VMware Cloud Disaster Recovery

Operational “Air-gapping” in the Fight Against Ransomware

2 Key Elements of Operational Isolation / “Air-gapping”

Recently, my colleague Sazzala Reddy wrote a blog about VMware Cloud Disaster Recovery’s Scale-out Cloud File System (SCFS), summarizing its inherent design and characteristics that enable rapid ransomware recovery. He covers how backup copies alone are not sufficient anymore and that a new type of filesystem is needed to recover from ransomware – a filesystem that enables a deep history of backup copies, instant VM power-on for rapid experimentation, immutable copies, protection against data corruption, and cost efficiency.

Building on those core concepts, this blog expands into the need for DR solutions to deliver operational isolation (or operational “air-gapping”) and how VMware Cloud DR’s design and components deliver this important requirement.

Let’s define the key elements of operational isolation. Analysts commonly point to two elements: 1) operational isolation of the DR system itself, including the repository where the recovery points are stored, to prevent ransomware from encrypting existing recovery points, and 2) the ability to instantiate an isolated recovery environment (IRE) to prevent ransomware from infecting production systems during the staging, experimentation, and evaluation process.

#1: Operational Isolation of the DR System, Including the Repository

First, VMware Cloud DR’s recovery points are immutable backup copies stored offsite in the cloud, in the Scale-out Cloud File System. Ransomware cannot encrypt those existing copies because data written to a log-structured (LFS) filesystem cannot be modified. (Again, see Sazzala’s blog, which explains this in more detail.) In addition, VMware Cloud DR’s replication transfer protocol is proprietary, so ransomware cannot use common insecure network protocols (such as file shares) to reach the recovery points in the first place.

At the solution level, VMware Cloud DR itself is a SaaS service, fully operated and managed by VMware, with a management domain separate from the customer’s production environment. Therefore, authentication, authorization, and role-based access controls are different from those of the customer’s production environment. Ransomware cannot gain access to the VMware Cloud DR management domain simply by compromising the customer’s production management domain. VMware Cloud DR credentials are managed by the VMware Cloud Services Platform (CSP), whereas on-premises production credentials are usually managed by the customer’s corporate AD or LDAP. A second perimeter of defense that protects the DR solution and repository is better than having a single set of credentials for the production and DR environments.

#2: Instantiating Isolated Recovery Environments (IREs)

During the recovery process, all recovery points are considered infected/affected by ransomware until proven otherwise. Therefore, candidate recovery points must be initially staged in an IRE from which ransomware cannot escape to production environments.

VMware Cloud SDDCs are perfect for this purpose: clean clusters can be created on demand and isolated from the rest of the world. (A VMware Cloud DR pilot light environment can be isolated as well.) These SDDCs are not only cost efficient but also maintain the integrity of the on-premises production systems, preserving evidence for forensics.

Recovery points can then be staged in these SDDCs for security testing, evaluation, and cleansing. Even when the candidate recovery points (VMDKs) are accessible in the IRE, the original stored blocks in the SCFS are not at risk of compromise because they are immutable, and the IRE is actually accessing a cloned copy.

Later, SDDCs can be destroyed and recreated as needed, thanks to the elasticity of the cloud. Only once VMs and data have explicitly satisfied all security criteria is the environment connected back into production.
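The two properties above, an append-only repository whose stored blocks cannot be rewritten, and an IRE that works on a clone so that nothing done during staging reaches the original recovery point, can be modelled in a few dozen lines. The following is an added example, not VMware’s code and not a description of the SCFS implementation: it assumes a hypothetical content-addressed store where blocks are keyed by SHA-256 digest, a recovery point is a frozen list of digests, and the IRE’s clone keeps its writes in a private overlay. The indicator string, block contents and recovery-point names are constructed for the demonstration.

```python
import hashlib
from dataclasses import dataclass, field


class ImmutableRepositoryError(Exception):
    """Raised on any attempt to change data already written to the repository."""


class LogStructuredRepository:
    """Hypothetical append-only, content-addressed store (not the SCFS):
    blocks are keyed by SHA-256 digest; a committed recovery point is a
    frozen tuple of digests and can never be edited in place."""

    def __init__(self) -> None:
        self._blocks: dict[str, bytes] = {}
        self._recovery_points: dict[str, tuple[str, ...]] = {}

    def put_block(self, data: bytes) -> str:
        digest = hashlib.sha256(data).hexdigest()
        self._blocks.setdefault(digest, data)  # dedup identical content, never overwrite
        return digest

    def commit_recovery_point(self, name: str, blocks: list[bytes]) -> tuple[str, ...]:
        if name in self._recovery_points:
            raise ImmutableRepositoryError(f"recovery point {name!r} already exists")
        digests = tuple(self.put_block(b) for b in blocks)
        self._recovery_points[name] = digests
        return digests

    def recovery_point(self, name: str) -> tuple[str, ...]:
        return self._recovery_points[name]

    def read_block(self, digest: str) -> bytes:
        return self._blocks[digest]

    def overwrite_block(self, digest: str, data: bytes) -> None:
        # Deliberately no code path that replaces stored bytes.
        raise ImmutableRepositoryError("repository is append-only; blocks cannot be rewritten")

    def clone(self, name: str) -> "StagedClone":
        """Hand the IRE a private, copy-on-write view of a recovery point."""
        return StagedClone(self, name, list(self._recovery_points[name]))

    def verify(self, name: str) -> bool:
        """Recompute every digest; False if any stored bytes no longer match."""
        return all(hashlib.sha256(self._blocks[d]).hexdigest() == d
                   for d in self._recovery_points[name])


@dataclass
class StagedClone:
    """Clone mounted inside the IRE. Writes land in a private overlay; the
    repository the clone was taken from is never touched."""
    repo: LogStructuredRepository
    source: str
    digests: list[str]
    overlay: dict[str, bytes] = field(default_factory=dict)

    def read(self, index: int) -> bytes:
        d = self.digests[index]
        return self.overlay[d] if d in self.overlay else self.repo.read_block(d)

    def write(self, index: int, data: bytes) -> None:
        d = hashlib.sha256(data).hexdigest()
        self.overlay[d] = data
        self.digests[index] = d


def scan_clone(clone: StagedClone, indicator: bytes) -> list[int]:
    """Defender's check run inside the IRE: indices of blocks carrying a
    known indicator (a constructed marker in this example)."""
    return [i for i in range(len(clone.digests)) if indicator in clone.read(i)]


def promote_to_production(clone: StagedClone, indicator: bytes) -> list[bytes]:
    """Only a clone with no remaining indicators is released from the IRE."""
    hits = scan_clone(clone, indicator)
    if hits:
        raise RuntimeError(f"clone still carries indicators in blocks {hits}; keep it isolated")
    return [clone.read(i) for i in range(len(clone.digests))]


def demo() -> dict:
    """Constructed walk-through: stage the newest point, find it tainted,
    fall back to an older point from the history, release that one."""
    marker = b"ENCRYPTED-MARKER"  # constructed indicator, not a real IoC
    repo = LogStructuredRepository()
    repo.commit_recovery_point("rp-001", [b"config v1", b"payroll.db", b"webroot"])
    repo.commit_recovery_point("rp-002", [b"config v1", marker + b"payroll.db", b"webroot"])

    ire = repo.clone("rp-002")
    ire.write(2, marker + b"webroot")  # activity inside the IRE changes only the overlay
    blocked = False
    try:
        repo.overwrite_block(ire.digests[0], marker)
    except ImmutableRepositoryError:
        blocked = True

    rejected = False
    try:
        promote_to_production(ire, marker)
    except RuntimeError:
        rejected = True

    return {
        "ire_hits_in_rp002": scan_clone(ire, marker),
        "repo_blocked_overwrite": blocked,
        "rp002_still_intact": repo.verify("rp-002"),
        "original_webroot_block": repo.read_block(repo.recovery_point("rp-002")[2]),
        "newest_rejected": rejected,
        "restored": promote_to_production(repo.clone("rp-001"), marker),
    }


if __name__ == "__main__":
    print(demo())
```

The point of the model is the shape of the control, not the toy scan: the repository exposes no operation that rewrites a committed block, everything the IRE does lands in the clone’s overlay, and `verify` on the original recovery point still passes after the staging session. Falling back to `rp-001` is where the deep history of recovery points from the earlier blog pays off.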

Designed from the Start for DR Operational Isolation

Operational isolation (operational “air-gapping”) is critical to DR. VMware Cloud DR was designed from the very beginning for its systems and repository to be operationally isolated and for instantiating isolated recovery environments.

To get started with VMware Cloud Disaster Recovery: