Immutability and US Signal’s DRaaS Powered by Zerto
October 24, 2023
Backup, Disaster Recovery
Sometimes (actually, most of the time), our solution architects say it best. That was the case when a US Signal customer asked about immutability (the inability of a file to be changed) — specifically, the immutability of backups in US Signal’s Disaster Recovery as a Service (DRaaS) solution that’s powered by Zerto.
Here’s how the US Signal solution architect answered that question.
The Power of Zerto Technology
Managed DRaaS by US Signal uses Zerto for replication, but the service goes far beyond just deploying Zerto. Included in the US Signal DRaaS are many security-first practices and procedures that leverage both technology and design best practices with validated human processes for both implementation and ongoing support.
The Zerto technology uses something called Virtual Protection Groups (VPGs). This is Zerto’s proprietary way of storing replicated virtual machines (VMs) in the DR environment. The VPG is not a VM; there’s no operating system running. In fact, the VM isn’t actually a VM, so it can’t even be booted up, which means it can’t be directly targeted by malicious code.
The storage where the VPG resides is encrypted at rest and utilizes several protection measures (striping, write to all, RAID, etc.). Though the VPGs aren’t using immutability in the traditional sense of write once, read many (WORM), US Signal incorporates the Zerto journaling system and control plane separation from the production environment to secure them.
By removing the administrative controls from the end customer’s production environment, we keep the Zerto data logically air-gapped from the production data. This provides multiple layers of data protection/separation to prevent any bad actor from deleting or altering VPGs.
Real-world Proof
We have several examples of what I’ve described working in real-world applications, particularly in customer on-premises environments backed up with Veeam. Veeam backup and replication get compromised, along with the other production servers, and backups get deleted. However, the Zerto hypervisor-based replication is under the US Signal control plane and remains intact. We’ve had customers who manage their own Veeam backups, but also have US Signal DRaaS, lose all their backups during an attack, but US Signal DRaaS saved the day.
The use of air gapping is even more robust in cloud-to-cloud deployments. This is because the end customer’s servers live in Cloud Director as a VM that has no access or visibility to vCenter/vSphere. This adds even more separation as Zerto only communicates with vCenter (not VMs or any server OS). The bad actors don’t even know it’s there, and US Signal carries all the admin controls totally outside the end customer environment.
When a ransomware attack takes place, the infected VMs begin to replicate encrypted data, but the journaling allows US Signal engineers to go back in time and recover the VM (server) at a point before the encryption took place (minutes, seconds, days or whatever is needed). This can all be done in an isolated environment (VMs recovered into an isolated DR pool), allowing incident response (IR) teams to scan, clean, and prepare the VMs to be put back into production.
Learn More
If you’re interested in learning more about US Signal’s DRaaS with Zerto, you’ll find additional information and resources here. Our eBook, BC/DR in Healthcare, also provides great information, as well as some use cases. There’s also a blog specifically on air gapping and cybersecurity.
Of course, our solution architects are always available to work with you directly to assess your IT needs and determine how DRaaS with Zerto can benefit your organization. To get started, just contact us.