Fight Kubernetes Ransomware with Kasten and Cloudian

Adam Bergh
Cloud Native Technical Partnerships at Kasten by Veeam

Amit Rawlani
Director Technology Alliances, Product & Solution Marketing, Cloudian Inc.


The threat of ransomware should be thought of as a serious problem for all enterprises. According to an annual report on global cyber security, there were 304 million ransomware attacks worldwide in 2020 — a 62% increase from 2019. While most IT organizations are aware of the continuously rising threat of ransomware on traditional applications and infrastructure, modern applications running on Kubernetes are also at risk. The rapid rise of critical applications and data moving into Kubernetes clusters has caught the attention of those seeking to exploit what is perceived to be a new and emerging space. This can leave many organizations ill-prepared to fight back.

Kubernetes Vulnerabilities

Kubernetes itself and many of the most common applications that run in Kubernetes are open-source products. Open source means that the underlying code that makes up the applications is freely available for anyone to review and find potential vulnerabilities. While not overly common, exploitable bugs in open-source products can be discovered by malicious actors. In addition, misconfigured access controls can unintentionally lead to unauthorized access to applications or even the entire cluster. Kubernetes is updated quarterly, and some applications as often as every week, so it’s crucial for organizations to stay up to date with patching.

Surprisingly, many organizations that use Kubernetes don’t yet have a backup and recovery solution in place — which is a last line of defense against an attack. As ransomware becomes more sophisticated, clusters and applications are at risk of being destroyed, and without a means to restore them, you could suffer devastating data and application loss in the case of an attack.

What to Look for In a Kubernetes Ransomware Protection Platform

When looking for an effective defense against ransomware in your K8s environment, think about these four core capabilities:

  1. Backup integrity and immutability: Since backup is your last line of defense, it’s important that your backup solution is reliable, and it’s critical to be confident that your backup target storage locations contain the information you need to recover applications in case of an attack. Having guaranteed immutability of your backup data is a must.
  2. High-performance recovery: No one wants to pay a ransom because it was faster to unencrypt your data than recover it from your backup system. The ability to work quickly to recover resources is critical, as the cost of ransom typically increases over time. You also need to be confident that your recovery performance can meet target requirements even as the amount of data grows over time.
  3. Operational Simplicity: Operations teams must work at scale across multiple clusters in hybrid environments that span cloud and on-premises locations. When you’re working in a high-pressure environment following a ransomware attack, simplicity of operations becomes paramount.

Cloudian and Kasten by Veeam Have the Solution

Kasten by Veeam and Cloudian have teamed up to bring a truly cloud-native approach to this mission-critical problem. The Kasten K10 data management software platform has been purpose-built for Kubernetes. K10’s deep integrations with Kubernetes distributions and cloud storage systems provide for protection and mobility of your entire Kubernetes application. Cloudian’s HyperStore is an enterprise-grade S3-compatible object storage platform running in your data center. Cloudian makes it easy to use private cloud storage to protect your Kubernetes applications with a verified integration with Kasten. With native support of the cloud standard S3 API, including S3 Object Lock data immutability, Kasten and Cloudian offer seamless protection for modern applications at up to 70% less cost than public cloud.

Fast recovery: Cloudian provides a local, disk-based object storage target for backing up modern apps using Kasten K10 over your local, high-speed network. The solution lets you back up and restore large data sets in a fraction of the time required for public cloud storage, leading to enhanced Recovery Point Objectives (RPO) and Recovery Time Objectives (RTO).

Security and Ransomware Protection

Cloudian is a hardened object storage system that includes enhanced security features such as secure shell, encryption, integrated firewall and RBAC/IAM access controls to protect backup copies against malware. In addition, to protect data from ransomware attacks, Cloudian HyperStore and Kasten support Object Lock for air-tight data immutability all the way up to the operating system root level.

Kasten-Validated Solution

Cloudian is Kasten-validated to ensure trouble-free integration. Kasten’s native support for the S3 API enables seamless integration with Cloudian HyperStore.

Easy as 1-2-3

Setting up Kasten K10 and Cloudian Ransomware Protection is as simple as 3 easy steps:

1. Create a new target bucket on Cloudian HyperStore and enable Object Lock.


2. After Kasten K10 installation, check the “Enable Immutable Backups” box when adding a target S3 object storage bucket.


3. Validate the Cloudian object storage bucket and specify your protection period.
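
An added example, not Kasten or Cloudian code: a Python check an operator could run after the three steps to confirm that the target bucket really is immutable. It takes dictionaries shaped like the S3 GetObjectLockConfiguration, GetBucketVersioning and HeadObject responses; the function name, object keys, the 30-day protection period and the COMPLIANCE-mode requirement are assumptions, and the sample data is constructed.

```python
from datetime import datetime, timedelta, timezone

def audit_backup_bucket(lock_cfg, versioning, objects, protection_days, now):
    """Return findings for a backup target bucket (empty list = pass).
    lock_cfg/versioning: GetObjectLockConfiguration/GetBucketVersioning-shaped
    dicts; objects: {key: HeadObject-shaped dict}."""
    findings = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("bucket: Object Lock is not enabled")
    # Object Lock protects object versions, so versioning must be on.
    if versioning.get("Status") != "Enabled":
        findings.append("bucket: versioning is not enabled")
    window = timedelta(days=protection_days)
    for key, head in sorted(objects.items()):
        if now - head["LastModified"] >= window:
            continue  # older than the protection period; lock may have lapsed
        mode = head.get("ObjectLockMode")
        until = head.get("ObjectLockRetainUntilDate")
        if mode is None or until is None:
            findings.append(f"{key}: no retention set")
        elif until <= now:
            findings.append(f"{key}: retention expired inside protection period")
        elif mode != "COMPLIANCE":
            # Assumption: COMPLIANCE is required. GOVERNANCE locks can be
            # lifted by principals holding s3:BypassGovernanceRetention.
            findings.append(f"{key}: {mode} mode can be bypassed")
    return findings

# Constructed sample data, not taken from a real system.
NOW = datetime(2024, 1, 31, tzinfo=timezone.utc)
def _obj(age_days, mode=None, lock_days=None):
    head = {"LastModified": NOW - timedelta(days=age_days)}
    if mode:
        head["ObjectLockMode"] = mode
        head["ObjectLockRetainUntilDate"] = head["LastModified"] + timedelta(days=lock_days)
    return head
SAMPLE_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}
SAMPLE_VERSIONING = {"Status": "Enabled"}
SAMPLE_OBJECTS = {
    "backups/a": _obj(2, "COMPLIANCE", 30),   # locked for 28 more days
    "backups/b": _obj(5),                      # written without retention
    "backups/c": _obj(3, "GOVERNANCE", 30),   # locked, but bypassable
    "backups/d": _obj(90),                     # outside the window, skipped
    "backups/e": _obj(10, "COMPLIANCE", 7),   # lock lapsed 3 days ago
}
if __name__ == "__main__":
    print(audit_backup_bucket(SAMPLE_LOCK, SAMPLE_VERSIONING, SAMPLE_OBJECTS, 30, NOW))
```

An empty result means every object written inside the protection period is still under an unexpired lock.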

VMware Cloud Director and Cloudian: A Closer Look at the Integration

Cloudian and VMware now offer an integrated solution that offers a seamless experience for all vCloud Director service providers and their customers/tenants to leverage Cloudian HyperStore object storage.

The integrated solution for the first time brings S3 API support and Cloudian object storage to VMware vCloud Director environments.

The solution combines the power of:

  • VMware Cloud Director — a leading cloud service-delivery platform used by thousands of cloud providers to operate and manage successful cloud-service businesses
  • Cloudian HyperStore — an S3 API-based, infinitely scalable, durable and multi-tenant cloud object storage platform used by customers worldwide to address their ever-growing storage capacity needs

Now, cloud providers can deliver new S3-compatible storage and other high-value services to enterprises and IT teams across the world.

Under the Hood

So let’s dig a little deeper to better understand what this partnership and integrated solution offer. Every IT team has cloud on their mind and with vCloud Director, VMware is leading the charge by powering a network of thousands of cloud providers who guide their customers’ journey from on-premises to private cloud, hybrid cloud, or even multi-cloud roll out.

What was missing was a scalable, cost-effective storage layer. This is now addressed with the release of Object Storage Extension (OSE) and the integration of Cloudian HyperStore with VMware Cloud Director. The VMware Cloud Director admin can install OSE — just like they would install any other extension — which allows them to integrate and manage Cloudian HyperStore via the VMware Cloud Director admin portal. The VMware Cloud Director admin can also leverage SSO to sign on to the Cloudian management console to set up and configure a Cloudian HyperStore cluster.

VMware Cloud Director creates virtual data centers with elastic pools of cloud resources that are seamless to provision and easy to consume. It creates a fluid hybrid cloud fabric between an on-premise infrastructure and Cloud Service Provider, offering a best-in-class private/hybrid cloud with on-demand elasticity, streamlined on-ramp, native security, and hybridity.

Deep Integration for Seamless Management

This integration is not just about offering S3 API-based storage. It’s fully integrated management. Now, a VMware Cloud Director admin can centrally manage, monitor and consume Cloudian HyperStore just like they would any other storage resource, such as vSAN. This integration covers three areas:

  1. Data APIs: S3 APIs have become the de facto language of cloud storage. Cloudian has a fully native implementation of S3 APIs, which means we have the industry’s most compliant S3 API solution out there. This is key because if a service provider wants to build services that leverage S3 APIs, it needs to support all of the S3 API verbs like MPU, Sig V4, Tagging, etc. Cloud service providers don’t have visibility into customers’ applications and what S3 API calls they are using. Not supporting certain S3 API calls will result in poor customer satisfaction and higher support costs, thereby impacting profit. Cloudian offers the highest S3 API support, ensuring the best customer experience.
  2. Object Storage Features: VMware Cloud Director is a multi-tenant framework, a key component of a VMware Cloud Provider platform. So, for a storage solution to seamlessly fit into that framework it must be securely sharable, and limitlessly scalable. Cloudian is a scale-out platform that offers multi-tenancy, QoS, geo-distribution, global namespace, integrated billing and reporting. It is cloud provider-ready.
  3. Control Plane APIs: Most important are the Control Plane APIs that allow the VMware Cloud Director admin to seamlessly manage, operate and report from a central VMware Cloud Director portal. It allows VMware Cloud Director tenants to self-service their environment – create users, buckets, assign policies and provide reports at a granular level.

With these, cloud providers can deploy and manage profitable, high-value services in use cases such as:

  • Storage-as-a-Service (STaaS)
  • Backup-as-a-Service (BaaS)
  • Archive-as-a-Service (AaaS)
  • Disaster-Recovery-as-a-Service (DRaaS)
  • Big Data-as-a-Service (BDaaS)
  • Containers-as-a-Service (CaaS)
  • Software Test/Dev

S3 Compatible Storage Solutions Compared

S3 Compatible Storage, On-Prem

Today’s emerging on-prem enterprise storage medium is S3 compatible storage. Initially used only in the cloud, S3 storage is now being extended to on-prem and private cloud deployments.

The term “S3 compatible” means that the storage employs the S3 API as its “language.” Applications that speak the S3 API should be able to plug and play with S3 compatible storage.

A growing number of applications now support this storage type, thus benefitting from its unique attributes:

  • Scale: Designed to grow limitlessly within a single namespace
  • Geo-distribution: A single storage system can span multiple sites
  • Cost: Purpose-built to run on industry-standard servers, thus benefitting from the volume and efficiencies of that industry
  • Reliable data transport: The only storage type invented in the age of the Internet, S3-compatible storage is built to manage and move massive data volumes over WANs

Cloudian specializes in S3-compatible storage, but other examples of applications and devices that now employ S3 are Rubrik, Veeam, Commvault, Splunk, Pure Storage, Adobe, VERITAS, Hadoop, NetApp, EMC, Komprise, and more.

This is part of an extensive series of articles about S3 Storage.

Clarifying the Terms

But what is S3-compatible storage? This storage type goes by multiple names and can also be called:

Object storage: The underlying technology for S3 compatible storage is object storage. Over the years, multiple APIs have been used to access object storage, but the S3 API is now the most common.

Cloud storage: Most large-scale cloud storage today is object storage, and most of it employs the S3 API. There are multiple ways of referring to essentially the same thing: S3-compatible storage.

Benefits of S3 Compatible Storage On-Prem

There are 5 key reasons to deploy S3 compatible storage in your data center:

  1. Scale: S3-compatible solutions are designed to scale in a single namespace, and without disruption, to an exabyte. Grow your storage without adding workload.
  2. 70% less cost than public cloud: With industry-standard hardware, these solutions deliver the greatest value: less cost per GB and higher density. Also, no ingress/egress fees.
  3. Performance: Hardware is in your data center for low latency and high bandwidth.
  4. Control: Data is behind your firewall, so you can consistently apply security and control access.
  5. Cloud compatibility: S3 is compatible with cloud storage, so you can employ cloud when you need it, without disruption. Capitalize on the growing ecosystem of S3 compatible applications. Seamlessly move data and applications from on-prem to cloud.

The S3 API

S3 compatible storage is built on the Amazon S3 Application Programming Interface, better known as the S3 API, the most common way in which data is stored, managed, and retrieved by object stores. Originally created for the Amazon S3 Simple Storage Service, the widely adopted S3 API is now the de facto standard for object storage, employed by vendors and cloud providers industry-wide.

Not All S3 Compatible Storage APIs Are Equal

Compared with established file protocols such as NFS, the S3 API is relatively new and rapidly evolving. Among object storage vendors, S3 API compliance varies from below 50% to over 90%. This difference becomes material when an application — or an updated version of that app — fails due to S3 API incompatibility.

Cloudian is the only object storage solution to exclusively support the S3 API. Launched in 2011, Cloudian’s many years of S3 API development translate to the industry’s highest level of compliance.

Employing the S3 API makes an object storage solution flexible and powerful for three reasons:

1) Standardization in S3 Compatible Storage

With Cloudian, any object written using the S3 API can be used by other S3-enabled applications and object storage solutions; the existing code works out of the box.

2) Maturity 

The S3 API provides a wide variety of features that meet virtually every need for an object store. End users planning to deploy object stores can access the plentiful resources of the S3 community — both individuals and companies.

3) Rich Feature Set

The S3 API is the only storage “language” created in the era of the internet. The other common storage protocols (SMB and NFS) were created prior to the internet’s meteoric growth, and therefore did not factor in the needs of this infrastructure. As a result, only the S3 API includes features such as multi-part upload that make it easy to reliably transfer large files over dodgy WAN links.

The Cloudian Difference

Among the S3 compatible storage vendors, only Cloudian HyperStore was built from the start on the S3 API.

Translation Layers Introduce Potential Compatibility Challenges

Competitive solutions employ a translation layer (or some sort of “access layer” or software gateway), which introduces the risk of compatibility challenges. Cloudian has no translation layer, hence we refer to it as “S3 Native.”

Cloud Storage in the Data Center

The combination of object storage and the de facto language standard now creates the option for cloud-connected storage in the data center. For the cloud, AWS has set the standard with the S3 Storage Service. Now data center managers can capitalize on that identical set of capabilities in their own data center with Cloudian S3 compatible storage.

See the S3 API at Work

The City of Montebello uses the S3 API as a mechanism for streaming live video from busses to a central monitoring facility where it is recorded and stored with metadata to assist with search.