Rollerblades, Grocery Carts, and Ransomware

Even if you haven’t been bitten by ransomware, I bet you know someone who has.  It’s an increasing problem for organizations as well.  Thankfully more and more are waking up to the fact that the best defense is a copy of data that’s “air-gapped” – not attached to any network.  One of the most cost-effective and safest ways to create an air-gapped copy of data is to put it on tape in a vault.

The great thing about a tape on a shelf in a secure location is there is absolutely no way that it can be accessed by a remote attacker.  But that doesn’t mean this method is necessarily easy or perfect.

Let me tell you a story.

Back in the early aughts, I was a pre-sales engineer for a little tape company called Advanced Digital Information Corp – ADIC – who later merged with Quantum.  I went to visit a company that had called us because their backups were suffering.  They could back data up, mostly, but had lots of media problems.  The problems extended to restores too, which was really bad.  In short, their system was unreliable, and they were desperate.

As we walked to the conference room, we passed a glass wall looking into the data center.  What I saw through that window froze me in my tracks.  This was a good-sized data center, with a few dozen rows of racks.  Each server – had to be hundreds of them – had its own DLT tape drive for nightly backups.  But it wasn’t just the fact that these guys hadn’t heard of automated tape libraries that horrified me.

There was an operator, wearing rollerblades, hurriedly pushing a wire grocery cart down the aisles.  He’d stop at each rack, yank the eject handle on every tape drive, grab the tapes (sometimes dropping them), and throw them into the grocery cart.  Sometimes he’d miss, and a tape would bounce off the cart and land on the floor.

I bet you can guess why the backups were unreliable.  Data tapes are reasonably tough, but they are precision mechanical devices.  If you toss them around like your Dad’s Led Zeppelin cassettes, you will have problems.  I did some education that day, and they eventually bought a robotic tape library from us.  Their backups reverted to the normal level of unreliability that we all experienced with DLT, and the operator got to retire his rollerblades.  Everyone was happy.

The point of this story is that the biggest problem with vaulting tapes is humans.  Humans lose tapes, misfile tapes, drop tapes, and just generally cause problems.  Humans are also expensive, and paying them to shuffle boxes of tapes from one place to another is a waste.  You can pay for more slots and leave all your tapes in a robotic tape library, but then they aren’t offline, so they are exposed to ransomware risk.

Or are they?

Quantum has uniquely solved this problem in our Scalar tape libraries, with an optional feature called Active Vault.  Active Vault creates a secure, in-library vault for tapes using unlicensed slots.  It uses a dedicated partition in the library that has no tape drives and is totally isolated from external applications.  With Active Vault, when tapes are exported the robot moves them into the Active Vault partition, instead of the import/export door.  For the application to access them again, an operator must first log into the library remote GUI and move the tapes back from the Active Vault partition into the application partition.  But he doesn’t have to leave his chair.

But wait, there’s more…

After those pesky humans, use and time are the next biggest enemies of tape media.  With enough use and time, tapes wear out.  This is something you don’t want to learn when you suddenly can’t read one.  In the Scalar i6 and i6000 libraries, you can have tapes in the Active Vault scanned periodically to ensure they are readable, and you will be alerted if one is getting sketchy before you lose data.  Try that with tapes on a dusty closet shelf!

Be nice to your tapes and they will be nice to you.  Let the robot handle them, and use Active Vault to lock a copy of your data away where ransomware can’t find it.
