![\"Data](\"https:\/\/nsrd.info\/blog\/wp-content\/uploads\/2019\/10\/bigStock-Data-Security.jpg\")
Aside: Why not use tape?<\/em><\/strong><\/p>\n\n\n\n There’s two elements to the secret sauce:<\/p>\n\n\n\n Let’s run through what they deliver.<\/p>\n\n\n\n First, let’s consider the simple issue that we hear of from time to time: “our backups got encrypted by ransomware, too”, or “our backups got targeted by the ransomware”. The problem there is that those backups were permanently visible to an operating system vulnerable to ransomware. They were written to a local filesystem for the OS (e.g., a Windows D:\\ drive), or to a standard SMB or NFS share. Any process running on the operating system could see the files, and any infected process with administrator privilege could scramble the content.<\/p>\n\n\n\n When you’ve done a Boost backup (e.g., via Avamar, NetWorker, Boost for Databases\/Apps or PowerProtect), neither the client, the server or (with NetWorker) the storage node directly mount<\/em> the storage. The Boost API allows the accessing host to get details of a particular file path they can send data to, but the path is never mounted.<\/p>\n\n\n\n So it doesn’t matter if your Windows (or even, egads! Linux) backup server gets infected with Ransomware \u2014 the backups are not there<\/em> to get impacted.<\/p>\n\n\n\n When you login as say, the sysadmin user on Data Domain, you don’t get to see the underlying filesystem. Data Domain as a protection storage platform is a true appliance. So a nefarious virus can’t just drop a payload onto a Data Domain \u2013\u00a0it just doesn’t work that way.<\/p>\n\n\n\n If you want further protection than the above, you’ve got the option to work within a backup appliance. Avamar is natively an appliance, and so too is PowerProtect. NetWorker can be deployed as an appliance, too. At that point, yes, there’s an underlying Linux operating system (as is so often the case with appliances), but it’s not for general consumption. You can’t just log remotely in as the root user, for instance. Your traditional Windows ransomware can’t impact the system, the systems have pretty tight security just from the install, let alone before you do any hardening. (Check the individual product security guides for additional details on how you can do that hardening.)<\/p>\n\n\n\n Data Domain supports a variety of hardening techniques. This gives you an added layer of protection. For that extra protection, work through the Data Domain OS security guide.<\/p>\n\n\n\n Data Domain retention lock allows you to set rules on stored data preventing deletion or modification even by the application that stored it until a specific period of time has expired. That way even if something issued a delete instruction to the backup server, retention lock will prevent it from taking place. (Turns out the computer really can say no.)<\/p>\n\n\n\n And then there’s the big guns. A full cyber-recovery solution gives you vaulted protection for your critical data, held not just under retention lock, but also featuring options to automatically test and analyse the transferred data. The data copy placed in the cyber-recovery vault is outside the visibility and control of your regular backup environment, essential in providing another layer of protection.<\/p>\n\n\n\n Virus scanning, firewalls and other forms of end-point protection clearly don’t provide sufficient protection against ransomware. You can guarantee that practically every company that’s been hit by ransomware has had virus scanners and firewalls in place, after all. But when ransomware hits, it hits fast, and there’s always a period between when the ransomware first makes it into the wild and when virus definitions are updated.<\/p>\n\n\n\n So one of your first phases of planning ransomware defence is to plan to recover, and Data Domain and Boost will provide you the bedrock underpinning for that recovery.<\/p>\n","protected":false},"excerpt":{"rendered":" Ransomware is practically a fact of life. Criminals, script kiddies and other malfeasant individuals make a living from Ransomware. Businesses…<\/p>\n","protected":false},"author":1,"featured_media":8476,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"jetpack_post_was_ever_published":false,"_jetpack_newsletter_access":"","_jetpack_dont_email_post_to_subs":false,"_jetpack_newsletter_tier_id":0,"_jetpack_memberships_contains_paywalled_content":false,"_jetpack_memberships_contains_paid_content":false,"footnotes":"","jetpack_publicize_message":"","jetpack_publicize_feature_enabled":true,"jetpack_social_post_already_shared":true,"jetpack_social_options":{"image_generator_settings":{"template":"highway","default_image_id":0,"font":"","enabled":false},"version":2}},"categories":[1181,21],"tags":[1343],"class_list":["post-8475","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-data-domain-2","category-security","tag-ransomware"],"aioseo_notices":[],"jetpack_publicize_connections":[],"jetpack_featured_media_url":"https:\/\/nsrd.info\/blog\/wp-content\/uploads\/2019\/10\/bigStock-Data-Security.jpg","jetpack_shortlink":"https:\/\/wp.me\/pKpIN-2cH","jetpack_sharing_enabled":true,"jetpack_likes_enabled":true,"_links":{"self":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/8475","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/comments?post=8475"}],"version-history":[{"count":5,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/8475\/revisions"}],"predecessor-version":[{"id":8481,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/posts\/8475\/revisions\/8481"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/media\/8476"}],"wp:attachment":[{"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/media?parent=8475"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/categories?post=8475"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/nsrd.info\/blog\/wp-json\/wp\/v2\/tags?post=8475"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}1 \u2013 A Boost Backup is Off-Platform to Your Backup Server<\/h2>\n\n\n\n
2 \u2013\u00a0Data Domain Does Not Have an Accessible Filesystem<\/h2>\n\n\n\n
3 \u2013 Using a Backup Appliance Gives You Even More Protection<\/h2>\n\n\n\n
4 \u2013\u00a0Data Domain Hardening<\/h2>\n\n\n\n
5 \u2013\u00a0You can use Retention Lock<\/h2>\n\n\n\n
6 \u2013\u00a0Cyber Recovery<\/h2>\n\n\n\n
Wrapping Up<\/h2>\n\n\n\n