Introduction
This blog describes how to protect backup data using the Write Once Read Many (WORM) feature on Hitachi Virtual Storage Platform One File (VSP One File) and Hitachi Data Protection Suite (HDPS).
- VSP One File supports WORM file systems, widely used to store critical data in an unalterable state for a specific duration.
In this scenario, we validate WORM protection by running test cases.
Test cases
Table 1 lists the test cases and evaluation types:
Test Environment
Figure 1 shows the test environment layout:
Figure 1: Test environment layout
Table 2 lists the products and their versions used in this test:
Table 2: Products and versions
Table 3 lists the server configurations:
Table 3: Server configurations
Configuration
The following setups must be configured for this test environment:
VSP One File
VSP One File offers two types of WORM file systems:
Create a WORM file system, either strict or non-strict, from VSP One File to use the WORM feature. In this scenario, a non-strict WORM file system is used to allow reformatting after testing.
File System Creation and WORM Enablement:
1. Log in to the VSP One File CLI using the vSMU IP.
2. Run the following command to create a WORM file system:
evssel 1 filesystem-create --block-size 32 --non-strict-worm SP_dedup FS-nonstrict-dedup 300 500
The flag parameter shows that WORM is enabled for the created file systems:
Note: You must create WORM file systems from the VSP One File CLI.
Hitachi Data Protection Suite
Storage Pool Creation and WORM Enablement:
1. Configure a disk storage pool, and add the Hitachi NAS CIFS share as a backup location.
For more information, see: Configuring Disk Storage
2. After creating the storage pool, enable WORM and set a retention period during the configuration. In this scenario, two WORM-enabled storage pools are created: one with deduplication and another without deduplication.
Server Backup Plan Creation:
Create two server backup plans for dedup and non-dedup backup data by performing the steps in the following link: Creating Server Plan.
Test Case Validation and Results
After configuring the test environment, we stored backups in two different CIFS shares of VSP One File and validated the results according to the test cases described in Table 1.
Validation (1): Verify that objects have retention set (the access time should be a future date based on the WORM lock days). In this scenario, we set a 1-day retention period for both dedup and non-dedup backups.
Expectation: Dedup backup copies are accessible only after 8 days (7 days for DDB seal + 1 day for WORM lock retention). Non-dedup backup copies are accessible only after 1 day from VSP One File.
Note: WORM lock retention is the sum of the retention of the storage policy pool copy and the DDB seal frequency. For more information, see: Configuring WORM Storage Lock (commvault.com).
- The following screenshot shows the access time of deduplicated backup data. The backup was created on June 12, 2024; as expected, the access time is June 20, 2024.
- The following screenshot shows the access time of non-deduplicated backup data. The backup was created on June 12, 2024; as expected, the access time is June 13, 2024.
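The check in Validation (1) can also be run across a whole share rather than one file at a time. The following Python sketch is an added example, not part of the original test procedure or of any Hitachi or Commvault tooling. It assumes the backup share is mounted locally and that the retention date is visible as each file's access time, as described above; the file names and the one-hour tolerance are constructed for illustration.

```python
import os
import tempfile
from datetime import datetime, timedelta, timezone


def expected_release(created, lock_days, ddb_seal_days=0):
    """Creation time + WORM lock days (+ DDB seal days for dedup copies)."""
    return created + timedelta(days=lock_days + ddb_seal_days)


def audit_worm_tree(root, expected, now, tolerance=timedelta(hours=1)):
    """Walk a mounted backup share and classify each file by its atime."""
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            # os.stat reads metadata only, so it does not disturb atime.
            atime = datetime.fromtimestamp(os.stat(path).st_atime, tz=timezone.utc)
            if atime <= now:
                status = "UNLOCKED"   # no future retention date set
            elif atime < expected - tolerance:
                status = "SHORT"      # locked, but for less than the policy
            else:
                status = "OK"
            findings.append((os.path.relpath(path, root), status, atime))
    return sorted(findings)


def demo():
    # Constructed sample data: three files in a temporary directory stand in
    # for backup chunks; dates mirror the 1-day lock + 7-day DDB seal case.
    created = datetime(2024, 6, 12, tzinfo=timezone.utc)
    now = created + timedelta(hours=6)
    dedup_release = expected_release(created, lock_days=1, ddb_seal_days=7)
    with tempfile.TemporaryDirectory() as root:
        samples = {
            "chunk_locked.bin": dedup_release,
            "chunk_short.bin": created + timedelta(days=1),
            "chunk_unlocked.bin": created,
        }
        for name, atime in samples.items():
            path = os.path.join(root, name)
            with open(path, "wb") as fh:
                fh.write(b"constructed sample")
            os.utime(path, (atime.timestamp(), created.timestamp()))
        return [(n, s) for n, s, _ in audit_worm_tree(root, dedup_release, now)]


if __name__ == "__main__":
    for name, status in demo():
        print(f"{status:9} {name}")
```

Any file reported as UNLOCKED or SHORT on a WORM-enabled pool is worth investigating before relying on the retention lock.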
Validation (2): Verify that the storage side prevents deleting objects before retention time. We tried to delete the backup data from VSP One File and HDPS before the retention period.
Expectation: Backup data cannot be accessed or deleted before the retention period.
Results: The following screenshots show that the data remains protected and inaccessible within the WORM retention period.
- The following shows the accessibility of deduplicated backup data within the retention period from HDPS. Access to WORM-locked data is prevented as expected.
- The following shows the accessibility of deduplicated backup data within the retention period from the VSP One File Share path. As expected, access to WORM-locked data remains prevented.
- The following shows the accessibility of non-deduplicated backup data within the retention period from HDPS. As expected, WORM-locked data remains inaccessible.
- The following shows the accessibility of non-deduplicated backup data within the retention period from the VSP One File Share path. As expected, WORM-locked data remains inaccessible.
Validation (3): Verify that objects are purged after retention on the Commvault side for dedup or non-dedup when the store is sealed, all jobs have met retention, and data aging is run.
Expectation: The backup data does not remain on HDPS and VSP One File after the retention period is over.
- Deduplicated Backup Data:
We reviewed the backup data from HDPS both within the retention period and after the retention period expired. The following screenshots show the dedup backup data before and after the retention period, confirming that job ID 2508 is not present after the retention period has expired. In this scenario, the WORM lock on dedup backup data is 1 day plus 7 days for the DDB seal.
The job ID is 2508, and it remains until the retention period is over.
As expected, job ID 2507 is automatically removed when the retention period is over.
- Non-deduplicated Backup Data:
We reviewed the backup data from HDPS both within the retention period and after the retention period was over. The following screenshots show the non-dedup backup data before and after the retention period, confirming that job ID 2507 is not present after the retention period has expired.
The job ID is 2507, and it remains until the retention period is over.
As expected, job ID 2507 is automatically removed when the retention period is over.
Conclusion
In conclusion, the WORM lock validation between HDPS and VSP One File enhances cybersecurity by safeguarding backup data from ransomware. This proactive approach strengthens data resilience, builds stakeholder confidence in data security, and maintains operational integrity.