Itzikr's Blog

Dell EMC PowerStore was built for next generation datacenter capabilities with an explicit focus on data-centric workloads, intelligent automation and management, and deployment adaptability. Within that “intelligent” umbrella we could also address security. Part of PowerStore’s native capabilities include Data At Rest (D@RE) Encryption for all data and the definitional term of immutability as it pertains to snapshot protection.

PowerStore Snapshots

As noted in our snapshot whitepaper: “Dell EMC PowerStore provides a simple but powerful approach to local data protection using snapshots. PowerStore uses the same snapshot technology across all the resources within the system, including volumes, volume groups, file systems, virtual machines, and thin clones. Snapshots use thin, redirect-on-write technology to ensure that system space is used optimally and reduces the management burden by never requiring administrators to designate protection space. Snapshots can be created manually through PowerStore Manager, PowerStore CLI, REST API, or automatically using protection policies. Protection policies can be created and assigned to quickly create local and remote protection on supported resources.”

Customers can take advantage of advanced snapshot technology and capabilities in an easy to use policy-based environment using PowerStore Manager – the HTML5 management GUI of PowerStore. For example, you can create different snapshot schedules within a policy and then apply that policy to your volumes at the point of creation automatically or after the fact. The volume (or even volume group) will streamline snapshot creation and management for all of those schedule via a single policy.

Now that we have an idea of the snapshot basics the question of ransomware protection can be addressed. All PowerStore snapshots are immutable by design and by definition. An immutable snapshot cannot be manipulated or changed in any way; they can’t even be mounted. They are for recovery purposes only. However, you can create a Thin Clone of a snapshot. Thin Clones are zero space copies of snapshots that can be mounted and made writeable – this is where advanced copy data management comes into play with technology like AppSync.

But back to “immutable snaps“… Since a PowerStore snapshot is 100% read-only and cannot be modified or manipulated it is the perfect tool for recovering instantly from ransomware scenarios. You can know with confidence that your snapshots have not been tampered with or modified in anyway.

Merriam-Webster defines immutable this way:

Definition of immutable: not capable of or susceptible to change. This being the case, your snapshot data is secure and worry free.

CloudIQ

Now let’s take that immutable snapshot conversation to the next level and introduce our cyber security integration with CloudIQ. Dell EMC CloudIQ is included with every PowerStore at no additional cost. It comes as part of your support contract and provides simplified machine learning / artificial intelligence based monitoring and reporting. With CloudIQ Cybersecurity a user can gain access to proactive security configuration information about their PowerStore environment.

• Cybersecurity Assessment – Determines if there are deviations in your security policy.
  
• Cybersecurity Risk Overview – Quick dashboard view of High, Medium, and Low risk scores and guidance on prioritizing needed security changes.
  
• Cybersecurity Risk Levels – A single dashboard to see every single system with a risk and an associated risk value.
  
• Cybersecurity Details and Remediation – A detailed look at the associated risks and the appropriate actions to take for remediation.
  

All of this is based on NIST 800-53 r5 and NIST 800 – 209 standards as well as Dell Technologies best practices for each specific infrastructure product. Security is TOP of mind and with CloudIQ Cybersecurity you are getting the ability to ensure that your storage infrastructure is secure per the industries best practices.

Another integral part of CloudIQ is what we call “Anomaly Detection”. Once again, using fully proactive ML/AI capabilities your PowerStore environment can leverage CloudIQ to alert you of anomalies taking place in your environment. This is critical when it comes to ransomware detection.

One of the most well known vectors of a ransomware attack is encryption. Customer under a ransomware attack begin to take quick notice that their host data is being encrypted. Once the data is encrypted an attacker will request the ransom in exchange for the decryption key. This problem is multifaceted.

1. Even paying the ransom and getting the decryption key you are not guaranteed the ability to recover all of the data
   
2. The decrypt process could take days, weeks, or months depending on the amount of data and the encryption algorithm. It is not an instantaneous recovery.
   

I would highly recommend taking a look at Dell EMC’s PowerProtect Cyber Recovery for the industries most robust ransomware detection and recovery…. but back to CoudIQ and PowerStore.

With CloudIQ Anomaly Detection your PowerStore environment is constantly being assessed for any type of performance or capacity based anomaly. What does this mean in reference to ransomware?

Performance Anomaly – If a sudden IO performance change happens you get notified. Machine learning identifies abnormalities in performance and lets you know that something is going on.

Capacity Anomaly – If a sudden capacity change happens you get notified. Identify capacity anomalies and threats of full capacity.

Don’t Forget Data Reduction

Remember that PowerStore has advanced data reduction technologies that reduces data inline. Performing tasks like deduplication and compression using Intel’s QAT technology are part of the PowerStore data path – it is just how things work.

With data reduction always on and in play, CloudIQ learns the IO patterns and capacity trending of that reduced data. When ransomware encryption is applied that trend instantly changes. Encrypted data is not reduceable and therefore capacity begins to grow abnormally. Also, it is highly likely that the IO pattern changes since suddenly everything is being encrypted. Dell EMC’s CloudIQ is providing insight into your environment that can give you any early detection that something is happening.

If it is determined that you are under a ransomware attack then you can instantly recovery from a PowerStore immutable snapshot.

In Closing

We work extremely hard at Dell EMC to ensure security and provide customers with solid recoverability options. From read-only immutable snapshots to CloudIQ Cybersecurity and Anomaly Detection, PowerStore can help you maintain a highly performant and secure environment. These are tools that are natively included with PowerStore and have no additional cost.

A guest blog post by Jodey Hogeland