Brought to you by:
Enterprise Strategy Group  |  Getting to the Bigger Truth™

ESG TECHNICAL VALIDATION

Protecting Your Business Backup Data from Ransomware Attacks

Secure Cloud Storage from Wasabi

By Vinny Choinski, Senior Validation Analyst; and Brian Garret, EVP Validation Services
OCTOBER 2021

Introduction

This ESG Technical Validation report documents an in-depth analysis of Wasabi Technologies Hot Cloud Storage and its security features. ESG performed analysis and auditing of Wasabi account and data security features and validated the benefits businesses get from Wasabi’s ability to protect an organization’s data from ransomware and other events that can lead to business disruptions. This Technical Validation report focuses on the S3-compatible Object Lock and other features, including encryption, that help to deliver business resiliency in the face of continued ransomware attacks.

Background

The need for a robust data protection strategy has increased over the past years as the value of real-time data access has become more strategic for organizations, and, according to ESG research, 82% of respondents believe cyber-risk is greater than it was 2 years ago.[1] The economics of cloud storage have also shown massive adoption. In fact, an ESG research study showed that more than 45% of respondents had a cloud-first policy for their infrastructure, and more than 68% of respondents had plans to increase cloud infrastructure spending in 2021. As shown in Figure 1, when ESG asked respondents about their public cloud infrastructure adoption, 78% indicated that they are either using or intend to use public cloud in 2021.[2] This is more than double what it was just 5 years ago. ESG has been tracking IaaS adoption since 2011 when usage surveys showed only a 17% adoption rate.
Figure 1. Public Cloud Infrastructure Adoption Rate

Percent of organizations currently using infrastructure-as-a-service (IaaS), 2017-2021.

Source: Enterprise Strategy Group

One early and still important use case for cloud-based infrastructure is the protection of corporate production data across an organization, whether that data originated in the cloud or on-premises. Now, as organizations continue to embrace digital transformation for both their business and IT groups, the use of public cloud infrastructure has become a key driver for that transformation. Organizations are also using cloud infrastructure services and cloud storage to mitigate the capital and operational expenses associated with data protection infrastructures and traditional IT hardware deployments.

Wasabi Overview

Wasabi hot cloud storage is scalable, affordable, and tier-free. Exponential data growth shouldn’t simply translate to astronomical data storage and data tier management costs. As shown in Figure 2, Wasabi hot cloud storage is a universal, one-size-fits-all cloud object storage service that eliminates confusing storage tiers and satisfies nearly all storage performance requirements. Some key use cases include secure backup and restore and data archiving. With Wasabi Hot Cloud Storage, all data is treated equally and made readily accessible no matter how hot, cool, or cold it is. Wasabi offers low-cost and highly available secure cloud storage with no tier-based latency delays, and it can be purchased as reserved capacity or in a pay-as-you-go model. There are also no ingress, egress, or API fees, which account for additional cost savings, and Wasabi eliminates the cost of testing security and recovery scenarios. With third-party integrations, Wasabi can be an organization’s single S3 storage solution to address multiple cloud workload requirements.
Figure 2. Wasabi Hot Cloud Overview

Source: Enterprise Strategy Group

Key protection capabilities and features include:

• Account Security: Wasabi supports a comprehensive set of data privacy and security capabilities to prevent unauthorized access and disclosure. Account security includes multi-factor authentication (MFA), enterprise single sign-on (SSO) options, and identity and access management (IAM) policies. Strong user authentication features tightly control access to stored data.
• Encryption: Wasabi encrypts data at rest and data in transit to prevent leakage and ensure privacy. All data stored on Wasabi is encrypted by default to protect data at rest, and all communications with Wasabi are transmitted using HTTPS to protect data in transit.
• Object Lock: Wasabi supports data immutability through “Object Lock,” which protects data against administrative mishaps or malicious attacks. Wasabi data immutability protects against the most common causes of data loss and tampering, including accidental file deletions, viruses, and ransomware. It also meets regulatory and compliance data retention management requirements.
• Wasabi Account Control Manager: The Wasabi Account Control Manager includes cloud storage account creation, management, and user billing with a secure easy-to-use, centralized management interface. Multiple storage accounts are securely managed in one place, and implementation time is dramatically reduced.

ESG Technical Validation

Wasabi provided ESG with full access to a test environment, enabling ESG to perform comprehensive testing and validation. ESG exercised, investigated, and validated all major elements of the Wasabi Hot Cloud Storage solution and its object storage security and administration features and capabilities.

Getting Started with Wasabi

Wasabi focuses heavily on simplicity and ease of use. This starts with secure login features. ESG was able to quickly configure access and log in to start administering cloud storage. The initial login screen is shown in Figure 3 below. After creating the root account, an admin can set up account security using the account settings. Some of the login security features include single sign-on, multi-factor authentication, and identity and access management using the SAML 2.0 standard. MFA is highly recommended for all administrative accounts. If the backup or storage console is breached by a cyber-criminal, the attacker can change backup policies, alter backup jobs, or delete backups. MFA can protect against unauthorized access to the storage console. Identity and access management works hand-in-hand with MFA as another layer of access controls and protection.
Figure 3. Access Management and Security

Source: Enterprise Strategy Group

Once an account is created, an access key and a secret are assigned; these become the keys for the root user. Additional access keys can be created for sub-users as well as business partners. Policies based on user credentials or on groups can be set to allow access to specific buckets, similar to what is done within AWS S3.
With access controls in place, a user can access the Wasabi management console through the login process and create buckets as shown in Figure 4. Setting up a bucket is an easy, three-step process. The first step is setting a name for the bucket and the region where data should be stored. Next, policies are set, which include:
• Bucket Versioning: When versioning is enabled, an authorized user can retrieve and restore any previous version of an object in the bucket.
• Bucket Logging: When logging is enabled, a text log file of all access to the bucket is created.
• Object Locking: Enabling Object Lock prevents objects from being overwritten or deleted for a designated amount of time. An immutable object cannot be deleted or modified by anyone, including Wasabi.
Figure 4. General Bucket Management

Source: Enterprise Strategy Group

Bucket policies can be extremely detailed, even down to the IP address. One example is a policy to prevent anyone from accessing the bucket from a specific address. Another example is to restrict certain users from deleting an object in a bucket. Policies can be created down to the folder or key level within the bucket. Wasabi uses the AWS IAM policy model as its standard and maintains strong compliance. This also has the added benefit of being a familiar protocol for many organizations.
The last step in the configuration process is a final review and acceptance of the settings made. Once accepted, the bucket is created, and the user can begin to upload files to the new bucket or configure a third-party solution such as a backup or archive software product to begin sending data to the bucket.
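The two bucket-policy examples described above (blocking one address, and stopping a user from deleting objects under a folder), written in the AWS IAM policy JSON model the report says Wasabi follows, with a small evaluator for explicit Deny statements. This is an added example, not from the ESG report or Wasabi; the bucket name, key prefix, user ARN and IP addresses are constructed placeholders, and the evaluator is a simplified model rather than the service's policy engine.

```python
import ipaddress
import json
from fnmatch import fnmatchcase

# All values below are constructed placeholders, not taken from the report.
BUCKET = "example-backup-bucket"
BLOCKED_ADDR = "203.0.113.25/32"  # documentation address range (RFC 5737)
OPERATOR = "arn:aws:iam::100000000000:user/backup-operator"

POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {   # Block every request that arrives from one specific address.
            "Sid": "DenyFromAddress",
            "Effect": "Deny",
            "Principal": {"AWS": "*"},
            "Action": "s3:*",
            "Resource": [f"arn:aws:s3:::{BUCKET}", f"arn:aws:s3:::{BUCKET}/*"],
            "Condition": {"IpAddress": {"aws:SourceIp": BLOCKED_ADDR}},
        },
        {   # Stop one user from deleting anything under a folder (key prefix).
            "Sid": "DenyDeleteForOperator",
            "Effect": "Deny",
            "Principal": {"AWS": OPERATOR},
            "Action": ["s3:DeleteObject", "s3:DeleteObjectVersion"],
            "Resource": f"arn:aws:s3:::{BUCKET}/veeam/*",
        },
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def explicit_deny(policy, principal, action, resource, source_ip):
    """Return the Sid of the first Deny statement matching the request, or None."""
    addr = ipaddress.ip_address(source_ip)
    for st in policy["Statement"]:
        if st["Effect"] != "Deny":
            continue
        principals = _as_list(st["Principal"]["AWS"])
        if "*" not in principals and principal not in principals:
            continue
        if not any(fnmatchcase(action.lower(), a.lower()) for a in _as_list(st["Action"])):
            continue
        if not any(fnmatchcase(resource, r) for r in _as_list(st["Resource"])):
            continue
        cidrs = _as_list(st.get("Condition", {}).get("IpAddress", {}).get("aws:SourceIp", []))
        if cidrs and not any(addr in ipaddress.ip_network(c) for c in cidrs):
            continue
        return st["Sid"]
    return None


if __name__ == "__main__":
    print(json.dumps(POLICY, indent=2))  # the policy document as JSON
    key = f"arn:aws:s3:::{BUCKET}/veeam/job1.vbk"
    print(explicit_deny(POLICY, OPERATOR, "s3:DeleteObject", key, "198.51.100.7"))
    print(explicit_deny(POLICY, OPERATOR, "s3:PutObject", key, "198.51.100.7"))
```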
Why This Matters
In an ESG research survey, IT professionals were asked how complex their IT environment was relative to two years ago. 75% of respondents reported that their environments have increased in complexity over the past two years, with 54% stating that their organization’s IT environment was more complex than it was two years ago, and 21% stating their organization’s IT environment was significantly more complex than two years ago. Only 5% of respondents felt their organization’s IT environment was less complex.[3]
Environments have gotten more complex and harder to manage, and there is a strong desire to simplify management as much as possible. ESG found that getting started with Wasabi Hot Cloud Storage was a straightforward process, and we had our validation environment configured in a matter of minutes. This included creating access security, building the first storage bucket, and enabling Object Lock with immutable storage.

Wasabi Cyber-resiliency and Security Features

Planning for cyber-attacks has become core to every IT organization. It's no longer if an attack will happen, but when an attack will happen. Wasabi has taken the steps necessary to protect an organization’s data from both external and internal threats as well as unintentional actions. Three cyber-resiliency features available in the Wasabi solution are identified in Figure 5 and detailed below, along with additional features.
Figure 5. Bucket Logging, Versioning, and Public Access

Source: Enterprise Strategy Group

• Bucket Logging: Wasabi supports bucket logging, which creates a text log file of all access to a bucket. The format of the log file is identical to the AWS S3 log file. Bucket logging is a recommended security best practice that can help teams uphold compliance standards and identify unauthorized access to their data.
• Versioning: The versioning feature offers an additional level of protection by providing a means of recovery when customers accidentally overwrite or delete objects. This allows recovery from unintended user actions and application failures. Versioning can also be used for data retention and archiving. The Wasabi versioning feature allows organizations to preserve, retrieve, and restore every version of every object stored in a Wasabi bucket. Once versioning is enabled for a bucket, Wasabi preserves existing objects anytime you perform a PUT, POST, COPY, or DELETE operation on them. By default, GET requests will retrieve the most recently written version.
• Public Access Override: The default bucket policy prevents public use of a bucket, folder, or file. This helps to prevent public access and data leaks. Root account users can override the default policy if the bucket is intended for public access.
• Encryption: All data stored in a Wasabi bucket is encrypted with AES-256 encryption.
• Object Locking: This is an additional, advanced compliance and security feature of Wasabi. The steps to enable Object Locking are shown in Figure 6 below.
Figure 6. Object Locking with Immutable Storage

Source: Enterprise Strategy Group

Wasabi Object Lock is a feature that prohibits modification or deletion of specific object versions during a configured retention period. The retention policy can be specified on each object placed into a bucket. Additionally, bucket-level settings can be applied so that new objects placed in a bucket will have the same default settings. To enable Object Locking, versioning is required on the bucket. Immutability is a core function of Object Locking; it is inherited by the bucket and its files, and it prevents data in Wasabi storage buckets from being encrypted by crypto ransomware. There are two modes of Object Lock:
• Governance Mode: will lock the object for the configured retention policy. However, the root user or any user with the IAM permission “s3:BypassGovernanceRetention” can bypass the retention policy and modify or delete files. This allows the flexibility required by some organizations or designated employees to modify policies.
• Compliance Mode: will lock the object for the configured retention policy, and no user can modify or delete the object until that retention policy has passed. This is often required by highly regulated organizations.
Legal Hold: Legal Hold is an additional locking mechanism that can be placed on an object in an Object Lock-enabled bucket. A legal hold will prevent the modification or deletion of an object indefinitely until the legal hold has been removed. A legal hold overrides both Governance Mode and Compliance Mode retention policies but does not remove them. After removing the legal hold, the existing Governance Mode or Compliance Mode retention policy will still be in effect.
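The retention and legal-hold rules described above, modeled as a decision function and run over constructed cases. This is an added example, not code from ESG or Wasabi; it models only the rules as this report states them, and the class names, callers and dates are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

BYPASS = "s3:BypassGovernanceRetention"


@dataclass
class ObjectVersion:
    """Lock state of one object version in an Object Lock-enabled bucket."""
    mode: Optional[str] = None              # "GOVERNANCE", "COMPLIANCE" or None
    retain_until: Optional[datetime] = None
    legal_hold: bool = False


@dataclass
class Caller:
    is_root: bool = False
    permissions: set = field(default_factory=set)


def check_delete(version, caller, now):
    """Return (allowed, reason) for modifying or deleting this object version."""
    if version.legal_hold:
        return False, "legal hold"          # indefinite, checked before retention
    active = version.retain_until is not None and now < version.retain_until
    if version.mode is None or not active:
        return True, "no active retention"
    if version.mode == "COMPLIANCE":
        return False, "compliance retention"  # no user can bypass, root included
    if version.mode == "GOVERNANCE":
        if caller.is_root or BYPASS in caller.permissions:
            return True, "governance bypass"
        return False, "governance retention"
    raise ValueError(f"unknown Object Lock mode: {version.mode!r}")


def run_scenarios():
    """Walk constructed cases through the rules and return the decisions."""
    now = datetime(2021, 10, 1, tzinfo=timezone.utc)
    until = now + timedelta(days=30)
    root = Caller(is_root=True)
    operator = Caller()
    delegated = Caller(permissions={BYPASS})
    gov = ObjectVersion("GOVERNANCE", until)
    comp = ObjectVersion("COMPLIANCE", until)
    held = ObjectVersion("GOVERNANCE", until, legal_hold=True)
    results = {
        "gov/operator": check_delete(gov, operator, now),
        "gov/delegated": check_delete(gov, delegated, now),
        "gov/root": check_delete(gov, root, now),
        "comp/root": check_delete(comp, root, now),
        "comp/expired": check_delete(comp, root, until + timedelta(seconds=1)),
        "held/root": check_delete(held, root, now),
    }
    held.legal_hold = False                 # hold removed, retention still applies
    results["released/operator"] = check_delete(held, operator, now)
    return results


if __name__ == "__main__":
    for name, decision in run_scenarios().items():
        print(f"{name:18} {decision}")
```

The governance rows show why an audit of who holds `s3:BypassGovernanceRetention` matters for backup buckets: in that mode the lock is only as strong as the set of callers able to bypass it.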
Why This Matters
Data protection is a critical part of any data management strategy. Wasabi has implemented multiple layers of protection designed to prevent the loss of data from attackers or by accident with the ability to retain records for corporate governance and compliance. This strategy includes immutability, where a user can designate certain files or “objects” to be immutable, meaning they cannot be altered or deleted by anyone until the retention period has expired. This layer of protection is essential for protecting data from cybersecurity threats, maintaining regulatory compliance, and enhancing overall data recovery.

Third-party Data Protection Integration with Wasabi

ESG tested the integration with third-party solutions. Wasabi has made integration with third-party applications a simple and easy process by adopting the S3 Object Lock API. Any vendor supporting this API can interface with Wasabi as their storage target to create immutable objects. Enabling a connection starts with creating an access key in Wasabi as shown below in Figure 7.
Figure 7. Access Key Creation

Source: Enterprise Strategy Group

Before creating the access key, a user is created in the system. This can be a current user or one dedicated to the application interfacing with Wasabi. The user is assigned permissions, including which buckets they have access to. During the process of creating an access key, the key is assigned to the user. As the key is created, the user can download the access key and secret key pair, store it in a safe place, and have it available for setting up the third-party software.
As an example, Figure 8 shows the setup process to use Wasabi as the storage repository for data backup using Veeam. If this is an entirely new configuration, a new user would be created and a local storage repository for backed-up files would be established. Then, Wasabi is set up as the off-site cloud storage target. Figure 8 shows the initial step to “Add Backup Repository” by selecting Object Storage. The user is then prompted to add the Wasabi Access Key and Secret Key. This initiates the API so the user can select which bucket is the target location from the list of buckets they have permission to use. The next step is to set the retention period, which enables immutability of the data being stored. It is important to note that if immutability is enabled on Wasabi through Object Lock in Governance or Compliance Mode, it must also be enabled in Veeam or an error message will appear as shown. Veeam also recommends encrypting files going to a backup location. Since Wasabi also encrypts the target bucket with AES-256 encryption, the organization has two layers of encryption. Once this step is complete, the connection is enabled, and the configuration is complete.
To start a backup, the data source, such as a VM, is identified. A backup schedule is created, such as a full weekly backup followed by daily incremental backups. The user has the option to Copy Backup to Object Store, which leaves a local copy, or Move Backup to Object Storage, which moves all files without leaving a copy. In most cases, to maintain multiple versions, Copy Backup is the preferred method.
Figure 8. Third Party Integration – Veeam

Source: Enterprise Strategy Group

In this case, the control over the retention, backup policies, and recovery are handled by Veeam. Should a failure take place on the Veeam server or any type of corruption leading to the rebuilding of the Veeam system, the root account can create a new Access and Secret Key associated with the original user. When the application is back online, the key can be installed, and the user can scan and find the backup’s metadata files. Data can then be recovered back to the production system. Other third-party backup and recovery solutions may not have the same sophisticated management capabilities. For customers using these types of data protection solutions, Wasabi’s encryption and immutability become the primary layers of protection for stored backup data.
Why This Matters
An ESG research survey found that an astounding 18% of respondents reported that they deal with ransomware attacks on a daily basis, 24% reported weekly attacks, 13% reported monthly attacks, and 15% reported attacks on a more sporadic basis.[4] These results emphasize the need for immutable storage, encryption, and high-performance egress/download capabilities provided by Wasabi to protect data resources from cyber-criminals.

The Bigger Truth

ESG’s analysis of Wasabi demonstrated the solution’s strong capabilities that help protect data against cyber-attacks and unintentional deletion of data and to meet governance and corporate compliance requirements. These core features are just one part of Wasabi’s story. Wasabi is designed for organizations that require high-performing, reliable, and secure cloud storage infrastructure at a minimal cost. The basic cost structure is lower than the major public clouds, and Wasabi has eliminated many of the hidden costs found with public clouds by not charging for ingress, egress, or API access.
Eliminating these costs also reduces risk. Many organizations rarely test their recovery capabilities, immutable storage, or ability to recover from a cyber-attack because the cost of moving their data is far too high. With Wasabi, these tests can be run more frequently and at no additional charge.
Wasabi also integrates into third-party applications through a standard S3 API for Object Storage. This gives customers of any application vendor willing to support the S3 API the ability to use Wasabi storage as their primary or secondary cloud storage destination. This includes data backup and recovery applications from Veeam and Commvault, FTPS vendors, such as Lucid Link, and Komprise. Some applications offer controls over data security, but for those that do not, Wasabi’s native encryption and immutability through Object Lock add the protection organizations need. Wasabi also maintains compliance with HIPAA, CJIS, GDPR, and MPA.
In addition to reducing costs and management complexity, delivering interoperability with partners, and enabling compliance with regulatory and corporate governance capabilities, ESG views Wasabi as a strong solution for cybersecurity. Ransomware is a very real threat to every organization, and Wasabi has taken the steps to provide an organization multiple options to integrate its cloud workloads into Wasabi threat protection strategies.

This ESG Technical Validation was commissioned by Wasabi Technologies and is distributed under license from ESG.

[1] Source: ESG Research Report, Cybersecurity in the C-suite and Boardroom, Feb 2021.

[2] Source: ESG Research Report, 2021 Technology Spending Intentions Survey, Jan 2021.

[3] Source: ESG Research Report, 2021 Technology Spending Intentions Survey, Jan 2021.

[4] Source: ESG Research Report, Tape’s Place in an Increasingly Cloud-based IT Landscape, Jan 2021.


All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.

Enterprise Strategy Group is an IT analyst, research, validation, and strategy firm that provides market intelligence and actionable insight to the global IT community.