Tape backup as a defense vs. ransomware

Tape is definitely not the best choice for primary recovery, but it does have features that make it a credible option for restoring systems and data that have fallen victim to ransomware without having to pay the ransom.

The cloud has many more upsides than tape as a recovery tool in general, but there are circumstances where tape should be seriously considerd, and ransomware recovery is one of them.

When cloud’s not good enough

Using the cloud for ransomware recovery—or not—has become somewhat of a religious discussion in many circles. Choosing the cloud offers many positive things, including cost, speed, and immediate availability—all great advantages when responding to a ransomware attack.

But perhaps you work in an industry that does not yet trust the cloud. Some companies, and especially some governmental entities, really frown on relinquishing physical control over their data. They want a copy in their hands that they can manage both electronically and physically. They what to be able to put it in a box or cage that they can see and know that it is physically protected. They can’t see the cloud, so they regard it as unsafe.

Other organizations are fine with using the cloud for some applications but just don’t think of it as suitable for data protection.

The risk of disk

“If it’s on disk it’s at risk” was the marketing slogan for a tape company years ago. Perhaps that was in response to a disk vendor’s “Tape sucks, move on” campaign, but there was also some truth to the disk and risk claim.

If your backups are sitting on a disk drive in your data center that is accessible as a file system from the operating system of your backup server, it can indeed be attacked by the same ransomware you’re trying to defend against.

Even filesystems with immutability built into them can be overwritten if a hacker executes privilege-escalation to gain status as root or administrator. So the tape vendor’s claim about disks and risks was true: If your data is on a disk in your data center, it can be attacked.

Tape is the only true airgap

A lot of backup vendors market their products as having an airgap between the backed-up data and the backup data. The truth is that all vendors that use disk as their storage mechanism can at best say they have an electronic or virtual airgap. Since everything is still on disk somewhere, even if that somewhere is in the cloud, there is a risk that something could happen to the backup copy.

It is also true that if you put enough separation between the primary copy and the backup-disk copy, you can reduce that risk to virtually zero. You do this by changing as many things as you can between the two copies. Don’t use the same OS, the same storage, the same authentication systems, or the same LAN—and use the best available security practices to keep your backup data safe.

Tape, on the other hand, offers a true physical gap between the protected system and the backup copy. It doesn’t need to be turned on or connected to a backup system. In fact, the thing that tape is best at is being put in a vault that is nowhere near electronics. Instead of being worried about electronic security, you only need to worry about the physical security, which is much easier to manage, despite what you may have seen in the “Ocean’s 11” movies. Tape on a shelf in a vault can’t be touched by ransomware, and that’s why many people are reconsidering it.

Tape myths

You may have heard that tape is both slow and unreliable, but neither is true. As long as you address tape’s limitations, tape can be an effective part of your ransomware-recovery strategy. It has an excellent uncorrected bit error rate (UBER) and coercivity rate. UBER measures how often your magnetic device writes a “one” when it should write a “zero”. Coercivity is how likely a bit is to flip its polarity over time, a.k.a. bit rot. As long as you address these limitations, tape is a good place to store data.

Tape strategies vs. ransomware

If you are considering tape as part of your ransomware strategy, don’t send backups directly to tape. Tape drives write data at a certain speed and no slower. If the incoming transfer rate is slower than the speed at which a tape drive writes, the drive has to stop, reposition, and start again—back and forth, back and forth. So tape drives are essentially incompatible with incremental backup, and most backups are incremental.

A way around this problem is to send the backups to disk first. Because a disk is a random-access device, it can write data as it comes in, pause, and write the next chunk of data as it comes in without suffering performance loss. Once it has received a significant number of backups, they can be copied from the disk to tape at high speed, overcoming the mismatch between backup and tape.

Also don’t be obsessed about getting the latest and greatest tape drive, because chances are you’re not going to be able to supply data at their advertised speed. Buying older and slower tape drives will make the job easier, and your restore process probably will not suffer much because throughput speed is rarely the problem during a large recovery.

There are many steps you should take to protect backups from ransomware that don’t necessarily include tape, but the bottom line is that tape should definitely not be off the table in a ransomware discussion. If you don’t like any of the other options, tape can be a viable so long as you’re willing to accept its shortcomings. Make sure to backup to disk first and then copy to tape. And for goodness sake send that tape off-site, and put it in a vault managed by a professional organization that will keep it safe. Hopefully you will never need to use it, but if you do, you know it will be there.

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.