Ransomware - Immutable Backups Guide for Nexsan Unity
  • 08 Nov 2023
  • 4 Minutes to read
  • Dark
    Light
  • PDF

Ransomware - Immutable Backups Guide for Nexsan Unity

  • Dark
    Light
  • PDF

Article summary

Ransomware

Nexsan Unity is an on-premise NAS hardware device that delivers outstanding performance at an affordable price point with its combined software-driven block-based storage, file-based storage, and object-based storage. Its object-based storage uses MinIO. MinIO provides an open-source, scalable storage service for secure on-premise data protection on a Nexsan Unity system.

With its Object Lock capabilities, MinIO enables customers to lock specific files for a retention period, such that no one, not even the root user on the account, can delete the files until the time has passed. See MinIO documentation for more details. PDF version also available.

Overview

Ransomware attacks are increasingly sophisticated, having the capability of watching for cloud account credentials, deleting backups and cloud storage, then encrypting everything and demanding a ransom. It’s imperative to build defenses against this escalating attack. SMBs and large businesses need a backup target that allows them to lock backups for a designated time period. Many of the major cloud providers now support object locking, also referred to as Write-Once-Read-Many (WORM) storage or immutable storage. Users can mark objects as locked for a designated period of time, preventing them from being deleted or altered by any user.

Retrospect Backup integrates seamlessly with this new object lock feature. Users can set a retention period for backups stored on supporting cloud platforms. Within this immutable retention period, backups cannot be deleted by any user, even if ransomware or a malicious actor acquires the root credentials. Retrospect Backup’s powerful policy-based scheduling allows it to predict when those backups will leave the retention policy and protect any files that will no longer be retained, ensuring businesses always have point-in-time backups to restore within the immutable retention policy window.

Using ProactiveAI for advanced scheduling logic, Retrospect provides a rolling window of immutable backups, combining forever-incremental backups with point-in-time restores even after the initial backup passes out of the immutable retention policy.

For more information about backing up to MinIO with Retrospect Backup, see

Step-by-Step Guide

Retrospect Backup makes it easy to add an immutable retention policy with Nexsan Unity. The MinIO Console and credentials are available on Nexsan Unity from the top navigation bar under "Storage" and then "Object Storage".

The MinIO Console provides a user interface for accessing the object storage.

However, the Console does not expose the entire set of functionality that MinIO supports. To create a bucket that supports immutable backups, you would need to use the command-line interface, but Retrospect can auto-create the bucket with the appropriate settings.

When creating a backup set, simply check "Immutable Retention Policy" and specify the number of days. Retrospect Backup will mark any backups to MinIO as immutable until that date in the future and delete any backups that are no longer protected by the retention policy, saving costs on storage space.

Let’s walk through the steps to create an immutable backup.

Retrospect: Add a destination. On Windows, select "Backup Sets" then "Create". On Mac, select "Media Sets" and click "Add". Select type "Cloud". Then click "Immutable Retention Policy" and specify the number of days to protect your backups.

For an existing bucket, type in the appropriate path and credentials.

For a new bucket, type in the object store URL and the appropriate credentials and append the name of the bucket you’d like to create:

Retrospect: Add the destination to a script, and set the script grooming policy to match the retention period. By ensuring the two time periods match, Retrospect Backup will automatically delete backups that fall outside of the retention policy.

You can always verify the retention period of a file in Cyberduck under the file’s "Info" tab.

MinIO CLI

To create a bucket outside of Retrospect, you need to use the MinIO command-line interface (CLI):

  1. On an Ubuntu 18.04 System, follow this video tutorial onMinIO with Standalone Erasure Coding.
  2. Install the MinIO client.
  3. Run the following commands from the [MinIO documentation] using the MinIO client:
  4. Setup client to work with your MinIO installation using MinIO Documentation.

mc alias set <ALIAS> <YOUR-S3-ENDPOINT> [YOUR-ACCESS-KEY] [YOUR-SECRET-KEY]

  1. Create a bucket with object locking enabled.

mc mb <ALIAS>/objectlock --with-lock (i.e. mc mb minio/objectlock --with-lock)

Your bucket is created.

Under The Hood

Every backup within the retention period is an immutable backup with point-in-time restore capabilities. Because each backup is incremental, Retrospect only transfers the files that are new or have changed since the last backup. However, you can always restore any part of a backup in Retrospect.

Retrospect Backup uses its advanced scheduling workflow to make sure every immutable backup includes all applicable files. Let’s say the chosen retention period is 90 days, and backups occur every week. Retrospect Backup starts backing up. When it gets to Day 85, it looks ahead to the upcoming back on Day 92, marks which files will no longer be protected on that date based on when they were last backed up, and adds them to the new immutable backup.

With the grooming policy set to match the retention policy, Retrospect will automatically delete the backups that are no longer immutable, saving you storage space while ensuring every file is protected by an immutable backup.

The maximum allowed retention period by Retrospect is 9,999 days.

Last Update: February 15, 2022


Was this article helpful?