The idea that mainframes couldn’t be hacked disappeared a long time ago. People are using penetration testing (pentesting) to see how vulnerable their mainframe is to hackers. People are using file integrity monitoring (FIM) software on their mainframes to identify when files are being altered without authorization and to ensure their backups aren’t being modified. And now IBM has announced anti-ransomware Safeguarded Copy for its FlashSystems and on-premises Storage-as-a-Service offerings, with planned public cloud extensions.
So, what do they mean by Safeguarded Copy? It seems the feature automatically creates data copies in point-in-time immutable snapshots that are securely isolated within the system and cannot be accessed or altered by unauthorised users. Organizations can create these protected point-in-time backups of their critical data as frequently as they want, knowing that the process will have a very small impact on resource utilization.
Note: it’s the standard FlashSystem arrays that are being used. There aren’t separate backup target arrays. The idea is to enable the main system to have its own safeguards against ransomware and be able to recover from an attack. Safeguarded Copy allows user to create multiple recovery points for a production volume, which are called Safeguarded Copy backups, and they are stored in a storage space that is called Safeguarded Copy backup capacity.
Although the data copies created by Safeguarded Copy are security isolated within the systems and cannot be accessed, they are available should normal operations be disrupted by a data breach or cyberattack. And then the copies can be used to recover quickly. You might be wondering how this can be done if the backups aren’t directly accessible by a host. The answer is that the data can accessed once it has been recovered to a separate recovery volume.
The practicalities are that storage administrators can schedule automatic snapshots, which are then stored into safeguarded pools on the storage system. The data has to be recovered (as mentioned above) to become usable. In addition to validating copies of data, the Safeguarded Copy can be used to diagnose production issues.
By integrating Safeguarded Copy with IBM Security QRadar platform for security monitoring, it’s possible for QRadar to look out for signs of a ransomware attacks and proactively trigger Safeguarded Copy to create backups, which can then be used to restore data in the event of a successful attack.
With the IBM and Ponemon Cost of a Data Breach Report 2020 showing that the average total cost of a data breach was $3.86 million, and that figure went up to $8.64 million for organizations based in the USA, it makes sense for IBM to make security a top priority in their development work. There is much discussion at the moment about whether companies should be obliged to reveal not only whether they’ve paid a ransom, but how much they paid. I’m sure that when those figures are fully revealed, it will start to make sense to the accountants at most organizations to spend money wisely beforehand to ensure that they are not funding hackers – who could be criminal gangs or nation state actors – after a ransom has been received, their data has been sold on the dark web, and their reputation has been muddied.
A report in March from Palo Alto Networks found that the average payment following a ransomware attack in 2020 was up 171 percent to $312,493, compared to $115,123 in 2019. The report also found that the highest ransom demanded in 2020 was $30 million, which was double the highest of $15 million during 2015-2019. The largest payout that the survey found was $10 million.
This just adds weight to the argument for mainframe-using organizations to spend some money up front, whether that is on pentesting, FIM software, or Safeguarded Copy on FlashSystems, or anything else that works, to prevent successful ransomware attacks happening to them.