Scalable Storage: how we made our Ceph storage immutable with Veeam


Nowadays, organisations experience ever-increasing data creation. The value of the data itself grows, and with it the need to protect it from security threats and data loss. Ensuring the permanence of data, and thus its authenticity, is crucial for most businesses.

Before revealing how we made our Ceph storage immutable, it is worth giving a brief summary of why we use a cloud storage system and what the benefits are for the end user.

Why is cloud storage needed? Why does it need to be immutable?

The basic rule for efficient data backup, which we all know, is the 3-2-1 rule: keep 3 copies of the data, 2 of them on different storage devices, and one copy off-site. Following this logic, every company should ideally have the following structure for its data backups:

  • The first copy of the data, which we can define as the original, is the production VM itself;
  • The second copy is created on storage separate from the production VM; in this case it is Veeam that creates it by performing the backup;
  • The third copy, which must be off-site to comply with the 3-2-1 rule, is produced by duplicating the data of the second copy.

Summary of recommended backup types

At this point, the choice of off-site data copy can fall into several options:

  1. On-Premise Infrastructure: If you have a second infrastructure, for example in another company location, you can connect via VPN and transfer the third copy of the backups to local storage. This option incurs costs for the infrastructure and the chosen storage.
  2. On-Premise Off-Site Infrastructure: Another possibility is to save an off-site copy in another company location, and therefore another infrastructure, where Veeam is installed again and reached through a VPN. For transparency, it is worth noting that replicating to the cloud via a VPN requires creating additional VMs for Veeam and an additional NAS. It is a solution that is costly because of the resources required and, above all, precarious from a security perspective: a VPN widens the path by which malware or a CryptoLocker can reach the backup copy if proper precautions are not taken.
  3. Cloud Storage: Another option is Veeam Cloud Connect, through which you can save a copy of the data directly to cloud storage without implementing a dedicated infrastructure. This gives you numerous features, including the WAN Accelerator. Additionally, since these are two Veeam tools that interface with each other, no additional resources or effort are required. CloudFire offers the Veeam Backup and Replication solution in all editions, with Cloud Connect included in the rental license cost.
  4. S3 Bucket: A final option is to save a copy of the data directly to an S3 bucket. This solution saves resources compared to the previous options, as it does not involve creating VMs. In terms of cost, S3 storage is optimized for ingesting large amounts of data cheaply, making it more affordable. Another significant advantage of S3 storage concerns security: the bucket offers a native API, Object Lock, through which data immutability can be enabled from within Veeam.


Immutable storage: the 3-2-1-1-0 rule


Data immutability provides security benefits and prevents risks such as:

  • Corruption or compromise of production data;
  • Accidental deletion of production data;
  • Malicious activities such as changes to the retention settings of backup jobs or deletion of restore points.


For clarity: immutability on S3 can only be used with Veeam licenses of Enterprise edition or higher, because a Scale-out Backup Repository is required.

Immutable storage is the answer to concerns about malicious, intentional or unintentional access with the ability to modify or delete objects within the storage itself. Through the immutability option, the content of the Capacity Tier is made unchangeable for a period of time set when the backup is created.

The underlying principle of this type of storage is precisely the guarantee of data immutability: malware or malicious actors cannot modify backup files or inject malicious code into them that could be executed during a restore. The data remains in its original form until a set expiration date, unaltered and undeletable, meeting the most stringent requirements for data preservation and integrity.

How does CloudFire combine scalability and immutability in its scalable storage?

Admin storage side

CloudFire implements this functionality with Ceph, version Pacific or higher, thanks to its compatibility with the S3 protocol and the Object Lock feature.

However, some clarifications are necessary.

In particular, to make Veeam's Immutability feature, which relies on the native S3 Object Lock API, available to users, this technology must be enabled so that Veeam can add metadata to files during upload. That metadata binds the file to a read-only state for a predetermined period, exactly the duration for which the stored data is to be made immutable.

More specifically, before this functionality can be used, a bucket must be created with the locking option and versioning enabled, without setting a number of retention days. Veeam takes care of this last step, setting the retention days directly, file by file. It is important to use a bucket with immutability only through Veeam, because it is Veeam that uploads the files with their specific retention dates. Otherwise the files become immutable forever, leaving nobody any opportunity to modify or delete them afterwards: the file will remain so for as long as the bucket itself exists. By default there is no expiry date; unless otherwise chosen, the storage becomes immutable forever.

Ceph screenshot: bucket creation

However, the process of making the storage immutable is not finished yet. At this point the bucket is not ready for integration: Ceph must still be made compatible with Veeam, and for that Veeam has to manage both the mode ('Mode') and the number of days ('Days'). This property must therefore be modified via an API call, through the following actions:

Once '200 OK' is received in response, the bucket will be 100% compatible with Veeam.
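The bucket preparation described above (Object Lock enabled, versioning enabled, no bucket-level retention days, so that Veeam sets Mode and Days per file) can be verified with a small pre-flight script. The following is an added example, not CloudFire's or Veeam's own tooling: the RGW endpoint, credentials and bucket name are placeholders, boto3 is assumed to be installed, and the `prepare_bucket` function's use of `put_object_lock_configuration` with no default rule is my reading of the requirement, since the page does not reproduce the exact call. The check functions take the dict shapes that boto3 returns, so they can be exercised offline with constructed input.

```python
"""Pre-flight checks for a Ceph RGW bucket that will hold Veeam immutable backups.

Added example (not CloudFire's or Veeam's code). Endpoint, credentials and
bucket name below are hypothetical placeholders.
"""
from datetime import datetime, timezone


def check_bucket_for_veeam(lock_cfg: dict, versioning: dict) -> list:
    """Return a list of problems; empty means the bucket matches the post's
    requirements: Object Lock enabled, versioning enabled, and NO bucket-level
    default retention (Veeam sets Mode/Days per object at upload time).
    `lock_cfg` is a GetObjectLockConfiguration response, `versioning` a
    GetBucketVersioning response (or {} if the call failed)."""
    problems = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        problems.append("object lock is not enabled on the bucket")
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if rule:
        # A default rule would apply to every object regardless of what Veeam
        # asks for; the post wants retention driven file by file by Veeam.
        problems.append(
            "bucket has a default retention rule (%s, %s); remove it so Veeam "
            "controls Mode/Days per file"
            % (rule.get("Mode"), rule.get("Days") or rule.get("Years"))
        )
    if versioning.get("Status") != "Enabled":
        problems.append("versioning is not enabled (object lock requires it)")
    return problems


def check_object_retention(retention: dict, now=None) -> list:
    """Verify that an object written by Veeam carries a per-object retention:
    a Mode and a RetainUntilDate still in the future. `retention` is a
    GetObjectRetention response; `now` is injectable for offline tests."""
    now = now or datetime.now(timezone.utc)
    problems = []
    r = retention.get("Retention", {})
    if r.get("Mode") not in ("GOVERNANCE", "COMPLIANCE"):
        problems.append("object has no retention mode")
    until = r.get("RetainUntilDate")
    if until is None:
        problems.append("object has no RetainUntilDate")
    elif until <= now:
        problems.append("retention already expired at %s" % until.isoformat())
    return problems


def prepare_bucket(s3, bucket: str) -> None:
    """Create the bucket as the post describes: lock enabled, versioning on,
    and (assumption) an explicit lock configuration with no default Rule."""
    s3.create_bucket(Bucket=bucket, ObjectLockEnabledForBucket=True)
    s3.put_bucket_versioning(
        Bucket=bucket, VersioningConfiguration={"Status": "Enabled"}
    )
    s3.put_object_lock_configuration(
        Bucket=bucket, ObjectLockConfiguration={"ObjectLockEnabled": "Enabled"}
    )


def audit_bucket(s3, bucket: str, sample_key: str = None) -> dict:
    """Run the checks against a live S3-compatible endpoint (e.g. Ceph RGW)."""
    try:
        lock_cfg = s3.get_object_lock_configuration(Bucket=bucket)
    except s3.exceptions.ClientError:
        lock_cfg = {}  # RGW answers with an error when lock is not enabled
    versioning = s3.get_bucket_versioning(Bucket=bucket)
    report = {"bucket": check_bucket_for_veeam(lock_cfg, versioning)}
    if sample_key:
        ret = s3.get_object_retention(Bucket=bucket, Key=sample_key)
        report["object"] = check_object_retention(ret)
    return report


if __name__ == "__main__":
    import boto3  # third-party, assumed installed

    s3 = boto3.client(
        "s3",
        endpoint_url="https://rgw.example.invalid",  # placeholder RGW endpoint
        aws_access_key_id="PLACEHOLDER_ACCESS_KEY",
        aws_secret_access_key="PLACEHOLDER_SECRET_KEY",
    )
    print(audit_bucket(s3, "veeam-immutable-bucket"))  # placeholder bucket
```

An empty `bucket` list in the report corresponds to the state the post calls "100% compatible with Veeam"; a non-empty `object` list for a file Veeam has already written means the per-file retention is not being applied and the repository should not be trusted as immutable until that is resolved.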

With that said, it is up to the user to proceed by following the steps listed in this guide.

What advantages do you get with CloudFire's Immutable Scalable Storage?

Given that making storage immutable on the administrator side requires expertise and a clear idea of what to do, choosing a solution that already provides this feature brings significant advantages. These include:

  • Compliance with the 3-2-1 rule for efficient backup, while reducing resource costs;
  • Data integrity guaranteed for a period of time of your choosing, excluding any possibility of modification or deletion by anyone;
  • Independence from hardware components and from all the limitations such technologies bring, ensuring storage flexibility and scalability.

Through Object Lock technology, CloudFire enables the immutable layer for your data and storage in S3 buckets.
