PowerFlex and PowerProtect: Keeping Your IT Kingdom Free of Ransomware
“To be, or not to be? That is the question.” Sadly, the answer for many organizations is “to be” the victim of ransomware. In 2020, the Internet Crime Complaint Center (IC3), a department of the FBI, received “2,474 complaints identified as ransomware with adjusted losses of over $29.1 million” according to their annual report.
This report is just the tip of the iceberg. Some organizations choose not to report ransomware attacks and keep the attacks out of the news. Reporting an attack might cost more in negative publicity than quietly paying the ransom.
These perspectives make it appear that no one is immune to ransomware. However, if your organization is attacked, wouldn’t you prefer to avoid both the attention and paying a ransom for your data?
The Dell PowerFlex Solutions Engineering team developed a white paper to help make this dream come true for PowerFlex customers. They worked jointly with the Dell PowerProtect team to create a design that illustrates how to integrate Dell PowerProtect Cyber Recovery with PowerFlex. See Ransomware Protection: Secure Your Data on Dell PowerFlex with Dell PowerProtect Cyber Recovery.
The white paper shows how to use the Cyber Recovery solution with PowerFlex to thwart ransomware and other malicious attacks, protecting your kingdom from would-be attackers. This protection is accomplished by creating an air-gapped vault that can be used with other data protection strategies to mitigate the actions of bad actors. This configuration is shown in the following architectural diagram: 
Figure 1: Architectural diagram
Air gaps and keeping the kingdom secure
The white paper describes a two-layer PowerFlex design in which the storage and compute environment are separate. The left side of the diagram shows the production environment. On the right side of the diagram, notice that there is a second environment, the Dell PowerProtect Cyber Recovery vault. The Cyber Recovery vault is a separate, logically air-gapped environment that helps to protect the production environment. The PowerProtect software runs on the Cyber Recovery vault and analyzes data from the production environment for signs of tampering, such as encryption of volumes or a large number of deletions.
The logical air gap between the two environments is only opened to replicate data from the production environment to the Cyber Recovery vault. Also, the connection between the two environments is only activated from the Cyber Recovery vault. I like to think of this scenario as a moat surrounding a castle with a drawbridge. The only way to cross the moat is over the drawbridge. The drawbridge is controlled from the castle—a secure location that is hard to breach. Likewise, the air gap makes it very difficult for intruders.
Separation of powers
Notice that there are two different users shown in the diagram: an Admin User and a Cyber Recovery User. This difference is important because many attacks can originate within the organization either knowingly or unknowingly, such as a spear phishing attack that targets IT. The division of powers and responsibilities makes it more difficult for a bad actor to compromise both users and get the keys to the kingdom. Therefore, the bad actor has a nearly impossible challenge disrupting both the production environment and the Cyber Recovery environment.
Protecting the kingdom
Let’s take a deeper look at the logical architecture used in the white paper. The design uses a pair of PowerProtect DD systems in which the data resides for both the production and vault sites. Replication between the two PowerProtect DD systems occurs over the logically air-gapped connection. Think of this replication of data as materials moving across the drawbridge to the castle. Material can arrive at the castle only when the gate house lowers the drawbridge.
The Cyber Recovery software is responsible for the synchronization of data and locking specified data copies. This software acts like the guards at the gate of the castle: they raise and lower the drawbridge and only allow so many carts into the castle at one time.
A backup server runs the Cyber Recovery software. The backup server supports various options to meet specific needs. Think of the backup server as the troops in a castle: there are the guards at the gate, archers on the walls, and all the other resources and activities that keep the castle safe. The type of troops varies depending on the size of the castle and the threat landscape. This scenario is also true of the backup server.
The Cyber Recovery environment also includes the CyberSense software, which is responsible for detecting signs of corruption caused by ransomware and similar threats. It uses machine learning (ML) to analyze the backup copies stored in the vault PowerProtect DD to look for signs of corruption. CyberSense detects corruption with a confidence level of up to 99.5 percent. Think of CyberSense as the trusted advisor to the castle: alerting the appropriate teams when an attack is imminent and allowing the castle to defend against attacks.
Putting it all together
In the following animation, we see a high-level overview of how the environment operates under normal conditions, during a ransomware attack, and during recovery. It shows content being replicated into the Cyber Recovery vault from the PowerFlex environment. We then see a bad actor attempt to compromise the VMs in the PowerFlex environment. CyberSense detects the attack and notifies the Cyber Recovery administrators. The administrators can then work with the production team to secure and restore the environment, thwarting the bad actor and the attempt to hold the organization hostage.
Figure 2: Animation of a ransomware attack and recovery
Beyond describing the architecture of this solution, the white paper shows how to deploy and configure both environments. Readers can take the next step towards building protection from a cyberattack.
The white paper is an excellent resource to learn more about protecting your kingdom from ransomware. To choose “not to be” a ransomware victim, contact your Dell representative for additional information.
Author: Tony Foster
Twitter: @wonder_nerd
LinkedIn
Related Blog Posts
Part 2 – PowerProtect Cyber Recovery – Abilities and Improvements in the Cloud
Mon, 24 Oct 2022 18:43:01 -0000
|Read Time: 0 minutes
In my previous blog I talked about the new abilities on the cloud for the PowerProtect Cyber Recovery 19.11 release, which also covered Cyber Recovery on Microsoft Azure.
This time I want to focus on the latest release of Cyber Recovery 19.12 that supports a Google Cloud Platform (GCP) deployment with the entire Cyber Recovery Vault content.
As in AWS and Azure, the architecture remains the same: there’s a dedicated VPC with a Cyber Recovery Jump Host running in its own isolated subnet, and another isolated subnet that runs the Cyber Recovery Management Host and the Vault DDVE. The entire solution is secure with GCP firewall rules that prevent access to the vault. Only the Cyber Recovery Jump Host can access the Cyber Recovery Management Host and Vault DDVE.
You’ll notice in the following architecture diagram that the vault has a second VPC with a subnet, which doesn’t exist in the AWS or Azure deployments. That’s because this is how GCP handles and allows the DDVE to have another NIC (that’s intended for replication).
The deployment process is similar to the deployment process for other cloud platforms and is based on a template that deploys the entire Cyber Recovery Vault and its components.
Note: Deploying PowerProtect Cyber Recovery in the cloud must be performed by Dell Technologies Professional Services.
Now that we’ve talked about GCP, we should talk about CyberSense on AWS, which I know a lot of people have been waiting for. Starting in the Cyber Recovery 19.12 release, CyberSense 8.0 is also available for deployment on AWS using an AMI that can be shared with the customer’s AWS account.
Cyber Recovery users who run their vault on AWS can now deploy CyberSense in their vault, connect it to their Cyber Recovery Management Host, and use it to analyze their CR copies.
CyberSense was improved for this release and uses DDBoost (instead of just NFS) to read data from the DDVE, to make the analysis process much faster!
There’re other exciting new features coming out in Dell PowerProtect Cyber Recovery and CyberSense – so make sure to check out the latest release notes and documents.
Resources
Additional interesting resources can be found here:
Author: Eli Persin, Principal Systems Engineer
PowerProtect Cyber Recovery – Abilities and Improvements in the Cloud
Mon, 20 Jun 2022 19:01:06 -0000
|Read Time: 0 minutes
As part of organizations’ cloud journey, their presence in the cloud is increasing and they are running their development and production environment, or some of it, in the cloud.
Although running in the cloud has its own benefits, the need for cyber recovery abilities doesn’t change from on-premises to cloud, because the dangers remain the same.
Organizations understand the benefits and contributions of a working cyber recovery solution. And PowerProtect Cyber Recovery provides them exactly that, and it’s already supported on AWS.
The design is simple – organizations run their Cyber Recovery vault on their AWS cloud account. Their production site is also in the cloud. The production and the vault can be deployed in different regions or even using different cloud accounts. (It is also possible to run the Cyber Recovery vault on the cloud in conjunction with an on-premises production environment, but this option is less recommended). The production data could be protected with PowerProtect Data Manager (for example) with PowerProtect DDVE and replicated to the vault DDVE.
Until the recent PowerProtect Cyber Recovery 19.11 release, these environments were missing an important component that completes the solution on the cloud – CyberSense.
CyberSense will soon be supported on AWS, so you will be able to deploy it as an EC2 instance and be able to analyze their copies.
New also to the PowerProtect Cyber Recovery 19.11 release is the ability to use the “Secure Copy Analyze” action, which saves you from having to run “Secure Copy” first, followed by “Analyze” on the copy itself after it’s created.
You can now simply select “Secure Copy Analyze” to combine both actions:
You can also change their two “Secure Copy” and “Analyze” schedules to a single “Secure Copy Analyze” schedule. This means that if you have multiple sites replicating to the vault or multiple policies, you’ll be able to reduce the number of schedules that you need to maintain.
These new features are exciting on their own, but why stop there?
PowerProtect Cyber Recovery 19.11 also allows you to deploy the Cyber Recovery solution on Azure! Here’s a simplified view:
In this figure, notice that the Cyber Recovery components are the same as those in the on-premises and on AWS deployments. The Cyber Recovery host and a PowerProtect DD system are on an isolated subnet, and the Jump host is on another isolated subnet providing access to the Cyber Recovery server and the DDVE. (CyberSense is not supported yet on Azure.)
Note: Deploying PowerProtect Cyber Recovery in the cloud must be performed by Dell Technologies Professional Services.
Resources
Additional interesting resources can be found here:
Author: Eli Persin