Cyber recovery with Bring Your Own appliances
Cyber recovery is one of five functions that are described in the NIST Cybersecurity framework. It is defined as the development and implementation of appropriate activities to maintain plans for resilience and to restore any capabilities or services that are impaired due to a cybersecurity incident. The other four functions are identify, protect, detect, and respond.
This documentation describes a high-level architecture that can be used to assist with your custom cyber-recovery requirements. The solution architecture uses a VMware Cloud Foundation for Classic - Automated instance, and your choice of bring your own data mover with immutable data storage.
This solution is suitable if you want to extend your own backup solution with an isolated recovery environment while you minimize costs.
Key elements of the solution architecture include:
-
A VCF for Classic - Automated instance used for cyber-recovery tasks only, deployed in an IBM Cloud account restricted to cyber-recovery activities. For more information, see Overview of VMware Solutions.
-
The VCF for Classic - Automated instance can use VMware vSAN or use NFS datastores, see Physical storage design.
-
The VCF for Classic - Automated instance does not host production or disaster recovery workloads.
-
The VCF for Classic - Automated instance includes a gateway cluster to host your choice of one of the following appliances to protect the VCF for Classic - Automated instance networks. It also provides a network air gap between the production environment and the isolated recovery environment:
- Juniper® vSRX appliances
- FortiGate® Security Appliance
- FortiGate® Virtual Appliance
- Bring your own gateway appliance
-
The solution architecture does not preclude any of the vCenter Server options, such as Caveonix, Entrust, and VMware Aria® Operations™.
-
Optionally, you can use encryption with Hyper Protect Crypto Services, Key Protect, and the VMware KMIP service. For more information, see KMIP for VMware overview.
-
The BYO (Bring Your Own) data mover and immutable repository is your backup technology that you want to instantiate within the isolated recovery environment.
-
The management VM is your automation server that can be used to automate a number of cybertasks such as:
- Opening and closing the air-gap
- Automate the mounting of backups and scanning by your cybertoolsets
- Creating sandboxes
-
Sandboxes can be provisioned by using VMware NSX-T™ overlay segments, logical routing, distributed firewall, and network address translation to provide network-isolated zones to mount cyber-recovery backups for inspection by your cybertoolsets.
-
Cybertoolsets are customer-supplied tools that run as virtual machines in the isolated recovery environment and access your cyberbackups for verification and analysis.
-
Cyberadmins are customer personnel who are authorized to access the isolated recovery environment and should be different than admins that manage the production and disaster recovery environments to promote separation of duties.
-
Jump servers are used by your cyberadmins to access the isolated recovery environment.
-
The air gap enables network connectivity between the production environment and the isolated recovery environment only when required.
-
The solution architecture is independent of the location of the production environment. However, network connectivity is required between the production environment and the cyber-recovery site.
How to
Consider using a separate IBM Cloud® account to deploy your cyber-recovery instance into. This process promotes separation of duties between ownership of any other production or disaster recovery solution that you might host in IBM Cloud.
To create your custom cyber-recovery solution based on a VMware Cloud Foundation for Classic - Automated instance, follow the procedure to order VCF for Classic - Automated instances:
- In Step 4, select Primary.
- In Step 7, order a gateway cluster with your preferred firewall option:
- If you select Juniper vSRX, see Ordering Juniper vSRX.
- If you select FortiGate, see Ordering FortiGate Virtual Appliance.
- If you select Bring Your Own gateway appliance, see the installation instructions that are provided by your firewall vendor.
- If you select FortiGate Security Appliance, see Create FortiGate Security Appliance 10 Gbps.
After your VCF for Classic - Automated instance is provisioned:
-
Configure your firewalls by using the vendor’s documentation as a guide and the following information:
-
To understand how to use Ansible on your management VM to open and close firewall ports, see Creating the airgap by using Juniper vSRX.
-
Deploy your jump hosts. For more information, see Deploying virtual machines.
-
Deploy your custom data mover and immutable repository by following the vendor’s instructions.
-
Deploy your cybertoolset by following the vendor’s instructions.
-
To understand how to use the scripting capabilities of your Bring Your Own data mover and immutable repository solution to be more automated, see Instant restore and Creating a Veeam Linux managed server.
Review the following information about network connectivity for your cyber-recover instance:
- Architecture pattern for using Transit Gateway with a VCF for Classic - Automated instance
- Architecture pattern for using IPsec over Direct Link with a VCF for Classic - Automated instance
- Architecture pattern for using Direct Link with NSX-T edge cluster in colocation
- Architecture pattern for using Direct Link with NSX-T and EVPN
- Virtual Private Network (VPN)
- Adding a cross-account connection