A recent problem presented to us was the need to protect an organisations data from Ransomware. There are obviously multiple routes to addressing this problem, all of which layer on the defences.
Appropriate physical firewalls
Robust firewall rules. Managed and equivalent across an estate using explicit source, destination, port allow / deny configurations
RBAC to firewalls, switches, servers, databases using the principles of least privileged access
Segregation of the LAN to reduce the direct server to server and EUC to server traffic opportunities.
Server based malware protection. Perhaps stretching to an explicit anti-malware toolset
Backups
More backups
The focus for this client was a partially designed LTO tape drive solution they wanted to develop. There had already been a study into AWS S3 storage with Object Lock and several on-premise disk based chassis.
All of these could integrate with the existing VEEAM solution, but none provided the old-fashioned assurance equivalent to a physical tape that can be disconnected from the network and removed from the site.
Within the bounds of what was possible in this engagement the focus was not to throw-out the design already created (and purchased) but rather to ensure the backup data could be written to tape in a suitably short time to enable a speedy tape removal from site.
As is usual, the engagement started with a capture of the actual requirements and expected outcomes. Some of these points need a degree of challenge and modification to ensure expectations of the final service performance were realistic so that SLAs could be aligned to what is possible.
The end result. That will be proven once the solution is physically implemented and tuning of the backup job sequence gets underway.
More later when we the service is up and running.
Comentários