George Crump

by

Once ransomware breaks through an organization’s defenses, time is of the essence, and IT must execute 5 steps to rapid ransomware recovery. The need for rapid recovery and minimal data loss was the top concern of 75% of the IT professionals responding to the survey we conducted during our recent webinar, “Creating a Holistic Ransomware Recovery Strategy,” now available on-demand.

There are 5 steps to rapid ransomware recovery with minimal data loss:

StepReason
Frequent ProtectionRansomware can strike at any moment, protection copies should be made, at least every few hours.
Long RetentionSome ransomware variants strike slowly to avoid detection. Recovery may require pulling data from multiple backup copies.
Rapid AlertingThe sooner you can detect you are under attack, the sooner you can stop the attack at its source and limit the damage
Mount Don’t RestoreTraditional restoration means copying data from an alternate storage medium, which takes time.
Practice, Practice, PracticeRansomware recovery is unlike any other. Find a safe way to “infect” your data center and practice.

Rapid Ransomware Recovery Step 1: Frequent Protection

While it may seem the most obvious of the 5 steps to ransomware recovery, it is missing from most response strategies. In an ideal ransomware protection scheme, protection events should occur every hour but at least every three hours. This necessary frequency of protection creates a challenge for many data protection approaches.

For example, most snapshot technologies, especially VMware’s built-in snapshots, will degrade performance significantly if the number of managed snapshots grows beyond a handful. However, even dedicated storage systems like all-flash arrays struggle when managing many snapshots. They may perform acceptably but can’t manage a sophisticated retention schedule. The intricacies of the snapshot metadata make deleting a snapshot, which is what a retention schedule does, egregiously slow. Because of its high metadata overhead, it takes the storage system time to “unwind” an intermixed snapshot, and its deletion means updating the metadata for all other snapshots. One result of this is that snapshots consume far more capacity than they should because they are so slow to give back the space used by old snapshots.

For these reasons, most organizations can’t tap into the full theoretical potential of ideal snapshot technology and, as a result, must count on backup and recovery solutions that significantly increase costs and slow recovery efforts.

Frequent Protection with VergeOS

VergeOS is different. At the core of VergeOS is global inline deduplication. Because VergeIO started with deduplication instead of bolting it on years after shipping a product, it delivers maximum data efficiency without impacting performance. Our IOclone capability leverages global deduplication to enable the creation of full clones of virtual machine data or even entire data centers in milliseconds. These clones are space efficient and independent of each other. You can have thousands of them without impacting performance. More importantly, you can delete them, even via a sophisticated retention schedule, in seconds, meaning any space they consume is instantly returned to the environment.

Rapid Ransomware Recovery Step 2: Long-Term Retention

Ransomware can take two attack vectors. The most common is, it will try to encrypt every file it can get to as soon as it breaks into the environment. The second attack vector is more sophisticated, slowly encrypting data to avoid detection. While the second vector is more sinister, most Bad Actors don’t have the patience to let the malware sit and slowly encrypt for months. They want the money now! Frankly, given the success rate of attacks once landing their malware payload, they don’t have to be sophisticated.

While the second attack vector is not as expected, it is wise to prepare for it. Long-term and granular data retention is the key to recovering from a slow-crawl ransomware attack. Again, because of performance concerns, snapshots are unsuitable for long-term retention in most cases. Backup software is excellent at the long-term recovery aspect but, because of the infrequency mentioned above, cannot provide a lot of granularity.

Solving the Retention Problem with VergeOS

Once again, VergeOS’ IOclone provides an ideal solution for long-term data retention, providing complete clones which are independent of each other. Retaining thousands of them doesn’t impact performance, and you can maintain as granular a history as you feel necessary. Getting rid of old files is another important step in limiting ransomware damage.

As mentioned, you can develop a sophisticated retention schedule to meet these requirements. For example, you can execute hourly clones and retain each for 24 hours. You can then execute a daily clone and retain that for seven days and a weekly clone that you retain for two months, and a monthly clone for a year. This type of schedule means a lot of deletion of older copies to reclaim space. It would cause significant performance problems for traditional snapshot techniques and take weeks to return the capacity reserved by those snapshots. IOclone has no performance impact, and reserved capacity is returned almost instantly.

Rapid Ransomware Recovery Step 3: Rapid Alerting

Knowing you are under attack is a critical part of 5 Steps to Rapid Ransomware Recovery because it addresses the other part of IT concerns, “with minimal data loss.” The sooner you know your environment is under attack, the sooner you can shut down the virtual machine under attack and limit the spread. The early warning also enables IT to better identify which protected copy they should turn to when starting their data recovery.

A few storage systems will provide an alert of a potential ransomware attack. Most of these will monitor for an increase in capacity utilization. The problem is that these alerting methods often miss an attack because capacity doesn’t necessarily grow. When malware works through your environment, it typically encrypts one file at a time, and during encrypting, those files will increase in size. After encryption, the file will be almost the same size as the unencrypted file. In other words, these methods will miss the attack. You’d much rather have a false positive than a missed attack.

IOfortify Delivers Reliable Attack Alerting

5 Steps to Rapid Ransomware Recovery

VergeOS’ IOfortify capability delivers reliable attack alerting by monitoring a change in deduplication ratios instead of changes in capacity utilization which is far more accurate. Encryption may not increase capacity utilization, but those files will look like new files to a deduplication algorithm. During our “Creating a Holistic Ransomware Recovery Strategy”, we demonstrated IOfortify, first identifying and alerting, then recovering a virtual machine whose data was actively being encrypted, in real time.

Rapid Ransomware Recovery Step 4: Mount, Don’t Restore

Mounting your recovery means pointing directly to your protected copy without having to move data. Restoring means copying the data from where it is back to the production volume, which can take dozens of minutes, if not hours, depending on the size of the volume and bandwidth of the network.

Again historically, the problem with directly mounting your recovery volume is how you maintain those copies. A traditional complete clone will consume too much capacity and take too long to create to be practical and violate the other above steps. A traditional snapshot still depends on the original volume; promoting it to production may mean a complete copy/restore.

Some backup solutions have an “instant recovery” solution. The problem with this method is that while you are mounting a volume, you are mounting it from a backup storage target which typically doesn’t have the performance or availability capabilities of production storage.

IOclone instant recovery with no performance impact

IOclone enables IT to point directly at a version of the virtual machine or data center before the ransomware attack. It is online instantly, and because of its independence, it does not need to be “rolled back” to production.

Rapid Ransomware Recovery Step 5: Practice

Ransomware recovery is unlike any other, so IT must practice the recovery process. The problem with practice is risking a “leak” of the practice into production.

Virtual Data Centers Make for Perfect Practice

5 Steps to Rapid Ransomware Recovery

VergeOS’ Virtual Data Center (VDC) capabilities enable IT to create a complete, secure copy of their entire data center and “infect” it with a ransomware simulator or an encryption program. Their isolation ensures the practice attack doesn’t “leak” into production. Verge.IO even has some customers that put their VDC, with anonymized data, out as a publicly addressable honeypot so they can test their attack response against a real foe.

Conclusion

The 5 Steps to Rapid Ransomware Recovery require preplanning, and they also require better infrastructure software. Because of the “bolt-on” approach to all features and protection capabilities, platforms like VMware can’t provide the same level of protection as VergeOS. The good news is you can transition from VMware to VergeOS seamlessly and at your own pace. You’ll have a more resilient environment and reduced costs by 50% or more. To learn more about using VergeOS as a VMware exit ramp, read our VMware Alternative page. You can also start using VergeOS as a Disaster Recovery solution, including for ransomware recovery, for VMware without migration using our IOprotect capability.

Watch Creating a Ransomware Response Strategy

This field is hidden when viewing the form
This field is hidden when viewing the form
Name(Required)

VergeIO’s Inbox Respect Policy: We will send you no more than two e-mails per month

Filed Under: Ransomware Tagged With: ,

by

Ransomware counts on Patch Tuesday to successfully infiltrate an organization. While there is nothing wrong with applying patches on Tuesday, it is which Tuesday the patch is applied that can open the door that ransomware plows through. Ideally, you want to apply the patch the next Tuesday after the release; doing so would eliminate the exploits that most ransomware and other cyber threats use to do their work.

The problem is organizations wait weeks or even months to apply patches. Why? Because the IT team needs to understand how the proposed patch will impact the rest of their environment. They don’t want to apply a patch that suddenly causes other currently working environments to fail.

Today’s infrastructure solutions must enable IT to vet and apply patches quickly and eliminate Patch Tuesday altogether. IT needs a solution that can address these patching challenges:

  1. Difficulty determining where the potential conflict is because of the number of vendors involved in delivering IT services.
  2. Difficulty in assembling and maintaining a lab environment to test patches.
  3. Difficulty rolling back a patch once it is deployed.
Ransomware Counts on Patch Tuesday

Eliminate Patch Tuesday and set yourself up for ransomware recovery success by attending our live TechTalk, “Creating a Ransomware Response Strategy,” this Thursday at 1:00 PM ET.

There are Too Many Vendors to Eliminate Patch Tuesday

One of the biggest challenges facing IT as they attempt to apply patches to prepare for the next ransomware attack is the complexity of the multi-vendor data center and this is why ransomware counts on patch Tuesday. While Hyperconverged Infrastructures (HCI) were supposed to make the multi-vendor data center easier to manage, they have the opposite effect. Traditional HCI is still a vertically layered stack of multiple software solutions. At a minimum, most HCI has software-defined storage (SDS), hypervisor (VMware/Hyper-V), software-defined networking, and software that protects the environment (backup and recovery).

Many environments are only one step down the software-defined path, running a legacy three-tier stack, virtualizing only compute. As a result, legacy data centers and even more “modern” HCI data centers are equally confusing when determining the impact of applying a patch.

Ultraconverged Infrastructure Simplifies Patch Reconciliation

VergeOS rotates the traditionally vertical IT stack into a tightly integrated linear plane that provides all infrastructure services (networking, hypervisor, storage, data protection) as a data center operating system within a singular software code base. We call this ultraconverged infrastructure (UCI), and it moves beyond legacy hyperconverged infrastructure to deliver greater efficiency and scalability at a significantly lower cost.

Reducing the IT stack to a singular, horizontal layer increases efficiency and scalability and simplifies the patching process. Updates for the entire infrastructure come from a single source, and because VergeOS is inherently highly-available, IT can apply patches and updates without disruption. VergeOS applies patches one node at a time, and workloads automatically move between nodes so that applications are unaffected.

You Need a Lab to Eliminate Patch Tuesday

Patches also come from operating systems and application vendors. Properly evaluating the impact of these patches is best done in a lab. IT organizations need a lab for patch testing and various other use cases. The problem is not just the cost to configure and maintain the lab but also making sure the lab has the same settings and data as the production environment. These requirements mean that most organizations don’t have a dedicated lab environment. When one is needed, they have to scramble to put something together. As a result, the lab is nothing like the production environment they are looking to simulate.

Virtual Data Centers: The Always Ready Lab

One of the critical capabilities of VergeOS is Virtual Data Centers (VDC). Virtual Data Centers are to physical data centers, what virtual machines (VM) are to physical servers, an encapsulation. Using another VergeOS capability, IOclone, IT professionals can, within milliseconds, create a space-efficient copy of their entire data center within.

Capturing the entire data center, including the data, networking configuration, storage policies, and application setups, is critical to ensuring that IT does patch verification against an exact replica of production. Since the copy is standalone and not dependent on the original, administrators can apply the patch without concern of impacting the production environment.

IT can implement a single VDC for its entire data center or subdivide it by application or workload. For example, a VergeOS administrator may create a VDC for Oracle, another for MS-SQL, and a “core” VDC for general-purpose VMs. Each VDC can be cloned hundreds of times, and those clones can be used as golden masters, backups, development, and patch verification.

IT Needs to Eliminate Patch Tuesdays AND Surprise Wednesdays

Even with the best testing, sometimes an errant patch slips through. Depending on the level of chaos it causes, IT may have to recover from the backup infrastructure completely. Recoveries from backup, especially large ones, are time-consuming, meaning IT may deal with the Wednesday surprise for the rest of the week. The problem is most infrastructure software is too inefficient to maintain its data protection points, typically traditional snapshots, for more than a few hours. As pointed out in this article, “VMware Storage Challenges,” this problem is especially apparent in VMware environments.

IOclone: Unlimited Clones and Retention

To make surprise Wednesdays less of a concern, IT needs the ability to retain backup copies for more than a few hours. Traditional backup software can meet this need, but the time and nuances in recovering an application with an errant patch are significant. IOclone has the entire state of the VM and the entire data center or workload. No rollback is needed; point to the last known good instance, and the application is running.

Get Ahead of Ransomware

Ransomware Counts on Patch Tuesday

Because ransomware counts on patch Tuesday, applying the latest patches is critical to staying ahead of ransomware. With VergeOS, IT can apply patches almost as soon as they are released without waiting for Tuesday. They can test application patches against a mirror image of their production environment. If an errant patch slips through, they can instantly point to the non-patched version.

Even with the improved patching capabilities within VergeOS, ransomware may still slip through because of user carelessness. Our IOfortify solution takes you the rest of the way by leveraging the hardened VergeOS, IOclone, and new detection capabilities to deliver rapid restoration from an attack. During our TechTalk, “Designing a Ransomware Response Strategy,” we will conduct a live demonstration of IOfortify in action. See if we can recover a VM under attack during the webinar.

Patch Comparison: Traditional Infrastructure Software vs. VergeOS

Rapid Patch RequirementTraditional Infrastructure SoftwareVergeOS
Determining Patch ImpactDifficult – Multiple vendors makes identifying potential conflicts time consumingEasy – One Vendor
Pre-deployment TestingDifficult – Hard to setup, maintain and pay for dedicated labEasy – Virtual Data Centers and Cloning can create “Instant labs.”
Patch RollbackHard – Recovering from a backup copy is very time consumingEasy – No rollback required, just point to pre-patched clone.

Filed Under: Blog, Ransomware Tagged With: ,

by

The best time for IT Professionals to start building a ransomware response checklist is now, before an attack occurs. There are several reasons for creating a checklist:

√ Successful Ransomware Response requires preparation.

√ Stress levels are high during an attack. You might forget a critical element in a rush to get everything back online.

√ A checklist will expose areas where you must practice and test.

√ A checklist provides a framework for comprehensive auditing.

Section One: Build a Ransomware Resilient Foundation

Implement a Prevention Solution
The first step in building a ransomware response checklist is to have the foundational elements covered. The best response is the one you don’t have to conduct because the attack doesn’t get through. While no prevention solution is perfect, and you still need a response strategy, they are effective at preventing many types of attacks.

Simplify Patching
Most patch releases sent to IT professionals today involve closing down potential security exploits. These patches should be applied upon release. The problem is most IT professionals are hesitant to apply patches to the environment because of downtime and the potential for unexpected impact of the patch. This is especially true of infrastructure software since an errant patch or downtime because of a patch can impact dozens of servers instead of just one.

Simplifying patching is a critical item when Building a Ransomware Response Checklist.

Another challenge is that most IT infrastructures are comprised of multiple pieces of software. Instead of a single, cohesive data center operating system (DCOS), IT must run layers of incompatible infrastructure software components, including networking software, virtualization software, storage software, and data protection software. Patches are applied to these layers when the respective vendor for each layer releases a service pack, which rarely coincides with when the vendors of the other layers release their patches.

Look for a vendor that takes a DCOS approach to infrastructure, which is not only critical to simplifying patching but also simplifies the entire ransomware response effort.

A DCOS should provide two deliverables in terms of patching. First, it should be able to simplify the foundational DCOS patching process by integrating the legacy IT stack into a single software element. Second, it should make the patching of guest operating systems and applications running inside VMs simpler by enabling zero-capacity and zero-performance impact clones so that IT can test the released patch for conflicts with other elements within the data center. If there is a problem with the patch, IT can roll back to the prior version, or if the patch works, roll the patched version into production.

▢ Harden the Operating Environment
An essential but often overlooked step is to harden the infrastructure software as much as possible. Suppose the ransomware can infect a part of the core infrastructure, like the hypervisor, the storage software, or the data protection software. The impact is widespread in that case, and recovery is far more complex.

Hardening the Data Center is a critical item when Building a Ransomware Response Checklist

While most mainstream OSs are not resilient to attack, you should ensure your core infrastructure software, like the hypervisor, storage, and networking software, are hardened. Look for infrastructure software that takes special developmental steps to make it act like firmware, loaded into RAM, and can be replaced easily from an unalterable good copy. Again, a DCOS makes these processes easier since only one software component needs to be hardened instead of three or four.

Section Two: Build a Ransomware Resilient Protection Strategy

Increase Protection Frequency and Retention
Protecting data is an obvious inclusion in any attempt at building a ransomware response checklist. Most data centers run into three challenges when creating a ransomware-resilient data protection strategy:

  1. Protection events occur too infrequently to be meaningful.
  2. Protected copies aren’t retained long enough to outlive a prolonged attack.
  3. Too many protection solutions are used, making the process complex and expensive.
    A best practice for a successful ransomware response is to make sure you are capturing all data hourly. Snapshots, on paper, look ideal for this use case, but most solutions experience significant performance problems as the number of snapshots increases, limiting how long those snapshots can be retained.

Consolidate Protection Tools
To get around the limitation of traditional snapshots, most organizations use at least four data protection tools to protect their environment. They may use a combination of hypervisor snapshots, storage system snapshots, replication software, application-level backup utilities (dumps), and enterprise backup software. Using all these applications makes the data protection process more expensive and complex, especially during a ransomware recovery effort. IT may be unsure which part of the process has the best known good copy.

Look for an infrastructure DCOS that enables you to consolidate, preferably down to one, the number of tools used for data protection. In essence, the DCOS will protect itself. It should provide the ability to protect data frequently and retain those protection events indefinitely without suffering performance degradation. It should enable you to restore the entire data center footprint, if need be, including network and storage configurations, with a single click. Lastly, it should enable affordable, high availability so data can be moved off-site and adhere to all aspects of the 3-2-1 rule.

Finding an alternative to traditional snapshots is a critical item when Building a Ransomware Response Checklist

Consider a Snapshot Alternative
Traditional snapshot technology, standard in most storage systems and hypervisors, is ill-suited to meet these requirements. The metadata requirements to maintain a high frequency, long retention snapshot schedule is too great. It impacts performance and makes deleting old snapshots to free up capacity too time-consuming. Clones are a better option for performance and retention because they are independent copies, but without global inline deduplication, frequent clones and long retention will consume too much storage capacity and degrade performance too much to be practical.

Look for an infrastructure that combines the best benefits of both clones and snapshots by implementing DCOS-wide deduplication. If the deduplication technology is built into the core of the DCOS, then it will eliminate concerns about algorithmic performance overhead and capacity consumption while enabling the cloning of PBs of data in milliseconds.

Section Three: Build a Ransomware Resilient Detection Strategy

Alerting to a potential attack is a critical item when Building a Ransomware Response Checklist

Detect Data Anomalies
Detection is a critical component of building a ransomware-resilient checklist. The sooner the DCOS can alert IT to an attack, the faster IT can stop and remedy the situation. Most ransomware attacks take two vectors after the malware finds its way into the environment. First, they start encrypting files as fast as possible, and second, the malware starts replicating itself to encrypt more files in parallel.

Again multiple detection tools are problematic. Look for a DCOS that can deliver in near real-time, a single source of alerting based on data change rates. In a globally deduplicated environment, the DCOS builds an alert off of an unexpected increase in capacity consumption.

Preserve Forensic Data
When ransomware attacks, most IT professionals’ first reaction is to start the recovery response as quickly as possible. The problem with jumping right into recovery is that the process will likely destroy any forensic data available to determine how the attack entered the environment and how it spread. Both data points are crucial to future prevention efforts.

Instead, look for a DCOS that enables quick isolation of the current state. Again using a cloning type of technology powered by global inline deduplication enables these clones to be made in milliseconds without consuming too much capacity. It is also critical that this clone be independent and isolated.

Create Ransomware Honeypots
Another detection strategy is to create Honeypots of the environment and expose them to attack, obviously anonymizing data in them. These honeypots can alert you of a potential wider threat and provide excellent practice for further hardening your data center. Honeypots typically have a lower false positive rate, when compared to most traditional intrusion-detection systems.

Look for a DCOS that can virtualize entire data centers in the same way that virtual machines virtualize servers. Then the DCOS can easily create honeypot data centers that are securely isolated from the production virtual data centers.

Section Four: Build a Rapid Recovery Strategy

Mount the Recovery, Don’t Copy

When ransomware strikes, rapid recovery is critical. Depending on the severity of the attack, IT may need to recover a few VMs or an entire data center. Copying data from another snapshot or a backup process takes too much time. Again, clone the current state for forensic reasons, then start recovery. The key is to be able to mount, in place, the last known good copy of data. That mount still needs isolation so IT can scan it for any malware trigger files before returning it to production.

Look for a DCOS that can in-place mount a previous VM version or an entire data center. An in-place mount provides instant access to the data so IT can scan it to ensure there are no malware remnants and then provide user access.

How’s Your Checklist?

Building a Ransomware Response Checklist is only effective if you tick all the boxes. If your evaluation is missing a couple of marks, then consider attending VergeIO’s next TechTalk, “Creating a Ransomware Response Strategy,” with our CEO, Yan Ness, and SE Director, Aaron Reid. They will dive deep into the elements of this checklist and show you a live demo of our IOfortify solution for recovering from a ransomware attack.

Filed Under: Ransomware Tagged With: , , ,

by

Users receive immediate alerts of an attack to act fast to prevent it and restore their entire system to a secure state within a matter of minutes

Ann Arbor, Mich, June 13, 2023 — VergeIO, the Ultraconverged Infrastructure (UCI) company, today introduced a groundbreaking solution for ransomware protection – IOfortify. This latest innovation combines robust security; unlimited, unchangeable clones; and rapid, complete recovery to fortify data integrity and provide users with true peace of mind.

Combining this data resilience with unlimited and unchangeable, space-efficient clones allows users to effortlessly roll back to an earlier version of its data center architecture to ensure business-critical information remains safe and secure from unwanted changes. Creating a set of space-saving copies takes milliseconds and allows the preservation of an unaffected infrastructure and VM state at any given time as a failsafe to any attempted ransomware attacks.

Recovery is crucial if malicious software is deployed. IOfortify is up to the task of providing quick and thorough restoration of systems, applications, and files. Because of its ability to speed the restoration process, IOfortify enables organizations to get back on track in a matter of moments, reducing downtime and ensuring business continuity with exceptional efficiency.

“VergeIO’s introduction of IOfortify marks an important milestone in ransomware defense. Its ultraconverged infrastructure solves a major hyperconverged infrastructure problem by delivering built-in ransomware defenses, providing users with immediate alerts and swift recoverability neutering ransomware attacks in minutes. This innovative cyber security defense layer fortifies data integrity in the face of evolving cyber threats. A must for any hyperconverged infrastructure.”

Marc Staimer, President of Dragon Slayer Consulting and senior analyst at Wikibon

IOfortify does more than help users recover from an attack, it helps them identify if they are under attack and points them to which clone is the best candidate for rapid recovery with minimal data loss.  Since VergeOS has control over the file system, it is able to detect any anomalies. With IOfortify, customers can receive immediate alerts of an attack, giving them the opportunity to act fast to prevent it and activate our rapid restoration services.

With IOfortify, we’ve redefined ransomware protection. One hundred percent of VergeIO customers who were affected by ransomware have successfully restored their entire system to a secure state within a matter of minutes. Those looking for unbeatable ransomware protection should embrace the future of fortified data integrity by building their infrastructure on VergeOS with IOfortify

Greg Campbell, VergeIO founder and CTO

VergeOS moves beyond legacy HCI configuration with its ultraconverged infrastructure (UCI), which integrates virtualization, storage, and networking into a single piece of software. This integration provides a high degree of efficiency that enables VergeOS to deliver more performance from existing hardware and a wider range of scale. VergeOS can scale up to meet the needs of the most demanding enterprise and scale down to fit the constraints of the edge. IOfortify is integrated into VergeOS and is available now at no additional charge to VergeOS customers. 

For more information, register here for a Tech Talk on New Ransomware Response Strategies, live on June 22nd at 1:00 pm ET

About VergeIO

VergeIO is the Ultraconverged Infrastructure (UCI) company. Unlike hyperconverged infrastructure (HCI), it rotates the traditional IT stack (compute, storage, and networking) into an integrated data center operating system, VergeOS. Its efficiency enables greater workload density on the same hardware with high levels of data resiliency. The result is dramatically lower costs and greatly simplified IT.

Media Contact:
Judy Smith, JPR Communications
818-522-9673
[email protected]

Filed Under: Press Release Tagged With: , , ,

by

While it used to be a project for highly regulated industries, designing a compliant IT infrastructure is now on the project list for many organizations. We saw this evidence in the InBrief session with TruthInIT a few weeks ago. Questions around compliance were some of the most commonly asked.

The top three requirements for designing a compliant IT Infrastructure are:

  1. Security and Privacy
  2. Data Protection and Retention
  3. Disaster Recovery

One of the challenges faced by IT is the varying compliance requirements within an organization, with some departments having stricter needs than others. Addressing the compliance needs of each department can be a significant challenge. Additionally, creating a compliant infrastructure can be both expensive and complex, often requiring multiple products.

Securing a Compliant IT Infrastructure

When designing a compliant IT infrastructure, the initial step is to ensure its security through the implementation of strong authentication mechanisms and robust access controls. Occasionally, a department with stringent compliance requirements may require customized networking or storage configurations.

Certain departments may have unique data privacy needs and must ensure that their data is not accessible to other departments. Privacy measures may include dedicated computing and storage resources for specific departments or ensuring a certain level of performance.

Security without Silos

Many organizations are required to create secure environments by building separate infrastructure silos, each tailored to the unique needs of a department or use case. However, silos of infrastructure are costly and lead to additional compliance requirements for protection, retention, and disaster recovery.

Fortunately, VergeOS offers a solution with its Virtual Data Center (VDC) technology. Similar to how a virtual machine encapsulates a physical server, a VDC encapsulates an entire data center. By utilizing VergeOS, customers can establish a VDC for each department, meeting all the aforementioned needs. Each VDC can have its own access controls, authentication requirements, and user management functions.

Nested VDC makes managing Compliant IT Infrastructure easy
Create multiple nested compliant virtual data centers with VergeOS

The Power of Virtual Data Centers

VDCs also allow for allocating specific computing and storage resources to particular departments, preventing other departments from accessing those assets. IT can effectively create a unique compliant IT Infrastructure for each department as needed. Plus, the VDC provides flexibility to reallocate resources when the department or workload no longer needs them. or IT can allocate more resources as a project ramps up. Organizations can create a highly compliant VDC for regulated functions and a more general-purpose VDC for other use cases.

A key benefit is that IT can manage all VDCs from a single user interface and run on the foundational operating environment, VergeOS. This reduces complexity by using a single piece of software and enables the management of all VDCs through a single interface. It also lowers costs through more efficient resource allocation and higher utilization.

Perfect Compliant IT Infrastructures with Recipe Marketplace

Another key benefit of VergeOS is it also includes a Recipe Marketplace, which enables customers to pre-build complete data centers and then deploy them with the click of a button. This makes quickly deploying HIPAA or PCI-compliant VDCs easy. Also, because of the recipe engine, you can deploy them perfectly every time without worrying about missing that one setting that could otherwise move your VDC from compliant to non-compliance.

The combination of VDCs and the Recipe Marketplace makes IT more agile. Usually, if the organization needs a PCI environment and a HIPAA environment, IT would normally build two separate silos and then have them independently audited for compliance. If the organization needs another compliant environment, then they have to stand up another separate silo and then have that silo audited. IT must resubmit a compliant silos for another round of auditing if it needs to scale by adding additional computing power or storage capacity.

Without VDC and the Recipe Marketplace, IT must build each environment to handle the capacity and throughput of where it will end, which may take years to scale to, if ever. With VDCs and the Recipe Marketplace, IT can share resources across a variety of compliant environments. Once IT creates a“golden” VDC for each use case and it passes the audit (PCI/HIPAA), then IT can spawn nested VDCs each time the organization has a new request. No additional auditing is required.

To learn more, check out this VergeOS Architecture Deep Dive with our CTO, Greg Campbell.

Protecting and Retaining Data for a Compliant IT Infrastructure

It is essential to protect the IT resources of every department within an organization from data loss or hardware failure. When designing a compliant IT infrastructure, however, some departments may have more stringent requirements than others. To meet these needs, IT often has to use multiple products. In most cases, separate backup and retention products are necessary, even if the processes can be applied across departments. It is common for data between departments with different compliance needs not to intermix. As a result, each silo requires a sub-silo of data protection.

Protection and Retention without sub-silos

With VergeOS, you can customize data protection and retention strategies for each VDC, and the platform includes built-in tools to meet the unique needs of every department. While many solutions offer snapshot capabilities, most are limited by performance issues, restricting the number of active snapshots and how long they can be retained. Deleting snapshots to free up disk capacity can also be a tedious and lengthy process.

As a result, many customers opt for data cloning, creating copies for backup and archiving purposes. However, managing multiple copies is time-consuming, costly, and requires additional storage capacity. It also increases the likelihood of errors since IT needs to integrate two or three separate processes.

VergeOS’s IOclone, combines the best capabilities of snapshots and clones by leveraging our unique Global Inline Deduplication technology, which is at the core of VergeOS instead of a bolted-on afterthought. IOclone enables each snapshot to be independent of the VM or Virtual Data Center it is copying. Still, because of the deduplication process, these copies are made in milliseconds and are space efficient. IOclone snapshots are also immutable so that nothing can alter them, which is often another compliance requirement.

Compliant IT Infrastructure must include data protection
IOclone delivers the best of snapshots and clones with no performance impact

The independence of IOclone’s snapshots means that VergeOS customers can have an almost unlimited number of snapshots. IT can repurpose those snapshots for other use cases or applications and can retain them indefinitely without impacting performance.

To learn more about the differences between snapshots, clones, and how IOclone brings the best of both technologies together, watch our on-demand TechTalk, “TechTalk: Deep Dive on Virtual Infrastructure File Systems.”

Recovering a Compliant IT Infrastructure After Disaster

There are strict disaster protection regulations that apply to data centers. Designing a compliant IT infrastructure requires additional measures to ensure preparedness, which can be quite demanding. IT may need to establish a separate DR silo with specific products to meet compliance requirements. Moreover, the DR site must meet the same standards as the primary site, which adds more complexity and cost.

A DR Strategy Minus DR Silos

VergeOS’ IOprotect also leverages our Global Inline Deduplication to provide Wide Area Network (WAN) intelligent data movement between locations. Multiple physical data centers can replicate to a single DR data center, but redundant data between them will not be sent.

Virtual Data Centers (VDCs) play a crucial role in disaster recovery. With each department’s data center encapsulated within a replicated VDC, all the necessary information is readily available for quick recovery in case of a disaster. This makes it possible for IT to bring departments back online within minutes after a site failure without the need to consult a DR runbook or the need for ad-hoc fine-tuning to reconfigure network, security, or storage policies. VergeOS’ IOprotect capability is so cost-effective you can have an on-premises DR and an off-premises DR for 50% less than the cost of your current DR strategy, enabling you to be prepared for both major and minor disasters.

Compliant IT Infrastructure must include DR.
VergeOS-DR is so affordable you can create an on-prem and DR site recovery environment for at least 50% less than your current solution

To dive deep into VMware disaster recovery (DR) Sign up for our Video Learning Guide – Each week, our experts take you through a critical part of making your infrastructure environment more resilient.

Conclusion

Designing a compliant IT infrastructure usually means a significant increase in IT spend and consumption of IT administrative time. Creating separate silos for compliant departments within the organization also leads to increased long-term costs and the inability to adapt the infrastructure to the organization’s future demands flexibly.

VegeOS, through its VDC technology, enables IT to create compliant IT infrastructures while leveraging existing hardware dynamically. It also provides capabilities like IOclone and IOreplicate to meet the data protection, data retention, and disaster recovery requirements for IT.

You can try out the full power of VergeOS right now without having to borrow hardware. Signup for a test drive, and we will create a VDC just for you. You can then create your VMs and even compliant and non-compliant VDCs.

Filed Under: Research Tagged With: ,

by

VMware’s recent price increases, a singular focus on large accounts, and declining support quality have IT professionals within small to medium-sized data centers looking at HCI as a VMware alternative. To provide that alternative hyperconverged infrastructure (HCI), solutions must deliver on a set of crucial requirements, or the organization may find itself in a worse position than putting up with the state of VMware affairs.

Top Three Requirements for HCI as a VMware Alternative

  1. Use a non-VMware Hypervisor at a lower cost
  2. A seamless VMware Exit
  3. Provide a superior data protection experience

    HCI VMware Alternatives Can’t Run VMware

    While it may seem obvious that using HCI as a VMware alternative requires not using VMware as your hypervisor, most HCI solutions on the market require VMware. These HCI products are not HCI at all; they are software-defined storage solutions (SDS) that run as a virtual machine (VM) within VMware.

    These SDS, as HCI solutions and their customers, are still entirely at the mercy of VMware’s pricing and support antics. In addition, by running storage as a VM instead as an equal citizen to the hypervisor, the storage performance on these solutions is subject to the same virtualization tax as any other application running within a VM. This tax can impact I/O performance by as much as 25%. Even HCI solutions that don’t use VMware, if they are running storage as a VM, which most do, are subject to a similar tax.

    The Impact of the Virtualization Tax on Storage

    This tax requires IT professionals to spend more money on hardware. They must configure more nodes with more powerful processors, cores, and the highest possible performance flash drives. The requirement to buy more nodes with more processing power also increases the HCI software license cost. HCI solutions that require VMware, or use an alternate hypervisor, or run storage as a VM may not be cheaper than VMware.

    VergeOS Minimizes the Virtualization Tax

    VergeIO took a different approach than other vendors. Instead of creating a storage solution within a VM, we created a data center operating system (DCOS). This data center operating system, VergeOS, integrates the hypervisor, storage, and networking into a single code base. Storage and networking are equal citizens to the hypervisor. VergeOS is an Ultraconverged Infrastructure (UCI) and is superior to standard HCI solutions.

    The result is a highly efficient operating environment that requires less physical hardware. We repeatedly hear from our customers that they see significantly better performance and can increase VM density after switching to VergeOS, even though they are running on the existing hardware that used to run VMware. To learn more about the efficient VergeOS architecture, watch this on-demand LightBoard session with our Founder and CTO, Greg Campbell.

    HCI VMware Alternatives Require a Seamless Exit

    Using HCI as a VMware alternative to save money and improve performance is very appealing. Still, the project will never take off if the effort to transition the infrastructure is too great. HCI solutions must provide a seamless transition to the new hypervisor. Besides potential performance differences, the user and application experience is mostly unchanged. They still run the same operating system within a VM, now managed by a different hypervisor.

    It is essential, though, that the transition to a VMware alternative is also easy on IT. Most HCI VMware alternatives require a complete shutdown of the VMware environment while migration occurs. Also, since most HCI solutions require that you purchase the vendor’s hardware or they have a rigorous hardware compatibility list (HCL), IT needs to make room for and install new hardware.

    The Impact of Disruptive Migration

    While most organizations can complete this migration over a weekend, there is some significant impact from the process. First, it is, for the most part, an all-or-nothing process, which places much more pressure on pre-purchase evaluation. There is also the impact of being down for a weekend, which an increasing number of organizations can no longer tolerate. Finally, if the conversion does not go according to plan and extends past the weekend maintenance window, IT has to quickly roll back to the VMware environment and try the conversion again next weekend.

    VergeOS Makes VMware Exits Smooth and Gradual

    VergeOS can directly communicate with VMware and make scheduled copies of each VM as frequently as IT chooses. Also, because VergeOS can run on existing hardware, the customer can use VergeOS by using a few extra servers or carving a few nodes out of their VMware environment. The process is so seamless that many customers use VergeOS as a disaster recovery copy of their VMWare environment using our IOprotect capability. Then when you are ready, you can gradually move VMs to be solely hosted in the VergeIO environment. This process takes the pressure off the evaluation phase and provides an extended “test” of the solution while adding value and lowering costs. Most customers that start by using VergeOS for DR realize a 50% cost reduction in the DR process.

    HCI VMware Alternatives Must Improve Resiliency

    Given the ever-increasing risk to and value of data, using HCI as a VMware alternative can not come at the expense of lowering resiliency. Most solutions are surprisingly weak in these terms. The latest DCIG analysis, “Top 5 Rising Vendor HCI Software Solutions,” shows that HCI vendors are all over the place regarding data protection. Most provide some snapshot or clone capability, but not all have VM-level granularity. Most also did not provide any form of immutability to their snapshot capabilities. Finally, many solutions didn’t have asynchronous replication, which is critical for disaster recovery planning and recovery.

    HCI as a VMware Alternative

    Join DCIG and VergeIO tomorrow for our live webinar, “Overcome The Not-So-Magnificent Seven IT Challenges,” to learn how hyperconverged infrastructure (HCI) and ultraconverged infrastructure (UCI) can solve the current challenges IT organizations face, including limited resources, management complexity, and providing IT services at the Edge.

    VergeOS Improves Resiliency

    VergeOS UCI based storage services are built on a foundation of Global Inline Deduplication. Starting with deduplication instead of adding it later means you can get all the benefits without the significant overhead, the deduplication tax, that other solutions impose. As a result, our IOclone, in one feature, delivers the speed and efficiency of snapshots with the independence and resiliency of clones. They are immutable, and IT can retain and repurpose as many of them as they choose.

    HCI as a VMware Alternative

    Global Inline Deduplication combined with VergeOS’ network integration also enables powerful disaster recovery capabilities and Edge protection. Watch our on-demand virtual whiteboard session to learn more about using VergeOS for VMware Disaster recovery.

    Conclusion

    As IT professionals in small to medium-sized data centers explore alternatives to VMware, VergeOS emerges as the compelling choice. With VMware’s recent price increases, focus on large accounts, and declining support quality, organizations seek an HCI solution that meets crucial requirements while providing a seamless transition and superior data protection experience. VergeOS’ UCI design distinguishes itself from other HCI solutions by offering a non-VMware hypervisor at a lower cost, ensuring a smooth exit from VMware, and delivering a superior data protection experience.

    Filed Under: HCI Tagged With: , , ,