Content Copyright © 2023 Bloor. All Rights Reserved.
Also posted on: Bloor blogs
Scality has historically provided a high-end on-premises software-defined storage product called RING, which competes effectively with equivalent products from the likes of IBM, Dell, etc. It is a high-performance object storage platform which integrates well with public cloud, native file protocols and so on. However, it is aimed at the sort of large customer that wants to control all aspects of its object storage, and this can make it a bit intimidating to the sort of small/medium (and even some large) customers that just want an object store as a backup for protection against, say, ransomware and user error. It is also a bit excessive if you don’t need all its functionality.
So, Jerome Lecat, Scality’s CEO, was telling me about the latest release of its ARTESCA product. ARTESCA 2.0 is a simple, software-defined, commodity, S3 Object Store appliance, which makes Scality’s expertise available more widely. There will be some overlap with its RING product, but the RING customers Scality loses to its cheaper appliance probably weren’t very suited to RING anyway, Lecat says.
An on-premises software-defined appliance isn’t “cloud fashionable” perhaps – but cloud is more of a philosophy than a particular technology, and if it means anything it means that your data is abstracted from the underlying hardware – you just store it wherever is most appropriate. The cost of public cloud can be considerable, especially if people make more “what-if” use of the data, which means that data egress charges mount up (although Lecat points out that the EU is thinking of regulating egress charges). All that really matters is that you use cloud protocols and aren’t locked in to either an on-premises solution or a particular public cloud solution. The optimum place to store data will change as technologies, business imperatives or even vendor politics change, and it is important that people analyse their own workloads and decide on the most appropriate storage platform – or platforms. This is a continuous process, and what is optimum today may not be optimum tomorrow.
Lecat says that a prime driver for ARTESCA purchases is addressing the ransomware threat – if you have a secure backup of your data where nothing is ever deleted but only added to, criminals can’t hold you to ransom by applying their own encryption to your data and making it unreadable. Of course, perhaps an attack started in “stealth mode”, well before any ransom demand arrived, so it is important that you know (or can work out) how far back to go in your archives, to ensure that you’ve reached uncorrupted data. It is equally important that you have some policies you can put into effect to tell the press that you are in control of the situation and when normal service will be resumed, and that you have thought through some way of mollifying customers if any recent transactions are unavoidably lost. You can’t just buy a ransomware solution and forget about the issue.
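Working out "how far back to go" in an add-only store comes down to picking, for every object, the newest version written before the attack began. The sketch below is an added example, not Scality or ARTESCA code: the flat record layout (modelled loosely on an S3 version listing), the function name and the sample data are assumptions made for illustration.

```python
from datetime import datetime, timezone

def ts(day):
    """Parse a YYYY-MM-DD string into a UTC timestamp."""
    return datetime.fromisoformat(day).replace(tzinfo=timezone.utc)

# Constructed sample: version history of a versioned, add-only bucket.
# A "DeleteMarker" entry hides an object without removing older versions.
VERSIONS = [
    {"Key": "finance/ledger.db", "VersionId": "v1", "LastModified": ts("2023-05-01"), "DeleteMarker": False},
    {"Key": "finance/ledger.db", "VersionId": "v2", "LastModified": ts("2023-05-20"), "DeleteMarker": False},
    {"Key": "finance/ledger.db", "VersionId": "v3", "LastModified": ts("2023-06-10"), "DeleteMarker": False},
    {"Key": "hr/staff.csv", "VersionId": "v1", "LastModified": ts("2023-04-15"), "DeleteMarker": False},
    {"Key": "hr/staff.csv", "VersionId": "v2", "LastModified": ts("2023-06-12"), "DeleteMarker": True},
    {"Key": "sales/q2.xlsx", "VersionId": "v1", "LastModified": ts("2023-06-05"), "DeleteMarker": False},
    {"Key": "tmp/old.log", "VersionId": "v1", "LastModified": ts("2023-03-01"), "DeleteMarker": False},
    {"Key": "tmp/old.log", "VersionId": "v2", "LastModified": ts("2023-03-10"), "DeleteMarker": True},
]

# Assumed result of the investigation: earliest suspected attacker activity.
COMPROMISE_START = ts("2023-06-01")

def last_clean_versions(versions, compromise_start):
    """Return ({key: version_id_to_restore}, [keys with no clean copy])."""
    by_key = {}
    for v in versions:
        by_key.setdefault(v["Key"], []).append(v)
    restore, no_clean_copy = {}, []
    for key, history in by_key.items():
        clean = [v for v in history if v["LastModified"] < compromise_start]
        if not clean:
            # Object first appeared after the attack began: nothing to trust.
            no_clean_copy.append(key)
            continue
        newest = max(clean, key=lambda v: v["LastModified"])
        # A pre-attack delete marker means the object was already gone,
        # so there is nothing to restore for that key.
        if not newest["DeleteMarker"]:
            restore[key] = newest["VersionId"]
    return restore, sorted(no_clean_copy)

if __name__ == "__main__":
    plan, lost = last_clean_versions(VERSIONS, COMPROMISE_START)
    print("restore:", plan)
    print("no clean copy:", lost)
```

Keys reported as having no clean copy are the "recent transactions" that may be unavoidably lost and need the business-level handling described above.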
ARTESCA is a very good basis for ransomware defence but you should still have robust business resilience policies and test them regularly, perhaps with walkthroughs of various attack scenarios. Remember that if the press features you in a ransomware attack story and doesn’t follow it up quickly with a story around how well you mitigated the attack (perhaps because you didn’t tell them, or your customers, that you had), then you could still lose customers very quickly.
The key ransomware protection features of ARTESCA are:
- It runs on a new, minimal, security-hardened Linux operating system that is much harder to attack – and many opportunistic ransomware cowboys don’t look much beyond Windows anyway. You should always remember, though, that targeted attacks, while comparatively rare, may employ very skilled technicians and are probably going to do the most damage.
- Multi-factor authentication is available for administration logins – which (in our opinion) should be the practice everywhere already (but probably isn’t).
- Attackers can’t change stored data at the API level (using S3 object locking), and the object storage paradigm underneath is intrinsically immutable too.
- Unused network ports are locked down by default, which is good practice generally, in order to reduce the attack surface.
- ARTESCA automatically configures firewall rules on deployment, which is a very good idea (people often forget or delay this) and this simplifies security management, although we think you should probably review these for yourself anyway.
ARTESCA 2.0 also adds more enterprise-grade features while keeping cost of entry (and complexity) low, as one would probably expect. There are also new, and useful, deployment options available:
- A software-defined appliance with automated patch upgrades (including for the Linux OS) – good for security management.
- An OVA virtual appliance in Open Virtualization Format (an OVF Package in a single file archive with the .ova extension) for faster installation on VMware vSphere v7 and later.
- It will be (after Q3, 2023) free for a 90-day evaluation period and, usefully, the trial has unlimited capacity.
We’re sure that this isn’t the only software-defined storage appliance out there, but it does have some very nice enterprise-grade features at a low entry point (under $4000/year) and, presumably, some of the respected RING expertise has transferred over.