It’s 4 a.m. and you get that call you hoped you’d never get. “Our systems are locked, and we can’t access anything. It looks like we’ve been hit by ransomware.” More than likely, your first questions are, “What about our backups? Can we recover?” Unfortunately for many, the answer is, “No. They got our backups, too.”
With ransomware threats becoming more sophisticated, attackers are now targeting backups, leaving many organizations without a clear recovery strategy. What steps can organizations take to reduce their risk and ensure that their backup data can serve as the last and best line of defense?
The answer starts with the data itself. If attackers are targeting your backup data, your security controls must start at the data. That means applying the security model known as Zero Trust. Applied to data management, Zero Trust presumes that every user, device, and application is untrusted and treats every attempt to access data as a potential threat: trust no one and verify everything. Even once access has been authenticated and authorized, Zero Trust requires that users receive only the privileges needed for their role and the task at hand.
Rubrik Zero Trust Data Security™ is a proprietary architecture modeled after the NIST (National Institute of Standards and Technology) Zero Trust Implementation Model. The Rubrik architecture combines user and employee risk management, a secure data layer, compliance, and data intelligence capabilities to protect backup data and ensure organizations are prepared to recover from an attack without paying a ransom.
Figure 1: Rubrik Zero Trust Data Security
At the core of Rubrik Zero Trust Data Security is DataGuardian, a set of purpose-built technologies designed to protect backup data so that you have a reliable and resilient recovery point from which to restore applications and data. DataGuardian is proprietary to Rubrik and applies robust security capabilities across the control and the data plane.
Control Plane
API Gateway
DataGuardian includes an API Gateway that brokers all internal and external data operations and enforces security controls on every data-access attempt. The Rubrik platform is built API-first: any operation available in the Rubrik UI can also be automated through the platform APIs. All API calls are authenticated with API security tokens and authorized through role-based access control.
External REST-based APIs support integration into the larger IT environment, helping to automate backup and recovery operations. The API Gateway also integrates with popular SIEM and SOAR tools to drive collaboration between IT operations and security operations teams to quickly scope attacks and accelerate the recovery of applications and data.
For internal system communications, the API Gateway uses low-level APIs in combination with Rubrik proprietary protocols. These low-level APIs are restricted to internal use, so external actors cannot reach Rubrik-managed data directly. Internal data operations also follow the Zero Trust principle of least privilege: each operation is granted only the access needed to complete the approved task.
Policy Engine
Rubrik DataGuardian incorporates an advanced Policy Engine that manages two core aspects of the data platform. First, it protects application data by managing and applying SLA domain policies for target workloads and backup data. These policies are declarative and manage data throughout its lifecycle - from basic snapshot protection, through long-term retention, data archival, and data replication. The Policy Engine uses SLA policies to protect data, both in the data center and in the cloud.
Rubrik’s SLA domain policies are well understood and have driven the company’s success in modernizing data protection for thousands of customers; a separate blog post explains this part of the DataGuardian Policy Engine.
What is underappreciated is the Policy Engine’s ability to secure access based on an IT administrator’s organizational role. The Policy Engine can be thought of as a data firewall – controlling access to data based on the identity of the requestor, that individual’s authorized privileges, and the requested target.
Access control policies can be defined using predefined roles, such as read-only. IT teams can also define custom roles to granularly restrict access to specific protected objects and resources.
For example, the Policy Engine can enforce policies that limit access to individual VMs, databases, file sets, and folders, or to entire object types, such as all vSphere VMs. Because scoping can be applied at the object-type level, objects of that type added later automatically inherit the policy without any per-object configuration. This reduces the operational burden on IT teams while keeping security controls consistent.
Figure 2: Rubrik DataGuardian Policy Engine controls
The Policy Engine also enforces each IT administrator’s privileges once access has been granted. Privileges cover protection operations (e.g., changing SLA policy parameters) and recovery methods, such as downloading or exporting files or live mounting a snapshot. This adds another layer of platform-level security.
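The "data firewall" behaviour described above (default deny, grants scoped to named objects or to whole object types, type-scoped grants inherited by objects registered later, and a separate check of the privilege being exercised) can be modelled in a few dozen lines. The following is an added example written for this article, not Rubrik's engine or API; the role names, the `manage_sla` privilege and the object-type identifiers are assumptions, while `download`, `export` and `live_mount` mirror the recovery methods named in the text.

```python
"""Constructed model of a default-deny 'data firewall' for a backup platform.
Example code for this article, not Rubrik's Policy Engine; names are assumptions."""
from dataclasses import dataclass

# Privilege vocabulary (assumed). view/download/export/live_mount follow the article;
# manage_sla stands in for "protection operations".
PRIVILEGES = frozenset({"view", "manage_sla", "download", "export", "live_mount"})


@dataclass(frozen=True)
class ProtectedObject:
    obj_id: str
    obj_type: str  # e.g. "vsphere_vm", "mssql_db", "nas_fileset" (assumed type names)


@dataclass(frozen=True)
class Role:
    name: str
    privileges: frozenset
    object_ids: frozenset = frozenset()    # explicit objects this role may touch
    object_types: frozenset = frozenset()  # whole object types; later objects inherit

    def covers(self, obj: ProtectedObject) -> bool:
        return obj.obj_id in self.object_ids or obj.obj_type in self.object_types


class PolicyEngine:
    def __init__(self):
        self.roles = {}        # role name -> Role
        self.assignments = {}  # user -> set of role names
        self.inventory = {}    # obj_id -> ProtectedObject

    def add_role(self, role: Role) -> None:
        unknown = role.privileges - PRIVILEGES
        if unknown:
            raise ValueError(f"role {role.name} names unknown privileges {sorted(unknown)}")
        self.roles[role.name] = role

    def assign(self, user: str, role_name: str) -> None:
        self.assignments.setdefault(user, set()).add(self.roles[role_name].name)

    def register(self, obj: ProtectedObject) -> None:
        # No policy update is needed here: type-scoped roles cover the new object automatically.
        self.inventory[obj.obj_id] = obj

    def authorize(self, user: str, obj_id: str, privilege: str):
        """Default deny. Returns (allowed, reason) so every decision can be logged with context."""
        obj = self.inventory.get(obj_id)
        if obj is None:
            return False, "unknown object"
        for role_name in sorted(self.assignments.get(user, ())):
            role = self.roles[role_name]
            # Both conditions must hold: the role must cover the target AND carry the privilege.
            if role.covers(obj) and privilege in role.privileges:
                return True, f"granted by role '{role_name}'"
        return False, "no matching grant"

    def visible_objects(self, user: str) -> list:
        """Objects the user may at least view; anything else is invisible to them."""
        return sorted(oid for oid in self.inventory if self.authorize(user, oid, "view")[0])


def build_demo() -> PolicyEngine:
    """Constructed inventory and role set used to exercise the engine."""
    pe = PolicyEngine()
    all_types = frozenset({"vsphere_vm", "mssql_db", "nas_fileset"})
    pe.add_role(Role("read_only", frozenset({"view"}), object_types=all_types))
    pe.add_role(Role("vm_operator", frozenset({"view", "live_mount", "manage_sla"}),
                     object_types=frozenset({"vsphere_vm"})))
    pe.add_role(Role("payroll_dba", frozenset({"view", "download", "export"}),
                     object_ids=frozenset({"mssql-payroll"})))
    pe.register(ProtectedObject("vm-web01", "vsphere_vm"))
    pe.register(ProtectedObject("mssql-payroll", "mssql_db"))
    pe.register(ProtectedObject("mssql-crm", "mssql_db"))
    pe.assign("auditor", "read_only")
    pe.assign("ops-alice", "vm_operator")
    pe.assign("dba-bob", "payroll_dba")
    # Registered after the roles exist: inherits the vm_operator grant with no extra configuration.
    pe.register(ProtectedObject("vm-web02", "vsphere_vm"))
    return pe


if __name__ == "__main__":
    engine = build_demo()
    for user, obj, priv in [("ops-alice", "vm-web02", "live_mount"),
                            ("dba-bob", "mssql-crm", "export"),
                            ("auditor", "mssql-payroll", "download")]:
        print(user, obj, priv, engine.authorize(user, obj, priv))
```

Two design points carry over to a real deployment: the decision is default deny, so a missing grant and an unknown object look the same to the caller, and the privilege check is separate from the scope check, so a DBA scoped to one database still cannot live mount it unless that privilege was granted.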
Data Plane
Threat Engine
Discovering threats to enterprise data is fundamental to protecting that data. This includes attacks that aim to modify, compromise, or encrypt data, such as ransomware. Rubrik DataGuardian incorporates a Threat Engine that detects data anomalies and then delivers the data intelligence needed to rapidly restore affected workloads.
The Threat Engine uses machine learning to monitor and understand how data changes over time. It establishes a normal baseline of activity for each protected workload or data set and then looks for anomalous changes and suspicious events: abnormally high change rates, changes to file names and types, and high entropy, which may signal malicious encryption. These models are trained on each environment’s own data over time, and because the analysis runs on the backup platform rather than on production systems, it has no impact on production performance.
If an anomaly or threat is detected, an analysis of affected files or applications is performed to help users visualize the full scope of the attack and pinpoint the optimal recovery points. The Threat Engine can issue context-sensitive alerts and in-depth data intelligence for consumption by incident response (IR) solutions.
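The three signals named above (change rate against a learned baseline, mass changes to file names and extensions, and high entropy in rewritten content) are straightforward to compute from two consecutive snapshots. The block below is an added example for this article, not Rubrik's Threat Engine: the snapshot representation, the thresholds and the sample file set are all constructed assumptions chosen to make the ransomware signature visible.

```python
"""Constructed example of backup-side ransomware anomaly detection.
Compares consecutive snapshots, learns a baseline from earlier ones and flags
abnormal change rate, mass extension changes and high-entropy rewrites.
Example code for this article; not Rubrik's implementation."""
import math
import random
import statistics
from collections import Counter


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte: roughly 4-5 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def snapshot_metrics(prev: dict, curr: dict) -> dict:
    """Snapshots map a stable file id (think inode) -> (filename, content bytes).
    Returns the change rate, the extension-change rate and the mean entropy of changed files."""
    changed, ext_changed, entropies = 0, 0, []
    for fid, (name, content) in curr.items():
        old = prev.get(fid)
        if old is None or old[1] != content:
            changed += 1
            entropies.append(shannon_entropy(content))
        if old is not None and old[0].rsplit(".", 1)[-1] != name.rsplit(".", 1)[-1]:
            ext_changed += 1
    total = max(len(curr), 1)
    return {
        "change_rate": changed / total,
        "ext_change_rate": ext_changed / total,
        "mean_changed_entropy": statistics.fmean(entropies) if entropies else 0.0,
    }


def detect_anomalies(history: list, current: dict, k: float = 3.0) -> list:
    """history: metrics of earlier, trusted snapshots (the baseline).
    Flags the current snapshot when its change rate sits k standard deviations above the
    baseline, or when it shows the encryption signature (mass renames, high entropy)."""
    reasons = []
    rates = [m["change_rate"] for m in history]
    mean = statistics.fmean(rates)
    std = max(statistics.pstdev(rates), 0.02)  # floor: a very quiet baseline must not alert on noise
    if current["change_rate"] > mean + k * std:
        reasons.append(f"change rate {current['change_rate']:.2f} exceeds baseline "
                       f"{mean:.2f} + {k:g} * {std:.2f}")
    if current["ext_change_rate"] > 0.10:  # threshold is an assumption
        reasons.append(f"{current['ext_change_rate']:.0%} of files changed extension")
    if current["mean_changed_entropy"] > 7.0 and current["change_rate"] > 0.25:
        reasons.append(f"changed files average {current['mean_changed_entropy']:.2f} bits/byte")
    return reasons


def build_demo_snapshots(n_files: int = 20, n_normal: int = 5):
    """Constructed data: routine daily edits to two files, then one snapshot taken after a
    simulated ransomware run that replaces every file with random bytes and appends '.locked'."""
    rng = random.Random(1234)
    base = {i: (f"report_{i}.txt", f"Quarterly report {i}\n".encode() * 40) for i in range(n_files)}
    snaps = [base]
    for day in range(1, n_normal + 1):
        nxt = dict(snaps[-1])
        for fid in rng.sample(range(n_files), 2):
            name, content = nxt[fid]
            nxt[fid] = (name, content + f"Edited on day {day}\n".encode())
        snaps.append(nxt)
    encrypted = {fid: (name + ".locked", bytes(rng.getrandbits(8) for _ in range(2048)))
                 for fid, (name, _) in snaps[-1].items()}
    return snaps, encrypted


def run_demo():
    """Returns (alerts for the last routine snapshot, alerts for the post-attack snapshot)."""
    snaps, encrypted = build_demo_snapshots()
    history = [snapshot_metrics(a, b) for a, b in zip(snaps, snaps[1:])]
    routine_alerts = detect_anomalies(history[:-1], history[-1])
    attack_alerts = detect_anomalies(history, snapshot_metrics(snaps[-1], encrypted))
    return routine_alerts, attack_alerts


if __name__ == "__main__":
    routine, attack = run_demo()
    print("last routine snapshot:", routine or "clean")
    print("post-ransomware snapshot:", *attack, sep="\n  ")
```

Keying files by a stable id rather than by path is what makes the rename signal observable at all; a path-keyed comparison would see every `.locked` file as new and every original as deleted. The entropy rule is deliberately combined with an elevated change rate, because a handful of legitimately compressed or encrypted files in a normal snapshot should not fire an alert on their own.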
The Threat Engine can also discover, classify, and report on certain types of sensitive data in a Rubrik-managed environment. Rubrik administrators can define policies for specific data types, such as credit card numbers, and then assign these policies to targets (e.g., Windows or NAS file sets). Policies can also be defined to discover sensitive data types defined by regular expressions (regex).
This intelligence can be vital in determining whether an attack has touched sensitive or regulated data, including which data may have been exposed to exfiltration. Knowing with confidence whether sensitive data has been affected may be the deciding factor in whether to pay a ransom.
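A classifier policy of the kind described above is a pattern plus, where one exists, a validity check, assigned to a set of files. The block below is an added example for this article rather than Rubrik's classification engine: it pairs a credit-card regex with the Luhn checksum so that order numbers and timestamps of the same length are not reported, adds a custom regex type (the `EMP-` employee-id format is invented for the example), and runs both over a constructed in-memory file set.

```python
"""Constructed example of policy-based sensitive-data discovery over a file set.
Example code for this article; the policy API, the employee-id format and the
sample files are assumptions, not Rubrik's implementation."""
import re
from dataclasses import dataclass
from typing import Callable, Optional


@dataclass(frozen=True)
class ClassifierPolicy:
    name: str
    pattern: re.Pattern
    validator: Optional[Callable[[str], bool]] = None  # second-stage check to cut false positives


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: true for real card numbers, false for most random digit runs."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def _digits_only(s: str) -> str:
    return re.sub(r"[ -]", "", s)


# 13 to 19 digits, optionally separated by single spaces or hyphens, not embedded in a longer run.
CREDIT_CARD = ClassifierPolicy(
    "credit_card",
    re.compile(r"(?<![\d-])(?:\d[ -]?){12,18}\d(?![\d-])"),
    validator=lambda m: luhn_valid(_digits_only(m)),
)
# Custom regex type an administrator might define (format is an assumption for this example).
EMPLOYEE_ID = ClassifierPolicy("employee_id", re.compile(r"\bEMP-\d{6}\b"))


def redact(value: str) -> str:
    """Keep only the last four characters so findings can be reviewed without re-exposing the data."""
    digits = _digits_only(value)
    return "*" * (len(digits) - 4) + digits[-4:]


def scan_fileset(files: dict, policies) -> list:
    """files: path -> bytes. Returns one finding per match that passes the policy's validator."""
    findings = []
    for path, content in files.items():
        text = content.decode("utf-8", errors="replace")
        for policy in policies:
            for match in policy.pattern.finditer(text):
                if policy.validator and not policy.validator(match.group()):
                    continue  # looked like the type but failed validation (e.g. bad Luhn digit)
                findings.append({"path": path, "type": policy.name, "value": redact(match.group())})
    return findings


# Constructed sample file set. 4111 1111 1111 1111 and 3782 822463 10005 are the well-known
# Visa/Amex test numbers; the 16-digit order ids and the 13-digit epoch timestamp fail Luhn.
DEMO_FILES = {
    "finance/orders.csv": (
        b"order_id,placed_on,card,amount\n"
        b"1234567890123456,2024-01-15,4111 1111 1111 1111,199.00\n"
        b"9876543210987654,2024-01-16,3782 822463 10005,42.50\n"
    ),
    "hr/roster.txt": b"Employee EMP-004211 transferred to Finance.\n",
    "logs/app.log": b"1700000000123 INFO request served in 12ms\n",
}


def run_demo() -> list:
    return scan_fileset(DEMO_FILES, [CREDIT_CARD, EMPLOYEE_ID])


if __name__ == "__main__":
    for f in run_demo():
        print(f"{f['path']}: {f['type']} {f['value']}")
```

Without the validator the same regex reports five card "hits" in this file set; with it, only the two real numbers are reported. The redaction step matters in practice too: a classification report that reproduces full card numbers is itself a new copy of regulated data.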
Immutable Data Platform
Rubrik DataGuardian keeps backup data immutable: once data has been written, it cannot be modified or encrypted. This is what makes recovery reliable when production storage has been compromised, because an attacker who encrypts production cannot also encrypt the backup copy.
Native data immutability comes from Atlas, Rubrik’s append-only file system. Atlas tightly controls which applications can exchange information, how each data exchange is transacted, and how data is arranged across physical and logical devices. Once data is securely ingested into Atlas, it is written into a proprietary file called a Patch File. Patch Files are append-only files (AOFs), which means data can only be added to the system; no external or internal operation can modify data already written. Because Atlas never overwrites data, an infected or encrypted file that Rubrik ingests in a later snapshot is simply appended; it cannot alter earlier snapshots or spread to other files and folders.
DataGuardian also extends its data immutability into the cloud. For example, when data is migrated from a Rubrik appliance in the data center to Azure Blob cloud storage, DataGuardian uses Azure APIs to preserve data in an immutable state.
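The property that matters in the append-only design is that a later, already-encrypted snapshot lands after the clean one and leaves it byte-for-byte intact. The block below is an added illustration written for this article, not Rubrik's Atlas or its Patch File format: the record layout, the SHA-256 integrity tag and the `AppendOnlyStore` API are assumptions chosen to show the idea in runnable form.

```python
"""Constructed illustration of an append-only backup record store.
Example code for this article; not Rubrik's Atlas. Record format and API are assumptions."""
import hashlib
import os
import struct
import tempfile

# Record header: little-endian payload length, then SHA-256 of the payload.
HEADER = struct.Struct("<I32s")


class AppendOnlyStore:
    """Records can be appended and read back. There is deliberately no write-in-place,
    truncate or delete path; the only mutation the API exposes is append."""

    def __init__(self, path: str):
        self.path = path
        self.offsets = []  # record index -> byte offset of its header
        if os.path.exists(path):
            self._rebuild_index()

    def _rebuild_index(self) -> None:
        """Walk the file header by header so the index survives a restart without a side table."""
        with open(self.path, "rb") as f:
            while True:
                pos = f.tell()
                hdr = f.read(HEADER.size)
                if not hdr:
                    break
                if len(hdr) < HEADER.size:
                    raise ValueError(f"truncated record header at offset {pos}")
                length, _ = HEADER.unpack(hdr)
                self.offsets.append(pos)
                f.seek(length, os.SEEK_CUR)

    def append(self, payload: bytes) -> int:
        """Append one record and return its index. 'ab' positions every write at end of file."""
        with open(self.path, "ab") as f:
            offset = f.seek(0, os.SEEK_END)
            f.write(HEADER.pack(len(payload), hashlib.sha256(payload).digest()))
            f.write(payload)
        self.offsets.append(offset)
        return len(self.offsets) - 1

    def read(self, index: int) -> bytes:
        """Return a record's payload, refusing to hand back data whose digest no longer matches."""
        with open(self.path, "rb") as f:
            f.seek(self.offsets[index])
            length, digest = HEADER.unpack(f.read(HEADER.size))
            payload = f.read(length)
        if hashlib.sha256(payload).digest() != digest:
            raise ValueError(f"record {index} failed integrity check")
        return payload


CLEAN_SNAPSHOT = b"customer_db: 10,000 rows, clean"  # constructed stand-in for backup content


def demo():
    """Ingest a clean snapshot, then a post-ransomware one; reopen and restore the clean copy."""
    with tempfile.TemporaryDirectory() as d:
        store = AppendOnlyStore(os.path.join(d, "patch.aof"))
        clean_idx = store.append(CLEAN_SNAPSHOT)
        # Production was encrypted after the first snapshot; the next ingest carries ciphertext.
        locked_idx = store.append(bytes((i * 73 + 19) % 256 for i in range(64)))
        reopened = AppendOnlyStore(store.path)  # index rebuilt purely from the file
        return reopened.read(clean_idx), reopened.read(locked_idx), len(reopened.offsets)


if __name__ == "__main__":
    clean, locked, count = demo()
    print(f"{count} records; clean snapshot restores as: {clean!r}")
    print(f"later snapshot holds ciphertext: {locked[:8].hex()}...")
```

The code shows the shape of the guarantee, not its enforcement: a Python class that declines to overwrite is only as strong as the process boundary around it. In a real system the immutability has to be enforced beneath the application, in the file system or, as the Azure Blob case above describes, by the storage service's own immutability controls, so that no credential the backup software holds can open the data for modification.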