The Modern Data Protection Need for Cleanroom Technology

The Modern Data Protection Need for Cleanroom Technology

Chris EvansCommvault, Data Practice: Data Protection, Data Protection, Podcast, Video

Ransomware is driving the data protection industry to create new technologies that mitigate the impacts of a cyberattack.  Cleanrooms provide businesses an effective way to perform test recoveries, both as a regular task and also in the case of an emergency.  Here’s why you need to consider adopting a cleanroom strategy.

Background

News of new ransomware attacks has become an almost daily occurrence.  The sophistication of infiltration methods continues to increase, with financial loss and reputational risks as the consequences of a security breach.  Every business should now be implementing a ransomware mitigation strategy that expands on traditional data protection, as the implications of not having a strategy can be profound.    

One solution for creating an effective ransomware mitigation strategy is to use a cleanroom; an isolated computing environment into which backups can be restored, either to validate integrity or to clean up the data.  To understand why this approach differs from traditional backup & restore, we need to examine the reasons why a ransomware attack and typical data loss scenario are different.

Certainty

Traditional backup and restore is used to recover from common data loss scenarios such as inadvertent data deletion, software corruption (bugs) or hardware failure.  For companies with sufficient budget, backup can be evolved into disaster recovery, with entire replica secondary private sites or “pilot light” sites in the public cloud that take over in the event of a primary site failure.  In these scenarios, backup images (and replicated copies) are assumed to be secure and have recovery integrity or be a faithful copy of the primary.  By this, we mean that the recovery is expected to work, and the backup images haven’t been compromised by a ransomware attack or otherwise corrupted.

Backups could be compromised, for example, by containing dormant ransomware code.  In many instances, hackers also target backup systems as a first wave of an attack, hoping to prevent a business from performing a successful recovery.

Simply assuming that backup images are safe to use for a restore is now a flawed process.  Primary systems could have been infected for months prior to the launch of an attack, leaving dormant ransomware code in months of previous backups.    

Reactive

The nature of cyber-protection has also changed in recent years.  Initially, ransomware responses were reactive in nature, responding to an attack or breach with a data recovery process.  Modern ransomware protection is now much more pro-active, looking to identify potential attacks at an early stage, and mitigate or remove them. 

New techniques include zero-trust networks and honeypots, for example.  We highlighted the evolving approach to data protection that incorporates data security in a blog post from 2022 (link here).  Ultimately, the entire cyber-protection process needs to pivot to a proactive stance, putting in place processes to identify and respond to attacks but in a way that has much greater chance of succeeding to restore normal operations.

Cleanroom

How does the concept of a cleanroom assist in improving the ability to respond to a cyberattack?  As we highlighted earlier, effective ransomware recovery relies on trusted backups that can be used to quickly recover from a ransomware incident.  However, testing every backup after creation can be both a costly and risky exercise, depending on the volume of applications running within an organisation.

Recovery testing can be risky, because recovered data could cause IP address and DNS conflicts, or even security issues.  The safest way to test backups is to restore into a completely isolated and secure environment – a cleanroom. 

The cleanroom provides a secure and isolated networking environment into which applications can be safely restored without causing conflicts with production systems.  In addition, the isolation ensures that only personnel that need access are granted it.  A secondary copy of live production applications is itself, a valuable asset to be protected.

We see the following scenarios where a cleanroom environment could be used.

  • Backup image validation.  The cleanroom is used to validate that the backup data is recoverable and free from malware infection.
  • Recovery process testing.  A cleanroom can be used to validate the process of recovery, including testing restoring critical components such as DNS, Active Directory, and core applications. 
  • Forensic analysis.  As a cleanroom is safely isolated, the environment could be used to investigate malware code by restoring an infected system into the cleanroom.

Cost Optimisation

One final consideration in the use of a cleanroom is optimising the cost of backup image testing.  The public cloud provides the perfect environment into which a cleanroom can be deployed.  Virtual instances, storage and networking, are all charged by usage (generally time-based), with the capability to create isolated multi-tenant environments, either through unique accounts or virtual private networks.  Using the public clouds to create a cleanroom, individual applications (or an entire suite) can be tested quickly and cost-efficiently, keeping infrastructure in use for only the time the testing takes place.  Once finished, the cleanroom environment can be securely deleted.

Of course, it would be possible to manually script and automate the processes needed to build a cleanroom from existing backups.  However, Commvault (a leading data protection company) has automated the process for its customers with a feature called Cleanroom Recovery, which we briefly discussed as part of the Q4 FY2024 company financial results

Cleanroom Recovery provides Commvault customers with the capability to take existing backups and easily build test environments to validate backup recovery (otherwise called “Backup Assurance”) as frequently as desired.  While testing every single backup may be a little excessive (but still possible), Cleanroom Recovery provides more frequent testing than is typically performed with disaster recovery processes (which may only be once or twice a year).

We recorded a webinar with Commvault Director of Product Marketing, Thomas Bryant, where we discuss the need for Cleanroom technology and how Commvault has implemented Cleanroom Recovery.  You can find the video embedded here.

The Architect’s View®

With the openness of modern IT systems, protecting against a ransomware attack is a challenging process and made more complex by the rate of change in operational deployment.  Businesses must transition to a proactive protection regime, where IT departments can demonstrate recoverability.  This also needs to include a discussion of service levels, applying Recovery Time and Recovery Point Objectives to ransomware recovery. 

Rather than assume backups are suitable for data recovery, Commvault’s Cleanroom Recovery enables customers to provide their application owners “Recovery Assurance” by testing restoration of data and the recovery process. We expect cleanroom technology to be a key piece of every enterprise organisation’s future data loss prevention strategy.

Copyright (c) 2007-2024 – Post #d22a – Brookend Ltd, first published on https://www.architecting.it/blog, do not reproduce without permission. 

Commvault is a client of Architecting IT and has sponsored this video episode.