According to Cybersecurity Ventures, more than half of the world’s data will be stored in the cloud by 2025. 

With this growth comes a new challenge: understanding where your cloud data lives, what it contains, and how to ensure it is properly protected. The mass storage capabilities of the cloud mean it’s easy to drop data wherever you want. It’s also easy to forget to clean up that data or to set up backups where that data is required.

This is a particularly vexing problem when it comes to sensitive data. Given the proliferation of clouds, it’s easy to lose track of where sensitive data is stored. That means you don’t know how well your sensitive data is being protected at any given time—if it was ever protected in the first place. Not a good place to be! 

This sensitive data problem can be addressed with a modern data resilience platform. Rubrik Security Cloud has built a reputation for protecting all data by simply applying global data protection policies, called SLA Domains, to the entire cloud account. In some cases, this can lead to the protection of data that simply doesn’t need to be backed up (test datasets, backups of expired objects, data that could be archived or deleted), which adds to your cloud costs.

Today, Rubrik is proud to introduce Data Protection Insights, a new capability to help protect important data while keeping a close eye on unnecessary data storage costs. Data Protection Insights is available to Rubrik Cloud-Native Protection customers. Data Protection Insights builds on the automatic discovery of cloud workloads by providing extra context on whether all relevant cloud data is backed up, and whether any sensitive data is found in the object.

Let’s take a closer look.

Secure Your Unprotected Data

It may seem obvious that your cloud backup tool should be able to tell you which data it is protecting. Still, many customers use a mix of products to protect their cloud data, including the cloud providers' native backup tools such as AWS Backup or Azure Backup. The lack of a single location to manage and monitor data protection activities can lead to gaps in visibility.

Data Protection Insights can fix this, categorizing data protection for objects into several categories:

  • Protected by Rubrik Security Cloud 

  • Protected by the cloud provider’s native backup tool (like AWS Backup or Azure Backup)

  • Unprotected or unknown (including where the objects may be protected by a third-party backup tool)

  • Do not protect: the object has been explicitly flagged as not protected in Rubrik Security Cloud. This may be applied to sample data sets for testing purposes, or data that can easily be reconstructed from other sources.
     

Pay Attention to Sensitive Data

As you can see from the screenshot above, your data is then further broken down by sensitivity. In this case we can clearly see that there are 10 sensitive objects that are currently unprotected. By hovering over the “Unprotected” slice, we get a breakdown of the types of objects that have been detected as sensitive.
 


We can then click on the specific object type to be taken to the inventory, where we can see the details of the specific objects detected as sensitive. In this case, we are looking at our AWS S3 buckets, a frequently used location for sensitive data.
 


We can now see the buckets' names, including their sensitivity level and the number of high, medium, and low sensitivity hits. With this context, we can decide to investigate further: What does the data hold? Should that data be there? Should a Rubrik SLA Domain protect it?

Making a decision about protecting the objects is as simple as clicking “Manage Protection” to assign an SLA Domain. Now that sensitive data is safe.

Air Out Your Stale Data

Unaccessed objects, sometimes referred to as stale data, are objects that have not been touched in 90 days. Stale data are good candidates for removal, which can save you money on cloud storage costs. Where this data is sensitive, removal of this data comes with the added benefit of reducing your risk of sensitive data loss in the event of an attack. 

Managing your stale data is also a simple matter of clicking through the details of the specific unaccessed objects. Getting this context allows you to make a decision about retaining or deleting this data.
 

Deal With Your Relic Data

The bottom card shows relic objects. These are typically snapshots of objects where the source object has been deleted. 

This may be intentional, as sometimes there is a requirement to retain a final backup after a system or service has reached end of life. If this is the case, it may make sense to tier these down to a more cost-effective cold storage tier. 

Overwhelmingly, however, these tend to be backups that were missed in the cleanup process when an object was deleted. You may have significant cost savings available to you!
 

How does it work?

The first part of the analysis happens in Rubrik Security Cloud. Rubrik leverages the cloud provider APIs to identify whether objects are being protected by native backup tooling, where these objects are located, and when these objects were accessed.

Once the question of backup is answered, this information is collated with the data protection information that Rubrik Security Cloud holds about its own protection, giving visibility into what is and is not protected.

The second part of the analysis uses serverless technology in a customer Outpost account to perform data sampling of the objects for data sensitivity. This approach means that Rubrik does not move data outside of the customer's environment. Only metadata is transmitted to Rubrik Security Cloud, where it can be seen in the user interface. 
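The collation described above, combined with the stale and relic definitions earlier in the post, can be sketched in Python. This is an added illustration, not Rubrik's implementation: the inventory records are constructed, every field name except `SnapshotId` and `VolumeId` is hypothetical, and the precedence between categories is an assumption.

```python
from datetime import datetime, timedelta, timezone

STALE_AFTER = timedelta(days=90)  # the post's threshold for unaccessed objects

def protection_category(obj, rubrik_ids, native_ids):
    """Map an object to one of the four categories listed in the post.
    The precedence order used here is an assumption, not documented behaviour."""
    if obj.get("do_not_protect"):
        return "do_not_protect"
    if obj["id"] in rubrik_ids:
        return "rubrik"
    if obj["id"] in native_ids:
        return "native"
    return "unprotected_or_unknown"

def relic_snapshots(snapshots, live_ids):
    """Snapshots whose source object no longer exists in the inventory."""
    return [s["SnapshotId"] for s in snapshots if s["VolumeId"] not in live_ids]

def summarize(objects, snapshots, rubrik_ids, native_ids, now):
    report = {"sensitive_unprotected": [], "stale": [], "by_category": {}}
    for obj in objects:
        cat = protection_category(obj, rubrik_ids, native_ids)
        report["by_category"].setdefault(cat, []).append(obj["id"])
        if cat == "unprotected_or_unknown" and obj["sensitive"]:
            report["sensitive_unprotected"].append(obj["id"])
        if now - obj["last_accessed"] >= STALE_AFTER:
            report["stale"].append(obj["id"])
    report["relics"] = relic_snapshots(snapshots, {o["id"] for o in objects})
    return report

# Constructed sample inventory (field names other than SnapshotId/VolumeId are hypothetical).
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
def _ago(days):
    return NOW - timedelta(days=days)

OBJECTS = [
    {"id": "bucket-a", "sensitive": True, "last_accessed": _ago(5)},
    {"id": "bucket-b", "sensitive": True, "last_accessed": _ago(200)},
    {"id": "vol-1", "sensitive": False, "last_accessed": _ago(10)},
    {"id": "bucket-test", "sensitive": False, "last_accessed": _ago(120), "do_not_protect": True},
]
SNAPSHOTS = [
    {"SnapshotId": "snap-1", "VolumeId": "vol-1"},
    {"SnapshotId": "snap-2", "VolumeId": "vol-gone"},  # source volume deleted
]
REPORT = summarize(OBJECTS, SNAPSHOTS, rubrik_ids={"bucket-a"}, native_ids={"vol-1"}, now=NOW)

if __name__ == "__main__":
    for key, value in REPORT.items():
        print(key, value)
```

Note that `bucket-test` is flagged stale even though it is marked do-not-protect: protection status and access age are independent dimensions, which is why the dashboard reports them on separate cards.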

How do I enable this?

Sounds exciting, right? Added bonus: enabling this functionality is super simple! 

  1. In Rubrik Security Cloud, browse to the Settings page, then to Cloud Accounts, then select AWS.

  2. Click the ellipsis on the right of each onboarded cloud account, then Edit Cloud Account.

  3. At the bottom of the popup, you’ll see a new option to toggle a switch for Data Protection Insights, as in the screen below.

 

  4. Flip this switch, then click Next.

  5. You’ll see a summary of the onboarded account, including the regions that Rubrik is automatically discovering workloads in. You can add or remove regions in this screen as required, then click Next.

  6. The next screen will ask for your Outpost account details. This account is where the data sensitivity analysis occurs. You can use an existing account or set up a separate one specifically for this purpose. Enter the account number, then click "Generate CFT" to create a CloudFormation Template for configuring the Outpost. Finally, click to log in to the AWS console for your Outpost account.
 


  7. In the AWS account, click through the wizard to apply the CloudFormation Template. The final step of the setup sends a notification to Rubrik Security Cloud that the setup is completed. At this point, you can return to Rubrik Security Cloud and finalize the wizard.

Accessing Your Insights

With setup complete, it's time to review your insights. From the main Data Protection page, you’ll find the new Data Protection Insights dashboard under Dashboard > Cloud Workloads. Please note that initial analysis may take a few hours to complete.
 


After the initial analysis, workloads will be automatically discovered in the same way as previously, and automatically analyzed for Data Protection Insights. This ongoing process helps you stay informed about your cloud data's protection, cost, and sensitivity. 

Data Protection Insights is an essential addition to any data protection strategy, supporting compliance with data security regulations and efficiently managing your cloud resources. All of this while potentially reducing unnecessary cloud expenses. Who doesn't want all of that?  

And since all of these features are included in the license cost for Rubrik Cloud Native Protection, you get these benefits without deploying any new tooling. Turn it on today! 

Frequently Asked Questions

While we’ve tried to address most questions about this new capability above, below are some additional questions and answers which we’d like to share with you.

Q: I’m a Rubrik Cloud Native Protection customer. How can I access this?

A: This feature is generally available now for Rubrik customers with Cloud Native Protection. If you don’t see the option to enable Data Protection Insights as detailed above, please open a ticket with Rubrik Support for investigation.

Q: What cloud providers does this support?

A: As of this blog's publish date, Data Protection Insights supports data within AWS EC2 instances, EBS volumes, S3 buckets, and RDS instances. We will be supporting Azure workloads very shortly.

Q: Is there an additional charge to gain access?

A: There is no extra cost from Rubrik. Rubrik customers who purchased Cloud Native Protection have Data Protection Insights included. However, the Outpost account is owned and maintained by you as a customer, and there will be costs associated with the Lambda calls and storage associated with running Data Protection Insights across your data.

Q: How can I gain more insights into the nature of my sensitive cloud data and how it is being protected?

A: Beyond the details that Data Protection Insights offers, Rubrik has a complete DSPM solution for cloud workloads that offers more comprehensive visibility into the sensitivity of cloud data. Reach out to your Rubrik account team for more details.

Q: Multiple AWS accounts are protected under my Rubrik Security Cloud instance. How many Outpost accounts do I need?

A: Only one Outpost account is required per Rubrik Security Cloud instance. Once this Outpost account is onboarded, all following AWS accounts will automatically be attached to that Outpost during the onboarding process.

Q: Do I need to onboard my AWS accounts and then enable Data Protection Insights?

A: No, the workflow above is available during the cloud account onboarding wizard.