Infinidat Blog

GDPR compliance: Don't forget to consider data loss due to ransomware attacks

Since the General Data Protection Regulation (GDPR) enforcement date was set at the end of May 2018, discussions about the risk of data breaches have been abundant. A breach is a high-risk scenario for any business keeping private data, and requires a lot of attention (see my previous blog on this topic).


The focus on data breaches, while warranted, has overshadowed another critical requirement in GDPR, which in some ways is diametrically opposite: data loss. So, what’s the difference? A data breach is when an unauthorised third party gains access to private data that only the organisation was supposed to access. Data loss is when the organisation itself can no longer access its customers’ private data. In recent years, the most common cause of data loss was ransomware attacks, with prominent names like WannaCry, Petya (and then “NotPetya”) and CryptoLock. In 2017, ransomware attacks were the most common malware attacks, accounting for over 70 percent in some sectors (e.g. healthcare).


With many challenges to overcome, has your organisation developed a robust strategy for ransomware attacks?


Challenge 1 - Detecting a ransomware attack

Modern ransomware attacks stay hidden for a long time in order to encrypt as much data as possible before being detected. When the attack hits a critical threshold, it locks the user out and asks for crypto-currency. This behaviour is very efficient but is also the Achilles’ heel of this attack vector: since changes accumulate over time, they can be detected if there is a mechanism that tracks changes. This mechanism comes for free with any modern storage solution - snapshots!

Snapshots, which usually consume a minimal percentage of a dataset’s size, will start to inflate and consume capacity. If your storage array provides any sort of monitoring and alarms for capacity consumption, the organisation can easily detect this rise in capacity and react long before the attackers lock the users out.


Challenge 2 - Respond rapidly to a ransomware attack

If the silent ransomware attack was able to encrypt 100 terabytes (TB) of data, for example, over a week, the backups from that week are also compromised and can’t be used to recover the data. So now the administrators are forced to recover 100TB over the network from a backup target, which will take hours without any guarantee that the recovery doesn’t contain corrupted files.

However, a snapshot’s size will immediately suggest whether it contains encrypted data.

So, if an organisation using snapshots can access them, test the data inside them and immediately recover the right snapshot, it reduces recovery times from days to minutes.
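The detection and recovery-point selection described in Challenges 1 and 2 can be sketched as follows. This is an added example, not Infinidat code or an InfiniBox API: the snapshot names, sizes and thresholds are constructed, and it assumes each figure is the capacity changed during the interval that ended when that snapshot was taken.

```python
from statistics import median

# Constructed sample: daily snapshots of one 100 TB dataset.
# Each entry is (snapshot name, GB changed in the interval ending at that snapshot).
DATASET_GB = 100_000
SNAPSHOTS = [
    ("snap-day01", 410), ("snap-day02", 380), ("snap-day03", 450),
    ("snap-day04", 395), ("snap-day05", 420), ("snap-day06", 440),
    ("snap-day07", 405), ("snap-day08", 9_800), ("snap-day09", 14_200),
    ("snap-day10", 15_100),
]


def flag_inflated(snapshots, dataset_gb=DATASET_GB, window=7,
                  factor=5.0, min_pct=2.0, min_history=3):
    """Return the names of snapshots whose change volume is anomalous.

    A snapshot is flagged when its change volume exceeds `factor` times the
    median of the last `window` unflagged snapshots AND exceeds `min_pct`
    percent of the dataset. The second condition suppresses alerts on tiny
    datasets where a 5x jump is still only a few GB.
    """
    flagged, clean = [], []
    for name, changed_gb in snapshots:
        # No baseline until min_history clean snapshots exist, so an attack
        # in the very first intervals is not detected by this method.
        baseline = median(clean[-window:]) if len(clean) >= min_history else None
        pct_of_dataset = 100.0 * changed_gb / dataset_gb
        if (baseline is not None and changed_gb > factor * baseline
                and pct_of_dataset > min_pct):
            flagged.append(name)
        else:
            clean.append(changed_gb)  # only unflagged snapshots feed the baseline
    return flagged


def last_clean_snapshot(snapshots, flagged):
    """Newest snapshot taken before the first flagged one (recovery candidate)."""
    names = [name for name, _ in snapshots]
    if not flagged:
        return names[-1] if names else None
    first_bad = names.index(flagged[0])
    return names[first_bad - 1] if first_bad > 0 else None


if __name__ == "__main__":
    bad = flag_inflated(SNAPSHOTS)
    print("inflated:", bad)
    print("recovery candidate:", last_clean_snapshot(SNAPSHOTS, bad))
```

The recovery candidate is only a starting point: as the text says, the data inside the snapshot still has to be tested before it is restored.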


Challenge 3 - Preventing storage capacity explosion

One risk which isn’t typically mentioned in the context of a ransomware attack is that the additional capacity consumed over its ‘silent’ time can take existing storage arrays from their average capacity of 80% to 100%, hence crashing applications.

A bigger storage array means more free space to allow administrators time to identify and respond to the ransomware attack. However, a bigger array also means more consolidation, and hence requires a higher level of reliability. The dual controller architecture originally designed in the 1990s for a few terabytes can't provide the new level of reliability required for the petabyte age.



The InfiniBox special sauce to combat ransomware attacks

While the hardware in an InfiniBox is shared between consumers, InfiniBox offers capacity pools that allow customers a way of separating critical applications from one another. In this way, InfiniBox’s capacity pools allow customers to guarantee that capacity explosion in one area, which is corrupted with ransomware, can’t bring down applications in other pools. This is similar to how customers segment their network to minimise the risk of attackers moving between hosts.

On top of this segmentation that protects at the pool level, InfiniBox's scale provides protection at the system level, as free capacity is centralised instead of spread between many smaller arrays. This extends the time administrators have to detect and react to a ransomware attack.


Additional benefits capacity pools provide to protect against ransomware attacks:

  • Capacity guarantees: Separating pre-allocated (guaranteed) capacity from non-committed, shared capacity that is only consumed on-demand.
  • Warning: Real-time monitoring of its capacity to alert administrators of the threat.
  • Automatic response: When a pool is full, the system will respond based on the growth policy set for that specific pool. Policies may:
    • Prevent the pool from growing automatically - usually applies to non-critical apps
    • Allow the pool to grow but only within certain limits - usually applies to more important apps only
    • Allow the pool to grow as much as is needed - mission critical apps that shouldn’t be allowed to crash even if they grow very rapidly

Protection from ransomware attacks (and data loss in general) requires a multi-faceted approach: Snapshots offer both detection and speedy recovery from these attacks. Capacity pools offer the separation required to safeguard mission critical apps as well as dynamic capacity management that prevents the need to pre-provision capacity.



About Eran Brown
Eran Brown is the EMEA CTO at INFINIDAT.
Over the last 14 years, Eran has architected data center solutions for all layers — application, virtualization, networking and most of all, storage. His prior roles include Senior Product Management, systems engineering and consulting roles, working with companies in multiple verticals (financials, oil & gas, telecom, software, and web) and helping them plan, design and deploy scalable infrastructure to support their business applications.