Immutable Storage Support for AWS in NetBackup

Enterprises are under attack, and protecting against ransomware takes more than defense strategies focused solely on the perimeter. As an attack evolves, it can move laterally across an environment, attacking multiple endpoints to maximize the infection, compromising credentials, and then finding and encrypting the backup data to prevent organizations from restoring the infected assets. Most recently, in May 2021, hackers targeted two high-profile organizations: Colonial Pipeline and Ireland's Health Service Executive (HSE). For Colonial, the impact was reduced availability of petroleum products on the US east coast. In the case of HSE, the hackers claim they spent two weeks in the HSE's systems before launching the attack, and claim to have encrypted and stolen 700GB of data.

With the rise in ransomware, many organizations attempting to address the problem are looking for solutions that promise to “eliminate ransomware.” Let us be clear here: there is no way to eliminate ransomware. It has become a question not of if you are going to be hit, but when, and there is never a suitable time. However, best practices such as a 3,2,1 configuration (three sets of your data, on two different media storage types, with one off-site), keeping patching up to date, and looking at your environment holistically for unprotected assets are great first steps towards creating an environment that minimizes ransomware's impact.

Many NetBackup customers take the additional step, for security reasons (ransomware, rogue actor) or compliance requirements, of leveraging immutable storage. As the name implies, immutable storage means the stored data remains completely static and unchangeable for its entire life cycle. Immutable storage allows NetBackup users to designate specific data to be stored in a form that can never be altered. NetBackup has always supported many storage platforms, and with NetBackup 9.1 we follow the tradition of heterogeneous support for immutable locks across many different vendor storage platforms, providing flexibility, cost savings, and coverage from the edge to the core to the cloud.

To that end, NetBackup 9.1 has added support for AWS S3 Object Lock using AWS S3 immutable object storage. Amazon S3 Object Lock is an Amazon S3 feature that allows you to store objects using a write once, read many (WORM) model in the Amazon cloud. This satisfies the off-site copy and the second storage platform required by a 3,2,1 configuration, and adds the safety of immutability, integrated with NetBackup, to data assets. You can use WORM protection for scenarios where it is imperative that data is not changed or deleted after it has been written, whether your business has a requirement to satisfy compliance regulations or you want to protect your data from ransomware.

With NetBackup 9.1 Object Lock for AWS, the NetBackup Administrator can define the retention period for a WORM NetBackup backup policy using a bucket that has been configured to use S3 Object Lock. Individual objects may have multiple references from NetBackup, so an object will remain locked until the longest retention period has passed for that bucket. A NetBackup Administrator can configure an object to be copied to another bucket and stored in a locked state on a secondary target. The NetBackup object lock can be applied to any workload data, and a single NBU Media Server can write data in either a locked or a non-locked state, offering flexibility and greater use of the media server to address both locked and unlocked buckets.
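The longest-retention rule described above can be checked from the storage side. The following is an added example, not NetBackup or Veritas code: it audits whether each object's lock outlasts every backup image that references it. The image and object names are constructed, and the lock records only borrow the `Mode` and `RetainUntilDate` fields of the S3 GetObjectRetention response.

```python
from datetime import datetime, timezone

def utc(y, m, d):
    return datetime(y, m, d, tzinfo=timezone.utc)

# Constructed sample data: backup images and the deduplicated objects each references.
IMAGES = {
    "img-daily":   {"expires": utc(2021, 8, 1), "objects": ["obj-a", "obj-b"]},
    "img-monthly": {"expires": utc(2022, 7, 1), "objects": ["obj-b", "obj-c"]},
}

# Constructed lock state per object (fields as in S3 GetObjectRetention).
LOCKS = {
    "obj-a": {"Mode": "COMPLIANCE", "RetainUntilDate": utc(2021, 8, 1)},
    # Shared object locked only for the shorter-lived image.
    "obj-b": {"Mode": "COMPLIANCE", "RetainUntilDate": utc(2021, 8, 1)},
    # Long enough, but GOVERNANCE retention can be bypassed by principals
    # holding the s3:BypassGovernanceRetention permission.
    "obj-c": {"Mode": "GOVERNANCE", "RetainUntilDate": utc(2022, 7, 1)},
}

def required_retention(images):
    """Per object, the latest expiry among all images that reference it."""
    need = {}
    for image in images.values():
        for key in image["objects"]:
            if key not in need or image["expires"] > need[key]:
                need[key] = image["expires"]
    return need

def audit(images, locks, required_mode="COMPLIANCE"):
    """Return (object, finding) pairs for locks that do not cover their references."""
    findings = []
    for key, until in sorted(required_retention(images).items()):
        lock = locks.get(key)
        if lock is None:
            findings.append((key, "no-lock"))
        elif lock["RetainUntilDate"] < until:
            findings.append((key, "lock-expires-early"))
        elif lock["Mode"] != required_mode:
            findings.append((key, "mode-mismatch"))
    return findings

if __name__ == "__main__":
    for key, problem in audit(IMAGES, LOCKS):
        print(key, problem)
```
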

What is available: 

NetBackup 9.1 provides easy-to-configure support for normal, compliance, and governance modes using a single NetBackup Media Server Deduplication (MSDP) pool that supports both WORM and non-WORM storage units, giving the flexibility to determine the level of resiliency that meets the needs of the organization. The Direct Cloud-tiering server can write to the S3 Object Lock bucket using Backup/Restore/Expire/Opt-Dup of any data written by NetBackup 8.2 or newer, thus providing a path to leverage immutable buckets created under 8.2.

Figure 1 - Storage configuration menu showing AWS-based storage with MSDP


NetBackup 9.1 reduces the staggering complexity of enterprise data protection with a unified solution built on converged infrastructure that scales easily while providing best-in-class performance for petabyte-level capacity, and it paves the way to IT as a service through convenient self-service operation in a ransomware-protected environment. S3 Object Lock for AWS offers another level of protection across the Enterprise Data Platform that addresses cost, scale, and ease of use.

To learn more about this exciting new feature, visit the NetBackup Ransomware page on