Kubernetes Ransomware Protection with Kasten K10 v4.0
Kasten K10 has been recognized as the Kubernetes backup leader and the product of the year, amongst many other accolades. Now, as a part of Veeam, Kasten has further increased our pace of innovation, and today we’re introducing the industry’s first ransomware protection solution for Kubernetes with Kasten K10 version 4.0!
Let's dive under the hood to see why we are so excited about this announcement, and why Kasten is indispensable to scaling and protecting your Kubernetes deployments.
As Kubernetes deployments scale – so does the threat of ransomware
Kubernetes deployments are on a tear – both in the number of containerized applications deployed as well as the growing footprint of those applications. Increasingly, organizations have critical applications on thousands of Kubernetes worker nodes, spread across multiple clusters spanning on-premises and public clouds. This growth in Kubernetes and cloud-native applications has led to immense benefits for organizations, including developer productivity, improved availability, and cost savings.
However, this growth is also catching the attention of another modern-day scourge – perpetrators of ransomware attacks. Hardly a day goes by without a news item highlighting yet another organization falling prey to a ransomware attack. In fact, there is a ransomware attack every 11 seconds!
While you were thinking about that shocking statistic, yet another organization was attacked!
The sharp rise in ransomware attacks is affecting organizations of all sizes across the globe – enterprises, municipal governments, and even healthcare and first responders. In fact, ransomware attacks are so prevalent, companies now exist just to handle ransomware negotiations for enterprises.
Taking the Ransom Out of Ransomware
As I covered in a previous blog post, data protection for Kubernetes cannot be handled effectively with traditional solutions built to protect hypervisor-based workloads. Kubernetes environments pose a variety of security challenges, including incorporating untrusted open-source packages when building your containerized app, incorrect privilege assignments when deploying your app, malicious privilege escalations during app execution, and not staying up to date with the latest Kubernetes updates.
When it comes to ransomware protection, you must have a Kubernetes-native solution to protect your Kubernetes applications. And, in addition to employing preventive security safeguards such as container and Kubernetes configuration scanning tools, time-tested backup policies (such as the 3 copies on 2 media types and 1 offsite) must be in place.
Backups serve as the last line of defense, so ensuring that backup and recovery policies are in place from the get-go will provide you peace of mind and an effective recourse when things go wrong.
What Makes a Good Kubernetes-Native Backup Solution?
Let's address what makes a good backup solution to protect your Kubernetes applications, specifically from ransomware:
Data Integrity: It is critical to ensure that the original Kubernetes application is backed up efficiently and, when needed, that the restored application data is unmodified. A good backup and recovery solution needs to protect against content deletion, corruption, and non-availability.
Timely Recovery: Time is of the essence during a ransomware attack. In addition to lost productivity and data exposure, there are cases where the ransom amount goes up with the passage of time. A good solution must restore the entire Kubernetes application efficiently to a known good state - fast!
Easy Operations: Organizational IT and DevOps teams are also under immense pressure during a ransomware attack, as the effects of such an attack are not just financial but also reputational. The backup and recovery solution must work effortlessly to minimize the risk of human error, and it must operate at scale across multiple clusters and deployments.
Cost-Effective: The point of a ransomware solution would be lost if the solution itself costs you more than the ransom! Organizations also need to be mindful that they are not getting locked into a particular storage, infrastructure, or Kubernetes distribution vendor, as costs can be indirect and accrue over time. A good backup and recovery solution will provide application mobility so that you maintain control of where your data lives and where applications execute.
Kasten K10’s Approach to Ransomware Protection
Security has always been a foundational tenet for Kasten K10. With every release, we have continued to innovate to ensure that enterprises can encrypt data both at rest and in motion using their own keys. We’ve provided Role Based Access Control (RBAC) to secure self-service portals, and integrated tightly with Identity and Access Management (IAM) constructs so that Kasten K10 itself operates within its designated bounds. And, we’ve worked with AWS Bottlerocket, a container-optimized OS that further reduces attack surfaces.
With this latest release of Kasten K10, we have taken this focus on security and application protection to the next level and incorporated all the key solution attributes highlighted earlier to provide the best Kubernetes-native ransomware protection solution:
Immutability: Kasten K10 introduces immutable object storage backups, enabling you to specify the retention period. The retention setting ensures that the backed-up content cannot be altered during that time period. This powerful capability works to protect you not only from ransomware attacks, which commonly try to destroy your backups, but also from human error, and it helps with governance and compliance as well.
Policy-based Automation: Kasten K10 uses policies to automate your data management workflows. To achieve this, policies combine actions you want to take (e.g., snapshot), a frequency or schedule for how often you want to take that action, and the retention period for object immutability. This automation ensures not only that your backup and recovery actions are performed regularly but also that, when the time comes for restores, there is an “easy button” to restore your applications in a timely manner.
Simplicity: Kasten K10 is very easy to use via a state-of-the-art management interface or a cloud-native API. It has the versatility to accommodate complex applications and policies easily, so you can work efficiently even under tight timelines. Secure self-service portals that work across multiple clusters allow authorized users to perform backup and recovery actions on just their applications, without going through lengthy approval processes.
Freedom of Choice: Kasten K10 allows you to choose a variety of target stores, so you have a cost-efficient solution that fits your needs. There is a growing list of vendors, including Amazon S3 and MinIO, that support immutability. Kasten K10 integrations for ransomware protection give you deployment flexibility of cloud and on-premises, and Kasten K10 is integrated with a variety of primary storage and Kubernetes distribution options, so you can control where your applications reside and operate.
What Else Does Kasten K10 v4.0 Include?
In addition to Kubernetes security, Kasten K10 has always been focused on providing a simple way to protect and scale Kubernetes applications. With this release, we have made significant enhancements across the depth of Kubernetes-native data management capabilities and the breadth of cloud-native ecosystem partners.
A subset of the new capabilities includes:
Multi-cluster Operations: We have continued to make advancements so that operations can work at the speed of DevOps with secure self-service portals. Authorized users can now manage their own clusters, create backup policies for their own application namespaces and add secondary clusters directly through the multi-cluster manager for easy scalability.
NFS: You can now add NFS for migration and as a backup target in addition to object storage options.
Relational and NoSQL Data Services: Kasten K10 is unique in that it’s not just aware of the data services layer, it provides protection at the data services layer. Because it only gathers incrementals since the previous backup, you benefit from storage space savings. Additionally, there is no dependency on the underlying file/block storage layer to support snapshotting capabilities. With this release, Kasten K10 also supports commonly used data services, including Kafka, Cassandra, and Amazon Aurora using the open-source Kanister framework.
With support for the widest ecosystem, Kasten keeps customers’ freedom of choice at the heart of our approach. You can choose the best storage, Kubernetes distribution, database, and location for your applications. With this release, we have expanded our integrations and partnerships to include:
Red Hat OpenShift: Kasten and Red Hat worked together to certify and make Kasten K10 available in the Red Hat catalog, giving enterprise teams the assurance that Kasten K10 itself is built and tested to exacting standards and ready to deploy in your OpenShift environment.
HPE: In addition to storage integrations with HPE Intelligent Data Platform, HPE Primera, HPE Nimble Storage and HPE Cloud Volumes, Kasten K10 can also protect your applications on HPE Ezmeral.
Gaurav Rishi is the VP of Product and Partnerships at Kasten by Veeam. He is at the forefront of several Kubernetes ecosystem partnerships and has been a frequent speaker and author on cloud-native innovations. He previously led Strategy and Product Management for Cisco's Cloud Media Processing business. In addition to launching multiple products and growing them to >$100M in revenues, he was also instrumental in several M&A transactions. Gaurav is a computer science graduate and has an MBA from the Wharton School.