Pure Technical Services

FlashBlade SafeMode for Object Store


See also SafeMode for Files.

Overview

In today’s security and ransomware landscape, advanced protection features like FlashBlade SafeMode are a fundamental requirement. Just as seat belts are necessary for us in cars, it would be risky not to use SafeMode for ransomware mitigation and rapid recovery of your data. (For more information about ransomware, please see How to Harden Your Data Infrastructure Against Ransomware Attacks).

Ransomware is a top-of-mind threat for organizations due to the potentially disastrous impact: days of downtime, unwelcome public visibility, damage to reputation, and the ransom demand itself.

Recovering from ransomware is difficult because restoring a large amount of data takes time and because attackers target the protected data (replicated data, snapshots, backups, etc.).

Object SafeMode™ on FlashBlade ensures that written objects are immutable, protecting production data while retaining high performance and space efficiency. SafeMode on FlashBlade adds protection around objects to address the advanced threat scenario of attackers compromising admin credentials to a storage array.

What is Object SafeMode?

When Object SafeMode™ is enabled, array behavior changes for administrative users and applications.

When Object SafeMode is enabled, the NTP server(s) cannot be modified.

When Object SafeMode™ is enabled, it:

  • Introduces an adjustable eradication timer from 24 hours up to 400 days.

  • Disables overwrites and deletes to objects within a bucket for the eradication period. 

  • Requires additional layers of authentication and a call to Pure Support before allowing an administrator to destroy a bucket, which protects production buckets from being taken down by compromised admin credentials.

The administrative users can still create new buckets, but the data within them is automatically protected as soon as it is written to them.

Applications can continue to write new data and read from the bucket as before.

Object SafeMode protects the data written by applications to any buckets and prevents manual destruction of the buckets. In this manner, Object SafeMode protects against any malicious overwrites or the destruction of buckets.

Pure1 Manage provides a system-wide view of your protected arrays under the Dashboard->Assessment menu. The example below shows a list of all systems protected by SafeMode with a FlashBlade system highlighted.

Object Data Protection and Why SafeMode

Buckets and Versions in Normal Operations

A bucket is a container in which applications write data using the S3 API. Typically you can protect single versions of objects by turning on versioning at a bucket level. Every time an object is overwritten, a new version is created, and the old version is also retained.

There are no snapshots for object store buckets, so if multiple objects get overwritten or deleted, there is no way to revert to a consistent point in time. 

Deleting Objects and Buckets in Normal Operations

Deleting an object involves the application using S3 APIs to delete the object. Applications also sometimes overwrite the object with new data, and if versioning is enabled on the bucket, older versions of the object are stored. 

There will be occasions when you may need to delete an entire bucket. Deleting a bucket filled with objects in normal operation is a two-step process of 1) destroying the bucket and 2) eradicating or permanently deleting it. Destroying the bucket moves it to the eradication queue to be permanently removed after 24 hours unless an administrator manually eradicates it sooner.

Deleting Objects and Buckets in SafeMode 

The behavior described in this section no longer holds true after Purity//FB 4.4.0. As of the update, Destroy is allowed for SafeMode buckets (Retention lock: ratcheted). Manual eradication is blocked, but automatic eradication occurs after the array-configured timeout. Empty buckets can be destroyed and eradicated at any time.

With Object SafeMode enabled, you cannot destroy a bucket directly. The options to destroy the bucket are grayed out in the menu, as shown below.

Customers have to call Pure Support, which enables authorized administrators to “Destroy” the bucket for 24 hours.

Also, note that the eradication timer is now longer than the 24 hours of normal operation mode. Administrators can eradicate buckets with the assistance of Pure Support, or they can wait for the eradication timer to expire, at which point the bucket is eradicated automatically.

Are There Any Object SafeMode Snapshots?

No. Unlike File SafeMode, Object SafeMode does not have the concept of snapshots, so there are no automatic snapshots created. 

Enabling Object SafeMode

Consider using SafeMode for all production arrays. 

Object SafeMode applies to all buckets on the system and currently (Purity//FB 3.2.x) cannot be set up at an individual bucket level.

Object SafeMode requires:

  • FlashBlade Purity//FB v3.1.x or higher (for optimized security, use the latest version of Purity//FB).

  • Available capacity.

See Space Consumption for guidance on capacity requirements with SafeMode.

Object SafeMode is a feature included with your Purity//FB license. Enabling Object SafeMode is a unique process requiring additional actions by Pure Storage Support and confirmation of the authorized parties. Contact Pure Storage Support to enable Object SafeMode on your FlashBlade. 

Because so much is at stake when you disable SafeMode, there are a few requirements: 

  • Pure Storage Support will need to use conferencing software to verify the array administrator. Include your sales team to confirm identities.

  • You can provide up to five (5) email addresses of associates authorized to make any changes. These should not be people involved in the day-to-day administration of the array, as attackers may focus on those roles.

  • Support will issue a six-digit PIN for your contacts. This PIN will be required to verify authorization and should be stored securely in an offline mechanism to avoid attackers impersonating customer staff when calling Pure Storage Support.

When Object SafeMode is enabled, an eradication timer must be configured between 24 hours and 400 days. Pure Storage Support can change this value upon request by authorized administrators. The timer immediately impacts all objects, including existing ones, as soon as they are written.

Differences between File and Object SafeMode

Object SafeMode works differently than File SafeMode since there is no concept of snapshots and protection is directly on data in buckets.

The following table summarizes the differences between them.

| Object SafeMode | File SafeMode |
| --- | --- |
| Protects object data in buckets from being deleted for the eradication period. NOTE: Applications must handle the inability to delete objects for the configured duration. | Snapshots protect filesystems. Applications and users with the appropriate access can delete or otherwise modify files in the production filesystem. |
| Prevents buckets from being destroyed and allows them to be destroyed and eradicated only with the assistance of Pure Support. | Allows filesystems and snapshots to be eradicated only with the help of Pure Support. |
| Operates on the entire object store on all buckets. | Creates a snapshot of all filesystems in the system as per a predetermined schedule. |

Space Consumption

As Object SafeMode creates no additional data in the form of snapshots, little extra space is consumed other than the production data.

The only things the applications and storage administrators have to worry about are:

  • How to handle the inability to do deletes until the eradication time expires for objects.

  • How to handle the possibility that a ransomware attacker adds extra objects into the bucket which cannot be distinguished from application-uploaded objects (support migration to an empty bucket).
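The second point above can be handled by reconciling the bucket listing against a record the application keeps itself. The following is an added example, not Pure Storage code: it assumes the application stores a manifest of key-to-ETag pairs at upload time (the manifest, the Obj record and plan_migration are hypothetical names), and it sorts a listing into objects to copy to the empty bucket and objects that stay behind until the eradication timer elapses.

```python
from dataclasses import dataclass

@dataclass(frozen=True)
class Obj:
    key: str
    etag: str
    size: int

def plan_migration(listing, manifest):
    """Sort a bucket listing into what to copy to the empty bucket and what to hold.

    listing:  Obj records taken from an S3 list call on the SafeMode bucket
    manifest: key -> ETag the application recorded at upload (assumed to exist)
    """
    copy, unknown, mismatched, seen = [], [], [], set()
    for obj in listing:
        seen.add(obj.key)
        expected = manifest.get(obj.key)
        if expected is None:
            unknown.append(obj)       # the application never uploaded this key
        elif expected != obj.etag:
            mismatched.append(obj)    # known key, content differs from the record
        else:
            copy.append(obj)          # matches the record: migrate it
    return {
        "copy": copy,
        "unknown": unknown,
        "mismatched": mismatched,
        "missing": sorted(set(manifest) - seen),  # recorded but not listed
        # Capacity that stays consumed until the eradication timer elapses.
        "held_bytes": sum(o.size for o in unknown + mismatched),
    }

# Constructed sample data, not taken from a real array.
LISTING = [
    Obj("backups/2024-05-01.tar", "etag-a1", 4096),
    Obj("backups/2024-05-02.tar", "etag-b2", 8192),
    Obj("backups/README_RESTORE.txt", "etag-zz", 512),
    Obj("backups/2024-05-03.tar", "etag-xx", 2048),
]
MANIFEST = {
    "backups/2024-05-01.tar": "etag-a1",
    "backups/2024-05-02.tar": "etag-b2",
    "backups/2024-05-03.tar": "etag-c3",
    "backups/2024-05-04.tar": "etag-d4",
}
```

The held_bytes figure feeds capacity planning, since objects left behind cannot be deleted before the timer expires.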

Objects will be protected until the time set for the eradication timer elapses. For planning purposes, you should account for the possibility of additional capacity. 

Customers can use Lifecycle policies (Purity//FB 3.2.3 onwards) to clean up older data.

Dark Sites

Dark sites can use SafeMode, but customers must internally separate privileges between the storage administrators and act as their own ‘Support’ to change SafeMode parameters.

Replication

Administrators can replicate buckets with SafeMode enabled and perform an emergency or planned failover to the remote system. However, you must contact Pure Storage Support to run a baseline in the event of a complete disaster.

The source and destination systems should have the same Object SafeMode setting to ensure clean failover and failback.

How to Make Changes to SafeMode

To make changes:

  1. Call Pure Storage Support, 1 (866) 244-7121, or if you are international, refer to this reference page for contact information.

  2. Be prepared to have two (2) designated administrators attend a conference call with your Pure account team to validate their identities.

  3. Have your assigned PIN ready for authentication with Support.