Properly architecting and designing solutions for clean room recovery is a crucial step for any organization looking to become more resilient to cyber threats. Clean rooms provide organizations with an isolated environment where data integrity and recovery processes are insulated from external threats. By providing a clean room environment, organizations can expedite security investigations and recovery timelines in the event of a cyber attack.
Lately there has been a lot of buzz surrounding clean rooms and data protection vendors, but the fact remains that Rubrik has supported clean room recovery since the introduction of Isolated Recovery with our Cyber Recovery product. In contrast to solutions that merely claim clean room support, Rubrik provides an efficient and holistic approach for any organization looking to leverage clean rooms to enhance their cyber resilience. By coupling a time-series history of data points with automatic Data Threat Analytics, Rubrik expedites the process of cyber recovery into clean rooms, getting to the root cause faster and reducing the amount of downtime following a cyber event.
Clean Rooms & Rubrik - A vital partnership for enhanced security
If you take a look at some of the core architectural design principles of a clean room, you’ll see key decisions that need to be made in order to provide isolation, controlled access, identity separation, and of course, security toolsets. If you are a current Rubrik customer, you’ll recognize some of these principles. That’s because the core architecture of Rubrik aligns with many of the same design principles and automates many of the same processes that may be performed within a clean room. As a result, Rubrik greatly expedites the three phases of clean room recovery: Isolation and Containment, Forensic Analysis and Investigation, and Recovery and Restoration.
Let’s explore the ways Rubrik sets itself apart from others when it comes to enhancing your organization’s clean room and performing cyber recovery:
Out-of-band management/data hub: Rubrik Security Cloud, coupled with Rubrik Secure Vault and Rubrik Cloud Vault, acts as an out-of-band data hub allowing organizations to rapidly instantiate data and systems into the clean room with ease. Backups are air-gapped, access-controlled, and immutable. Rubrik Security Cloud, the management plane, is also delivered out-of-band through a SaaS-based global interface, allowing organizations to manage their environments and data, be it SaaS, cloud, or on-premises.
Automated Data Security Posture Management: Rubrik not only identifies and classifies sensitive data within your environment, but also gleans valuable insights into the users and identities that have access to this data and what they are trying to do with it. This allows organizations to take a proactive approach to forensic investigations: understanding which users did what, over a period of time, can be the difference between understanding how an attacker initially breached your environment and wasting time attempting to reproduce user-related logs within the clean room.
Powerful Data Threat Analytics: A clean room's purpose is for security teams to analyze and investigate the threat so it can be mitigated. This requires the ability to recover point-in-time snapshots into the clean room. With Rubrik, not only can you provide this ability, but you can eliminate much of the time it takes to get to a clean restore point. Rubrik Anomaly Detection allows organizations to understand the blast radius of the attack with a two-stage machine learning model that identifies workloads and data potentially compromised by an encryption attack. This detection capability works not only on unstructured data, but also at the virtual machine and hypervisor level. On top of this, Rubrik’s Threat Monitoring allows organizations to ensure that no dormant malware or other Indicators of Compromise remain undetected in the backup data, which would cause a reinfection once restored. Additionally, Threat Monitoring happens automatically on all supported data with no user intervention and no additional hardware: once data has landed on the Rubrik platform, the scan runs automatically and results are made available. Since both of these technologies handle large datasets and intense processing, they are designed to leverage incremental scans and are distributed in parallel across the Rubrik Secure Vault cluster for optimal performance. This not only eliminates much of the work that needs to be done within the clean room, but also expedites recovery, as only the data that needs to be recovered to the clean room is restored; there are no more guessing games.
Isolated Recovery: As mentioned earlier, Rubrik’s Isolated Recovery was built for integration with a clean room. Through the use of recovery plans, organizations can be proactive and ready to respond when an attack occurs. Furthermore, Cyber Recovery enables organizations to easily automate recovery validation and testing, ensuring that recovery takes place in the desired order, contains the necessary dependencies and prerequisites, runs any pre/post recovery scripts, performs the desired network changes/mappings, and leaves no surprises in the event an actual recovery is required.
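To make the recovery-plan properties listed above concrete, here is an added example (not Rubrik's code, and not its recovery-plan API): a hypothetical plan model that validates dependencies before anything is restored, orders workloads so every dependency is restored first, runs pre/post scripts around each step, and hands each workload its production-to-clean-room network mapping. The workload names, network names and hook behaviour are constructed sample data; the `restore` callable stands in for whatever platform call actually performs the restore.

```python
# Added example (not Rubrik's code): a hypothetical recovery-plan model that
# enforces the properties the text lists for Isolated Recovery plans: restore
# order follows declared dependencies, pre/post scripts run around each step,
# and production-to-clean-room network mappings are applied per workload.
# All workload names, networks and hook behaviour are constructed sample data.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Optional


class PlanError(Exception):
    """Raised by validation so problems surface in a test, not during a real recovery."""


@dataclass
class Workload:
    name: str
    depends_on: List[str] = field(default_factory=list)
    # production network name -> clean-room network name
    network_map: Dict[str, str] = field(default_factory=dict)
    pre: Optional[Callable[[], None]] = None   # pre-recovery script
    post: Optional[Callable[[], None]] = None  # post-recovery script


def order_recovery(plan: List[Workload]) -> List[str]:
    """Return workload names so that every dependency precedes its dependents.

    Rejects duplicate names, references to workloads missing from the plan,
    and dependency cycles; ties keep the author's declared order.
    """
    by_name: Dict[str, Workload] = {}
    for w in plan:
        if w.name in by_name:
            raise PlanError(f"duplicate workload {w.name!r}")
        by_name[w.name] = w
    for w in plan:
        for dep in w.depends_on:
            if dep not in by_name:
                raise PlanError(f"{w.name!r} depends on {dep!r}, which is not in the plan")

    order: List[str] = []
    state: Dict[str, int] = {}  # 1 = on the current path, 2 = placed

    def visit(name: str, path: List[str]) -> None:
        if state.get(name) == 2:
            return
        if state.get(name) == 1:
            raise PlanError("dependency cycle: " + " -> ".join(path + [name]))
        state[name] = 1
        for dep in by_name[name].depends_on:
            visit(dep, path + [name])
        state[name] = 2
        order.append(name)

    for w in plan:
        visit(w.name, [])
    return order


def run_recovery(plan: List[Workload],
                 restore: Callable[[str, Dict[str, str]], None]) -> List[str]:
    """Validate, then restore each workload in order: pre hook, restore, post hook.

    `restore` stands in for the platform's restore call; it receives the
    workload name and its network mapping. Returns the executed order.
    """
    by_name = {w.name: w for w in plan}
    done: List[str] = []
    for name in order_recovery(plan):  # validation completes before any restore starts
        w = by_name[name]
        if w.pre:
            w.pre()
        restore(w.name, w.network_map)
        if w.post:
            w.post()
        done.append(name)
    return done


def sample_plan(events: List[str]) -> List[Workload]:
    """Constructed plan, deliberately declared in the wrong order, with hooks
    that record what they did into `events`."""
    clean_net = {"prod-vlan-10": "cleanroom-vlan-910"}
    return [
        Workload("web01", ["app01"], clean_net),
        Workload("app01", ["sql01", "dc01"], clean_net,
                 post=lambda: events.append("post:app01:smoke-test")),
        Workload("sql01", ["dc01"], clean_net,
                 pre=lambda: events.append("pre:sql01:detach-replication")),
        Workload("dc01", [], clean_net),
    ]


if __name__ == "__main__":
    events: List[str] = []
    plan = sample_plan(events)
    order = run_recovery(plan, lambda name, nets: events.append(f"restore:{name}:{nets}"))
    print("recovery order:", order)
    for e in events:
        print(" ", e)
```

The point of validating the whole plan up front is the "no surprises" property: a missing dependency or a cycle is caught during a rehearsal, not halfway through a real recovery into the clean room.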
A myriad of architectures to support your clean room scenarios
The three main phases of clean room processes (Isolation and Containment, Forensic Analysis and Investigation, and Recovery and Restoration) remain consistent across environments; however, the scenarios you need to prepare for may differ slightly depending on the environments you are looking to recover from. The good news is that Rubrik has an architecture to help you with your cyber recovery no matter where your data lives. Let’s dive into a few.
On-Premises Clean Room Architectures
Integrating Rubrik with clean rooms located on-premises can be done in a number of ways depending on how your environment is configured. From employing an entirely physically air-gapped solution to simply isolating VLANs, Rubrik can be configured to ensure data recoverability. Let’s look at a couple of the most popular on-premises clean room architectures leveraging Rubrik Security Cloud.
Rubrik On-Premises Clean Room Architectures
The architecture on the left depicts an on-premises dual-homed Rubrik Secure Vault cluster. With one network adapter connected to the production environment, Rubrik is able to take immutable backups of production workloads, storing them safely on Rubrik Secure Vault. Another network adapter within the Rubrik Secure Vault provides network connectivity to the clean room, allowing for efficient restoration into the isolated environment.
The architecture on the right works much in the same way as the dual-homed architecture; however, instead of physically connecting one Rubrik Secure Vault to each network, two Rubrik Secure Vaults are utilized with a firewall between them to provide even more separation of duties. Rubrik’s fast and efficient replication is leveraged to synchronize restore points between the two Rubrik Secure Vaults, ensuring data is available within the clean room for recovery. Furthermore, replication is pull-based, initiated from the Rubrik Secure Vault located within the clean room.
In both clean room architectures, Data Threat Analytics and Data Security Posture Management processes run directly on the Rubrik Secure Vault. Because they require no access to production, they can continue to run even after production environments have been quarantined following an attack, allowing organizations to recover the latest non-anomalous, non-quarantined, clean point-in-time restore point.
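The selection rule in that last sentence is worth spelling out, because the naive reading ("newest snapshot that was not flagged") is not the safe one. Below is an added example, not Rubrik's code or its selection logic, of a hypothetical selector that works over the three vault-side signals the page describes (anomaly flag, threat-monitoring IoC hits, quarantine status) and, by default, only trusts snapshots taken before the first anomalous one, since a later snapshot the detector did not flag may still carry the attacker's changes. The snapshot series is a constructed timeline for one workload; the field names and the 0-indexed day numbering are assumptions made for the example.

```python
# Added example (not Rubrik's code): a hypothetical selector for the "latest
# non-anomalous, non-quarantined, clean" restore point described above. Each
# snapshot carries the three vault-side signals the text names: the anomaly
# flag, threat-monitoring IoC hits, and quarantine status. The constructed
# series below simulates one workload's daily snapshots across an incident.
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import List, Optional


@dataclass(frozen=True)
class Snapshot:
    snapshot_id: str
    taken_at: datetime
    scanned: bool        # both anomaly detection and threat monitoring have finished
    anomalous: bool      # anomaly detection flagged encryption-style mass change
    ioc_hits: int        # threat-monitoring matches; 0 means clean
    quarantined: bool    # quarantined by an operator or policy


def is_clean(s: Snapshot) -> bool:
    """A snapshot is a candidate only if its scans completed and all came back clean."""
    return s.scanned and not s.anomalous and s.ioc_hits == 0 and not s.quarantined


def select_clean_restore_point(snapshots: List[Snapshot],
                               require_pre_anomaly: bool = True) -> Optional[Snapshot]:
    """Newest clean snapshot, by default restricted to those taken before the
    first anomalous snapshot: a later snapshot that the detector did not flag
    may still contain the attacker's changes, so it is not trusted by default."""
    ordered = sorted(snapshots, key=lambda s: s.taken_at)
    first_anomaly = next((s.taken_at for s in ordered if s.anomalous), None)
    for s in reversed(ordered):
        if not is_clean(s):
            continue
        if require_pre_anomaly and first_anomaly is not None and s.taken_at >= first_anomaly:
            continue
        return s
    return None  # nothing clean is available; escalate rather than guess


def blast_radius(snapshots: List[Snapshot]) -> List[str]:
    """Snapshot ids that belong in the clean room for forensics, not in production."""
    return [s.snapshot_id for s in sorted(snapshots, key=lambda s: s.taken_at)
            if s.anomalous or s.ioc_hits > 0 or s.quarantined]


def sample_series() -> List[Snapshot]:
    """Constructed incident timeline for one workload (day 0 is an arbitrary date)."""
    day0 = datetime(2024, 1, 1)

    def snap(i, scanned=True, anomalous=False, ioc_hits=0, quarantined=False):
        return Snapshot(f"snap-{i}", day0 + timedelta(days=i),
                        scanned, anomalous, ioc_hits, quarantined)

    return [
        snap(0), snap(1), snap(2),                   # normal operations
        snap(3, ioc_hits=2),                         # dormant malware lands; threat monitoring hits
        snap(4, anomalous=True, quarantined=True),   # encryption begins; snapshot quarantined
        snap(5),                                     # not flagged, but taken after the anomaly began
        snap(6, scanned=False),                      # scans still running; cannot be trusted yet
    ]


if __name__ == "__main__":
    series = sample_series()
    safe = select_clean_restore_point(series)
    print("clean restore point:", safe.snapshot_id if safe else None)
    print("blast radius (forensics only):", blast_radius(series))
    newest = select_clean_restore_point(series, require_pre_anomaly=False)
    print("newest unflagged (not recommended):", newest.snapshot_id if newest else None)
```

On the constructed series the default rule returns the day-2 snapshot, while the naive "newest unflagged" rule returns day 5, a snapshot taken after encryption had already started. Returning `None` when nothing qualifies is deliberate: an empty answer should trigger an investigation in the clean room, not a fallback to the least-bad snapshot.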
Cloud Clean Room Architectures
Rubrik can also seamlessly integrate with cloud-based clean room technologies, ensuring that strict isolation, out-of-band management, and air-gapping are deployed in order to facilitate recoveries after an attack occurs.
Rubrik Cloud-Based Clean Room Architectures
The architecture on the left depicts a common design for clean rooms within AWS. Unlike on-premises solutions, a clean room within AWS can be instantiated simply by creating another account to host the clean room activities. Rubrik’s Cloud Native Protection can then perform cross-account/cross-region replication to ensure that data resides within the clean room itself. A deployed exocompute handles Data Threat Analytics and Data Security Posture Management activities, sending metadata back to Rubrik Security Cloud to expedite clean room processes.
The architecture on the right illustrates a clean room architecture for Azure, using a separate Azure tenant as the clean room. To ensure data is recoverable within the clean room, Rubrik’s archiving capabilities are leveraged to migrate backups to either Rubrik Cloud Vault, a fully hosted, air-gapped, immutable storage solution, or to a customer-managed Azure Storage Account located within the clean room. In this case, Data Threat Analytics and Data Security Posture Management processes are performed completely out of band within the fully hosted environment that delivers the Rubrik Cloud Vault storage.
Leverage AVS as a Clean Room with Rubrik
Rubrik also supports customers looking to leverage Azure VMware Solution (AVS) as their clean room and/or recovery target. In the above architecture, Rubrik Secure Vault takes the backups of an on-premises VMware environment. Once backups have been taken, they are scanned with Data Threat Analytics and Data Security Posture Management processes. Backups are then replicated to a Rubrik Secure Vault instance in Azure, which is attached to an AVS environment. Backups can then be easily recovered into the AVS environment.
Enhance and expedite your clean room today with Rubrik Security Cloud
Architecting a clean room with Rubrik Security Cloud can bolster an organization's overall data resilience while at the same time lowering risk. Through its powerful Data Threat Analytics and comprehensive Data Security Posture Management tools, Rubrik Security Cloud delivers a unified interface allowing you to detect anomalies, hunt for IoCs, discover and classify sensitive data, and understand who is accessing your data and what is happening to it. These are all crucial processes that are typically performed within the clean room itself, but with Rubrik they are executed automatically before a recovery even takes place. And of course, no matter where your clean room is located, Rubrik provides a multitude of restoration options to ensure your data is available for forensics and recovery purposes. Rubrik Security Cloud provides the means to drastically reduce the amount of time it takes for organizations to recover from cyber attacks.
Is it time to be more informed about the state of data security? Have a look at our latest Rubrik Zero Labs report.