Skip to Content
52:04 Video

Indestructible Backups with FlashArray SafeMode and Veeam Hardened Repositories

Backups are your last line of defense against cyber attacks. Are you doing everything you can to ensure an attacker doesn't destroy yours?
Click to View Transcript
Mm welcome to this session for pure accelerate tech fest 22 where my colleague jay Dee Wallace and myself will talk, we're gonna talk to you about indestructible backups with flash or a safe mode and VM hardened repositories. Hey man, that that actually is kind of bringing back some memories.
Maybe a little deja vu. Didn't we already do a session on this? Yeah, you would be correct in saying that J D. That's right for those of you that may have caught our session last year. If you accelerate, this is an update to that session where we show you what's changed with safe mode and again, how that works with the and this time concentrating on their heart and repository
technology and how the two together will make your backups indestructible protect you against all of those malware worries and phones out there in the world like like built in suspenders, mayonnaise and peanut butter. That is a good one. So yeah, we, we started last year's session with, you know, kind of finding the problem and what ransomware was and obviously it's a big
threat. I'm pretty sure we don't have to do that for this audience this year. I think you may be a believer already you understand the threat that upon us but if not, there's probably a lot of other sessions here to accelerate that you can go and check out and get that story and we'll be here waiting for you when you come back. Just just hit pause, go you know,
go go here about the story the problems we're having come right back. Well wait and we'll wait and we'll tell you what, how to answer that problem now for those of you that stuck with us and welcome back to those that maybe took a break. Let's move on. So again, I don't like last year but that's kind of how we frame that ransomware attack mitigation, right?
It's broken into these three parts right before the attack deterring the attack and after the attack. Yeah. And really we're doing a lot of different stuff in all of these different spaces before the attack. We've got the simplicity. One of the things that we've really started to highlight this year though is how we're using tools like flash blade to get quick access to
your log files so that when you've got to do forensics after the fact you can get that really quickly and get back up and running. And of course after the attack being able to recover incredibly quickly, you make sure that those backups are there and you were still really quickly but Zane we're gonna focus on that middle one for our session today, aren't we? That's correct.
That immutable plus safe mode or sometimes I would say immutable plus resiliency. Right, immutable plus how do we really hard that data so that all else fails? That data is there and ready for us to recover it's very easy to manage in an in scalable way. Mhm. So one more plug for that. Review it here with the accelerate 2021 session where it was immutable VM backups of flash racy
safe mode, concentrated on C were really just kind of talking about Flash ray this time itself and hardened repository. So again that session from last year, you could talk about what it was like then and here is now the update. So let's start with some of the safe mode enhancements since accelerate 2021. Right, you watched the session or you took a chance to go see it,
you can compare against them. So array wide safe mode right? Basically safe mode. Turn it on. The entire ray follows those rules. Right. JD So that's technically not new though. Right? That's what we've had essentially since, you know, we talked about the subject last year I think what's new though is because we need to
distinguish against some of the more granular safe mode options were being really deliberate about calling it array wide safe mode. Right? That's right. That's right, yeah, we would we just called a safe mode if you watched last year's session safe mode, I turned it on. Here's the protection but really Yeah,
that's that's not defined as a ray wide. So not new tech new kind of definition. And the reason is we move into per protection group safe mode and kind of what we're going to hone in a lot of today, you know, just just to make that distinction. Yeah. So what we found was after the session last year, a lot of people started to use these tools together and they noticed that especially
when using pure storage when using flash rate as their primary storage, they started to run into some issues where a lot of volumes were getting created or a lot of snapshots were getting created because of the automation that VM uses to interface with the flash array. And so a big part of what we're going to talk about today is actually how some of these enhancements that we have with safe mode are
helping to to eliminate some of those problems that we previously had. That's right, that's right. It was great to have the protection and you you were glad you had it and didn't have it. But really yes, now that we get more granular, we can kind of get out of the way and let you know the front end, do what it needs to do best but still protect that data on the back end and then
we're gonna cover another enhancement. Global volume protection for safe mode. We've caught it. I think it might have been an internal term ubiquitous p groups, you might have heard that but basically this global volume protection, right? Having a way to get closer to, you know, as volumes are created and management's happening on the ray,
we gotta we, you know, don't want to manually miss or forget to to include that protection. So a way to kind of automate that protection for all data that's sitting on top of the array. How do we help make it So that it's really hard to forget to do something and not have a safe mode. Actually kind of plays into that last one. Really well, auto on safe mode. Now we've had a couple of blog posts about this.
You may have actually heard about it. Auto on safe mode is kind of the next coming in the 6.3 purity code but not 6.3 dot Oh so we're actually not gonna dig too deeply into it today other than to say probably if not by the time you hear this session shortly thereafter will have auto on safe mode which is just again making it easier to make sure this is up and running when you upgrade to the version of purity that has this safe mode is
going to be on and ready to go for you, yep. I think that's right. So let's let's get into it. I think this actually leads us to our first demo where we're going to show how the purple group, right? JD we're gonna say per P group, how it's turned on, how you extend that eradication delay. Right? Because that's a big part of this still like it
was last year and then you know, lock that thing or what actually the term you'll hear is ratcheted, right? We ratchet that that on. So let's let's get started here. So This is our 6.3 code for safe mode. And you'll see right there, it's disabled. So in the Ui itself it's disabled. That's how you know. So the eradication delay right here in the
Gooey and you can actually adjust this customer as a customer. You can adjust this yourself. You can see the must be 1 to 30 days, Have some discussion on. Should it be that long? I like 7-14. So we're gonna just seven for this demo. Then we're gonna go under protection groups.
And this is that per P group. We can talk about that per protection group and we're gonna go ahead up and set up a new protection group or a new P group. You might hear us refer to refer to it as. So default group with safe mode some very very obvious names here. I really creative but you know, it makes it easy to figure out later what that's all about.
And the default part will come and play later. There's that retention lock, you'll see it says unlocked, highlight that there. So you know where you're at. And then we can go into the protection group itself and we can enable the schedule. Right? So protection group includes the snapshot schedule that's just like P groups before these
ones are default disabled. Those are the default it comes with. Now. Now Zane, I noticed that you're doing this before you get to that new box down there, that says safe mode. That's probably because once we turn on safe mode, we're gonna be restricted from doing a couple of things. Like maybe reducing the schedule.
Right? That's correct. Right? That's one of the features of safe mode. Not like unlike it was last time where once those settings are set, nobody can go in and defeat it by changing those settings, making them very small or you know, less less often or keeping them for for that for that
retention schedule replications also controlled here, we're not gonna do that today, but that is something you would also set. And again, once you enable safe law, a safe motor would be locked and then here and I'm gonna pause it here to highlight this. This is that that piece that like you said, you're safe mode at the bottom we turn this on. It's gonna set those settings in stone.
If you will right, the snapshot is going to be taken, they're gonna be kept retained for a certain amount of time. You have that eradication delay. It's not until you flip this on on the P group as we see here. So purple group again that we, the term using now is called ratcheted, right? We're going to ratchet that on until this point.
It's all self service and once that switch is flipped it will take the normal process through through support to authenticate with the with the pins and such to to change. So then you mentioned about having pins. That's a good point. So you can self service now and turn this on. Which means if you haven't worked with support yet to establish those those pins, That second factor authentication for the users in your
organization now is probably a really good time to do that to get prepared for this feature. Absolutely. Right, before we before you even upgrade to this, let's let's get that started. So we go we have this enabled, right? We enabled the schedule, we've ratcheted it now, it's not flipped on. And just to give you example here kind of put
this head uh not to belabor the point, but I now can't reduce that schedule. And this is very important. Right? It's just because I have a schedule. If I can make it less, you know, whatever, I'll just let the schedule run out if I'm trying to defeat it. So once that's on that's ratcheted, I can't change that setting
for just for comparison, we're gonna create a second P Group here, we're just gonna call this one unprotected P group. And again, this is the highlight that with the per P. Group. We can have safe mode on some groups and not on others not array wide. Right?
So really just kind of highlighting that fact. That's correct. Yes, you might have workloads. You want a snapshot snapshot schedule for but you don't need to retained in under safe mode. Whatever that may be just you know, enable schedule but you don't enable safe mode of the retention locked. You keep it unlocked there at the bottom.
So yeah. Big big change from last time. JD right. I mean we turned on safe mode before everything was locked here. We now have the ability to pick and choose which volumes are protected in which are not. Mhm. Needed a new volume to put in that.
Put in that production group we created. Here's another new feature. So now in the ui when you create a new volume right there and part of that workflow, you'll actually be asked whether or not you want to include that in one of those existing P groups. Again, trying to help prevent any lapses in memory and adding those and making sure they're protected.
Just always trying to make sure that we're we're helping you think about the protection workflow of your volumes. So now we have the protection group unprotected that new volume you added on the addition of the volume. Again, it's not automatically added to a pre group but you can have p groups that have ratcheted some that don't and on the volume
creation, you'll be prompted to choose to either create a new protection group which may you may or may not set protection on as well as add to existing protection groups. So it helps in the provisioning of those volumes to make sure that you're getting that data added to the to the right protection groups and just makes that easier easier to to not miss right to to not make that mistake.
So this is the first feature we want to talk about. This was the Purple Group safe mode. The next thing we're gonna talk about is global volume protection and global volume protection is um if you've used Safe mode on flash blade, it's similar to a feature we have there whereby any volume that gets created on the flash array, regardless of you know what membership that volume has in any existing P
groups, there will be one P group that has all volumes as a member all of the time. So what this does is this says hey if I'm ever creating volumes and I forget to add them to a P group even though I've got that new Ui wizard that's kinda helping remind me. But even if I forget or if I neglect to add that to a P. Group this this new global volume protection p
group is gonna pick that up and make sure that there's a snapshot schedule. So what we're gonna do is we're actually gonna take one of our existing P groups here and we're going to we're going to turn that into our global volume protection P group to do that. We had to you we we had already turned on retention so we had to unlock that. So we worked with support. You saw the little screen flash up when we did
that we deleted or we we had support remove that. That ratcheted retention lock on there. And then we went in we deleted our existing member volume because this P group needs to be completely empty before we turned it into this global volume protection P group. But now that we've done that now that it's empty we can go ahead and reach out to support
one more time and because it's unlocked they will be able to enable global volume protection. This is not self service yet. This is something you need to work with support yet. And when we come back we'll see something a little bit different notice that under the members for this protection group there's now a little picture of a volume and a star an
asterisk. That's telling us that the members of this P group are everybody every volume. Now that we've done that we can go ahead and ratchet this and create a schedule. So now it'll be protected with safe mode as well. So our our our Universal P group that has all of our volumes is protected with safe mode
here. We're creating an additional volume just to show that automation. Yeah we're gonna add it to the unprotected P group so we didn't add it to our default P group. However we're going to demonstrate that even though we didn't manually add it, it's already there because it's the Universal P group.
The show that will go into, Well, first of all, we're showing that it's in the Universal of the unprotected P group. Now we're gonna go into our default P group with universal volume protection turned on. We're gonna take a snapshot. So the snapshot is going to create a snap of every volume that exists on the array right now
because they hit that default group. And then sure enough there it is. There's that new volume we just created that we didn't add to that protection group. So just kind of demonstrating that it's it's catching everything. So not not on by default. But if you set up the default group, it'll catch all volumes that don't get added to their
own protection group. So it's just ensuring that, you know, you know, more automated fashion your volumes are protected. And what that means is eradication delays added and you're not able to delete or destroyed permanently destroy snapshot that has been deleted from the protection group. And now you can bring it back in to your protection group and back to its schedule and
use it to restore any data that may have been encrypted or deleted or removed from the array. So pretty great feature. So we we have granular level VP group and then we have a way to give a global protection group to add volumes that are missed by by other protection schedules. Right be fair to say. Mm hmm. Alright. So I think, I think
that's that ends that piece. Right. About what we can do from a protection group standpoint, just safe mode in general on the N R A on a flash array. Right. So really just any any other race in the, in the flash rail line. But now we can get into kind of what we alluded to in the beginning. How that changes interaction with primary
storage integration. Right? Like namely VM in this case how VM uses storage based integration to take its backups and and and so forth back up from storage snapshot I think is what we're calling it. Right. Usually basically volume clone that VM ask for from pure and utilizes to take its backup process.
We're gonna show the snapshot only backup jobs. So that theme controlling um calling for and keeping snapshots on the array. Maybe because you want to quiet some with me or you just want to manage them with me and of course the steam storage re scan which is how team kind of keeps track of what's in those volume clones or snapshots if you will so that you know, you can restore from them. Should should you need those restore points.
This first demo will be the backup from Georgetown back up from storage snapshots. So storage infrastructure you're familiar with them. This is very much the same if not this is how the peer storage is defined and added to the VM infrastructure and do a new virtual backup virtual machine backup job test. VM backup again, very, very creative with the
names but very descriptive, we know that we know what we got here. Just just regular beam stuff here, adding a VM to back up themes already again, has that storage integration set up so it will use that having objects next showing the integration there that is normally on by default and as long as the infrastructure
set up, that's how bean will do its backup job going to the default back of repository that we've set up and go ahead and just run that job manually when we finish. So here we go. We got a backup job to find VM storage integration set up. That's the process VM is going to try first and
because infrastructure is set up in this case, that is the process that's going to utilize and it's going to be a snapshot taken or volume clone really that beam is then going to back up across that connection. I think it's a nice cozy in this case but you know, whatever that HP a maybe see there it takes an automatic and snapped there the volume. Right.
And if we had array wide safe mode on, I wouldn't be able to delete that, that would be protected by a ray wide safe mode. Right, Yep. So previously 6.3. And even, you know what we didn't show in the last example but that process that would have not been able to be destroyed and those get kept along for the period of time that that eradication timer is.
But we can see here from the logs just to really prove it. It was eradicated VM calls all this is all very much automated and because the action group is at the p or safe mode, is that the protection group level, it's able to do its job so you can have protection on those snaps those volumes kept long term and let this backup process happen very efficiently kind of in the same system but
still be protected. So now that we've shown back up from storage, snapshots of your storage integration and you know how the new safe mode allows that to work and allows to be eradication. Let's go on to snapshot only backup jobs. So these are jobs where VM calls for and a snapshot on the puree and then kind of manages those through the VM interface and you might use this to quiet the application first,
you might just want to manage it with the Yeah. And before you start the demo, I'll mention think about how this works without the new features. So with a ray wide safe mode enabled, you know, VM would orchestrate these snapshots for you but whenever it got to the end of the schedule. For example, if you told them to keep keep no more than two snapshots.
Once it gets that third VM created snapshot it's gonna try to delete and eradicate the oldest one. And flash ray is gonna say nope sorry I have to protect that with safe mode. And so this is another way where I can have safe mode on my array and I can have certain things that are protected with that creepy group safe mode.
But I can have this VM automation where those volumes. I'm sorry those snapshots are created outside of the P group and so VM can actually go through and eradicate those on its own schedule. Yeah. So I love being to kind of manage and take those snapshots and safe mode doesn't interfere. So
so how those how those work if you're not familiar with it, they are a backup job if you will their snapshot only backup jobs we just really just change where the destination if you will for the repository is um and makes it the snapshot on the array. So we'll name this one. Test VM snapshot if you're playing playing along, you might have been able to guess that
the snapshot only job next a very similar process you're going to add. You know what you want to capture in that snapshot So it's going to do a VM So it's going to find that on the on the volume and and take the snapshot of that volume because the storage integration that's a choice we're going to change the repository to primary snapshot only and then the set of retention policies. This is I think the kind of the point you were
kind of trying to hit your J. D. V. M would not be able to to enforce that retention policy with safe mode on if they didn't coincide because it wouldn't be able to eradicate those snapshots in the future. Okay I'm gonna know schedule on these. You would normally set a schedule for those but we're just gonna run it manually.
You can kind of walk you through how that works. Now remember that when we set that up we set it to to keep two copies of those snapshots to snapshots. That's gonna be really important in a second we just ran the first iteration of this job and it created the first snapshot we see that there so now we're gonna go back and we're gonna rerun the job which will orchestrate a second
snapshot. That's the limit of our retention policy that we defined in. Wien trying to test this the lead that eradication there it is. There's that second VM created snapshot So now on the 3rd 1 we would expect that it gets rid of the first one. Right? Keeping to
there you go completely gone not in the pending eradication ST so here another example of how we can use features that have either ephemeral or snapshots that are better managed by an external process. We can have those live side by side with volumes that are protected with safe mode enabled p groups. Yeah, so simple. So basically letting beam work the way it was
intended to work. The thing I would remind you though is because those being created snapshots exist outside that peak group and because we don't have a ray wide safe mode enabled, those snapshots are not protected by safe mode. That means I would definitely make sure that you're supplementing those with flash array created snapshots through api group schedule to make sure that you do have something that you
can recover from in the event that there is a malicious attack that goes after your snapshots and tries to delete some. I won't be able to get access to those. Right. Yes. So we were thinking that you might use this because you know one of the great things about snapshot integration with theme is it gives you other recovery points on an array. Right?
So I can have backup once a day but I can have a snapshot every hour if I want to have recovery points. I might want to quiet social theme, I want to be able to manage them with them so I can see it and restore through them but I can also still want to be protected from a ransomware attack and that's where maybe the default global p group can be in place or protection groups in my volume.
So I know that in the case of ransomware attack, I still have a way back might be might be why you might do that too. Just a thought. Mhm. So now we're going to talk about the storage re scan so well did you find this? You can add, you can add something to it as well but might be not a feature we're talking
about. But what this is is because VM is able to restore from snapshot as I just talked about kind of in the last piece. What you might do storage only snapshot only backup shots is because VM takes inventory of what's inside of those snapshots. It really kind of close the volume scans it down for the the the the settings files right for vsV sphere.
And then it can define what VMS are available in the snapshot to restore during this re scan. Previously they had to clone the volume and you can probably guess in a global default or uh you know, ray based safe mode or just safe mode as we called it before. Those would get caught up on the on the safe mode protection as well. Right? Because they can't be deleted eradicated after
they were done. That is something you probably never even thought about. Right because some people didn't even realize that re skin was happening until they turned on safe mode and they noticed hey, where are all these temporary volume clones that are there pending eradication. Where did they all come from?
Um, this is where they're coming from And this is another thing that is mitigated with these new safe mode. Pictures. Yeah, I've had questions like hey, just because piers attached to, it just creates snapshots like well no VM is asking for the scans so that it can easily figure out the data in there. It's really efficient. Works in the background.
Don't even have to set a schedule. But yeah, as you mentioned, safe mode made that very apparent that this was happening because you can, you get the artifacts right? You get, you get with the leftover. So I'm just gonna demonstrate that again. Just kind of how that works and, and and how the new safe mode per P group removes that
issue. So he's kind of did a manual re scan of that. This happens again automatically. We just forced one So we can show the example and now you can see that that eradication is done before. You would have had an hour error in the eradication.
It wouldn't have been eradicated. It would have been caught up in the destroyed and you would just see all these volume clones. So so pretty pretty simple. But I think very powerful point again, we're allowing them to do what it does best on the primary storage and give you all those features but also not have to sacrifice the fact that you can now enable safe mode to protect your data on those arrays as well.
Right. So saying this has been cool. We talked about what was new in safe mode since the last time we did this session we demoed how all of those new safe mode features could actually be used with VM to improve the experience over what we had previously to make it. We were not having as many of these temporary volumes and snapshots that they get kind of
incidentally caught up in safe mode while still having the production. Now I think we're gonna come back full circle though we're gonna revisit a topic that we touched on a little bit last year and we're actually gonna go come back to hardened repositories, Linux hard repositories with safe mode. This is that belt and suspenders approach giving you double layers of protection.
You're protected by hardened repo you're also protected by safe mode. And how do those two features work together? Right. Yeah. Yeah. Yeah. I don't think these are mutually exclusive. I think I probably said this last time. I'm sure I did these work hand in hand. Right. These can give you protection at defense and
depth as we've used to say. Right love that term. And so it's taken a lot of the features. I mean it's the safe mode features we already talked about definitely opponent on the premier rate but bringing it to that repository peace. So let's go through it. Right. We're gonna we're gonna do the setup not unlike last time have
our have our volumes we're going to do a new volume which is going to be our flash array repository. Or repo for short. Right again go creative with the names but again you come here another admin you can know exactly what these volumes are for. You have that feature to add to a protection group as they're created.
I would remove it. I didn't add it to a protection group. Right? Because this is that same array we demoed earlier that has the universal volume protection enabled. So I know that that repo that I just created is going to get picked up by Universal volume protection by that Universal P group. If I didn't have that enabled absolutely would
want to make sure I added this repo too a protection group with a schedule and with ratcheting turned on. Yeah I guess I thought there is global for a repository. Especially using like a C array for repository. Why not just turn it on globally. Any repository volumes that are created will always be protected. And even if your front and data gets
compromised, you have your backup volumes and here what we're doing in the demos we're just demonstrating once more that that did actually get caught by that Universal connection group. So it's a way to do kind of global lockdown but on a per P group level. Take that snapshot now it's protected. Then we're gonna go ahead and set up So that's the volume.
We're gonna go ahead and set up the Linux repository. Like last year we went through and configured all this kind of cut it a little shorter here. It's really a Linux repository at this step here is some of the steps that we took and what you know carve the volume attached, attached that to the Linux machine and so forth. And if folks need to see that full version you can go,
you know, if we provided the link to last year's session we go in there we show how to shut up ice because we showed up how to make make all the connections we kind of do all of that. We figured you know that at this part we're jumping right to the heart and repo part pardon? Repo parts. So the biggest parts there were on the Linux side you're gonna add that that theme service
we call the beam service but we had a user that's what we're gonna utilize and beam to create that one time password setup. Right? So it's that that at least privilege access that service that they put on the Linux repo to to eliminate protect, protect you from that level anybody getting access to the VM server and then we're gonna
give it uh permissions to the the volume that we are presenting to the repository or as a repository. So we will show you that part really quick. So setting password for root, gonna use route to kind of make these changes. Again, best practice would be to remove route at some point to you know eliminate ssh access to this box.
Again these are all things that could be missed or left on during a maintenance window. Something to that degree and that's why safe mode is also layered on in this in this in this approach to that user we called them service. I'm just going to confirm that it's added. I can't type apparently let's try that again definitely works there it is.
We're gonna make that new directory. So what we're going to define inside VM to store the backups on to be on top of that volume that we added to that group that's being protected by safe mode. Mhm. There it is. Check the permissions.
I'm gonna check the owner on that that account for change the owner to that account for that arrest for that volume and then and to remove the permissions for for group and other Right. So we're just giving permissions to that volume or that mount point that that we created for the backup for the repository backups that we're gonna define a beam and give it to this
VM service account. Again this VM service account. The unique account they're going to use to set up the one time credentials to the Linux machine. Give them total permissions. And then at that point I was just going to send the backup is over and then it's this account that's going to basically own writing and
keeping the mutability of those files on the Linux machine moving forward. Yeah. And there's a couple different ways to do this. This is the way that we kind of chose to to proceed. I'd always remind everybody, since this is actually setting up part of the team's infrastructure. Always refer back to VM documentation or your
VM system engineer if you've got any questions or I want to make sure that you're you're following the current best practices for how to set how to set this account up. Absolutely, absolutely, yeah, that's a great point. These are all really being related. Right. This is being related best practices and how you set it up for their feature.
So now we have the we have the mount point, we have the service in place. Now we officially create the beam hardened report story, This is done in the VM interface green on the back of infrastructure. It's a repository. That's right. Gonna do add repository.
It's gonna be direct attached storage again, that's that's how the VM Linux hardened repository works on direct attached storage. We're gonna do the Linux, we're gonna name it by some very creative name. Flash array, Lennox. Repo huh, exactly what that is. We're gonna add the repository service server if it hasn't been added already.
So this is the Linux machine that beam needs to talk to to get that service set up. Use DNS we use I P I P in this case. And then this is the next week. Alright. We set up that user this is where we're gonna use that user in a single use credentials for hardened repository. So the theme service user, I'm gonna put in the password that we utilize it is going to use
this stage 422. We are doing sue because it's not a pseudo user didn't add it to the pseudo file or file though. You could we didn't do that in this case. We're just going to get that one time connection through Ssh. It's gonna install that service. It's gonna have that that connection from beam to that service and then that service account
will manage writing and setting those backups to immutable. And what does that mean? One time you saying? How how is that different than any other if I just put in a regular Linux password So yeah, one time is it's just a sense of that service makes that connection and then that's the only way you can talk to them now, no longer has it doesnt ssh.
And again, after the fact doesn't have really any rights to go remove any of the data, it just kind of requests the right to the Linux machine which then, you know that service that's installed. Over their rights down to the to the to the mount point or to the to the volume that we've created. We're gonna use fast cloning. That's XF s kind of the RFs equivalent if
you're if you're used to that and don't know X F s. And then the second part. So one time use credentials harden it make backup immutable would be the second part. And that just uses lies is the extended attributes on Linux itself to set immutable for those mutability for those files. And again because we're using the one time user password I think we're going to set per machine
backup files here. 11 could do that for for streamline. We are going to decompress backup files before storing as well. That's kind of the best practice for for pure, allow the puree to give you further compression de doop just and yeah, once this is all set up we'll have that one time password again through this setup,
if I go back I would have to reset the password. I won't see it in there. We're not gonna store it. It's not gonna store be stored anywhere inside beam and it's just going to be for this one connection and then everything that's written from at least from a VM set back up or physical backup or an a an image based backup is going to be set to immutable on the Linux repository itself and that's kind of the two
parts I would say to the to the hardened Linux repository. Again, all backed by volume that we put in the P group that default P group that has safe mode enabled. Right? We're taking snapshots on some schedule behind that. So three layers and layers of hardening I don't know, hired hardening for access to a Linux
machine, immutable set on the back of files and immutable post resiliency with curved pre group protection. Safe mode protection on the array based snapshots. So then we just set up a backup job to target that new lee built Linux repository. We're gonna run that job when you finish and let that run.
So you promised all this. Right. We did the setup. Now let's test it. All right. Katie feel confident it's gonna do everything. We always said it would. I'm confident. I think we did a good job. So now we have that backup that's sitting on the repository.
We're going to make a file based backup job. And the reason we do this, we're probably kind of positive talk about that is I kind of mentioned this and the other one. Anything that's image based backup. Right. B M physical is going to be set for immutable. Right? We have that little mutable checkbox.
Right. But that that doesn't necessarily follow suit for all the backups there. Is that craig J D Yeah, that's right. So hardened repository only covers certain backup types. And so SMB backup or file backup is one of the ones that doesn't cover.
So we want to show that having your hardened Linux repository backed up with flash ray safe mode. And having that extra layer of protection really helps make sure you're covering all your bases there, yep. Yeah. So you're getting immutable on those image based backups but maybe not in your file based backup, but you can use all the same,
you know, repo to protect all of that, right? To add some layer protection. If not, you know, double layer protection for your backup files. I'm not going to log into the pure array here. I think we're gonna force a force a snapshot. Alright. We got we got the backups laid down to the repository. You know, you have a normal snapshot schedule.
We might just want to force one here for the demo. And again, so that it will protect all the data on there. All the all the data will be protected by a snapshot. Some can be someone's also protected by the mutability upfront. So you couldn't delete it.
So it might not be. But all of it is protected on the array itself. There it is. Okay, so again, to reiterate that snapshot is a snapshot of the VM repository that has both a file backup and an image based backup of VM backups stored in that in that repo right? So you're kind of minimizing the repo you have But protecting,
protecting both of them. Mm hmm. So let's go. Let's go try to break something. Let's pretend like we're an attacker. Let's break it. That's the fun part. So there's that there's that D m backup that image based backup.
We're gonna hit. Yes, checking objects and backup. Right? I have full admin rights of in here. I should be able to delete this and I will be met with unable to delete. Right? So this is that immutable, that mutability. That's a flag by the extended attributes on the Linux server.
Because I checked that box when I set up my Linux hardened repository, Right? That's part of that hardened repository feature. So I'm I'm attacker, I got access to VM. I know they're storing backups and I'm like, hey, I know them a little bit. I know I can I can go right down that file. Try and go right to that of that directory and
I can delete those backups manually. Right. This isn't the VM interface trying to protect me at all. You know, the VM hard repository. The mutability. I'm gonna find that backup share because we named him so very clearly. It's very obvious what's what And we're able to see the files themselves.
The BBK is the BBM file, the V I B s. I should be able to delete these manually. But no, I met with that as well. Right. That immutable flag again. It's that one time credentials being doesn't have that elevated access anymore. That is protected by the Linux kernel, Linux repo itself.
Hey, there's my file back up. But I noticed this file backup centers SMB and maybe I just want to try because I think maybe my odds are good or I know, hey, that's great. You're immutable and all but your files aren't right. And maybe that's what I'm gonna encrypt anyway. So I've got it, I removed it so I was able to actually delete that S and
B backup. Yeah. So even if I didn't get all your backup data, you know, as an attacker, you got some of your backup data that might be the crucial stuff, right. Files might be very crucial for your organization. That's just as bad. I still want to try to back up that BBK though. Let's try a little bit,
try a little bit more in depth. Let's actually go to Linux and give it a shot. Huh? Yeah. Say Ssh was left open and I can get access to it. I'm gonna go right. I got a little more knowledge about what those directories look like so I can go down and find it and I have access to to the Linux machine.
I did get slowed down here because you know, the regular user couldn't get access because remember we went through the effort of changing but let's say I still have access to root and I'm able to run is S. U. I work at it hard enough. I should be able to get into that directory I'm taking on my feet here, I'm doing Sudo under su what counts do I know?
Boom, I'm gonna change directories writing that back up and there it is. There's a backup folder, test VM backup the name is so easy for me to find you can list the attributes right? Does that attribute feature that gives you that mutability or turns and turns off the mutability so as an attacker as a rude access to this machine because it got left open, I can act as root,
which means I am able to remove that flag, right? That mutability flag, you couldn't do it couldn't do it from the beam interface. But again, I now have root access to this box. Can't remove it with the flag enabled but I can change that attribute.
It's just to kind of illustrate that right. I probably would have known that right away. It would have gone right for it. But just for illustration purposes I showed you that right, it's still further immutable until it's not. And again, I'm still protecting against a lot of things here. A lot of things had to happen in a certain way for me to get this access.
Ssh had to be left open. I had to have the credentials for an account with root privileges. I had to know to go change that mutability extended attribute. There's a lot of things that I kind of had to know and figure out to get through this was actually providing a good deal of protection We're just highlighting how you know, safe mode adds that like kind of last line of defense,
that that last layer of protection, even if an attacker manages to brute force their way through all of these other all of these other things, yep. So let's illustrate that, right? We have that default protection group or we have an inter protection group, we know that those snapshots are getting created on some schedule and we have safe mode applied.
It's a really easy just go in here and show that if I take that snapshot I want and I was destroyed right? The attacker it got all the root access hey it probably has admin access to my array as well. But with that extended timer, safe mode enabled, they're not gonna be able to go past this step right. Even after getting all those through all those
other steps are gonna be met with resistance here. There's absolutely nothing to do except for hope that you don't notice for the time that that eradication timer it's set. So you restore that snapshot kind of bringing it out of that eradication bucket back into the P group. If you will into the snapshot schedule we can
flip a restoring the volume. I see the sMB share back up his back. Yeah, that one we deleted through VM. So that wasn't even here when we saw it through the night before and there's my BBK Welcome back that snapshot brought back my entire repository as it was before the attacker got in and started causing mayhem.
Just a simple flexible button. Right? And this probably takes a lot longer because we're explaining it. I mean very easy to get back up and running quickly scanning the repository. Just so anything changed team was aware of it. We can put it all back. Team has a very much that we used to call the
self describing backup file so it can even even if you lost all of them, you can bring those backups back into the fold. But this is just gonna re scan it. Be well aware that's there. You notice the SMB share backup is it's right on the array. We have deleted that from VM but it's you know, it's it's aware of it again.
And were able to restore any file or files or whole directories right? Or do the incident share recovery if you need to from just to kind of prove that everything actually came back. We're actually gonna do a little test for store, we're gonna restore one of the files from that file share backup that got deleted
no where's success. All of our data is back. Even with all the efforts that that attacker put in and there we go. We've saved your logo never missing an opportunity for little marketing. I restored a file that had the pure logos, the icon. Most important data right there.
JD So yeah, you can see here how safe mode can further harden the Linux hardened repository but also fill in the gaps where uh the mutability flag can't be utilized. Right? So now you can combine everything to a single ray, one set of management and make sure that your data is protected even from the most, most, you know, they are diligent. There's even through the most diligent attacker.
Right? That's gonna use brute force every aspect or an insider threat. Someone that knows all these things even be protected to that with the safe mode feature, Pure flash array but we do have one more thing. Right. JD Right. I mean we have I think everything covered and we just had protected data.
Even the data that's not protected by the mutability. If we have several layers of security here, what else could be left? Like what else? What we need here? I think the thing that comes to my mind is, you know, I'm protecting the repository, right? If that,
you know, I just showed how I can bring that back. But that doesn't keep an attacker from blowing away the sequel server that beams installed on or are actually going and you know, corrupting those servers. Right. That's right. That's right. So protecting the VM infrastructure itself.
So I always like to throw this tidbit in. We're talking to people at the end and that is the configuration backup settings. You got a Linux sergeant repository that backed by safe mode. Why not put that config file there. Right. Could recover even if you blew up team could still find the backups. Absolutely great examples from this from
customers. Even from my own passes of the music. But you have that in place. So why not protect that configuration file, making it that much easier to restore an environment that even if the whole thing has been obliterated. Yeah. And again, I'll point out that a configuration backup is another example of a backup type that
is not protected by the Linux hardened repository. So this is only protected by the fact that safe mode is actually enabled in protecting that repository and providing you the ability to roll back from a snapshot that's protected. So again, many examples here of how hard and repository from VM and and and pure flash or a safe mode just worked incredibly well together.
Yeah, I think, I think that's it. I think that's it. I'm going to say. That's it. That's a lot. That's that's fantastic. And hopefully everyone that watches today can understand how they could utilize these two together these two technologies, the best of both to further protect themselves from the the
malware and from insider threats and and the threats that are more and more we see in the in the news and hear from our colleagues and in the world today. So with that I thank everybody to join us today and if you want to continue the conversation, here's our contact information. J. D. And myself are we love talking about this subject of feedback from it, what you love to see, examples of where it works,
where you think it could work. So reach out to us at J D J D Wallace at pure storage dot com and see Ellen at pure storage dot com and our twitter handles, they're at the bottom any other way they can contact you. I think you might have a blog out there JD if you want to talk about that. But yep, yep, I've got some blogs out there on demand and pure,
you know, you can just do a quick little search of your favorite search engine and find those but I just want to say again how much I appreciate you having me on to join you for this for this session, this was such a great topic last year and we had so much interest in it and I love that we can highlight that we didn't stop innovating. You know, we continue to take feedback from our customers and deliver even more ways that these
that these solutions can work even better together and so there's a lot of fun to come back and get to get to highlight some of that with you. So thanks, thanks again. Likewise, as always enjoyed this and until next time, thank everybody for joining us today and enjoy the rest of pure accelerate. Thank you
  • Technology Alliance Partner
  • Backup & Recovery
  • Video
  • Veeam
  • Pure//Accelerate
  • FlashArray//C

Join data protection experts Zane and JD as they discuss how FlashArray SafeMode and Veeam Hardened Repositories work together to ensure your backups are highly resilient against malicious destruction and ready to help you recover fast.

Continue Watching
We hope you found this preview valuable. To continue watching this video please provide your information below.
This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.
Meet with an Expert

Let’s talk. Book a 1:1 meeting with one of our experts to discuss your specific needs.

Questions, Comments?

Have a question or comment about Pure products or certifications?  We’re here to help.

Schedule a Demo

Schedule a live demo and see for yourself how Pure can help transform your data into powerful outcomes. 

Call Sales: 800-976-6494


Pure Storage, Inc.

2555 Augustine Dr.

Santa Clara, CA 95054

800-379-7873 (general info)

Your Browser Is No Longer Supported!

Older browsers often represent security risks. In order to deliver the best possible experience when using our site, please update to any of these latest browsers.