In light of the rising tide of ransomware attacks globally, organizations are compelled to enhance their data protection strategies. Many businesses have turned to various solutions to secure their critical data. Traditional methods, such as offsite tape storage, may offer security but often come with slow recovery times, jeopardizing service-level agreements (SLAs). To address these limitations, some enterprises have opted for DIY data vaults at remote locations, which improve data accessibility but can compromise security.
These solutions often prove to be complex, prone to errors, and expensive to manage. Furthermore, the onus of maintaining these systems and ensuring data resilience falls on companies already grappling with resource constraints. This reality leads many to seek reliable partners to help shoulder this responsibility.
In response to these challenges, Cohesity introduced FortKnox, a cutting-edge data isolation and recovery-as-a-service solution that operates on Amazon Web Services (AWS). FortKnox enables users to maintain an immutable virtual air-gapped copy of backup data, providing an extra layer of defense against ransomware and other cyber threats.
Cohesity is recognized as an AWS Storage Competency Partner, redefining data management to reduce total cost of ownership (TCO) and streamline how businesses manage and safeguard their data. FortKnox is a software-as-a-service (SaaS) solution that allows organizations to swiftly deploy, manage, and monitor isolated copies of their essential data in a secure offsite environment, all overseen by Cohesity. In the event of a security breach, the backup data preserved in FortKnox can be restored to the original or an alternate “clean room” location, including either private or public cloud setups.
FortKnox is part of Cohesity’s Data Management as a Service (DMaaS), a suite of “as-a-service” offerings designed to help organizations meet their data protection, business continuity, disaster recovery, and data isolation needs.
This article will guide you through the steps to configure Cohesity FortKnox for protecting your backup data against ransomware threats. You’ll gain insights into preventing unauthorized access to your backup data and the recovery process in the event of a ransomware incident. Additionally, we’ll emphasize FortKnox’s built-in anomaly detection features, which help ensure that your backup data remains free from infections.
Overview of Cohesity FortKnox
Cohesity FortKnox offers a secure, virtual air-gapped vault for backup data storage. Cohesity clusters, whether deployed on-premises or in the cloud, utilize FortKnox to safeguard backup data from malware, including ransomware.
At the heart of FortKnox lies a multilayered defense-in-depth strategy that transcends Zero Trust principles, ensuring that the vaulted copy of data serves as a reliable fallback in the event of a cybersecurity incident. This is accomplished through geographical, network, and operational isolation, which restricts access to vault data and policies from both external and internal threats, effectively minimizing data exfiltration risks.
Here are some key features that enhance FortKnox’s data security:
- Virtual Air Gap: A secure and temporary network connection is established between the backup (secondary) copy and the vault (tertiary) copy, which is severed once the data is vaulted.
- Operational Isolation: This is facilitated through either a Cohesity-managed or customer-managed key management system, or AWS Key Management Service (AWS KMS), preventing users with access to the backup cluster from accessing or restoring vault data.
- Tamper Resistance: Immutability provided by Amazon Simple Storage Service (Amazon S3) object lock, along with encryption for data-at-rest and data-in-flight, ensures that vault data is protected.
- Access Controls: Role-based access control (RBAC), multi-factor authentication (MFA), and short-term token-based authentication work together to prevent unauthorized access to vault data.
- Quorum: Requires at least two authorized users to approve critical actions, such as data recovery from the vault, preventing unilateral changes to vault policies.
- Anomaly Detection: Leveraging machine learning (ML), FortKnox identifies clean copies of data for recovery.
Configuring Cohesity FortKnox
Cohesity Helios serves as the centralized control plane that operates as a SaaS service on AWS. It provides users with a unified interface to manage their Cohesity clusters and DMaaS offerings, including FortKnox.
Once a customer registers their Cohesity cluster in Helios, they can proceed to configure and utilize the FortKnox service. The initial step involves creating a cloud vault by selecting the desired region for data vaulting. For enhanced security, organizations can establish a backup window allowing data to be written to the cloud vault only during that period.
After the cloud vault is set up, a protection policy can be established to dictate how data is stored in the vault. The data retained in the cloud vault will remain immutable until the specified retention period expires.
Using Quorum Groups for Operational Control in FortKnox
To govern operations, such as data recovery from a cloud vault, a quorum group can be configured, necessitating approval from a minimum of two members before any operation can proceed. This feature adds an extra layer of protection against misuse by rogue administrators or users.
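The three controls described above (a backup window for writes, immutability until retention expires, and quorum approval for recovery) can be modelled in a few lines. This is an added conceptual example, not Cohesity's code or the FortKnox API; the class, method and user names are hypothetical, and counting only distinct quorum members is an assumption about how approvals are tallied.

```python
from dataclasses import dataclass, field
from datetime import datetime, time, timedelta


@dataclass
class CloudVault:
    """Conceptual model only; names are hypothetical, not FortKnox's API."""
    window_start: time            # backup window opens
    window_end: time              # backup window closes (may cross midnight)
    retention: timedelta          # immutability period per vaulted object
    quorum_members: frozenset     # users allowed to approve critical actions
    min_approvals: int = 2        # the article states "a minimum of two"
    _objects: dict = field(default_factory=dict)  # name -> time vaulted

    def in_window(self, now: datetime) -> bool:
        t = now.time()
        if self.window_start <= self.window_end:
            return self.window_start <= t < self.window_end
        # Window crosses midnight, e.g. 22:00 to 04:00.
        return t >= self.window_start or t < self.window_end

    def is_locked(self, name: str, now: datetime) -> bool:
        vaulted_at = self._objects.get(name)
        return vaulted_at is not None and now < vaulted_at + self.retention

    def write(self, name: str, now: datetime) -> bool:
        # Refuse writes outside the window, and never overwrite a locked copy.
        if not self.in_window(now) or self.is_locked(name, now):
            return False
        self._objects[name] = now
        return True

    def delete(self, name: str, now: datetime) -> bool:
        # Deletion is only possible once the retention period has expired.
        if name not in self._objects or self.is_locked(name, now):
            return False
        del self._objects[name]
        return True

    def recovery_approved(self, approvals) -> bool:
        # Count distinct quorum members only: repeated approvals from one
        # user, or approvals from non-members, must not meet the threshold.
        valid = set(approvals) & self.quorum_members
        return len(valid) >= self.min_approvals
```
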
Recovering Data from FortKnox
The FortKnox dashboard provides vital information about your environment, including storage metrics, number of cloud vaults, and vaulted objects. FortKnox currently supports a diverse range of data sources, including VMware, Hyper-V VMs, physical servers (Windows/Linux), NAS workloads, Microsoft 365, Oracle, and SQL across data centers.
To recover data from FortKnox, simply utilize the search bar to locate the desired data, making the recovery process seamless and efficient.