[gpfsug-discuss] Ransom attacks

Lindsay Todd rltodd.ml1 at gmail.com
Thu May 27 19:17:37 BST 2021


Henrik,

Generally you need to begin with a good backup or replica, as well as
suitable air-gaps to isolate contamination.  You also need to be able to
quickly detect unusual activity - an SIEM tool like QRadar might help.
Assume that a cyber-incident will happen and plan accordingly.  Use
in-depth security.  But you are right - you lose one of the advantages of
tape - you can make duplicate copies, maybe even a WORM copy, and store it
offsite.

You might at the very least want to take snapshots of the storage being used by
Spectrum Protect, and have separate administrators for the ESS and SP
server (to reduce inside risk).  If it was actually GPFS being backed up to
SP, you could have a second GPFS file system that is a point-in-time
synchronized copy of the original GPFS file system - with its own
snapshots.  It could have yet another sysadmin, and you could isolate the
second copy from the network when not actively synchronizing. See
https://www.redbooks.ibm.com/abstracts/redp5559.html?Open

That might not make sense if GPFS is holding the SP backup data, but SP can
do its own replication too - and could replicate using storage from a
second GPFS file system off-site.  Take snapshots of this second storage,
as well as the SP database, and again manage with a second sysadmin team.


*Lindsay Todd, PhD*
*Spectrum Scale (GPFS) Solution Architect*
*IBM Advanced Technology Group – Storage*
*Mobile:* *1-518-369-6108*
*E-mail:* *lindsay at us.ibm.com* <lindsay at us.ibm.com>


On Thu, May 27, 2021 at 11:10 AM Henrik Morsing <henrik at morsing.cc> wrote:

>
> Hi,
>
> It struck me that switching a Spectrum Protect solution from tapes to a
> GPFS filesystem offers much less protection against ransom encryption
> should the SP server be compromised. Same goes really for compromising an
> ESS node itself, it is an awful lot of data that can be encrypted very
> quickly.
>
> Is there anything that can protect the GPFS filesystem against this kind
> of attack?
>
> Regards,
> Henrik