The statistics are chilling. Last year, there were nearly 300 million ransomware attacks. That’s a 72% increase during the pandemic. And each successful attack nets an average ransom of $300,000. That number represents a 171% increase during the same period. And the threat is escalating as attackers become more organized, more capable, and exploit new entry points, like mobile and edge devices.
There are no guarantees in defending an enterprise cloud environment from ransomware. And if your applications are cloud-native, you have an elevated set of worries owing to the particular challenges of securing reliable point-in-time backups or checkpoints that include data volumes as well as application configuration information (metadata). If you consider that emerging ransomware threats target the backups themselves—via the operator console or the physical devices—enterprises have some important choices to make about how they are going to reliably secure their data (and their users’ data) for business continuity and regulatory compliance.
Legacy Ransomware Solutions Don’t Work in a Cloud-Native Environment
Ransomware protection in a legacy environment is addressed by many solutions in the market. For cloud-native environments, it’s a new world. Complex and distributed databases require complex and robust security solutions. The sheer quantity of data to identify and protect in a cloud-native environment is a hurdle, and safeguarding applications only happens when apps and their data are backed up. As IDC analyst Lucas Mearian noted, “As container production deployments grow, there’s a need for data protection that includes detection and defense against ransomware, as traditional data protection methods may not scale well in containerized environments.” (IDC 2021, #US48131821)
The amount of time required to run backups at the necessary intervals and then recover once an episode occurs impacts both the efficiency and productivity of a production environment, which leads to lost revenue. The rapid pace of work in an agile, cloud-native world requires a data protection solution that can keep up. Legacy solutions are almost certainly a non-starter.
Consider this obvious reality: backups mean nothing without the ability to recover and reorchestrate a point-in-time. And while we have already touched on the pointlessness of long backup windows, slow recoveries are an even bigger concern with legacy backup and disaster recovery (DR) solutions. Prolonged data recovery windows can severely impact business operations, not to mention cause huge losses for businesses (reputation, customers, revenue) during an outage. In order to avoid these issues, businesses need ways to accelerate recovery speeds.
A more nuanced weakness of legacy backup and DR solutions for cloud-native environments is that they are often cobbled together leveraging technologies that are not ready for enterprise-grade environments. This leads to issues like failed backups, lack of visibility into backup status and inconsistent recovery point objectives. This inconsistency can lead to issues with the deployment and management of backups.
Also, consider the problem of trustable recovery and isolation testing to identify vulnerabilities such as malware or misconfigurations. Cloud backup and DR solutions are more reliable, fast and secure than legacy solutions and thus provide greater peace of mind. Data that is backed up consistently, that is easy to access, and that can be recovered faster will provide companies with a more productive staff not just when disaster strikes, but in everyday operations. By not wasting time managing multiple RPOs and waiting for sluggish backups and recoveries to finish, companies can innovate more and manage backup and DR less.
Protecting the Attack Points in Your Backup & Recovery Systems
Keeping backup copies of data and “point-in-time captures” is the most effective means of thwarting ransomware attacks, since there’s no need to pay to recover data if there’s another copy of the data safe and sound. However, attackers are becoming increasingly sophisticated and have started targeting backups first.
Attackers frequently try to penetrate the backup system either through the administrative console (accessing the primary Kubernetes storage cluster) or the storage media itself (S3 or NFS) in order to modify and delete point-in-time data. As a result, organizations can lose data and not even know about it until later. This greatly inhibits an enterprise’s ability to restore business operations after their data is held ransom.
Critical Considerations for Cloud-Native Ransomware Protection
Let’s look at some of the unique challenges faced when securing data in a Kubernetes environment. First and most obvious is the number of players involved in a cloud-native application’s chain of responsibility. There are application developers, GitOps managers, DevOps engineers, cloud architects and IT Ops team members, and of course, line-of-business owners and C-level stakeholders. Each has a role to play.
Next, let’s consider the criticality of securing backups on an application-centric level. All apps running on a Kubernetes cluster must be protected (no matter what deployment method was used: Labels, Helm charts, Namespaces, and Operators): every object, every piece of data, and every piece of metadata must be secured so the precise state of a point-in-time can be recovered.
And just like we do in legacy environments, the backups need to be stored elsewhere. In the case of a Kubernetes environment, that means—at the very least—storing the backups outside the cluster.
The NIST CyberSecurity Framework as a Trusted Guide
Trilio recommends that all cloud-native backup models leverage the NIST Cybersecurity Framework. NIST has documented a series of well-respected, comprehensive security best practices in this framework, and we’ve aligned the design of our cloud-native ransomware offering, TrilioVault for Kubernetes, to this framework. The “Day 2” data management capabilities of TrilioVault for Kubernetes—backup and recovery, DR, data migration, and ransomware protection—are modeled after NIST best practices. Specifically, it uses the best practices that are detailed in the Data Integrity projects of the National Cybersecurity Center of Excellence (NCCoE) at NIST. The three main components of the framework are shown in the figure below.
[Figure: Three components of the National Cybersecurity Center of Excellence Framework. Corresponding features help deliver comprehensive ransomware protection and recoverability for cloud-native applications.]
The primary benefits of aligning to the NIST Cybersecurity Framework for enterprises running cloud-native applications are consistency of data protection schemes so that learnings can be shared across industries, and the benefits that come from taking an approach that doesn’t cause administrative overhead. While backup immutability and encryption are useful enabling technologies standardized in the NIST framework, it’s important to remember that the framework does not relate to one or two features in a backup and recovery model; it has to be comprehensively built into the entire approach.
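The two passages above describe attackers modifying or deleting point-in-time data through the console or the storage media so that the loss is only discovered at restore time, and name immutability and encryption as enabling technologies. The following is an added example, not code from Trilio or TrilioVault for Kubernetes, of the detection side of that problem: every object in a capture (volume archives and application metadata) is digested, the digest set is signed with an HMAC key that is assumed to be held outside the cluster (in a KMS or HSM, for instance), and a verification pass run before any restore reports modified, missing or unexpected objects. The capture contents, paths and key are constructed for the example; immutability itself (object lock, retention policies) is a storage feature this code does not replace.

```python
"""Tamper detection for point-in-time backup sets (constructed example)."""
import hashlib
import hmac
import json
from dataclasses import dataclass, field

# Constructed point-in-time capture: data volume archives plus the
# application metadata (Helm values, manifests) needed to reorchestrate it.
SAMPLE_CAPTURE = {
    "pvc/orders-db-0.tar": b"\x00postgres base backup bytes\x00",
    "pvc/orders-media.tar": b"image blobs ...",
    "meta/helm-values.yaml": b"replicaCount: 3\nimage: orders:1.4.2\n",
    "meta/manifests.json": b'{"kind":"List","items":[]}',
}

# Assumed: the signing key lives outside the cluster (e.g. a KMS or HSM),
# so console or bucket access alone is not enough to re-sign a manifest.
OFFSITE_KEY = b"constructed-demo-key-do-not-use"


def _digest(blob: bytes) -> str:
    return hashlib.sha256(blob).hexdigest()


def _sign(objects: dict, key: bytes) -> str:
    # Canonical JSON so the HMAC does not depend on dict ordering.
    payload = json.dumps(objects, sort_keys=True, separators=(",", ":")).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


def build_manifest(capture: dict, key: bytes) -> dict:
    """Record a digest for every object in the capture and sign the set."""
    objects = {path: _digest(blob) for path, blob in capture.items()}
    return {"objects": objects, "signature": _sign(objects, key)}


@dataclass
class VerifyReport:
    signature_ok: bool
    modified: list = field(default_factory=list)
    missing: list = field(default_factory=list)
    unexpected: list = field(default_factory=list)

    @property
    def recoverable(self) -> bool:
        # Unexpected extra objects are reported but do not block a restore.
        return self.signature_ok and not (self.modified or self.missing)


def verify_capture(capture: dict, manifest: dict, key: bytes) -> VerifyReport:
    """Compare what is in storage now against the signed manifest."""
    expected = manifest["objects"]
    sig_ok = hmac.compare_digest(manifest["signature"], _sign(expected, key))
    report = VerifyReport(signature_ok=sig_ok)
    for path, want in expected.items():
        if path not in capture:
            report.missing.append(path)
        elif _digest(capture[path]) != want:
            report.modified.append(path)
    report.unexpected = sorted(p for p in capture if p not in expected)
    return report


def demo() -> dict:
    """Run the check over a clean, a damaged and a forged capture."""
    manifest = build_manifest(SAMPLE_CAPTURE, OFFSITE_KEY)
    clean = verify_capture(SAMPLE_CAPTURE, manifest, OFFSITE_KEY)

    # Constructed incident: one volume archive rewritten and a metadata file
    # deleted in storage; without the manifest this surfaces only at restore.
    tampered = dict(SAMPLE_CAPTURE)
    tampered["pvc/orders-db-0.tar"] = b"encrypted by intruder"
    del tampered["meta/helm-values.yaml"]
    damaged = verify_capture(tampered, manifest, OFFSITE_KEY)

    # Constructed incident: the manifest rebuilt to match the damaged set.
    # The signature fails because the offsite key was not available.
    forged = build_manifest(tampered, b"wrong-key")
    forged_report = verify_capture(tampered, forged, OFFSITE_KEY)
    return {"clean": clean, "damaged": damaged, "forged": forged_report}


if __name__ == "__main__":
    for name, rep in demo().items():
        print(name, "recoverable" if rep.recoverable else "DO NOT RESTORE", rep)
```

Running the block prints one line per scenario: the clean capture is recoverable, the damaged one lists the rewritten archive and the deleted metadata file, and the forged manifest is rejected on its signature even though its object list is internally consistent. In practice the manifest would be written alongside the capture at backup time and re-verified on a schedule, so a silent change to the stored objects is detected long before a restore is attempted.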
In a recent Angelbeat virtual seminar that we participated in, it was noted that only a year ago, CNCF survey data informed us that 78-80% of enterprises are using Kubernetes for data storage and applications. With that kind of market penetration, with the sophistication of contemporary ransomware threats, and with the ineffectiveness of legacy backup solutions for cloud-native applications, there is a perfect storm brewing that enterprises need to prepare for if they’re going to weather the threat of ransomware attacks sinking their businesses. Fortunately, the NIST framework gives us a sound, reliable guide to follow.
About the Author:
Justin Bartinoski is the Vice President of Marketing at Trilio where he oversees global marketing, including brand, messaging, product marketing and demand generation activities for the company’s cloud-native data protection platform.