Malware Protection (Under the hood)

This article is part of our "Tiger Bridge - Under the hood" series, where we uncover technical details about our product, dive deep into the solutions it offers, and explain which decisions we had to make while designing it.

Dilemma

At some point, every organization has lost data because of malware or other similar threats. We wanted to implement a malware protection mechanism which does not consume too much space, remains invisible, and does not interrupt day-to-day operations.

Background

How do companies protect themselves from malware in general? Like immunostimulants for people, antivirus programs were designed (and have evolved) to stop malware from entering a system and infecting it. However, even in organizations where security is a top priority, malware still sometimes bypasses well-established measures.

If it gets in and deletes or encrypts your data, you need a mechanism that allows you to recover (like antibiotics or other medicines). Over the years, backups have proved effective for that purpose: if an infection infiltrated a system, restoring from a backup ensured data recovery.

In a hybrid environment, malware protection’s main goal is not keeping the system safe from the virus’ entry – this is what antivirus programs do. Rather, the idea is to isolate malware locally before it reaches the cloud; this protects copies of your data from also getting infected.

Pros/Cons Analysis

The strength of antivirus solutions lies in their speed and transparency. On the downside, they sometimes fail to protect the system.

Backup solutions guarantee recovery, but they come at a high cost, incurred in creating, storing, and restoring the data.

With the hybrid approach we’ve taken, we get the best of both worlds and eliminate their cons.

Decision

The hybrid approach helps us achieve our clients’ business continuity goals and needs. We have implemented three main features that enable this: a configurable longer replication policy, fuse protection, and versioning (which acts as a better version of a backup, as already discussed).

The longer replication policy can be set in Tiger Bridge. If you set a lengthy wait period, such as 24 hours, Bridge will wait for that time before it begins replicating any of your file or folder changes to the cloud. In the event of an attack, you would then have 24 hours to detect and recover from potential corruption before the cloud copies of your files and folders also start getting infected. This approach keeps infected data from reaching the cloud for a certain time (which you can use to recover), but it requires manual detection, as it does not differentiate between good and infected data.

Fuse protection offers a more advanced defense because it knows which data is good and which isn’t. It achieves this by keeping track of change requests: if there are too many simultaneous data change requests, Bridge suspects something is wrong and stops further replication to the cloud. However, with this approach you can also get “false positives”, as well as files that haven’t been replicated for a long period of time. You configure it by setting a threshold value in the Tiger Bridge settings. When the queue of files to be replicated exceeds this threshold (for example, 10 or 20), automatic replication of potentially encrypted files is paused until you decide to resume it. With this setting applied, if a virus damages a lot of files at once, replication is paused before any cloud copies are damaged.
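To make the interplay of the two mechanisms above concrete, here is an added illustration (not Tiger Bridge code; the class, field names and the constructed file names are hypothetical) that models a delayed replication queue with a fuse threshold, and shows why the delay alone still needs manual detection while the fuse stops a burst of encrypted files before any reach the cloud:

```python
from dataclasses import dataclass, field

HOUR = 3600


@dataclass
class ReplicationGate:
    """Hypothetical model of a delayed replication queue guarded by a fuse."""
    delay: int                                   # seconds a change must age before replication
    fuse_threshold: int                          # pending changes allowed before replication pauses
    pending: dict = field(default_factory=dict)  # path -> (change_time, content)
    cloud: dict = field(default_factory=dict)    # path -> content that reached the cloud
    paused: bool = False

    def record_change(self, path: str, content: str, now: int) -> None:
        """A local write; its replication is deferred by `delay` seconds."""
        self.pending[path] = (now, content)
        # Fuse: a queue larger than the threshold looks like mass encryption.
        if len(self.pending) > self.fuse_threshold:
            self.paused = True

    def replicate(self, now: int) -> list:
        """Push changes that have aged past the delay, unless the fuse has tripped."""
        if self.paused:
            return []
        due = [p for p, (t, _) in self.pending.items() if now - t >= self.delay]
        for p in due:
            self.cloud[p] = self.pending.pop(p)[1]
        return due

    def resume(self) -> None:
        """Operator has reviewed the queue and decides to resume replication."""
        self.paused = False


def run_scenario(fuse_threshold: int = 10) -> dict:
    gate = ReplicationGate(delay=24 * HOUR, fuse_threshold=fuse_threshold)
    # Day 1: normal editing of three documents (constructed sample data).
    for i in range(3):
        gate.record_change(f"doc{i}.txt", "clean", now=0)
    replicated_day2 = gate.replicate(now=24 * HOUR)        # all three have aged 24h
    # Day 2: ransomware rewrites 25 files within the same minute.
    for i in range(25):
        gate.record_change(f"doc{i}.txt", "ENCRYPTED", now=24 * HOUR + 60)
    replicated_day3 = gate.replicate(now=48 * HOUR + 60)   # due, but the fuse may be tripped
    return {
        "replicated_day2": len(replicated_day2),
        "replicated_day3": len(replicated_day3),
        "paused": gate.paused,
        "encrypted_in_cloud": sum(c == "ENCRYPTED" for c in gate.cloud.values()),
        "clean_in_cloud": sum(c == "clean" for c in gate.cloud.values()),
    }
```

Running `run_scenario(10)` leaves only the three clean copies in the cloud with replication paused, while `run_scenario(100)` (delay only, fuse effectively off) lets all 25 encrypted files through once the 24 hours expire.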

Versioning, as the name implies, provides versions of all modified files, and you are free to select which one you would like to restore. This method may require more cloud storage in order to keep new versions whenever necessary, but it gives you the best control. It can be applied to a specific file, or more broadly – to an entire folder during the recovery process. With this approach, even if an infected file has reached the cloud, you have the means to recover it.

To make the most of the three approaches, you can combine them. They are not mutually exclusive, so together they offer the barrier defense of fuse protection, the longer replication policy that protects the cloud copies of your files and folders, and the ability to recover an individual file, if needed, with the help of versioning. This gives you the best possible malware protection.