Ransomware viruses are an always increasing threat. Being able to protect your systems increases your company security and gives you peace of mind.
While there are a number of solutions to protect valuable data from ransomwares, I’ll focus this article on how to leverage modern CI/CD deployment modes to protect your production systems.
This approach leverages:
- Containerization
- Database as a Service
- Storage as a Service
Containerization
Docker and Kubernetes are widely used in modern application development. Containers run in an isolated environment, this isolation guarantees that no action being executed on a container spans other containers, even if they’re running on top of the same virtual or physical node. This approach minimizes the risk to spread a ransomware across multiple systems, but there’s more.
Containers are based on images. Those images are usually compiled by CI/CD pipelines starting from code. Given the building and execution environment are not managed (and not manageable by IT admins), the compilation and execution are safe from any kind of external attack, event if the attack uses a legitimate machine as a vector.
Database as a Service
Ransomwares usually crypt disk files. Those files may include database files used to store the state of production systems. While there are numerous approaches to mitigate the risk of data deletion using standard backups, the modern way of development consists in leveraging on managed database services that offer performance scale and enhanced security as a service. The DBaaS model involves in granting access to a DB via a connection string but denies any kind of administrative access to the underlying machines running the database itself. This means that a malicious attacker will not be able to gain RDP or SSH access to the machines where data is stored.
For enhanced security, typically in enterprise contexts, database instances are isolated from other networks via firewall rules to limit external exposure. Those two measures shall be extended by managed identities in the cloud. Managed identities grant access to specific resources (such as a database) eliminating the need to store DBMS passwords that might be leaked.
Moreover, DBaaS gives many backup options letting you choose the best combination of RPO and RTO based on the criticality of your application.
Storage as a Service
Protecting the execution environment and the database tier is not enough when the system uses on binary data. Binary data is typically persisted in block storage devices accessible via the filesystem. While this approach has many advantages, it is easier for a ransomware to attack. Leveraging bucket based persistence strictly reduces the attack surface as the access to the objects in the bucket is only granted to the principal (user or application) that is legitimate to access it, at that given time. This means that a ransomware, in order to crypt data in this scenario, shall access the console web interface of the IT admin who has been granted access to the bucket to perform web scraping to delete objects. Even if a malicious attacker uses such approach, cloud providers typically provide redundancy for data across multiple disks and multiple regions, using versioning to prevent malicious or unintended deletion of objects.
By combining modern development techniques with managed services you can successfully protect your system from ransomware attacks.
Luca Pisano,
Multi-Cloud Solution Architect