
Technical White Paper

Dell EMC PowerProtect Cyber Recovery: Reference Architecture

Abstract

This white paper focuses on the features and reference architecture of Dell EMC PowerProtect Cyber Recovery, another layer of protection for customers' data protection infrastructure.

June 2021
H18661

Revisions

Date        Description
June 2021   Initial release

Acknowledgments

Authors: Vinod Kumaresan and Charu

The information in this publication is provided "as is." Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.

Use, copying, and distribution of any software described in this publication requires an applicable software license.

This document may contain certain words that are not consistent with Dell's current language guidelines. Dell plans to update the document over subsequent future releases to revise these words accordingly.

This document may contain language from third-party content that is not under Dell's control and is not consistent with Dell's current guidelines for Dell's own content. When such third-party content is updated by the relevant third parties, this document will be revised accordingly.

Copyright 2021 Dell Inc. or its subsidiaries. All Rights Reserved. Dell Technologies, Dell, EMC, Dell EMC and other trademarks are trademarks of Dell Inc. or its subsidiaries. Other trademarks may be trademarks of their respective owners. [7/6/2021] [Technical White Paper] [H18661]

Dell EMC PowerProtect Cyber Recovery: Reference Architecture H18661

Table of contents

Revisions
Acknowledgments
Table of contents
Executive Summary
1 Introduction
1.1 Dell EMC PowerProtect Cyber Recovery
1.2 Dell EMC PowerProtect DD series appliances for Cyber Recovery
1.2.1 Cyber Recovery features
1.2.2 Cyber Recovery support matrix
2 Cyber Recovery Architecture
2.1 Cyber Recovery solution components
2.2 Logical air gap
2.3 Cyber Recovery integration with DD series
2.4 Cyber Recovery integration with the IDPA (DP4400)
2.5 Cyber Recovery vault in Amazon Web Services (AWS)
3 Integrating Vault Storage and Applications with Cyber Recovery
3.1 Adding vault storage with Cyber Recovery
3.2 Adding CyberSense with Cyber Recovery
3.3 Adding PowerProtect Data Manager with Cyber Recovery
3.3.1 Adding vCenter
3.3.2 Adding PowerProtect Data Manager
3.4 Adding NetWorker with Cyber Recovery
3.5 Adding Avamar with Cyber Recovery
4 MTree Replication
4.1 Creating the MTree replication context on DD series
4.1.1 Cyber Recovery policies and actions
5 Infrastructure Service Recommendations
5.1.1 Recommended network speed for DD series interfaces
5.1.2 Cyber Recovery network ports
5.1.3 Recommended connections between DD series
6 Cyber Recovery Software Limitations
A Technical support and resources
A.1 Related resources

Executive Summary

As organizations become increasingly aware of the cybersecurity risks that threaten their mission-critical operations and their reputation, IT security has become an essential part of enterprise digital strategy. According to the Gartner 2020 Board of Directors Survey, cybersecurity-related risk is rated as the second-highest source of risk for the enterprise, following regulatory compliance risk.

According to Gartner, 40 percent of boards of directors will have a dedicated cybersecurity committee overseen by a qualified board member by 2025, up from less than 10 percent today. This is one of several organizational changes that Gartner expects to see at the board, management, and security team level in response to the greater risk created by the expanded digital footprint of organizations, an expansion that the pandemic has further accelerated.

Global business relies on the constant flow of data across interconnected networks, and digital transformation means an increase in sensitive data. This increased data flow presents ample opportunity for cyber threats and the exposure of data to ransom, corporate espionage, or even cyber warfare.

Dell Technologies and Dell EMC PowerProtect Cyber Recovery protect business-critical data and minimize the impact of a cyberattack. The PowerProtect Cyber Recovery solution provides a higher likelihood of success in the recovery of business-critical systems.

Cyber Recovery provides proven, modern, and intelligent protection to isolate critical data, identify suspicious activity, and accelerate data recovery. This protection allows normal business operations to resume quickly.

Note: This white paper is based on the Cyber Recovery version 19.8 release and will be updated for each version released.

1 Introduction

1.1 Dell EMC PowerProtect Cyber Recovery

PowerProtect Cyber Recovery enables automated workflows to augment data protection infrastructure with true data isolation, data forensics, analytics, and, most importantly, data recovery for increased business resiliency. Cyber Recovery combines multiple layers of protection and security into a turnkey solution to provide maximum protection for critical data.

The Cyber Recovery solution protects the backed-up mission-critical business data and technology configurations in a secure vault environment that can be used for data recovery. The management software also enables creation of writable sandbox copies for data validation and analytics.

The Cyber Recovery vault is disconnected from the production network by using an automated air gap. The vault stores all critical data off-network to isolate it from attack. Cyber Recovery automates data synchronization between production systems and the vault by creating immutable copies with locked retention policies.

If a security breach occurs, the Security Officer or an Admin user can manually secure the Cyber Recovery vault. While the vault is secured, the Cyber Recovery software performs no replication operations, including scheduled ones. This capability promotes business resiliency and provides assurance following extreme data loss or destruction: the vault holds both business data and technology configuration data, which enables rapid recovery of the environment and resumption of normal business operations.

1.2 Dell EMC PowerProtect DD series appliances for Cyber Recovery

PowerProtect DD series appliances are fast, secure, and efficient data protection appliances that support the Cyber Recovery solution and accommodate a unique Cyber Recovery vault.

Cyber Recovery works with DD series MTree replication technology to move and retain the protected copies of critical data in the Cyber Recovery vault.

Required DD series licenses for Cyber Recovery include DD Boost, Replication, Retention Lock Governance, and Retention Lock Compliance.

1.2.1 Cyber Recovery features

The key features of the Cyber Recovery solution include:

- Secure data in an isolated network with an automated operational air gap
- Policy-based secure copy creation, management, and scheduling
- Integration with Index Engines CyberSense software to detect whether the backup data has been tampered with
- Robust REST API framework that enables analytics with artificial intelligence (AI) and machine learning (ML) for malware (including ransomware)
- Recovery assistance and the ability to export data to a recovery host easily
- Automated recovery options for the NetWorker and PowerProtect Data Manager applications
- Optional multifactor authentication, enabled from the UI or command-line interface (CLI), to provide added protection for the Cyber Recovery software and its resources
- Informative dashboards that show system alerts, the state of the Cyber Recovery vault, and critical details
- Ability to transmit alerts through SMTP outside the Cyber Recovery vault
- Support for high availability (HA) on DD series in the Cyber Recovery vault
- Replication window enforcement that stops a sync operation if it runs longer than the replication window
- Automatic retention locking feature that applies the retention lock with no additional operation
- Ability to create a Cyber Recovery policy by selecting multiple MTree replication contexts (multiple MTrees are only supported for a PowerProtect Data Manager policy)
- An evaluation or proof-of-concept license that is valid for 90 days
- Sheltered Harbor endorsement for achieving compliance with financial institution data vaulting standards and certification, planning for operational resilience and recovery, and protecting financial critical data
- On-demand cleanup from the Cyber Recovery UI by clicking the Maintenance tab under the gear icon in the masthead navigation
- A maximum of three simultaneous login sessions for the Security Officer (crso) for enhanced security
- Notification if a user's email address is modified or if multifactor authentication is disabled
- Option to add a virtual Ethernet adapter to configure a separate IP address for SMTP communication from the Cyber Recovery vault if the Postfix mail transfer agent is used
- Support for recovery of PowerProtect Data Manager with Oracle, SQL, and file system workloads
- Option to provide the location of the latest bootstrap backup for a faster automated NetWorker recovery
- Support for the Cyber Recovery vault on Amazon Web Services (AWS)
- Support for the Cyber Recovery software on a supported Linux operating system in a Microsoft Hyper-V environment
- Starting with Cyber Recovery v19.8, support for the analyze operation for PowerProtect Data Manager backups (Filesystem, VMware, and Oracle)
- Addition of REST API V6, which is backwards compatible with REST API V5 and V4. REST API V3 and earlier versions are no longer supported
- The "crsetup.sh" script to perform a readiness check before upgrading the Cyber Recovery software
- Support for multiple DDVE appliances for the Cyber Recovery vault on AWS; up to 5 DDVEs are supported
- The CyberSense analysis report can be sent to additional email addresses other than that of the logged-in user
- Cyber Recovery telemetry feature that sends telemetry information using one-way email to Dell Technologies for troubleshooting purposes

- Cyber Recovery custom certificate support: users can generate a Certificate Signing Request (CSR), submit the CSR to a Certificate Authority (CA) to obtain a CA-signed certificate, and add it to the Cyber Recovery system
- From the CRCLI and the REST API, the option to:
  - include or exclude files and file paths from the analyze action
  - optionally specify the content format of the MTree to be analyzed, which is included in the CyberSense report for informational purposes
- Password expiration is set to 90 days by default; the value can be changed to a minimum of 30 days and a maximum of 180 days for all UI users

1.2.2 Cyber Recovery support matrix

For details about compatibility, see the Dell EMC PowerProtect Cyber Recovery Simple Support Matrix.

2 Cyber Recovery Architecture

Production environment: For the production side of the solution, it is assumed that the data to be protected as part of the Cyber Recovery solution is available in a format supported by the DD series and CyberSense, and that it is stored on a DD series MTree in the production environment.

Vault environment: The Cyber Recovery vault environment contains a DD series and the Cyber Recovery management host that runs the Cyber Recovery software. Data from the production environment enters the Cyber Recovery vault environment through DD series MTree replication. This environment can also contain various recovery and analytics/indexing physical or virtual hosts that integrate with the solution.

Cyber Recovery integrates with the Integrated Data Protection backup solution to maintain mission-critical business data in a secure vault environment for data recovery.

Server infrastructure is installed in the vault environment and is not shared with or connected to the production environment. Keeping vault server equipment separate from the production environment ensures that any ongoing issues (cyberattacks, operational issues, and so on) do not propagate into the vault environment. Additional safeguards include an automated operational air gap to provide network isolation and to eliminate exposed management interfaces.

The server infrastructure in the Cyber Recovery vault can be deployed in multiple ways:

- Discrete physical servers
- Hyper-V, or VMware ESXi with or without vSAN
- Dell EMC VxRail appliance

2.1 Cyber Recovery solution components

The Cyber Recovery solution includes the following components:

Production DD series: The source DD series contains the production data that the Cyber Recovery solution protects.

Vault DD series: The DD series system in the Cyber Recovery vault is the replication target for the source DD series.

Cyber Recovery software: The Cyber Recovery software orchestrates synchronization, manages and locks the multiple data copies that are stored on the DD series in the Cyber Recovery vault, and orchestrates recovery. The software also governs the optional process of performing analytics on the data that is stored on the DD series in the Cyber Recovery vault using the CyberSense feature.

Retention Lock (governance or compliance) software: Data Domain Retention Lock technology provides data immutability for a specified time. Retention Lock functionality is enabled based on the Cyber Recovery policy configuration.

Cyber Recovery management host: The Cyber Recovery software is installed on the management host. This server is installed in the vault environment.

Recovery hosts: The backup application recovery server is a designated server to which the backup application (NetWorker, Avamar, PowerProtect Data Manager, or other applications or a combination of applications) and the backup application catalog are recovered. Multiple servers can be deployed, depending on the recovery requirements of the solution. The backup application recovery server is sized so that all backup applications that are protected by the Cyber Recovery solution can be recovered. If the Cyber Recovery solution is protecting a physical, single-node Avamar system in a production environment, a single-node Avamar system must also reside in the vault for recovery purposes.

Analytics/indexing host (CyberSense): Cyber Recovery is the first solution to fully integrate with CyberSense. CyberSense adds an intelligent layer of protection to help find data corruption when an attack penetrates the data center. CyberSense is deployed in the Cyber Recovery vault environment. This innovative approach provides full content indexing. It uses machine learning (ML) to analyze the backup copies in the vault with over 100 content-based statistics and detects signs of corruption due to ransomware. CyberSense detects corruption with up to 99.5 percent confidence, identifies threats, and diagnoses attack vectors while protecting the business-critical content, all within the security of the vault.

2.2 Logical air gap

The term "air gap" implies physical isolation from an unsecure system or network. A logical air gap describes a physical connection but logical isolation from the network. The logical air gap provides another layer of defense by reducing the attack surface.

Cyber Recovery provides the air-gap feature to keep the Cyber Recovery vault disconnected from the production network. The DD series in the Cyber Recovery vault is disconnected (air-gapped) from the production network most of the time and is only connected when Cyber Recovery triggers replication.

The DD series in the Cyber Recovery vault is connected to the production DD series only during the data synchronization operation.
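The following Python model illustrates the operational air gap just described, together with the manual "secure the vault" lockdown from section 1.1 and the replication window enforcement listed in section 1.2.1. It is an added example and not Cyber Recovery or DD series code: the paper does not show the DD series operations that bring the replication interface and context up and down, so they are represented by stub methods on VaultLink, and the per-segment transfer times, the role names "crso" and "admin", and the window length are constructed inputs. The property being demonstrated is that the link is closed by default, opens only for one sync, and is closed again on every exit path, including an aborted sync.

```python
from dataclasses import dataclass, field
from enum import Enum
from typing import Iterable, List


class LinkState(Enum):
    CLOSED = "closed"    # default: the vault is unreachable from production
    OPEN = "open"        # only while a Cyber Recovery sync is in progress
    SECURED = "secured"  # manual lockdown: no sync may open the link


@dataclass
class SyncResult:
    outcome: str          # "completed", "aborted" or "refused"
    segments_copied: int


@dataclass
class VaultLink:
    """Replication Ethernet interface plus replication context on the vault DD series."""
    state: LinkState = LinkState.CLOSED
    audit: List[str] = field(default_factory=list)

    # Hypothetical stand-ins for the DD series operations the paper does not spell out.
    def _enable(self) -> None:
        self.audit.append("replication interface up, replication context enabled")

    def _disable(self) -> None:
        self.audit.append("replication interface down, replication context disabled")

    def secure(self, actor_role: str) -> None:
        """Manual lockdown after a breach (section 1.1): Security Officer or Admin only."""
        if actor_role not in ("crso", "admin"):
            raise PermissionError(f"role {actor_role!r} may not secure the vault")
        self.state = LinkState.SECURED
        self.audit.append(f"vault secured by {actor_role}")

    def run_sync(self, segment_seconds: Iterable[int], window_seconds: int) -> SyncResult:
        """Open the link for one sync and close it again on every exit path.

        segment_seconds: assumed transfer time of each changed segment (constructed input).
        window_seconds: the policy's replication window; a sync that would run past it
        is aborted (replication window enforcement, section 1.2.1).
        """
        if self.state is LinkState.SECURED:
            self.audit.append("sync refused: vault is secured")
            return SyncResult("refused", 0)
        self._enable()
        self.state = LinkState.OPEN
        elapsed = copied = 0
        try:
            for seconds in segment_seconds:
                if elapsed + seconds > window_seconds:
                    self.audit.append(f"sync aborted after {copied} segments: window exceeded")
                    return SyncResult("aborted", copied)
                elapsed += seconds
                copied += 1
            self.audit.append(f"sync completed: {copied} segments in {elapsed}s")
            return SyncResult("completed", copied)
        finally:
            # Whatever happened, production loses its path into the vault again.
            self._disable()
            if self.state is LinkState.OPEN:
                self.state = LinkState.CLOSED
```

The `finally` block is the part worth copying into any real orchestration: the close-down must not depend on the sync having succeeded, because an attacker who can stall replication must not thereby hold the link open.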

2.3 Cyber Recovery integration with DD series

The reference architecture below represents Cyber Recovery solution integration with DD series. The Cyber Recovery solution uses DD series to replicate data from the production system to the Cyber Recovery vault through a dedicated replication data link.

2.4 Cyber Recovery integration with the IDPA (DP4400)

The reference architecture below represents Cyber Recovery solution integration with IDPA.

2.5 Cyber Recovery vault in Amazon Web Services (AWS)

Starting with Cyber Recovery version 19.7, the Cyber Recovery vault is supported on AWS. The Cyber Recovery software manages a virtual air gap between a production environment and the Cyber Recovery vault. It disables replication links and replication ports on the production Data Domain system when Cyber Recovery policies are idle.

The Cyber Recovery software is made available as an Amazon Machine Image (AMI). To deploy the Cyber Recovery software to an Elastic Compute Cloud (EC2) instance in a Virtual Private Cloud (VPC), use an Amazon Web Services (AWS) CloudFormation template.

The CloudFormation template deploys all the components that the Cyber Recovery solution requires in the VPC on AWS. The template creates two private subnets: a private subnet that includes the jump host and a private subnet that includes the Cyber Recovery management host and DDVE. It also configures security groups, Access Control Lists (ACLs), and inbound and outbound rules. The vault jump host can be accessed by using a VPN gateway or AWS Direct Connect.

AWS provides VPC security mechanisms that provide additional security measures for the Cyber Recovery vault:

- Security groups, which protect the instances deployed in the VPC
- Network access control lists (network ACLs)

The Cyber Recovery software enables and disables access to a private subnet through a network ACL and enables and disables access to an instance through security groups.

For more details, see the Dell EMC PowerProtect Cyber Recovery AWS Deployment Guide.

3 Integrating Vault Storage and Applications with Cyber Recovery

3.1 Adding vault storage with Cyber Recovery

1. From the Main Menu, select Infrastructure > Assets.
2. Click VAULT STORAGE at the top of the Assets content pane.
3. Click Add.
4. Complete the following fields in the dialog box:
5. Click Save.

The VAULT STORAGE table lists the storage object.

3.2 Adding CyberSense with Cyber Recovery

1. From the Main Menu, select Infrastructure > Assets.
2. Click APPLICATIONS at the top of the Assets content pane.
3. Click Add.
4. Complete the following fields in the dialog box:
5. Click Save.

The Applications table lists the CyberSense application.

3.3 Adding PowerProtect Data Manager with Cyber Recovery

3.3.1 Adding vCenter

1. From the Main Menu, select Infrastructure > Assets.
2. Click vCenters at the top of the Assets content pane.
3. Click Add.
4. Complete the following fields in the dialog box and click Save.

3.3.2 Adding PowerProtect Data Manager

1. From the Main Menu, select Infrastructure > Assets.
2. Click APPLICATIONS at the top of the Assets content pane.
3. Click Add.
4. Complete the following fields in the dialog box and click Save.

3.4 Adding NetWorker with Cyber Recovery

1. From the Main Menu, select Infrastructure > Assets.
2. Click APPLICATIONS at the top of the Assets content pane.
3. Click Add.
4. Complete the following fields in the dialog box and click Save.

3.5 Adding Avamar with Cyber Recovery

1. From the Main Menu, select Infrastructure > Assets.
2. Click APPLICATIONS at the top of the Assets content pane.
3. Click Add.
4. Complete the following fields in the dialog box and click Save.

4 MTree Replication

MTree replication is a DD series feature that copies unique data from the production DD series MTree to the DD series MTree in the Cyber Recovery vault.

MTree replication synchronizes data between the production environment and the air-gapped Cyber Recovery vault. Immutable protection points are created in the Cyber Recovery vault. They can be used for recovery and analytics after being copied to a read/write DD series MTree.

The Cyber Recovery software controls data synchronization from the production environment to the vault environment by means of DD series MTree replication. After the datasets and associated MTrees to be protected by the Cyber Recovery solution are determined, replication contexts are set up between the production and vault DD series.

MTree replication is designed so that all data within an MTree is replicated securely between two DD series appliances. After the initial synchronization is completed and all data is copied to the vault DD series, each subsequent synchronization operation copies only new and changed data segments.

4.1 Creating the MTree replication context on DD series

Replication contexts must be created and initialized between the DD series. The policy for the replication is created on the Cyber Recovery management host.

4.1.1 Cyber Recovery policies and actions

The UI displays the available policy types: Standard and PPDM.

For backup software other than PowerProtect Data Manager, select Standard as the Policy Type. Because Sheltered Harbor is not enabled by default, it is not in the Policy Type menu. When Sheltered Harbor is enabled on the system, it is then displayed in the menu.

The following actions are available for all policy types except the Sheltered Harbor policy type:

- Secure Copy (sync the data, create a fast copy, put a Retention Lock on the copy)
- Sync Copy (sync the data and create a fast copy)
- Sync (sync the data)
- Copy (create a fast copy of data that is already on the PowerProtect DD series appliance in the vault environment)
- Copy Lock (put a Retention Lock on a copy or extend the lock duration)

For a Sheltered Harbor policy type, the only action available is Sheltered Harbor Copy (Sync, Verify, Copy, Certify, Lock, Report).
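The Python model below shows how the five actions above compose three primitives (sync, fast copy, retention lock) and what the Retention Lock described in section 2.1 actually guarantees: a locked copy cannot be deleted before its lock expires, and Copy Lock may extend a lock but never shorten it. It is an added example and not Cyber Recovery or DD OS code; the MTree, the copies and the segment counts are in-memory stand-ins, the copy naming scheme and the 14-day default lock are assumptions (the paper states no default), and the Sheltered Harbor Copy action is not modeled.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, Optional


@dataclass
class PointInTimeCopy:
    """A fast copy of the replicated MTree taken in the vault."""
    name: str
    created: datetime
    locked_until: Optional[datetime] = None

    def is_locked(self, now: datetime) -> bool:
        return self.locked_until is not None and now < self.locked_until


@dataclass
class VaultMTree:
    """Replication target MTree on the vault DD series plus its point-in-time copies."""
    segments: int = 0                    # data delivered so far by MTree replication
    copies: Dict[str, PointInTimeCopy] = field(default_factory=dict)


class PolicyActions:
    """The Standard/PPDM policy actions of section 4.1.1, built from three primitives."""

    def __init__(self, vault: VaultMTree, default_lock: timedelta = timedelta(days=14)):
        self.vault = vault
        self.default_lock = default_lock  # assumption: the paper states no default duration

    # --- primitives -------------------------------------------------------------
    def sync(self, changed_segments: int) -> int:
        """MTree replication: after the initial sync only new and changed segments arrive."""
        self.vault.segments += changed_segments
        return self.vault.segments

    def copy(self, now: datetime) -> PointInTimeCopy:
        """Fast copy of whatever replication has already placed in the vault."""
        if self.vault.segments == 0:
            raise RuntimeError("nothing has been replicated into the vault yet")
        name = f"cr-copy-{now:%Y%m%d-%H%M%S}"      # hypothetical naming scheme
        pit = PointInTimeCopy(name, now)
        self.vault.copies[name] = pit
        return pit

    def copy_lock(self, name: str, now: datetime,
                  duration: Optional[timedelta] = None) -> datetime:
        """Copy Lock: apply a Retention Lock or extend it; a lock is never shortened."""
        pit = self.vault.copies[name]
        new_until = now + (duration or self.default_lock)
        if pit.locked_until is not None and new_until < pit.locked_until:
            raise ValueError("retention lock may be extended but not shortened")
        pit.locked_until = new_until
        return new_until

    # --- what immutability buys you --------------------------------------------
    def delete_copy(self, name: str, now: datetime) -> None:
        pit = self.vault.copies[name]
        if pit.is_locked(now):
            raise PermissionError(f"{name} is retention locked until {pit.locked_until}")
        del self.vault.copies[name]

    # --- the policy actions ----------------------------------------------------
    def run(self, action: str, now: datetime,
            changed_segments: int = 0) -> Optional[PointInTimeCopy]:
        if action == "Sync":
            self.sync(changed_segments)
            return None
        if action == "Copy":
            return self.copy(now)
        if action == "Sync Copy":
            self.sync(changed_segments)
            return self.copy(now)
        if action == "Secure Copy":
            self.sync(changed_segments)
            pit = self.copy(now)
            self.copy_lock(pit.name, now)
            return pit
        raise ValueError(f"unknown action {action!r}")
```

The point a practitioner should take from this model is that Secure Copy is the only action whose output is protected the moment it exists; a Sync Copy that is never followed by Copy Lock leaves a mutable copy in the vault for as long as the lock is deferred.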

5 Infrastructure Service Recommendations

5.1.1 Recommended network speed for DD series interfaces

The Cyber Recovery software enables and disables the replication Ethernet interface and the replication context on the DD series in the Cyber Recovery vault to control the flow of data from the production environment to the vault environment. The Cyber Recovery software manages the replication link, and the connection is enabled only when new data must be ingested by the DD series in the Cyber Recovery vault.

The replication link on the DD series in the Cyber Recovery vault uses its own dedicated Ethernet interface. For the replication link that connects the production DD series to the DD series in the Cyber Recovery vault, use the fastest link speed possible: 10 Gb/s Ethernet (GbE) is recommended, and speeds up to 25 Gb/s are supported.

To secure the network links that connect the vault environment to the production environment, or to any other network, installing a firewall on both the DD series replication link and the SMTP link is recommended. If a firewall is placed in the replication path, do not enable deep packet inspection on it: inspecting the replication stream is costly and slows the sync down.

If a hyperconverged VMware appliance is installed in the Cyber Recovery vault, the VMware NSX Distributed Firewall (DFW) is a satisfactory firewall option for reducing complexity in the vault environment and protecting VMware-based infrastructure. Additionally, the DFW is a potential software-defined option for protecting the Data Domain replication link between the production and vault DD series at near wire speed.

The Cyber Recovery software does not support adding Ethernet interfaces to a Cyber Recovery virtual appliance deployment.

5.1.2 Cyber Recovery network ports

The following figure lists the network ports that Cyber Recovery functions require:

5.1.3 Recommended connections between DD series

The Cyber Recovery software works with a replication data link between the vault-environment and production-environment DD series. The Cyber Recovery software communicates with all DD series appliances using SSH.

The production and vault environment networks are not directly connected to each other, except for the replication data link between the DD series in the two environments. The replication data link can be connected directly or through a dedicated switch to the DD series in the vault environment; using dedicated replication switches is recommended.

6 Cyber Recovery Software Limitations

The following list describes the known limitations of the Cyber Recovery software:

- Cyber Recovery supports up to five DD series in the Cyber Recovery vault and a maximum of ten systems in all
- Each production DD series MTree that is protected by using a Cyber Recovery policy requires three or more MTrees on the Cyber Recovery vault DD series for the following pu
