Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™


Protecting Your Business Backup Data from Ransomware Attacks

Secure Cloud Storage from Wasabi

By Vinny Choinski, Senior Validation Analyst; and Brian Garret, EVP Validation Services


This ESG Technical Validation report documents an in-depth analysis of Wasabi Technologies Hot Cloud Storage and its security features. ESG performed analysis and auditing of Wasabi account and data security features and validated the benefits businesses get from Wasabi’s ability to protect an organization’s data from ransomware and other events that can lead to business disruptions. This Technical Validation report focuses on the S3-compatible Object Lock and other features, including encryption, that help to deliver business resiliency in the face of continued ransomware attacks..


The need for a robust data protection strategy has increased over the past years as the value of real-time data access has become more strategic for organizations, and, according to ESG research, 82% of respondents believe cyber-risk is greater than it was 2 years ago.1 The economics of cloud storage have also shown massive adoption. In fact, an ESG research study showed that more than 45% of respondents had a cloud-first policy for their infrastructure, and more than 68% of respondents had plans to increase cloud infrastructure spending in 2021. As shown in Figure 1, when ESG asked respondents about their public cloud infrastructure adoption, 78% indicated that they are either using or intend to use public cloud in 2021.2 This is more than double what it was just 5 years ago. ESG has been tracking IaaS adoption since 2011 when usage surveys showed only a 17% adoption rate.
Figure 1. Public Cloud Infrastructure Adoption Rate

Percent of organizations currently using infrastructure-as-a-service (IaaS), 2017-2021.

Source: Enterprise Strategy Group

One early and still important use case for cloud-based infrastructure is the protection of corporate production data across an organization, whether that data originated in the cloud or on-premises. Now, as organizations continue to embrace digital transformation for both their business and IT groups, the use of public cloud infrastructure has become a key driver for that transformation. Organizations are also using cloud infrastructure services and cloud storage to mitigate the capital and operational expenses associated with data protection infrastructures and traditional IT hardware deployments.

Wasabi Overview

Wasabi hot cloud storage is scalable, affordable, and tier-free. Exponential data growth shouldn’t simply translate to astronomical data storage and data tier management costs. As shown in Figure 2, Wasabi hot cloud storage is a universal, one-size-fits-all cloud object storage service that eliminates confusing storage tiers and satisfies nearly all storage performance requirements. Some key use cases include secure backup and restore and data archiving. With Wasabi Hot Cloud Storage, all data is treated equally and made readily accessible no matter how hot, cool, or cold it is. Wasabi offers low-cost and highly available secure cloud storage with no tier-based latency delays, and it can be purchased as reserved capacity or in a pay-as-you-go model. There are also no ingress, egress, or API fees, which account for additional cost savings, and Wasabi eliminates the cost of testing security and recovery scenarios. With third-party integrations, Wasabi can be an organization’s single S3 storage solution to address multiple cloud workload requirements.
Figure 2. Wasabi Hot Cloud Overview

Source: Enterprise Strategy Group

Key protection capabilities and features include:

• Account Security: Wasabi supports a comprehensive set of data privacy and security capabilities to prevent unauthorized access and disclosure. Account security includes multi-factor authentication (MFA), enterprise single sign-on (SSO) options, and identity and access management (IAM) policies. Strong user authentication features tightly control access to stored data.
• Encryption: Wasabi encrypts data at rest and data in transit to prevent leakage and ensure privacy. All data stored on Wasabi is encrypted by default to protect data at rest, and all communications with Wasabi are transmitted using HTTPS to protect data in transit.
• Object Lock: Wasabi supports data immutability through “Object Lock,” which protects data against administrative mishaps or malicious attacks. Wasabi data immutability protects against the most common causes of data loss and tampering, including accidental file deletions, viruses, and ransomware. It also meets regulatory and compliance data retention management requirements.
• Wasabi Account Control Manager: The Wasabi Account Control Manager includes cloud storage account creation, management, and user billing with a secure easy-to-use, centralized management interface. Multiple storage accounts are securely managed in one place, and implementation time is dramatically reduced.

ESG Technical Validation

Wasabi provided ESG with full access to a test environment, enabling ESG to perform comprehensive testing and validation. ESG exercised, investigated, and validated all major elements of the Wasabi Hot Cloud Storage solution and its object storage security and administration features and capabilities.

Getting Started with Wasabi

Wasabi focuses heavily on simplicity and ease of use. This starts with secure login features. ESG was able to quickly configure access and log in to start administering cloud storage. The initial login screen is shown in Figure 3 below. After creating the root account, an admin can set up account security using the account settings. Some of the login security features include single sign-on, multi-factor authentication, and identity and access management using the SAML 2.0 standard. MFA is highly recommended for all administrative accounts. If the backup or storage console is breached by a cyber-criminal, the attacker can change backup policies, alter backup jobs, or delete backups. MFA can protect against unauthorized access to the storage console. Identity and access management works hand-in-hand with MFA as another layer of access controls and protection.
Figure 3. Access Management and Security

Source: Enterprise Strategy Group

Once an account is created, an access key and a secret are assigned, these becomes the keys for the root user. Additional access keys can be created for sub-users as well as business partners. Policies based on user credentials or on groups can be set to allow access to specific buckets, similar to what is done within AWS S3.
With access controls in place, a user can access Wasabi management console through the login process and create buckets as shown in Figure 4. Setting up a bucket is an easy, three-step process. The first step is setting a name for the bucket and the region where data should be stored. Next, policies are set, which include:
Bucket Versioning: When versioning is enabled, an authorized user can then retrieve and restore any previous version of an object in the bucket.
Bucket Logging: When logging is enabled, a text log file of all access to a bucket is created for the specified bucket.
Object Locking: Enabling Object Lock allows the prevention of objects from being overwritten or deleted for a designated amount of time. An immutable object cannot be deleted or modified by anyone, including Wasabi.
Figure 4. General Bucket Management

Source: Enterprise Strategy Group

Bucket policies can be extremely detailed, even down to the IP address. One example is a policy to prevent anyone from accessing the bucket from a specific address. Another example is to restrict certain users from deleting an object in a bucket. Policies can be created down to the folder or key level within the bucket. Wasabi uses the AWS IAM policy model as its standard and maintains strong compliance. This also has the added benefit of being a familiar protocol for many organizations.
The last step in the configuration process is a final review and acceptance of the settings made. Once accepted, the bucket is created, and the user can begin to upload files to the new bucket or configure a third-party solution such as a backup or archive software product to begin sending data to the bucket.
Why This Matters
In an ESG research survey, IT professionals were asked how complex their IT environment was relative to two years ago. 75% of respondents reported that their environments have increased in complexity over the past two years, with 54% stating that their organization’s IT environment was more complex than it was two years ago, and 21% stating their organization’s IT environment was significantly more complex than two years ago. Only 5% of respondents felt their organization’s IT environment was less complex.3
Environments have gotten more complex and harder to manage, and there is a strong desire to simplify management as much as possible. ESG found that getting started with Wasabi Hot Cloud Storage was a straightforward process, and we had our validation environment configured in a matter of minutes. This included creating access security, building the first storage bucket, and enabling Object Lock with immutable storage.

Wasabi Cyber-resiliency and Security Features

Planning for cyber-attacks has become core to every IT organization. It's no longer if an attack will happen, but when an attack will happen. Wasabi has taken the steps necessary to protect an organization’s data from both external and internal threats as well as unintentional actions. Three cyber-resiliency features available in the Wasabi solution are identified in Figure 5 and detailed below, along with additional features.
Figure 5. Bucket Logging, Versioning, and Public Access

Source: Enterprise Strategy Group

Bucket Logging: Wasabi supports bucket logging, which creates a text log file of all access to a bucket. The format of the log file is identical to the AWS S3 log file. Bucket logging is a recommended security best practice that can help teams with upholding compliance standards and identifying unauthorized access to your data.
Versioning: The versioning feature offers an additional level of protection by providing a means of recovery when customers accidentally overwrite or delete objects. This allows recovery from unintended user actions and application failures. Versioning can also be used for data retention and archiving. The Wasabi versioning feature allows organizations to preserve, retrieve, and restore every version of every object stored in a Wasabi bucket. Once versioning is enabled for a bucket, Wasabi preserves existing objects anytime you perform a PUT, POST, COPY, or DELETE operation on them. By default, GET requests will retrieve the most recently written version.
Public Access Override: The default bucket policy prevents public use of a bucket, folder, or file. This helps to prevent public access and data leaks. Root account users can override the default policy if the bucket is intended for public access.
Encryption: All data stored in a Wasabi bucket is encrypted with AES 256 Encryption.
Object Locking: This is an additional, advanced compliance and security feature of Wasabi. The steps to enable Object Locking are shown in Figure 6 below.
Figure 6. Object Locking with Immutable Storage

Source: Enterprise Strategy Group

Wasabi Object Lock is a feature that prohibits modification or deletion of specific object versions during a configured retention period. The retention policy can be specified on each object placed into a bucket. Additionally, bucket-level settings can be applied so that new objects placed in a bucket will have the same default settings. To enable Object Locking, versioning is required on the bucket. Immutability is a core function of Object Locking that is inherited on the bucket and files and prevents Wasabi storage buckets from encryption by crypto ransomware. There are two modes of Object Lock:
• Governance Mode: will lock the object for the configured retention policy. However, the root user or any user with the IAM permission “s3:BypassGovernanceRetention” can bypass the retention policy and modify or delete files. This allows the flexibility required by some organizations or designated employees to modify policies.
• Compliance Mode: will lock the object for the configured retention policy, and no user can modify or delete the object until that retention policy has passed. This is often required by highly regulated organizations.
Legal Hold: Legal Hold is an additional locking mechanism that can be placed on an object in an Object Lock-enabled bucket. A legal hold will prevent the modification or deletion of an object indefinitely until the legal hold has been removed. A legal hold overrides both Governance Mode and Compliance Mode retention policies but does not remove them. After removing the legal hold, the existing Governance Mode or Compliance Mode retention policy will still be in effect.
Why This Matters
Data protection is a critical part of any data management strategy. Wasabi has implemented multiple layers of protection designed to prevent the loss of data from attackers or by accident with the ability to retain records for corporate governance and compliance. This strategy includes immutability, where a user can designate certain files or “objects” to be immutable, meaning they cannot be altered or deleted by anyone until the retention period has expired. This layer of protection is essential for protecting data from cybersecurity threats, maintaining regulatory compliance, and enhancing overall data recovery.

Third-party Data Protection Integration with Wasabi

ESG tested the integration with third-party solutions. Wasabi has made integration with third-party applications a simple and easy process by adopting the S3 Object Lock API. Any vendor supporting this API can interface with Wasabi as their storage target to create immutable objects. Enabling a connection starts with creating an access key in Wasabi as shown below in Figure 7.
Figure 7. Access Key Creation

Source: Enterprise Strategy Group

Before creating the access key, a user is created in the system. This can be a current user or one dedicated to the application interfacing with Wasabi. The user is assigned permissions, including which buckets they have access to. During the process of creating an access key, the key is assigned to the user. As the key is created, the user can download the access key and secret key pair, store it in a safe place, and have it available for setting up the third-party software.
As an example, Figure 8 shows the setup process to use Wasabi as the storage repository for data backup using Veeam. If this is an entirely new configuration, a new user would be created and a local storage repository for backed up files would be established. Then, Wasabi is set up as the off-site cloud storage target. Figure 8 shows the initial step to “Add Backup Repository” by selecting Object Storage. The user is then prompted to add the Wasabi Access Key and Secret Key. This initiates the API so the user can select which bucket is the target location from the list of buckets they have permission to use. The next step is to set the retention period, which enables immutability of the data being stored. It is important to note that if immutability is enabled on Wasabi through Object Lock in Governance or Compliance Mode, it must also be enabled in Veeam or an error message will appear as shown. Veeam also recommends encrypting files going to a backup location. Since Wasabi also encrypts the target bucket with AES256 Encryption, the organization has two layers of encryption. Once this step is complete, the connection is enabled, and the configuration is complete.
To start a backup, the data source, such as a VM, is identified. A backup schedule is created, such as a full weekly backup followed by daily incremental backups. The user has the option to Copy Backup to Object Store, which leaves a local copy, or Move Backup to Object Storage, which moves all files without leaving a copy. In most cases, to maintain multiple versions, Copy Backup is the preferred method.
Figure 8. Third Party Integration – Veeam

Source: Enterprise Strategy Group

In this case, the control over the retention, backup policies, and recovery are handled by Veeam. Should a failure take place on the Veeam server or any type of corruption leading to the rebuilding of the Veeam system, the root account can create a new Access and Secret Key associated with the original user. When the application is back online, the key can be installed, and the user can scan and find the backup’s metadata files. Data can then be recovered back to the production system. Other third-party backup and recovery solutions may not have the same sophisticated management capabilities. For customers using these types of data protection solutions, Wasabi’s encryption and immutability become the primary layers of protection for stored backup data.
Why This Matters
An ESG research survey found that an astounding 18% of respondents reported that they deal with ransomware attacks on a daily basis, 24% reported weekly attacks, 13% reported monthly attacks, and 15% reported attacks on a more sporadic basis.4 These results emphasize the need for immutable storage, encryption, and high-performance egress/download capabilities provided by Wasabi to protect data resources from cyber-criminals.

The Bigger Truth

ESG’s analysis of Wasabi demonstrated the solution’s strong capabilities that help protect data against cyber-attacks and unintentional deletion of data and to meet governance and corporate compliance requirements. These core features are just one part of Wasabi’s story. Wasabi is designed for organizations that require high-performing, reliable, and secure cloud storage infrastructure at a minimal cost. The basic cost structure is lower than the major public clouds, and Wasabi has eliminated many of the hidden costs found with public clouds by not charging for ingress, egress, or API access.
Eliminating these costs also reduces risk. Many organizations rarely test their recovery capabilities, immutable storage, or ability to recover from a cyber-attack because the cost of moving their data is far too high. With Wasabi, these tests can be run more frequently and at no additional charge.
Wasabi also integrates into third-party applications through a standard S3 API for Object Storage. This allows customers of any application vendor willing to support the S3 API the ability to use Wasabi storage as their primary or secondary cloud storage destination. This includes data backup and recovery applications from Veeam and Commvault, FTPS vendors, such as Lucid Link, and Komprise. Some applications offer controls over data security, but for those that do not, Wasabi’s native encryption and immutability through Object Lock add the protection organizations need. Wasabi also maintains compliance with HIPAA, CJIS, GDPR, and MPA.
In addition to reducing costs and management complexity, delivering interoperability with partners, and enabling compliance with regulatory and corporate governance capabilities, ESG views Wasabi as a strong solution for cybersecurity. Ransomware is a very real threat to every organization, and Wasabi has taken the steps to provide an organization multiple options to integrate its cloud workloads into Wasabi threat protection strategies.
Spice up your data strategy by adding Wasabi hot cloud storage

This ESG Technical Validation was commissioned by Wasabi Technologies and is distributed under license from ESG.

Source: ESG Research Report, Cybersecurity in the C-suite and Boardroom, Feb 2021.

Source: ESG Research Report, 2021 Technology Spending Intentions Survey, Jan 2021.

Source: ESG Research Report, 2021 Technology Spending Intentions Survey, Jan 2021.

Source: ESG Research Report, Tape’s Place in an Increasingly Cloud-based IT Landscape, Jan 2021.

All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

Enterprise Strategy Group | Getting to the Bigger Truth™

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.