Continuous, Near Continuous Backup and Ransomware

Ransomware attacks have made it necessary to engage in granular data, operating system, application and file system backups.

Traditionally, backups have been scheduled events in which we simply send large data dumps to external storage or tape. Dumping data to an external server does not amount to much of a ‘recovery’ process. Many firms don’t have playbooks to recover an application, and many don’t have a real disaster recovery strategy or environment.

Along with encrypting data everywhere, data deduplication was developed, which saves space by removing unnecessary data copies. While deduplication minimized overhead and permitted block-by-block restores, it was only part of a new backup architecture, as backups were still a single-event-driven process.

With ransomware and other malware attacks, continuous data protection is now mandatory. Continuous data protection is a schedule-free backup process that is change driven rather than time dependent: every time a file changes, it’s backed up. While this sounds simple, there’s more going on under the hood.

Continuous backup benefits

Continuous backups have some clear benefits from a ransomware protection perspective. With continuous backups, IT teams can revert files back to the version that existed before a ransomware incident and recover as if the attack hadn’t spread. This replaces the monolithic recovery approach to backups with a more focused strategy.

Even in cases where larger-scale backups are necessary, IT teams’ recovery point objectives (RPOs) can be much shorter because backups are not minutes or hours old. This can be a huge benefit to organizations struggling to fit backups into a non-production window as they attempt to handle today’s larger data volumes.

Another advantage is reduced storage overhead. With continuous backups, a single backup is performed at setup; after that it captures changes only. While this process can take a long time at the outset, the space required over the long term can be much less than you might expect after the initial setup.

Because many organizations devote storage space to irrelevant and stale data, only capturing changes can result in staggering space savings, unless you’re also doing some level of versioning. The storage ratio also depends on whether continuous backups take place at the file or block level. Continuous block-level backups are much more space efficient than file-level backups.

Continuous backup downsides

Despite the benefits, continuous backups also have disadvantages — most notably, the speed they require. The disks that capture the changes have to be fast, or users will experience lags as they access and change data.

Understanding backup options

IT teams have a variety of options to structure their organization’s backup processes. Not every backup needs to be a full, comprehensive recovery file — in fact, such a structure wouldn’t be time or cost effective. Alternative options include incremental and differential backups, as well as the newer synthetic-full and incremental-forever backup methods.

As a result, continuous backups must keep pace with the fastest storage in an organization’s IT environment. This can be problematic, especially when using tiered storage. Similarly, for data transfers, the environment must have sufficient resources to effectively perform two writes for every single write.

It’s possible to get around this limitation by using near-continuous backups: data snapshots performed every hour, rather than on every file action. This can reduce overhead and offer an acceptable RPO without the cost of continuous backups.

In addition to performance concerns, there’s also the issue that continuous data protection uses a single backup source. Both the data repository and the file or block mapping are critical to ensuring that backups are intact and ready in the event of an attack. Damage, deletion or corruption to either of these pieces could render the entire backup infrastructure useless. Other backup systems include virtual or physical tape, where the tape contents are often stored on the media and in the library itself in the event of an issue.
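An added illustration, not part of the original article, of the change-driven, block-level capture and point-in-time restore described under the benefits above, and of why both the data repository and the block mapping have to stay intact. The BlockJournal class, the 4 KiB block size, the file name and the timestamps are assumptions made for this sketch, and the XOR step is only a constructed stand-in for content overwritten during an incident.

```python
import hashlib

BLOCK = 4096  # assumed block size for this sketch

class BlockJournal:
    """Toy change-driven backup: block repository plus a per-file version mapping."""
    def __init__(self):
        self.blocks = {}    # repository: sha256 hex -> block bytes
        self.versions = {}  # mapping: path -> [(timestamp, [block hashes])]

    def capture(self, path, data, ts):
        """Record a change; return bytes of newly stored (not yet seen) blocks."""
        hashes, new_bytes = [], 0
        for i in range(0, len(data), BLOCK):
            chunk = data[i:i + BLOCK]
            h = hashlib.sha256(chunk).hexdigest()
            if h not in self.blocks:
                self.blocks[h] = chunk
                new_bytes += len(chunk)
            hashes.append(h)
        self.versions.setdefault(path, []).append((ts, hashes))
        return new_bytes

    def restore(self, path, before_ts):
        """Rebuild the newest version captured strictly before before_ts."""
        older = [v for v in self.versions.get(path, []) if v[0] < before_ts]
        if not older:
            raise LookupError(f"no version of {path} before {before_ts}")
        _, hashes = max(older, key=lambda v: v[0])
        return b"".join(self.blocks[h] for h in hashes)

    def verify(self):
        """List block hashes the mapping needs that are missing or altered."""
        bad = set()
        for history in self.versions.values():
            for _, hashes in history:
                for h in hashes:
                    blk = self.blocks.get(h)
                    if blk is None or hashlib.sha256(blk).hexdigest() != h:
                        bad.add(h)
        return sorted(bad)

def demo():
    """Constructed sample: initial copy, a one-block edit, then a full overwrite."""
    j = BlockJournal()
    v1 = b"A" * BLOCK + b"B" * BLOCK + b"C" * BLOCK
    v2 = b"A" * BLOCK + b"X" * BLOCK + b"C" * BLOCK   # one block edited
    v3 = bytes(b ^ 0x5A for b in v2)                  # stand-in for encrypted content
    stored = [j.capture("report.db", d, ts) for ts, d in ((100, v1), (200, v2), (300, v3))]
    return j, stored, j.restore("report.db", before_ts=300) == v2
```

In demo(), the one-block edit stores 4096 new bytes where a file-level copy would store all 12288, and the restore before timestamp 300 returns the edited file as it was before the overwrite. Deleting a single entry from blocks makes verify() report it and makes every version that references it unrestorable.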

Finally, performing and maintaining continuous backups can get expensive. While the price tag might be tough for some organizations to handle, others find that the benefits of having a record of every transaction are worth the costs of top-tier data transfer and storage.

In a ransomware attack, continuous backups offer more than just the ability to restore — they can also help IT teams determine how the ransomware entered the organization, and even point them to the source and root cause of the incident. This is invaluable in ensuring the same issue doesn’t occur again after recovery. Continuous backups can also be valuable for auditing and compliance when dealing with legal counsel or cyber insurance following a ransomware attack.

Continuous backups aren’t a magic bullet against ransomware, but they are an important tool in IT teams’ arsenals. While continuous or near-continuous backups can reduce the RPO window and storage overhead, these benefits must be balanced against the system’s cost and potential effects on the organization’s production storage environment.
