Fight Kubernetes Ransomware with Kasten and Cloudian

Adam BerghAdam Bergh
Cloud Native Technical Partnerships at Kasten by Veeam
LinkedIn Profile

amit rawlani

Amit Rawlani
Director Technology Alliances, Product & Solution Marketing, Cloudian Inc.

LinkedIn Profile

The threat of ransomware should be thought of as serious problem for all enterprises. According to an annual report on global cyber security, there were 304 million ransomware attacks worldwide in 2020 — a 62% increase from 2019. While most IT organizations are aware of the continuously rising threat of ransomware on traditional applications and infrastructure, modern applications running on Kubernetes are also at risk. The rapid rise of critical applications and data moving into Kubernetes clusters has caught the attention of those seeking to exploit what is perceived to be a new and emerging space. This can leave many organizations ill prepared to fight back.

Kubernetes Vulnerabilities

Kubernetes itself and many of the most common applications that run in Kubernetes are open-source products. Open-source means that the underly code that makes up the applications is freely available for any to review and find potential vulnerabilities. While not overly common, open-source products can often lead to exploitable bugs being discovered by malicious actors. In addition, misconfigured access controls can unintentionally lead to unauthorized access to applications or even the entire cluster. Kubernetes is updated quarterly, and some applications as often as every week, so it’s crucial for organizations to stay up to date with patching.

Surprisingly, many organizations that use Kubernetes don’t yet have a backup and recovery solution in place — which is a last line of defense against an attack. As ransomware becomes more sophisticated, clusters and applications are at risk of being destroyed, and without a means to restore them, you could suffer devastating data and application loss in the case of an attack.

What to Look for In a Kubernetes Ransomware Protection Platform

When looking to an effective defense against ransomware in your K8s environment, think about these four core capabilities:

  1. Backup integrity and immutability: Since backup is your last line of defense, it’s important that your backup solution is reliable, and it’s critical to be confident that your backup target storage locations contain the information you need to recover applications in case of an attack. Having guaranteed immutability of your backup data is a must.
  2. High-performance recovery: No one wants to pay a ransom because it was faster to unencrypt your data than recover it from your backup system. The ability to work quickly to recover resources is critical, as the cost of ransom typically increases over time. Being confident that your recovery performance can meet target requirements even as the amount of data grows over time.
  3. Operational Simplicity: Operations teams must work at scale across multiple clusters in hybrid environments that span cloud and on-premises locations. When you’re working in a high-pressure environment following a ransomware attack, simplicity of operations become paramount.

Cloudian and Kasten by Veeam Have the Solution

Kasten By Veeam and Cloudian have teamed to bring a truly cloud native approach to this mission critical problem. The Kasten K10 data management software platform has been purpose-built for Kubernetes. K10’s deep integrations with Kubernetes distributions and cloud storage systems provide for protection and mobility of your entire Kubernetes application. Cloudian’s HyperStore is an enterprise-grade S3-compatible object storage platform running in your data center. Cloudian makes it easy to use private cloud storage to protect your Kubernetes applications with a verified integration with Kasten. With native support of the cloud standard S3 API, including S3 Object Lock data immutability, Kasten and Cloudian offer seamless protection for modern applications at up to 70% less cost than public cloud.

Kasten Cloudian blog diagram 1

Fast recovery: Cloudian provides a local, disk-based object storage target for backing up modern apps using Kasten K10 over your local, high-speed network. The solution lets you backup and restore large data sets in a fraction of the time required for public cloud storage, leading to enhanced Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).

Security and Ransomware Protection

Cloudian is a hardened object storage system that includes enhanced security features such as secure shell, encryption, integrated firewall and RBAC/IAM access controls to protect backup copies against malware. es in a shared-storage environment. In addition, to protect data from ransomware attacks, Cloudian HyperStore and Kasten support Object Lock for air-tight data immutability all the way up to the operating system root level.

Kasten-Validated Solution

Cloudian is Kasten-validated to ensure trouble-free integration. Kasten’s native support for the S3 API enables seamless integration with Cloudian HyperStore.

Easy as 1-2-3

Setting up Kasten K10 and Cloudian Ransomware Protection is as simple as 3 easy steps:

1. Create a new target bucket on Cloudian HyperStore and enable Object Lock.

Kasten Cloudian blog diagram 2


2. After Kasten K10 installation, check the “Enable Immutable Backups” box when adding a target S3 object storage bucket.

Kasten Cloudian blog diagram 3


3. Validate the Cloudian object storage bucket and specify your protection period.

Kasten Cloudian blog diagram 4

GET STARTED WITH KASTEN K10 TODAY!

The Common Foundations of Kubernetes and Object Storage

Reading Brendan Burns’ The History of Kubernetes & the Community Behind It, I was struck by the common technical foundations of Kubernetes and object storage.  Burns lists Kubernetes’ “basic feature set” as an orchestrator to deploy and manage containers as (1) Replication to deploy multiple instances of an application; (2) Load balancing and service discovery to route traffic to these replicated containers; (3) Basic health checking and repair to ensure a self-healing system; (4) Scheduling to group many machines into a single pool and distribute work to them.

Gary OgasawaraGary Ogasawara, CTO, Cloudian

View LinkedIn Profile

Reading Brendan Burns’ The History of Kubernetes & the Community Behind It, I was struck by the common technical foundations of Kubernetes and object storage. Burns lists Kubernetes’ “basic feature set” as an orchestrator to deploy and manage containers as:

  1. Replication to deploy multiple instances of an application
  2. Load balancing and service discovery to route traffic to these replicated containers
  3. Basic health checking and repair to ensure a self-healing system
  4. Scheduling to group many machines into a single pool and distribute work to them

For modern object storage systems like Cloudian HyperStore, the foundational feature set is:

  1. Distributed and replicated services and data for availability and durability
  2. Scale-out capacity across multiple locations
  3. Fault tolerance and self-healing
  4. A single, global namespace to address data via a REST API

 

Though somewhat different in scope and focus, these four technical foundations of Kubernetes and object storage overlap to a large extent. There are other features for both, such as multi-tenancy to organize users, that are not reflected, but mapping these four listed features show the striking similarities:

FEATURE KUBERNETES OBJECT STORAGE
Availability, durability Pod replication strategies as deployments, stateful sets, services. This ensures service availability and data durability in case of temporary failures. Distributed and replicated services and data to ensure service availability. Replication and erasure coding (EC) methods for data to ensure data durability in case of partial and/or temporary failures.
Load-balancing, routing The Service resource defines a logical set of Pods and a policy to access them. DNS is used for resolving Services by their DNS name. Example: a Service my-service in a namespace my-ns has a DNS record for my-service.my-ns. A Pod can do a DNS name lookup for my-service. Scale-out, elastic capacity across multiple locations (e.g., geographic zones) is networked together. DNS is used for resolving data location by their DNS name. Example: S3 uses a virtual-hosted-style URI where the S3 bucket name is part of the domain name in the format
Self-healing Controllers are control loops that reconcile the actual state of the cluster to the desired state. An obvious case is ensuring the spec number of Pods of a Deployment matches the actual number of Pods, and if not, then starting a new Pod. Object data can be missing or out-of-date in a particular replica or EC fragment due to temporary failures when writing or new disk or node failures. In these cases, automatic data “repair” using the other replicas or EC fragments is done to restore full data integrity.
Distribute work across a single resource pool The Kubernetes scheduler places a Pod on the best Node based on resource requirements and explicit labels. Dynamic configuration changes can cause rescheduling of the Pod to a different Node. Buckets and objects are addressable in a single, global namespace. This contrasts from many file-based storage systems where data is partitioned in silos. Data API requests can be made to any load-balanced server.

One more important similarity is the primacy of the declarative API of both Kubernetes and object storage.

FEATURE KUBERNETES OBJECT STORAGE
Declarative API Resources are declarative, described in explicit YAML specifications. In particular, a “spec” defines what a resource should be, and it is up to Kubernetes to implement. Amazon’s S3 API is the standard object storage API. App developers can reliably use the S3 API at both Amazon and other S3-compatible object storage systems without regard to the implementation underlying the S3 API.

A possible reason for these similar foundations is that Kubernetes and distributed data stores underlying object stores rapidly developed in the same time period around 2010 to address the needs of new use cases Around that time, new apps and services started requiring massive data stores and cloud-native deployment and management. Examples include always-connected mobile devices, deep learning and map-reduce analyses, and social media apps like Instagram.  Jeff Barr’s post from 2011 showed Amazon S3’s exponential growth of stored objects around that time:

kubernetes chart

Given the common technical foundations, there is a natural fit when incorporating object storage software to Kubernetes.  The Kubernetes control plane can manage distributed object storage Pods in a standard way, especially in regards to failure handling and resilience.  With an object store’s single, global pool of data, Kubernetes apps can directly use the S3 API to address data at any location or execution status.  For example, machine learning training can exploit training data stored in an object store, and streaming apps can write and process data utilizing storage policies with different data distribution and consistency levels. From the app developer’s perspective, the goal is always how to make it easier to build apps — e.g., build apps faster.  Kubernetes plus object storage makes this goal more achievable.

As a side note, Kubernetes added the Container Storage Interface (CSI) as a standard for exposing arbitrary block and file storage systems.  Block and file storage systems can implement a CSI driver, and then apps can use standard Kubernetes resources (PersistentVolumeClaims (PVCs), PersistentVolumes (PVs), and StorageClasses) to access that storage.  For example, a PVC can be dynamically created with a specific StorageClass that represents an external block storage system.  There is promising, ongoing development of a similar standard for object storage (Container Object Storage Interface) that would make object storage even more consumable by Kubernetes workloads.


Learn more about Kubernetes and Object Storage

kubernetes and object storage
Cloudian Storage for Kubernetes Solution

esg logo
ANALYST REPORT
How Private Cloud Overcomes the Top 5 Kubernetes Storage Challenges

MayaData logo
ON-DEMAND WEBINAR
Data Protection for Kubernetes