uses its intelligent design to automate low-level tasks. For this reason, Rubrik recommends securing CDM according to our security best practices. Those practices cover important topics such as using the principle of least privilege and Rubrik multi-factor authentication (MFA). These techniques and features prevent unauthorized access or actions within the system.
Prevent SLA Policy Tampering
SLA Retention Lock is a key compliance feature in the Rubrik Zero Trust Data Management™ framework. When applied to an SLA, it prevents undesirable modifications such as:
The removal of protected objects
Reduction in data retention
Redirection of archival destinations
Deletion of the SLA Domain Policy
The above rules apply to all accounts including administrative and privileged accounts. For example, a disgruntled employee with privileged access cannot modify a locked SLA in a way that results in backup data loss. Also, SLA archival targets cannot be modified, preventing the redirection of data outside of company control.
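As an added illustration (not Rubrik's code or API), the four locked-SLA rules above can be written as a check that compares a current policy with a proposed one and lists the changes a lock would refuse. The field names and the sample policy are hypothetical, constructed for this example.

```python
# Added illustration. The dict fields are hypothetical, not Rubrik CDM's schema or API.
RETENTION_TIERS = ("local_retention_days", "archive_retention_days")


def lock_violations(current, proposed):
    """Return the changes a retention-locked SLA would refuse.

    `proposed` is None when the request is to delete the SLA.
    Only the four rules listed in the post are modelled.
    """
    if not current.get("retention_locked"):
        return []  # unlocked SLAs are not covered by the lock rules
    if proposed is None:
        return ["deletion of the SLA Domain Policy"]

    found = []
    removed = set(current["protected_objects"]) - set(proposed["protected_objects"])
    if removed:
        found.append("removal of protected objects: " + ", ".join(sorted(removed)))
    for tier in RETENTION_TIERS:
        # Extending retention is allowed; only a reduction is refused.
        if proposed[tier] < current[tier]:
            found.append(
                f"reduction in data retention: {tier} {current[tier]} -> {proposed[tier]}"
            )
    if proposed["archive_target"] != current["archive_target"]:
        found.append(
            "redirection of archival destination: "
            f"{current['archive_target']} -> {proposed['archive_target']}"
        )
    return found


# Constructed sample policy (all values invented for the example).
GOLD = {
    "name": "gold",
    "retention_locked": True,
    "protected_objects": ["vm-sql01", "vm-files01"],
    "local_retention_days": 30,
    "archive_retention_days": 365,
    "archive_target": "archive-primary",
}

if __name__ == "__main__":
    tampered = dict(GOLD, protected_objects=["vm-sql01"],
                    local_retention_days=1, archive_target="archive-other")
    for violation in lock_violations(GOLD, tampered):
        print("BLOCKED:", violation)
```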
SLA Retention Lock facilitates compliance with certain regulations. For example, when CDM is properly configured with Retention Locked SLA Domains, it meets the five requirements related to recording and non-rewritable/non-erasable storage of electronic records, as specified in SEC Rule 17a-4(f) and FINRA 4511(c).
Rubrik requires a completed security authorization process before the feature is enabled. The Rubrik Support Management staff work with the customer to complete this process. The customer appoints at least two company officials authorized to approve SLA modifications. These individuals go through a vetting process that ends with signed authorization letters.
Rubrik Support must be contacted if there needs to be a modification to an SLA with Retention Lock enabled, specifically any SLA modification that would violate any of the above-stated rules. Rubrik Support will then engage with Rubrik Support Management staff to begin an authorized change request. This change request goes through approved contacts to the appointed company officials. After the change request is signed and ratified, Rubrik Support can proceed with the requested SLA modifications.
See Retention Lock in Action
Now let’s hop into the interface to see how to enable SLA Retention Lock. Then we will take a look at what would happen if an attacker attempted to make undesirable changes to a locked SLA, either by reducing the data retention of backups in the cluster and archive, or by modifying the archive target itself.
Ransomware continues to escalate IT risk in all organizations, from data compliance regulations to halting critical applications. With SLA Retention Lock, Rubrik customers have a valuable tool to mitigate these risks. It helps ensure that both backup data and protection policies are not tampered with by known or unknown threats.