Spectrum Protect Plus v10.1.3

Rapid development of IBM’s new data protection for VMware and Hyper-V continues. As well as VM snapshot backups with instant restore, SPP already allows backup and restore of SQL and Oracle Databases on physical or virtual machines. V10.1.3 adds backup and restore of Exchange (Item level recovery too) as well as MongoDB.

The SPP snapshot repositories could already be replicated to give site-loss protection but v10.1.3 adds High availability for the SPP server that manages backup and recovery. This is a major improvement over the current version and should see the product become more widely accepted as a result.

Optimised Offload for long-retention snapshots and backups

Offload of backups to Spectrum Protect is the method that Spectrum Protect Plus uses to store longer retention copies of data on cheaper and slower storage. The previous version used SP for VE to send a copy to Spectrum Protect but this was essentially a parallel full backup and restore process that only supported vSphere.
Now the offload is to S3 object storage and is block level incremental. This supports both vSphere and Hyper-V environments and can be to Spectrum Protect container storage pools via a new S3 connector or to CLOUD object storage (IBM COS, Amazon S3 etc)

Spectrum Protect v8.1.7

As well as a host of client and agent updates to support new versions of /Windows/Exchange/SQL/Oracle and various security enhancements, the Spectrum Protect server now has enhanced diagnostics and tape drive support. The main new feature that users have been waiting keenly for is:

Retention Sets (codename: OneProtect)

Previously, to retain client backups from the same source for different periods (e.g. Daily -30 days, Monthly – 12 Months, yearly – 7 years), it was necessary to configure extra client/TDP instances and perform extra backups to different Spectrum Protect nodes on extra schedules. The initial configuration of this is time-consuming and the resultant duplication of backup data meant extra storage and capacity license cost and database overhead.

Now with RETENTION SETS the blocks/files from existing daily backups can be marked up in the database for longer retention and your long retention requirements are satisfied from a single ingest. Client and server-side configuration is greatly simplified and massive savings in processing time, network bandwidth, server storage, capacity licence and support effort can be expected. The creation of Retention Sets can be automated, and it will run as a scheduled server process, requiring no tape mounts or duplication of data.

It’s very encouraging to see that IBM are quickly addressing some of the features that users are looking for, and hopefully this is indicative that future releases will ramp up support and make the product suite more appealing for enterprise users. Speak to Silverstring to understand how both new releases can benefit you and to learn about our Alchemis Protect Managed Service.

The post Industry stalwart’s latest foray into hybrid cloud data protection appeared first on Silverstring.

Silverstring’s CTO, Steve Miller, has highlighted in a previous blog how GDPR has emphasised the importance of encrypting personal data, both in primary and in secondary storage environments. Failing to take consideration of this places your data at risk and leaves your organisation open to fines and reputation damage. Its now a cost of doing business in the digital age.

Encryption can be performed by applications for data on disk and in transit over IP networks.  Encrypted data is only legible to the parties, applications and devices holding the encryption key, and meaningless to those that do not.  The concept of a key is well: key to the process of encryption.  If you hold the key to the encrypted data, you can access it – if you don’t, you can’t

Hardware devices such as disk arrays and tape drives are capable of encrypting data.  Encryption of tape is a must for any organisation that routinely stores and transports tapes outside of their own premises via a third party.

If you’ve encrypted your tape as it was written so that nobody but yourself can read them with your encryption key – all is well.  But you must ensure that the keys used to encrypt are always available, giving you access to read your data, yet secure from unwanted snoopers.

What is a Key Lifecycle Manager?

This is where encryption key management comes in.  IBM Security Key Lifecycle Manager (ISKLM) – previously Tivoli key Lifecycle Manager (TKLM) is IBM’s solution for management of hardware encryption keys.

ISKLM is an essential component of a hardware encryption solution and serves keys for writing new media as well as previously encrypted media.

It can be configured to be highly available and redundant (pairs, or clusters of key managers) and further protects encryption keys in encrypted key stores, allowing access only to authorised devices. Custom installations can be made to comply with various standards defined by US Government agencies, such as FIPS 140-2, NSA Suite B and NIST SP 800-131

The product has evolved to be more secure and resilient with support for more operating systems and devices being added continually. For an additional layer of security, ISKLM’s own master key encrypting of the data keys and certificates, can be stored in tamper-proof HSMs (Hardware Security Module) since v2.7

Anything below and including version 2.5 is not supported as of 30^th September 2018. The current version is 3.0.0.1, so users on an earlier version should consider upgrading.

Interested?

Silverstring has experience of successfully implementing and upgrading ISKLM-based hardware encryption solutions and is IBM’s first-choice partner for ISKLM services. Silverstring’s three core capabilities are Data Security, Data Availability and Data Preservation. If your organisation is not encrypting offsite tapes, or if your ISKLM/TKLM key managers are out of support, please contact us for more information.

The post Who holds the keys? appeared first on Silverstring.

So rather than examining Squishy McCleverBackup v7.1.5 let’s take a look at Spectrum Protect’s new features.

Spectrum Protect v7.1.5 is now on General Availability and was released on March 11th.

Cleversafe Integration.

Several weeks ago I wrote about CleverSafe object storage: https://www.silverstring.com/blog/cleversafe-is-safe-and-clever but had to hold back on the exciting news that Cleversafe can now be introduced as a cloud backup target for the Spectrum Protect container storage pools, because 7.1.5 had yet to be officially announced.

Container pools were introduced with v7.1.3, offering next-generation inline deduplication (as opposed to the post-process deduplication on FILE storage pools) and supporting a new way of replicating node data from source server to target server pool via ‘protect stgpool’ command with metadata only being replicated by the ‘replicate node’ command.

As we learned in the Cleversafe blog post the performance, particularly for restore, from Cleversafe container pools will not be brilliant so carefully consider what type of data will be placed in them. Under ideal lab conditions (10Gb network/3x Cleversafe accessors/many backup sessions), ingest rates of up to 3.6TB per hour have been achieved but real world performance, especially for off-premise/cloud Cleversafe pools will fall well short of that.

The Spectrum Protect server will access Cleversafe storage via the 3 protocol as with Amazon S3 storage. Setup is easy with some pretty simple configuration of a Cleversafe Vault and account at the storage end and supplying the URL(s) of the accessor(s) and an ID and password on the pool definition server-side.

Compression!

Perhaps of greater impact/importance is the introduction of Spectrum Protect Server compression. Again this applies to container storage pools. The LZ4 lossless compression algorithm is applied to data as it is ingested into the storage pools via either client backup or replication from another server. So, like deduplication, it is performed INLINE with no post processing required or extra space to ‘land’ the data in before it is reduced.

Tests indicate that 2:1 compression can be reasonably expected ON TOP of any deduplication reduction you already achieve. So for data that doesn’t deduplicate better than 2:1 you can still get 4:1 data reduction. Extra CPU power should be provided for compression (around 30% more) but existing Spectrum Protect server blueprint specifications should cope with compression.

Like deduplication, inline compression will greatly reduce the amount of disk/cloud storage required for backup storage as well as reduce the bandwidth required for replicating data between servers/sites. This could potentially translate to money savings on the following:

• WAN bandwidth.
• Back end disk storage.
• TSM licensed capacity. (YES! licensed capacity is calculated post Deduplication AND compression)

Protect Stgpool repair of damaged target extents

Continuing the development focus on container storage pools there is an enhancement to the Protect Stgpool processing whereby data is replicated from container pool on source server to container pool on a target server.

When damaged data extents are detected on a target pool, via audit container or a failed client retrieval, undamaged extents from the source pool will be sent across to replace the damaged ones on the target pool by protect stgpool.

The post Spectrum Protect V7.1.5 – exciting new features appeared first on Silverstring.

IBM recently acquired Cleversafe as it fits neatly into the software defined storage suite at a performance level somewhere between Spectrum Scale (high performance) and Spectrum Archive (tape). Cleversafe is an object storage system available as hardware appliances or as software only – enabling it to be deployed to public cloud datacentres as well as customer datacentres (typically 3-4 in total) to form a hybrid storage cloud.

CLEVER

Here’s a diagram of how it works at a very high level:

Erasure coding is a very clever and much more space-efficient alternative to RAID and inter-site Mirroring/replication to protect data which can mean you actually use 1/1.3 to 1/1.8 of the physical disk space deployed to store data. This of course translates to money savings on hardware/maintenance/power/cooling and so on.

I’ve had a go on a demo Cleversafe environment and the management UI really is simple to use and one instance can manage up to 3000 devices – 100s of Petabytes of capacity through a single pane of glass (sigh).

Objects are created and accessed by users and VMs/applications through Accessor devices via a URL using Swift, S3 and Simple Object APIs.

Cleversafe is massively scalable and there are already deployments of 100s of Petabyte out there today in production

SAFE

Security

Objects are ‘sliced’ – encrypted – encoded and then distributed over multiple ‘Slicestor’ storage devices (ideally) over multiple sites. So to reconstruct an object a hacker would potentially have to access several sites, several devices – know which slices constitute an object and then de-encrypt those individual slices. There are no external encryption keys to manage/lose/be compromised.

Resilience

The erasure coding and slicing means that its only necessary to read a subset of the total slices per object to reconstruct the object. How many depends on the level of resilience configured but the upshot is you can lose multiple ‘Slicestor’ storage nodes or entire sites without losing access to the data and the ‘missing’ slices can be rebuilt from the survivors to restore the resilience. Cleversafe object storage environments are constantly monitored for data integrity to protect against disk failures and rebuild corrupt or missing data slices and the rebuild processing actually becomes faster/more efficient as the system scales up.

“Cleversafe systems can be designed with over 10 9’s of permanent reliability.

0.0000000029% of data loss in any given year

That’s 34,633,083,744.1 years mean time to data loss”

(Source – IBM presentation)

That’s 34 billion years! The Earth is 4.5 billion years old and the universe is about 14 billion years.

The data security and resilience is such that the CIA’s investment branch has invested in Cleversafe with a view to storing the VERY sensitive data for government agencies.

http://www.computerworld.com/article/2512893/data-center/cloud-storage-vendor-cleversafe-gets-cia-funding.html

ECONOMICS

Cleversafe is not a storage panacea for all ills as it is not for performance applications/databases & works out expensive for less than 500TB of storage. After that, as you get into multiple Petabytes, Cleversafe can work out 60% cheaper than Amazon AWS S3 cloud object storage and 80% cheaper than equivalent mirrored/replicated NAS storage.

USE CASES

We’ve established that Cleversafe is not for everyone so here are some areas where IBM think Cleversafe will be the right choice.

• Object storage deployments of 500TB and beyond.
• Businesses with demanding data storage needs: Video, Imagery, Sensor Data, Archives…
• Service providers requiring large scale reliable object storage.
• Target for Backup/Archive Software – Future integration with Spectrum Protect
• Businesses who are considering Public, Private, or Hybrid Cloud
• Businesses who need to refresh large NAS environments

The post IBM Cloud Object Storage – It IS big and it IS clever…and Safe. appeared first on Silverstring.