IBM Thwarts Ransomware in FlashSystem with New Data Safeguard
July 26, 2021 Alex Woodie
The steep uptick in ransomware attacks this summer has gained the full attention of business and tech leaders at businesses of all sizes. It also has the attention of IT vendors, including IBM, which last week added a new data protection mechanism to FlashSystem intended to help thwart ransomware attacks.
Ransomware, which has been simmering on the security back burner for years, has roared to life this summer, thanks to several high-profile attacks that caused severe business disruptions, including Colonial Pipeline, JBS, and Scripps Health, among others. While the attacks on these large companies were headline-grabbing, they belie the full extent of the ransomware problem, particularly among smaller organizations that fly below the radar.
It feels like ransomware attacks are up, and the data actually backs that up. According to the cybersecurity firm SonicWall, ransomware attacks grew by 62 percent in 2020, which it attributes to the business disruptions caused by COVID-19. There were 304.6 million individual ransomware attacks last year, according to the 2021 SonicWall Cyber Threat Report, and through the first five months of 2021, the group detected 226.3 million ransomware attacks, a 116 percent increase.
While the IBM i server is protected from most traditional forms of malware, the server has a major vulnerability when it comes to ransomware. Data housed in the Db2 database is considered safe, but any data stored in the IFS is susceptible to being encrypted during a ransomware attack.
Now IBM is responding to the ransomware threat with an update to its FlashSystem family of all-flash storage arrays. Last week, the company announced that it has added a mechanism that automatically protects data stored on the arrays and makes it less likely that it will be encrypted during a ransomware attack.
The feature is called Safeguarded Copy. It works by creating an immutable snapshot of a customer’s data, which is then stowed in an isolated part of the system. These snapshots “cannot be accessed or altered by unauthorized users,” IBM says. If a ransomware attack occurs, or if there’s a security event or a natural disaster, the customer can recover their system using the copy of the data that has been safeguarded in the FlashSystem array.
IBM borrowed Safeguarded Copy from the high-end DS8000 arrays, which got the new feature with the release of IBM Copy Services Manager version 6.2.3 earlier this year. A key element of the technology is the mechanism that makes the snapshots immutable. According to IBM, once the data is in a Safeguarded “pool,” changes can be made to it only after it has been recovered, which eliminates the risk of data tampering or deletion.
Safeguarded Copy can be used in tandem with other data and application protection mechanisms, including FlashCopy and high availability setups. IBM recommends using Safeguarded Copies to take many frequent copies of a production environment, such as on an hourly or even 30-minute schedule, while leveraging FlashCopy for a smaller number of less frequent copies, such as weekly backups.
There are also several ways Safeguarded Copy can be used with Metro Mirror and Global Mirror high availability solutions to facilitate rapid recovery of business data in the event of a ransomware attack. IBM describes various setups in the IBM DS8000 Safeguarded Copy Redbook (the 6.3 MB PDF file can be found here).
At the end of the day, there is no silver bullet to deal with the ransomware problem, which crosses IT disciplines, including security and DR. Training users not to click on malicious URLs that appear in emails and texts is perhaps the best way to guarantee that ransomware never enters your networks and servers. But humans, of course, are fallible, and even tech-savvy experts can be tricked into clicking on bad links by crafty cybercriminals.
“Protecting against ransomware and other forms of malware requires a two-pronged approach to resiliency that involves automated protection and rapid recovery,” IBM Storage general manager Denis Kennelly said in a press release. “That’s why we’re standardizing our modern data protection software, Safeguarded Copy, across our portfolio, bringing even more cyber resiliency to IBM FlashSystem. Cyberattacks are on the rise, but data can be protected and restored when you are prepared.”