Ransomware - Immutable Backups Guide for Alibaba Object Storage Service (OSS)


Alibaba Object Storage Service (OSS) provides a low-cost, scalable cloud storage location for secure off-site data protection. With its Bucket Lock retention policy, Alibaba Object Storage Service enables customers to lock files that are under a certain age in that bucket.

This per-bucket policy approach differs from Amazon S3’s per-object policy approach, so Retrospect Backup cannot set the retention policies for the individual files that make up a backup. However, setting a bucket policy enables customers to lock the files for a certain period of time, so this is a great ransomware solution for Alibaba Cloud customers.


Overview

Ransomware attacks are increasingly sophisticated: they can watch for cloud account credentials, delete backups and cloud storage, then encrypt everything and demand a ransom. It’s imperative to build defenses against this escalating attack. SMBs and large businesses need a backup target that allows them to lock backups for a designated time period. Many of the major cloud providers now support object locking, also referred to as Write-Once-Read-Many (WORM) storage or immutable storage. Users can mark objects as locked for a designated period of time, preventing them from being deleted or altered by any user.

Backups made to an Alibaba Object Storage Service bucket with a retention period are immutable backups: the retention period prevents deletion by anyone accessing the bucket.

Note that customers are responsible for keeping track of the retention period and modifying it accordingly to ensure all of the backups inside the bucket continue to be marked as immutable backups.


Step-by-Step Guide

Retrospect Backup makes it easy to back up to Alibaba Object Storage Service. Let’s walk through the steps for creating a bucket with a Bucket Lock retention policy.

  1. Alibaba Cloud: Create an Alibaba Cloud Account if you have not already.

  2. Alibaba Cloud: Click "Create Bucket".

  3. Alibaba Cloud: Enter a bucket name, select the appropriate options, and create the bucket. Note that you cannot enable versioning at the same time as retention (KB).

  4. Alibaba Cloud: Under "Basic Settings", you’ll see "Retention Policy". Select "Configure" then click "Create Policy".

  5. Alibaba Cloud: Set the appropriate amount of time for your retention policy. Keep in mind that this must cover the entire lifetime of the backup set. Alibaba Cloud does not support Retrospect inspecting the retention times of individual backups, so Retrospect cannot know when a backup leaves the retention period and becomes exposed to ransomware. For more details, see "Configure retention policies" in the Alibaba User Guide.

  6. Alibaba Cloud: Save the new policy. You’ll see the policy you set up.

  7. Alibaba Cloud: Note that you need to click "Lock" to make the retention policy effective. Once you lock it, you cannot unlock it until all objects are out of the retention period.

  8. Retrospect: Add a destination. On Windows, select "Backup Sets" then "Create". On Mac, select "Media Sets" and click "Add". Select type "Cloud".

  9. Retrospect: Type in the appropriate path (oss-us-west-1.aliyuncs.com/bucket_name) and credentials under the "Amazon S3 Compatible" dropdown. Note that the "Immutable Retention Policy" checkbox is not relevant because you’ll use the Alibaba Object Storage bucket with the bucket-level retention policy, so do not enable that option, as Retrospect would incorrectly attempt to set per-file retention locks.

  10. Retrospect: Add the destination to a script and start protecting your data in Alibaba Object Storage Service.

  11. To calculate when an object's retention ends, add the retention days to the last modified date for the object. Neither the OSS interface nor Cyberduck lists the retention date at per-file granularity.
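
One way to run the calculation from step 11 over a whole bucket listing and flag files that have left, or are about to leave, the retention period. This is an added example, not Retrospect's or Alibaba's code. It assumes an S3-compatible ListObjects XML listing; the object keys, dates, 30-day retention period and 7-day warning threshold are constructed for illustration.

```python
import xml.etree.ElementTree as ET
from datetime import datetime, timedelta, timezone

# Constructed sample of an S3-compatible ListObjects XML response (not real data).
SAMPLE_LISTING = """<ListBucketResult>
  <Name>bucket_name</Name>
  <Contents><Key>backups/file-0001.dat</Key>
    <LastModified>2022-01-05T02:00:00.000Z</LastModified></Contents>
  <Contents><Key>backups/file-0002.dat</Key>
    <LastModified>2022-02-20T02:00:00.000Z</LastModified></Contents>
  <Contents><Key>backups/file-0003.dat</Key>
    <LastModified>2022-03-20T02:00:00.000Z</LastModified></Contents>
</ListBucketResult>"""


def _local(tag):
    """Drop any XML namespace prefix so the parser works with or without one."""
    return tag.rsplit("}", 1)[-1]


def parse_listing(xml_text):
    """Return [(key, last_modified_utc)] for every <Contents> entry."""
    objects = []
    for el in ET.fromstring(xml_text).iter():
        if _local(el.tag) != "Contents":
            continue
        fields = {_local(c.tag): (c.text or "").strip() for c in el}
        ts = datetime.strptime(fields["LastModified"], "%Y-%m-%dT%H:%M:%S.%fZ")
        objects.append((fields["Key"], ts.replace(tzinfo=timezone.utc)))
    return objects


def audit(objects, retention_days, now, warn_days=7):
    """Expiry = last modified + retention days; result is sorted soonest-first."""
    report = []
    for key, modified in objects:
        expires = modified + timedelta(days=retention_days)
        if expires <= now:
            status = "UNPROTECTED"   # retention has ended; file can be deleted
        elif expires - now <= timedelta(days=warn_days):
            status = "EXPIRING"      # leaves retention within warn_days
        else:
            status = "LOCKED"
        report.append((key, expires, status))
    return sorted(report, key=lambda r: r[1])


if __name__ == "__main__":
    now = datetime(2022, 3, 22, tzinfo=timezone.utc)  # constructed "today"
    for key, expires, status in audit(parse_listing(SAMPLE_LISTING), 30, now):
        print(f"{status:<12} {expires:%Y-%m-%d %H:%M}Z  {key}")
```

A real listing is paginated, so pass every page through `parse_listing` before auditing.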


Under The Hood

Every backup within the retention period is an immutable backup with point-in-time restore capabilities. Because each backup is incremental, Retrospect only transfers the files that are new or have changed since the last backup. However, you can always restore any part of a backup in Retrospect.

Alibaba Object Storage Service will mark every new backup file with the specified retention policy, protecting your backups from any accidental or malicious deletion. However, you are responsible for ensuring none of the backup files fall out of the retention period, as Alibaba Object Storage Service does not provide the ability to change individual files’ retention periods.


Last Update: 22 March 2022