Two proven techniques for reducing the attack surface of your backup data are data isolation and air gapping.
Data isolation keeps secondary and/or tertiary copies on backup storage targets that are segmented from, and unreachable from, the public portions of the environment by means of virtual LAN (VLAN) switching, next-generation firewalls, or zero trust technologies. If ransomware or a malicious actor gets into the organization, the threat has a limited attack surface: the public portions of the environment may be compromised, but the isolated data cannot be reached. To be most effective, isolated environments should be reachable neither from the organization's public networks nor from the internet, and physical access to isolated resources should be secured and tightly controlled. All inbound network communication is blocked, and only restricted outbound access is allowed. Commvault then tunnels securely from the isolated storage targets to the Commvault resources and source storage targets for data replication.
Air gapping complements data isolation. Traditionally, an air-gapped network has no connectivity to public networks at all. Tape is the traditional medium for air-gapped backups because tapes can be removed from the library and stored offsite. To air gap secondary backup targets on disk or in the cloud, some connectivity is needed while data is replicating, and the connection is severed when it is not. Commvault provides secure replication to an isolated environment with air gap capabilities: the isolated environment blocks all incoming connections, and outgoing connections are restricted, which greatly reduces the attack surface. Once data is fully replicated, the connection can be severed, and the secondary data remains air gapped until it next needs to be replicated or recovered.
How They Work
Commvault’s network topology and workflow engine provide the basis for configuring data isolation and air gap solutions.
Data Isolation Using a Direct Connection
The figure below represents the overall high-level functionality of Commvault data isolation using a direct connection.
Site A is the public portion of the production backup environment. Site B is a segmented portion of the environment, isolated logically and physically. Site B communicates through the firewall over a single outbound port; everything else is blocked. The tunnel encapsulates traffic in HTTPS using TLS 1.3 with mutual certificate authentication, and connects only when both sides' certificates validate, which protects against man-in-the-middle and spoofing attacks.
Data transfer is multi-streamed through the tunnel to maximize throughput. Data on the Site B storage target is protected from ransomware and accidental deletion by Commvault's security controls, encryption, WORM and native ransomware locks for immutable storage. Replicated data is deduplicated to reduce bandwidth and storage consumption.
Once data transfer is complete, connectivity can be severed by disabling routing, enabling blocking firewall rules, or shutting systems down. Severing the connection can be scheduled with VM power management or blackout windows.
Data Isolation Using a Proxy-Based Connection
A proxy-based configuration, shown in the figure below, has the same ransomware protection and encryption benefits as a direct connection, but the two sites communicate through a proxy located between the isolated and public networks. All inbound connectivity is blocked at both sites, so each site is isolated from the other. Proxy-based configurations are common, especially when data moves between geographic locations across the internet.
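The following Python script is an added example, not Commvault code and not any firewall's native rule or export format. It models the isolated site's firewall policy that both the direct and proxy-based connections above rely on (all new inbound connections dropped, a single outbound port allowed) and checks a ruleset against that invariant, with a weak policy beside the hardened one. The rule syntax, the peer address 203.0.113.10 and the tunnel port 8443 are assumed placeholders; pinning the outbound rule to the tunnel peer's address is an extra hardening assumed here, not something the page states.

```python
"""Invariant check for the isolated site's firewall policy.

Added example, not Commvault code. The rule syntax below is an assumed,
simplified model (one rule per line: direction action proto port peer),
not an export from any particular firewall. Rules describe NEW
connections only: a stateful firewall passes the replies of an allowed
outbound connection without any inbound accept rule.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Rule:
    direction: str  # "in" or "out", from the isolated site's point of view
    action: str     # "accept" or "drop"
    proto: str      # "tcp", "udp" or "any"
    port: str       # destination port number or "any"
    peer: str       # remote address or "any"


def parse_rules(text):
    """Parse the assumed text format; '#' starts a comment."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            direction, action, proto, port, peer = line.split()
            rules.append(Rule(direction, action, proto, port, peer))
    return rules


def check_isolation(rules, tunnel_peer, tunnel_port):
    """Return the list of violations (empty list means the policy holds):
    - each direction ends in an unconditional drop (default deny)
    - no inbound accept rule at all
    - every outbound accept is pinned to the tunnel peer and port, and
      that single outbound accept is present"""
    problems = []
    for d in ("in", "out"):
        last = [r for r in rules if r.direction == d][-1:]
        if last != [Rule(d, "drop", "any", "any", "any")]:
            problems.append(f"{d}bound chain does not end in drop any any any")
    for r in rules:
        if r.action != "accept":
            continue
        if r.direction == "in":
            problems.append(f"inbound accept {r.proto}/{r.port} from {r.peer}")
        elif "any" in (r.port, r.peer):
            problems.append(f"outbound accept not pinned: {r.proto}/{r.port} to {r.peer}")
        elif (r.peer, r.port) != (tunnel_peer, str(tunnel_port)):
            problems.append(f"outbound accept to unexpected {r.peer}:{r.port}")
    if not any(r.direction == "out" and r.action == "accept"
               and (r.peer, r.port) == (tunnel_peer, str(tunnel_port)) for r in rules):
        problems.append(f"no outbound accept for the tunnel {tunnel_peer}:{tunnel_port}")
    return problems


# Constructed placeholders: Site A's tunnel endpoint and the port it listens on.
TUNNEL_PEER, TUNNEL_PORT = "203.0.113.10", 8443

# Site B policy as the text describes: one outbound port, nothing inbound.
HARDENED = """
out accept tcp 8443 203.0.113.10   # the only new connection Site B may open
out drop   any any  any
in  drop   any any  any
"""

# The same policy with two "convenience" rules that break the isolation.
WEAK = """
in  accept tcp 3389 any            # remote desktop into the isolated MediaAgent
out accept tcp 8443 203.0.113.10
out accept tcp 443  any            # unrestricted HTTPS egress
out drop   any any  any
in  drop   any any  any
"""

if __name__ == "__main__":
    for name, text in (("hardened", HARDENED), ("weak", WEAK)):
        print(name, check_isolation(parse_rules(text), TUNNEL_PEER, TUNNEL_PORT) or "OK")
```

Run it against a ruleset exported from the isolated site's firewall (translated into the line format above) as a pre-flight check before opening the tunnel; any non-empty result means the site is reachable in a way the isolation design does not allow.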
Air Gapping
The simplest method of air gapping is VM power management, a Commvault capability that automatically shuts down a MediaAgent virtual machine when it is not in use and starts it only when needed. This method requires a hypervisor in the isolated environment and needs no additional scripts.
Another method is to create blackout windows using scripts and workflows. Blackout windows are defined time frames during which backup and administrative tasks are not allowed to run on isolated resources. Outside blackout windows, the resources are brought online by scheduled scripts that reside on the air-gapped resource (such as the MediaAgent). This method can be used with any storage target or network device.
The trade-off of air gapping is its effect on recovery point objectives (RPOs): while resources are powered off, data replication does not run. Depending on the environment, resources and service level requirements, replication jobs queue until the destination targets come back online, so the RPO must be planned around the windows. To limit this effect, Commvault multi-streams replication inside the one-way encrypted tunnel to maximize throughput while the connection is open.
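The following Python script is an added example, not Commvault code: Commvault's blackout windows and VM power management are configured in the product, and this stand-alone model only shows how a blackout schedule determines when replication can run and what worst-case RPO results, which is the planning problem the paragraph above describes (it equally applies to scheduling the severed connection in the direct-connection section). The blackout schedule (the target air gapped 06:00 to 22:00 every day), the 90-minute replication run time and the timestamps are constructed values.

```python
"""Blackout-window planning for an air-gapped replication target.

Added example, not Commvault code. Times are minutes since Monday 00:00
within a 7-day week (0 .. 10079); blackout windows are half-open
(start, end) pairs in those units and may wrap past Sunday midnight.
"""
from bisect import bisect_left
from datetime import datetime

WEEK = 7 * 24 * 60  # 10080 minutes


def minute_of_week(ts: datetime) -> int:
    """Map a datetime to minutes since Monday 00:00 (seconds ignored)."""
    return ts.weekday() * 1440 + ts.hour * 60 + ts.minute


def normalize(windows):
    """Blackout windows as sorted, non-wrapping half-open intervals;
    a window crossing the Sunday/Monday boundary is split in two."""
    out = []
    for start, end in windows:
        start, end = start % WEEK, end % WEEK
        if start < end:
            out.append((start, end))
        else:
            out.append((start, WEEK))
            out.append((0, end))
    return sorted(out)


def in_blackout(minute, windows):
    """True when replication and admin tasks must not run at this minute."""
    m = minute % WEEK
    return any(s <= m < e for s, e in normalize(windows))


def allowed_intervals(windows):
    """Complement of the blackout windows. An allowed interval spanning
    Sunday midnight is merged into one (its end exceeds WEEK) so that
    back-to-back runs are scheduled continuously across the wrap."""
    free, cursor = [], 0
    for s, e in normalize(windows):
        if s > cursor:
            free.append((cursor, s))
        cursor = max(cursor, e)
    if cursor < WEEK:
        free.append((cursor, WEEK))
    if len(free) > 1 and free[0][0] == 0 and free[-1][1] == WEEK:
        first, last = free.pop(0), free.pop()
        free.append((last[0], WEEK + first[1]))
    return free


def run_starts(windows, run_minutes):
    """Start minutes of back-to-back replication runs of run_minutes each.
    A run only starts if it can finish before the next blackout window,
    so a change arriving late in an allowed interval waits for the next."""
    starts = []
    for a, b in allowed_intervals(windows):
        s = a
        while s + run_minutes <= b:
            starts.append(s % WEEK)
            s += run_minutes
    return sorted(starts)


def next_run_start(minute, windows, run_minutes):
    """First scheduled run start at or after `minute`; the result is
    >= WEEK when the next run falls in the following week."""
    starts = run_starts(windows, run_minutes)
    if not starts:
        raise ValueError("no allowed interval is long enough for one run")
    i = bisect_left(starts, minute % WEEK)
    return starts[i] if i < len(starts) else starts[0] + WEEK


def worst_case_rpo(windows, run_minutes):
    """Largest age, in minutes, a change can reach before the first run
    starting after it has completed: (rpo, minute of week where it begins)."""
    starts = run_starts(windows, run_minutes)
    if not starts:
        raise ValueError("no allowed interval is long enough for one run")
    worst = (0, 0)
    for t in range(WEEK):
        i = bisect_left(starts, t)
        s = starts[i] if i < len(starts) else starts[0] + WEEK
        rpo = s + run_minutes - t
        if rpo > worst[0]:
            worst = (rpo, t)
    return worst


# Constructed schedule: the target is air gapped 06:00-22:00 every day and
# reachable overnight; each replication run is assumed to take 90 minutes.
DAILY_BLACKOUT = [(day * 1440 + 6 * 60, day * 1440 + 22 * 60) for day in range(7)]
RUN_MINUTES = 90

if __name__ == "__main__":
    m = minute_of_week(datetime(2024, 1, 1, 9, 0))  # a Monday morning (constructed)
    print("in blackout:", in_blackout(m, DAILY_BLACKOUT))
    print("next run starts at minute:", next_run_start(m, DAILY_BLACKOUT, RUN_MINUTES))
    rpo, at = worst_case_rpo(DAILY_BLACKOUT, RUN_MINUTES)
    print(f"worst-case RPO {rpo} min ({rpo / 60:.1f} h) for a change at minute {at}")
```

With the constructed schedule, the last 90-minute run that still fits starts at 04:00, so a change made at 04:01 is not protected until the first run of the following night completes at 23:30, a worst-case RPO of 1169 minutes (about 19.5 hours). Shortening the blackout, shortening the run (the multi-streaming the text mentions), or adding a second window is how that number is brought within the service level requirement.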