As I mentioned in the previous blog post (Ransomware, Security, NextGen Storage, and You), we’ll be walking through various Pure capabilities and see where they layer into a defense in depth security strategy.
First up, snapshots!
TLDR = FlashArray snapshots can be your fastest way to recover in the event of a ransomware attack or security event. They’re simple to configure, flexible, and can be sent off-array for longer retention.
Back to the Beginning
It’s hard to believe I started using true pointer based snapshots back in 2003 (yes, before Pure Storage was even a gleam in Coz’s eye).
First, a quick review. As we all know, pointer based snapshots (also known as redirect on write) changed the use of snapshots by offering benefits such as:
- Instant – since a snapshot simply captures a block map of the volume metadata, it is literally instant.
- Redirect on write – new writes are written to new blocks and avoid the performance overhead of “copy on write” snapshots.
- Immutability – to be true to the concept, snapshots should not be able to be modified – period. This is especially critical from a security perspective.
Pure Snapshots, Day 1
Pure didn’t stop with regular snapshot benefits but thought through both what’s possible on an all flash array as well as what makes sense with the benefit of looking at previous snapshot implementations.
- No hierarchy or dependency – this is huge. A snapshot isn’t dependent on any other snapshots or volumes even if the source is deleted.
- Policies / Complexity – snapshot settings are not tied to an individual volume but rather a policy that can be applied to multiple volumes. Speaking from previous experience, this matters a LOT for day to day operations. Imagine having a default snapshot policy you apply to volumes on creation.
- Performance – 100% metadata so no performance impact.
- Data Efficiency – no Snapshot Reservations / reservation planning needed. Snapshots are always thin provisioned, deduplicated, and compressed.
- Instant Recovery – can turn a snapshot into a full volume at any time OR use it to roll a volume forward/backward.
For most customers, we recommend creating default snapshot policies as a safety net. There’s no practical reason not to and snapshots can always be removed if needed to regain space.
There are a ton of resources available from Pure on this topic – it’s a feature our customers truly use. Here’s a few.
- FlashRecover Snapshot blog post
- FlashRecover Snapshot white paper
- All Pure Blog posts with “Snapshot” in the title.
Snapshots – Going Further
What if you want to keep snapshots for a longer period than you have space on the array? Wouldn’t it be great if you could archive snapshots in an array-native format to a local NFS target (fast or slow depending on your needs) or to the cloud?
That’s exactly what Snap to NFS & CloudSnap do.
- Snap to NFS – store snapshots in an array-native format to a local NFS target potentially for longer than you’d want to keep snapshots local to the array. This could be anything from an inexpensive disk target (do think about restore speeds though) or a Pure FlashBlade (crazy fast snapshot restore). Bringing a snapshot back to the array is a one click operation in the Purity GUI.
- CloudSnap – same idea BUT to the cloud (where cloud = S3 target today…more targets to come in the future). Same simple setup, same simple restore process. You do want to think about your internet pipe and speed of course – not just for sending snapshots to the cloud but also pulling them back from the cloud.
- Portability – snapshots archived to the cloud are portable and can be mounted by another Pure array whether it’s a Cloud Block Store (i.e. running in AWS) or a Pure array with Direct Connect to AWS.
- Want a screenshot walkthrough? Check out this blog or these videos (demos, lightboards, Cloud Field Day).
What about ransomware?
Or…what about ransomware and other security events?
One thing I’ve found interesting in talking with customers is that from a data recovery perspective many have discounted or forgotten about snapshots. Often this is for good reason – snapshots aren’t space efficient, are painful to manage, etc.
But…if those day to day operational issues are addressed (as Pure does), snapshots become the best first line of defense. They shouldn’t be your only line of defense BUT if you have a storage snapshot available, it will be the single fastest way to recovery – restoring a Pure snapshot is instant. It’s just a metadata operation after all (and we focus on metadata scalability and speed).
Let’s look at it from a different perspective – even if you have your data protected otherwise, how long will it take to restore? After a certain amount of time, a long restore turns into the same as not having any backups – the financial/reputational/operational impact can’t be avoided if the restore takes hours to days to weeks. Snapshots avoid this issue.
If you’ve made it this far, hopefully the conclusion above is obvious. My first manager managed liked to talk about “belt and suspenders”. I wouldn’t trust my data protection or ransomware recovery strategy solely to snapshots but they’re a great tool to have available. I also know firsthand of customers where snapshots have been what’s saved them even after they forgot they’d setup them up long ago.
Questions? Concerns? Do let me know – we’ll continue this series by looking at another Rapid Restore option (although still not as fast as snapshots).
Thanks for reading!