Every organization’s CISO knows that a malware attack on their watch is a question of when, not if. A quick Google search of “recent ransomware outbreaks” brings up a sobering list of both large and small enterprises whose defenses were breached, and who suffered a varied list of consequences: lost data, stolen data, loss of revenue, ransomware payments.
Depending on the scope of the attack, the effects may impact more than just the company’s own bottom line. The theft of employee or customer data – including sensitive financial or medical records – creates downstream risk and consequences beyond the company’s balance sheet. Even worse, in the event of ransomware attacks on hospitals, medical treatments can be delayed or denied.
Beyond the loss of revenue and business, in some industries the failure to secure critical business systems and data may incur additional regulatory and legal penalties: fines, settlements, and even criminal liability. As if that weren’t enough, the reputational impact for any storage administrator, IT director, and CSO could be long-lasting or even permanent.
How does ransomware get in? Let me count the ways…
Cyber criminals use clever tactics to infiltrate a company’s environment at multiple layers and deploy ransomware. One of the most common is social engineering – maybe a phishing email where a company insider is tricked into sharing credentials or downloading malware and letting the threat in.
USB drives, partner networks, unpatched vulnerabilities, and easy-to-obtain passwords are all potential threat vectors for malware to gain entry. Hybrid work models create more. This is why it’s important to take a holistic approach to security to prevent entry, detect and contain ransomware when it happens, and have a recovery plan in place.
Ransomware: The Anatomy of an Attack
Ransomware can infect just about any device with an operating system or digital connection: network devices, IoT devices, desktop computers, servers, digital cameras, printers, and external USB drives. The goal of most ransomware attacks is to exfiltrate data and / or encrypt data to force organizations to pay for the keys to decrypt their data. Attacks typically happen in phases:
- Gain access to the network and at least one initial device
- Infect as many additional devices as possible to gather information
- Exfiltrate data
- Deploy additional modules that; for example, encrypt data
- Encrypt data for extortion
In the first phase, the intruders continue to gather more information about the infrastructure (users, data flows, network topologies, devices). Then, at a later stage, they start to exfiltrate data and / or load additional malware to start other threads that can access data and encrypt files.
This is why an efficient risk management strategy is needed that focuses on attack vectors to prevent infection or detect early phases at the point on the network and compute devices where the infection occurred. Data storage is at the end of the infection cycle. The longer the malware runs, the further the infection spreads, complicating disaster recovery and resumption of operations.
Qumulo’s holistic security architecture: overview
A holistic security approach to ransomware detection captures data from as many devices as possible to identify suspicious events at the entry point(s) for analysis and correlation. Upon detection, action is taken to stop the ransomware from gaining access to subsequent layers including your file storage.
Implementing a holistic security approach that includes network, compute, device and event-monitoring techniques, together with data correlation and analysis, is preferable over siloed security solutions that are embedded in the storage system. The goal is to keep the ransomware from getting anywhere near your file data.
Every Qumulo system is engineered with security at its core and includes a broad spectrum of modern technologies and data services designed to keep data safe. Qumulo’s software architecture is a purpose-built file system with a natively developed protocol stack. It uses no third-party code for file data access protocols. Regular non-disruptive software updates include Qumulo image updates and bug fixes, and address known vulnerability and exposure (CVE) issues as they are discovered.
For these reasons and more, Qumulo is able to support a holistic security strategy across three domains. Prevention is covered in this post. Intrusion detection is the topic of the second in the series, and the third post will address data recovery and business resumption in the second article of this three-part series.
The inherent security of the Qumulo software stack
The first objective of ransomware is to get behind your firewall and into your network, where the bad actor can watch, move around, and plan a deeper attack. Qumulo’s software architecture includes specific protection at every level of the stack to reduce the threat surface available to ransomware and other exploits, including:
Secure system architecture
The Qumulo software stack was engineered from the very beginning for the tightest possible system security. Many of these measures are inherent in the operating environment itself – automatically made available to all Qumulo customers in all deployments.
Linux environment adaptations
While Qumulo’s software runs on standard, enterprise-grade hardware paired with an Ubuntu Long-Term Support release in on-prem deployments, the underlying Linux operating system is locked down, allowing only the operations needed to perform the required supporting tasks of the Qumulo software stack. Other standard Linux services have been disabled in order to further reduce the risk surface for an attack.
Fully native software stack
Although Linux includes open-source components to provide both NFS and SMB client and server services (e.g. Samba, Ganesha, etc.), these services are not included in the hardened Ubuntu image that supports the Qumulo software stack. Qumulo develops and controls all code used for data-access protocols NFS, SMB, FTP, and S3 – in the Qumulo operating environment. Any risks that might arise from known or discovered vulnerabilities in third-party components are effectively neutralized by Qumulo’s control of its proprietary code.
User-space application execution
Not only is Qumulo software developed in accordance with secure coding best practices – further reducing the potential attack surface and the risk of exploitable vulnerabilities – but it is also completely contained within the user-space of the underlying Linux operating system. Even if a Linux vulnerability is discovered and exploited, the attacker might seize user privileges on the underlying appliance, but would still not be able to access Qumulo’s proprietary management controls or file-system data.
Level of separation from the operating system
There is no possible pathway or means for sharing users or privileges in the underlying operating system with users and privileges within the Qumulo operating environment: any user accounts in the base Linux image are not recognized by the Qumulo platform, whose user base is typically maintained either in Active Directory or in a local database within the cluster. This is a different approach from other file-storage platforms, where an admin- or root-level user with local access to any of the storage nodes or controllers can easily access and manipulate all data, including within the file system or on any local volume.
Instant upgrades
Qumulo’s container-based architecture enables a unique upgrade process that minimizes disruption to users and workflows. On a rolling, node-by-node basis, the new operating software is deployed in a parallel container to the old version. Once the new instance has initialized, the old environment is gracefully shut down and the upgrade proceeds to the next node until the entire cluster has been upgraded.
This process compares favorably to that of other storage platforms, who may release minor updates every few months and major updates annually, leading to less-frequent opportunities to close any new security holes.
Software-based data encryption at rest
All data on an on-premises Qumulo cluster is automatically encrypted as it’s written to disk using an AES 256-bit compliant algorithm, ensuring that all data on a Qumulo system is secured against bad actors even if they are able to gain access to the system’s physical media itself.
For on-premises deployments, software encryption is part of the file system stack. The encryption algorithm initializes as part of the initial cluster build process, and compasses all file system data and metadata at the block level.
Qumulo clusters in the cloud rely on block-level encryption within the cloud-storage layer, thereby ensuring that all at-rest data on any Qumulo instance is fully encrypted.
Protecting and securing Qumulo systems and data
Beyond just the security features inherent in Qumulo’s architecture, however, is a layer of configurable controls and services for securing data on your Qumulo instance, as well as the instance itself.
Administrative security
This section outlines available options as well as other recommended practices for maintaining a high level of security.
Active Directory integration
Beyond the need for restricting system access to only authorized accounts and securing data at the disk level via encryption, the next layer of data protection requires a secure directory of user accounts from which storage and data access rights and permissions can be managed.
Qumulo software was engineered to leverage Microsoft Active Directory (AD) for both administrative and user rights and permissions. AD accounts can be configured for both cluster management and client access.
Role-based Access Control
Role-based access control (RBAC) allows admins to assign fine-grained privileges to regular users or groups and to alleviate their privileges where needed while keeping them as minimal as possible. This allows for delegation of system administrative and management tasks to users without granting them full administrative rights.
In addition to the built-in Administrators group, who have full access to and control of the Qumulo cluster, there are currently two more predefined roles:
- Data Administrators: The Data Administrators role is ideal for API / CLI user accounts. With this role, a user or group will not have access to the Web UI but will have the same file privileges as the Administrators role along with some others
- Observers: With the Observers role, a user or group will have the privilege to access the Web UI and read-only APIs with a few exceptions (debug APIs and authentication settings).
As with the local Administrators, these groups can be populated with the appropriate Active Directory user accounts to grant the necessary privileges while ensuring a verifiable audit trail of access and privilege use.
Single sign-on with multi-factor authentication
Single sign-on (SSO) eliminates the need for an administrator to re-enter their login credentials to gain access to the system. Enterprises want SSO not just because it streamlines the login process, making it more convenient for admins to authenticate, but also because it reduces the risk of account theft via keystroke loggers or interception as the login attempt traverses the network.
Multiple-factor authentication (MFA) adds another layer of security to the login process, requiring that admin users retrieve a one-time code from either a key token or a challenge request on a separate device, neither of which would be in the possession of an intruder. Qumulo supports any Identity Provider (IdP) that integrates with the AD domain registered on the cluster, including but not limited to OneLogin, Okta, Duo, and Azure AD.
Management traffic restrictions
Requiring administrative users to use their Active Directory accounts and authenticate via SSO with MFA eliminates much of the risk of access from a compromised administrator account. Some organizations, however, have additional security policies that require that admin access for enterprise systems be restricted to one or more specific networks, or VLANs.
By offering the ability to block specific TCP ports at an individual VLAN level, Qumulo allows for the segmentation of management traffic – e.g. API, SSH, and web UI, and replication – from client traffic – e.g. SMB and NFS.
File-system and data security
For all Qumulo’s built-in security controls, it still falls on enterprise administrators to configure their systems and data according to industry standards, Qumulo best practices, and their own internal security policies.
Securing shares and exports
For scenarios in which multi-tenancy isn’t feasible – such as cloud-based clusters or shares / exports that need to be accessed by some (but not all) users within a single tenant VLAN – Qumulo offers additional options to limit the visibility of shares and exports.
Access-based enumeration
Qumulo allows hiding SMB Shares from unauthorized users. In addition, access-based enumeration (ABE) can be enabled for every share. By doing so, only the files and folders that a user has permission to access will be displayed to that user. If a user does not have read or equivalent permissions for a folder, the folder is hidden from the user’s view.
Share Permissions (SMB)
Access levels to SMB shares can also be managed at an individual level or based on group membership. Permissions models are simpler than the directory and file-level ACLs, offering only Read, Write, and Change permissions, as well as the option to allow or deny those permissions to individual users or groups.
SMB shares can also be hidden from all users, whether granted access or not. Mounting a hidden share requires explicit knowledge of the share path to block potential intruders from browsing shares.
Export restrictions and host access rules
Host restrictions by client IP address range provide a good way to reduce attack surfaces by limiting share / export access to specific hosts, independent of the User / Group permissions of that share. Versions of this control are currently available for both SMBv3 and NFSv3.
File-system and network-level security
In addition to the controls described above, all of which focused on securing access to shares and exports, Qumulo also supports a number of security measures for managing access to the directories and files within each share or export.
While the Qumulo operating environment complies with the security standards defined by the different file-access protocols, and while Qumulo has also engineered a number of custom crossover features to simplify the process for maximizing data security in cross-protocol environments, there are still some protocol level differences when it comes to managing data security.
Access Control Lists
For workloads accessed via SMB and NFSv4, Qumulo supports authentication via Active Directory and Windows-style Access Control Lists (ACLs) that can be shared across both protocols.
Over-the-wire data encryption
Even with the appropriate share and data-level security settings in place, some enterprises need an additional layer of data security to protect data from unauthorized access. Share encryption can be implemented cluster-wide for all SMB shares if needed, or per-share if only required for some data. For NFSv4.1 workloads that require it, Qumulo supports krb5i packet security to ensure data integrity, and krb5p packet encryption to prevent data from being intercepted and read in transit.
A holistic protection strategy
Despite all the available precautions, policies, and best practices designed to protect data and minimize risk, there is no fail-safe guarantee against the possibility of a malware attack, or an intruder gaining unauthorized access to critical systems and data.
This blog post has provided a high-level overview of Qumulo’s inherent and configurable security features and controls. A holistic protection strategy needs additional strategies and practices to ensure that any attack that occurs can be quickly discovered and contained, and that any lost data or impacted services can be quickly restored.
Learn more
- Part 2: Detecting Ransomware Attacks in Real Time with Qumulo
- Part 3: Recovering from Ransomware Attacks
- Download the latest Security Architecture and Practices white paper
Contact Us
- Click here to schedule a meeting.
- Subscribe to the Qumulo blog for customer stories, technical insights, and product news.
