
TECHNICAL NOTE
Rubrik Cloud Vault
Isolated, off-site cloud archival of your data

TABLE OF CONTENTS

RUBRIK CLOUD VAULT ARCHITECTURE
- Rubrik CDM
- Rubrik SaaS Platform
- Microsoft Azure Blob Storage
RUBRIK CLOUD VAULT FEATURES
- Zero Trust Data Security
- Global Control Plane
- Declarative SLA-driven automation
- Readily available data
CUSTOMER-OWNED ARCHIVES VS. RUBRIK CLOUD VAULT
- Secure Access for Logically air-gapped storage
- Fully-managed service
- Predictable cost
CONCLUSION

Rubrik Cloud Vault is a fully-managed cloud service built on Azure storage, enabling organizations to have completely isolated, immutable copies of their protected data in the cloud to support recovery from cyber-attacks and natural disasters. Organizations can now have a logically air-gapped copy of their data stored in the cloud to be accessed quickly for recovery.

Once the customer configures Rubrik Cloud Vault, adds it to an SLA, and then protects data with the same SLA, Rubrik automatically manages the process of taking the backup data from the on-premises Rubrik CDM primary storage location to the secondary Rubrik Cloud Vault storage location managed by Rubrik. This tight integration extends Rubrik Zero Trust architecture to the cloud, provides a predictable cost that includes all storage and egress charges, and provides managed redundant backup and archived data. The backup data resides in a Rubrik-managed tenant, where data is immutable and easily accessible when needed.

Figure: Rubrik Cloud Vault Dashboard

Let’s dive deeper into Rubrik Cloud Vault with an architectural overview.

Technical Note Rubrik Cloud Vault: ISOLATED, OFF-SITE CLOUD ARCHIVAL OF YOUR DATA

RUBRIK CLOUD VAULT ARCHITECTURE

Below is a high-level architecture of the different components involved in Rubrik Cloud Vault.

RUBRIK CDM
- Rubrik is a Data Security platform providing data protection and point-in-time inspection of critical applications for Cyber resilience and Disaster recovery.
- Many Rubrik customers strategically deploy CDM to ensure their ability to recover data and meet their application recovery point and recovery time objectives (RPO/RTO).
- The CDM appliance has many physical and virtual deployment options and can be deployed in data centers, remote offices, and the cloud.

RUBRIK SAAS PLATFORM
- The Rubrik SaaS platform acts as a control plane for managing multiple distributed Rubrik CDM deployments along with providing Cloud-Native Data Protection capabilities and advanced security analytics.
- It also automates the creation and management of the Rubrik Cloud Vault location.

MICROSOFT AZURE BLOB STORAGE
- Azure Blob Storage helps you create data lakes for your analytics needs and provides storage to build powerful cloud-native and mobile apps.
- Azure Blob Storage optimizes costs with tiered storage for your long-term data and flexibly scales up for high-performance computing and machine learning workloads.

Now that we know more about all the components, let’s see how it all comes together in a few steps to create a Rubrik Cloud Vault location.

1. Once you purchase the Rubrik Cloud Vault, it is available through your Rubrik SaaS Platform. Log in to the Rubrik SaaS Platform, navigate to Cloud Settings and click the RUBRIK CLOUD VAULT tab. Click ADD ARCHIVAL LOCATION to start the setup wizard.

Figure: Rubrik Cloud Vault Page

2. Add a name for the Archival Location, select Backup or archival tier, add Immutability Period in terms of days, select the Region from the available ones in your city, add the private RSA keys and lastly, select the Rubrik CDM cluster which you would like to add the Rubrik Cloud Vault location to.

Figure: Add Rubrik Cloud Vault Location Wizard

3. Confirm the changes and click CREATE.

Figure: Add Rubrik Cloud Vault Location Wizard, Confirm Changes

4. Rubrik now automatically creates and provisions a fully-managed Azure Blob Storage account for the Rubrik CDM.

5. The new Archival Location will be available on the Rubrik Cloud Vault dashboard.

6. Customers can now access their Rubrik CDM cluster and create a single-use SLA to use the Rubrik Cloud Vault as the archive location. Customers must be sure to toggle the Archive button after entering the frequency of the snapshots. They can select the location from the drop-down menu.

7. Review all the changes and click create.

8. This SLA can now protect the objects.

All this goodness does not limit customers to only one tier of storage. In fact, Rubrik Cloud Vault offers two storage tiers: a backup tier and an Archive tier.

- A backup tier is generally used for daily backups. This storage is easily accessible, and downloads to CDM can begin quickly. For ransomware recovery, the backup tier is most useful and effective.
- The Archival tier is for long-term archival, and getting the data ready for download may take up to 20 hours. The Archival tier is cheaper than the backup tier and, in turn, more cost-effective. For longer retention with slower recoveries, the archive tier is most beneficial.

The following table compares these storage tiers.

                        Backup Tier                  Archive Tier
Use Case                Daily backups                Long-term archival
Restore Availability    Immediate                    Up to 20 hours
Minimum Retention       30 days                      180 days
Immutability Offered    Yes, for up to 100 days      No
Redundancy              Locally-redundant storage    Locally-redundant storage

Microsoft has listed and compared the features of the Microsoft storage tier. The table summarizes the features of the Hot, Cool, and Archive access tiers.

RUBRIK CLOUD VAULT FEATURES

Rubrik Cloud Vault is a safe, simple, and predictably priced way to replicate and archive backups in the cloud, leaving customers with a secure and isolated copy of their data to recover from in the event of malicious attacks or natural disasters. Rubrik Cloud Vault is a fully-managed service built using Microsoft Azure Blob Storage, offering the following features:

ZERO TRUST DATA SECURITY
- Zero Trust Architecture assures data is available, immutable, and logically air-gapped, so it cannot be modified, encrypted, or deleted by ransomware.
- Fine-Grained Role-Based Control allows for least privilege permissions, giving users access to only what they require, thereby decreasing the risk of bad actors or compromised accounts accessing things they shouldn’t.
- Retention lock prohibits a single person from clearing or shortening retention policies governing archiving.

GLOBAL CONTROL PLANE
- Unifies the management of on-premises and cloud data.

DECLARATIVE SLA-DRIVEN AUTOMATION
- Rubrik allows administrators to abstract away much of the low-end fuss required to build and maintain data protection to focus on adding value at a more strategic level across the organization.
- Rubrik’s policy engine is robust but simple to interact with because many of the imperative details are handled by internal best practices.
- Additionally, the SLA can be configured while creating the initial data protection SLA simply by adding the replication and archive details, i.e., they are not separate tasks that must be configured.

READILY AVAILABLE DATA
- Point-in-time snapshots that are available only from Rubrik Cloud Vault can easily be downloaded to Rubrik CDM, where all the recovery options are available.

CUSTOMER-OWNED ARCHIVES VS. RUBRIK CLOUD VAULT

Organizations recognize the benefits of cloud-based storage services. However, they have concerns regarding data security and exposure risks, cloud administration, security misconfiguration, and cloud costs. Rubrik Cloud Vault offers organizations the ability to have pristine data protected off-site with little administration, predictable costs, and restricted access to support recovery from cyber-attacks and natural disasters.

Rubrik Cloud Vault provides customers a core set of benefits that set Rubrik apart from the self-service model.

SECURE ACCESS FOR LOGICALLY AIR-GAPPED STORAGE
- Many enterprises require authentication and authorization to be centralized to make it easy for users and IT to manage and enforce. Rubrik utilizes SAML 2.0, which means it integrates with identity providers such as Azure Active Directory (Azure AD), meeting customers’ requirements for centralization and providing robust MFA for data protection operations across their entire enterprise.

- Additionally, Rubrik offers a native Multi-Factor Authentication (MFA) solution using Time-based One Time Passwords (TOTP) that is not dependent on any external systems.
- Each of the storage accounts in Rubrik Cloud Vault is not connected to the customer’s existing Azure accounts or enterprise authentication and authorization solutions. This removes the chances of data in Rubrik Cloud Vault being compromised when the customer’s authentication or authorization solution is compromised.
- Rubrik ensures that a copy of the customer’s protected data exists outside of the customer’s environment, ensuring that recovery can occur in a ransomware attack or other event.
- Above all, the Rubrik SaaS platform is SOC-2 compliant.

FULLY-MANAGED SERVICE
- Being a fully managed service means that with few steps, customers can put their protected data in a cloud bunker, i.e., there is no need to select a vendor, procure their storage (with the help of legal and purchasing), design your config, get it vetted by infosec, build it and provide on-going management.
- Rubrik Cloud Vault reduces operational complexities, time to deliver, and requirements for staff to have cloud expertise.
- Consumed from and managed by Rubrik.

PREDICTABLE COST
- A single bill, covering all costs: storage, API interactions, and egress charges that help organizations stay within budget.
- Customers can forecast usage growth and predict this cost with more reliability than other cloud storage offerings.

CONCLUSION

The volume and sophistication of ransomware attacks are growing and have become a cross-sector existential threat that all organizations must be prepared to address. At the same time, natural disasters can strike anytime. As your data protection strategy evolves, having recoverable copies of organizations’ data in a secure and isolated off-site location is essential for a comprehensive strategy. Rubrik Cloud Vault provides all this and, as a fully managed service in the cloud, reduces the operations and capital costs versus customers building it themselves.

Rubrik Cloud Vault offers customers the benefits of Rubrik Zero Trust Security, logical air-gap, and a predictable TCO.

For more information, please visit https://www.rubrik.com/products/rubrik-cloud-vault

Global HQ
3495 Deer Creek Road
Palo Alto, CA 94304
United com

Rubrik, the Zero Trust Data Security Company, delivers data security and operational resilience for enterprises. Rubrik’s big idea is to provide data security and data protection on a single platform, including: Zero Trust Data Protection, ransomware investigation, incident containment, sensitive data discovery, and orchestrated application recovery. This means data is ready at all times so you can recover the data you need, and avoid paying a ransom. Because when you secure your data, you secure your applications, and you secure your business.

For more information please visit www.rubrik.com and follow @rubrikInc on Twitter and Rubrik, Inc. on LinkedIn.

Rubrik is a registered trademark of Rubrik, Inc. Other marks may be trademarks of their respective owners.

tn-rubrik-cloud-vault / 20220414
