Enterprises today generate and store colossal volumes of data in Azure Blob Storage and Data Lake Gen 2, leveraging these services for cloud-native workloads, archives, and artificial intelligence (AI) training models. However, with the deluge of information comes the amplified risk of exposure to security blind spots and the potential compromise of sensitive, mission-critical data. In response to this growing concern, Rubrik is pioneering a cyber resilient solution specifically architected for Microsoft Azure Blob Storage.
Unprecedented Protection with Rubrik's Zero Trust Data Security
A recent survey by Rubrik Zero Labs revealed a staggering 70% of all data observed by Rubrik within cloud environments is in object storage, with an alarming lack of security coverage—a fact that is exacerbated by the 88% of data that has not been confirmed as machine-readable or shielded by preeminent security technologies. Rubrik's Zero Trust architecture confronts this security void head-on by introducing an unmatched level of protection and recovery services for Azure Blob Storage and Data Lake Gen 2.
Rubrik's solution is grounded in the principle of Zero Trust, emphasizing the 'never trust, always verify' mantra. The approach it employs is multi-faceted and solves key customer challenges that arise when protecting Azure Blob data including:
Inconsistent Data Protection: Because of the large scale of data, it is very difficult for a customer to have similar protection policies set up across their (potentially) hundreds of accounts and ensure consistency. This often results in users maintaining backup plans in every Azure account where Blob storage accounts exist. Rubrik provides automatic discovery and protection of all Blob Storage Accounts across all onboarded Tenants, Subscriptions, and Regions.
Slow Granular Recovery: Organizations need the ability to quickly search for and restore specific blobs, rather than depending on full storage account restores. This is essential because restoring an entire storage account can be a time-intensive process, particularly with large datasets or when recovering data from multiple storage accounts is necessary. Rubrik provides the ability to recover an entire storage account, or to simply restore individual blobs.
Lack of Visibility into Sensitive Data: Half of all organizations say they suffered loss of sensitive data in 2023. IT and security teams don’t have the tools to understand where sensitive data lives in the cloud and whether it is properly secured. Rubrik delivers true Data Security Posture Management by identifying and classifying sensitive data across supported workloads.
Azure Backup Does Not Support Blob: Azure Backup protection of Blob is still in public preview. As a result, the solution is not available to all customers and/or regions and is excluded from SLA warranties.
Expensive to Back Up: With Azure Backup, Blob data is backed up into the hot or cool tier, and archiving backups to lower-cost storage tiers is not currently supported. Rubrik allows customers to back up Azure Storage accounts located on the hot, cool and cold tiers, and subsequently store those backups on any storage access tier (hot, cool, cold or archive), allowing customers to tune their TCO based on recovery requirements.
How Rubrik protects Azure Blob
Rubrik's protection for Azure Blob is delivered through four main pillars that together deliver complete cyber resilience: Automatic Discovery and Onboarding with a least-permission model; Global Policy-Driven Protection; Efficient, Immutable and Air-Gapped Backups; and Rapid Granular Restore. Let's dive into each in more detail.
Automatic Discovery and Onboarding
Onboarding Azure Blob Storage Accounts to Rubrik Security Cloud is a simple process that starts with customers logging into their Azure subscription with one-time, global administrator credentials. Once authenticated, Rubrik will automatically deploy the necessary resources to allow RSC to perform backup and recovery processes. On top of this, Rubrik ensures robust data protection with the least privileges by operating with read-only permissions at the subscription level. This approach eliminates the need for extensive over-reaching permissions for daily operations such as backup, indexing, replication, and archiving. When Rubrik requires higher level permissions to perform restores, they can be temporarily elevated in order to complete the process, reverting back to the least permission model upon completion.
During the onboarding process, Rubrik automatically configures a couple of resources. These include Rubrik's Exocompute, a scalable Azure Kubernetes Service cluster that performs data movement and indexing, and an Enterprise Application/Service Principal that handles subsequent authorization into the Azure subscription. Once onboarding is complete, customer credentials are immediately deleted from memory and are not saved anywhere within the Rubrik platform.
Rubrik Security Cloud then automatically discovers and inventories all of the Storage Accounts across your Azure tenants, delivering a single interface to manage data protection for all your tenants and subscriptions.
Global Policy-Driven Protection
As with all other workloads, Azure Blob/Data Lake Gen 2 storage accounts are protected utilizing Rubrik's Global SLA Domains. Rubrik's policy-driven engine has many advantages over the legacy approach to data protection: it replaces the legacy concept of "jobs" with a single policy that can simply be assigned to your Azure Storage Accounts.
For instance, an SLA Domain takes multiple data protection constructs, such as RPO (How often you want to back up) and Retention (How long to keep those backups), and converges them into a single data protection policy. There is no need to create and manage the nightmare of having a job that performs backup, a job that performs replication, a job that performs indexing, etc.
Once configured, SLA Domains are simply assigned to our Azure Storage Accounts at one of the following levels:
Subscription Level: Assigning an SLA Domain to an entire Azure subscription ensures that any existing Storage Accounts, as well as any newly created Storage Accounts within the subscription will automatically inherit the policy and automatically be protected by Rubrik. No longer is data protection an afterthought!
Resource Group Level: Similar to Subscription Level assignments, SLA Domains can also be applied on the Resource Group hierarchy, again, delivering blanket level protection across all existing and new Storage Accounts within the Resource Group.
Storage Account Level: SLA Domains can also be assigned directly on the Storage Account. Any direct Storage Account assignments automatically override any assignments at the Subscription/Resource Group level. This allows organizations to provide blanket-level protection across their entire Azure subscription, while still assigning SLA Domains with more aggressive RPOs to their mission-critical Storage Accounts.
Any Storage Account hosting Azure Block Blobs is supported, including all tiers: Hot, Cold, Cool and Archive.
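The assignment levels above amount to a most-specific-wins lookup. The following added example (not Rubrik code, and not using any Rubrik API) resolves the effective SLA Domain for each storage account from its Azure resource ID and lists accounts that inherit no policy. It assumes a Resource Group assignment takes precedence over a Subscription assignment; all IDs and SLA Domain names are constructed.

```python
import re

# Azure resource ID of a storage account (resource IDs are case-insensitive).
_ID_RE = re.compile(
    r"^/subscriptions/(?P<sub>[^/]+)/resourceGroups/(?P<rg>[^/]+)"
    r"/providers/Microsoft\.Storage/storageAccounts/(?P<name>[^/]+)$",
    re.IGNORECASE)

def scopes_for(account_id):
    """Return the candidate scopes for an account, most specific first."""
    m = _ID_RE.match(account_id.strip())
    if not m:
        raise ValueError(f"not a storage account resource ID: {account_id!r}")
    sub = f"/subscriptions/{m['sub']}".lower()
    rg = f"{sub}/resourcegroups/{m['rg'].lower()}"
    # Assumption: resource group beats subscription; the page only states
    # that a direct storage account assignment overrides both.
    return [("storage_account", account_id.strip().lower()),
            ("resource_group", rg),
            ("subscription", sub)]

def effective_sla(account_id, assignments):
    """Resolve (sla_name, level) for an account, or (None, None) if unprotected."""
    normalized = {s.rstrip("/").lower(): sla for s, sla in assignments.items()}
    for level, scope in scopes_for(account_id):
        if scope in normalized:
            return normalized[scope], level
    return None, None

def coverage_report(account_ids, assignments):
    """Map each account to its effective SLA and list accounts with none."""
    resolved = {a: effective_sla(a, assignments) for a in account_ids}
    unprotected = sorted(a for a, (sla, _) in resolved.items() if sla is None)
    return resolved, unprotected

# Constructed sample data: subscription IDs, names and SLA Domains are made up.
SUB_A = "/subscriptions/00000000-0000-0000-0000-00000000000a"
SUB_B = "/subscriptions/00000000-0000-0000-0000-00000000000b"
_SA = "/providers/Microsoft.Storage/storageAccounts/"
ACCOUNTS = [
    f"{SUB_A}/resourceGroups/rg-logs{_SA}logsarchive",
    f"{SUB_A}/resourceGroups/rg-pay{_SA}payledger",
    f"{SUB_A}/resourceGroups/rg-pay{_SA}paytemp",
    f"{SUB_B}/resourceGroups/rg-ml{_SA}trainingdata",
]
ASSIGNMENTS = {
    SUB_A: "Bronze-24h",
    f"{SUB_A}/resourceGroups/RG-Pay": "Silver-4h",
    f"{SUB_A}/resourceGroups/rg-pay{_SA}payledger": "Gold-1h",
}
```

Calling `coverage_report(ACCOUNTS, ASSIGNMENTS)` returns the per-account resolution plus the accounts in subscriptions that have no assignment at any level, which is the gap a coverage audit should surface.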
Efficient, Immutable Backups
Rubrik employs an Incremental Forever approach as it pertains to Azure Blob protection, meaning the first backup is a full backup, processing the entire data set within the Storage Account, while subsequent backups are processed in increments, backing up only changed data since the last point in time. This not only provides an efficient way to ensure Azure Blob is backed up in a timely manner, but coupled with compression, lowers the overall cost of storing the data.
Rubrik Exocompute, a short-lived compute instance, is utilized to perform the backup and restore processes, along with indexing and the transfer of metadata to Rubrik Security Cloud to deliver lightning-fast granular search capabilities. Exocompute runs only during backup, restore, indexing, and other Rubrik processes, and is promptly powered down when not in use.
The backups themselves are stored within Azure Storage Accounts, configured within the Hot, Cold, Cool, or Archive storage tier. Air-gap is provided by allowing organizations to place their backups within different regions, or, even different Azure subscriptions than that of their source data. To achieve complete cyber resiliency, Rubrik also ensures that backups are immutable and protected from bad actors by leveraging Azure WORM technologies. This allows organizations to properly recover from accidental or malicious deletion or encryption.
Rapid Granular Restore
Rubrik's Azure Blob protection enables restores of both entire Storage Accounts and individual blobs. For an entire Storage Account restore, customers select the account they would like to recover and specify the restore target, an entirely different Storage Account.
For blob-level restores, customers can search for blobs by name within a point in time, select the individual blobs to recover, and restore them either to the original storage account (in-place) or to a different storage account (export).
Both entire Storage Accounts and individual blobs can be restored to any region, within any onboarded Azure Tenant, no matter where the original backups exist, providing complete flexibility to maintain business continuity.
The Road Ahead with Rubrik and Azure Blob Storage
The strategic expansion of Rubrik's partnership with Microsoft manifests in our Azure Blob protection capabilities, bringing cyber resilience and zero trust concepts to protect your most sensitive and critical unstructured data.
As object storage adoption rises within the cloud ecosystems, it's imperative that data security and data protection paradigms evolve correspondingly. Rubrik's holistic approach of protecting Azure Blob and Azure Data Lake Gen 2 exemplifies how data security should be accomplished, providing customers with a proactive method of securing and protecting their unstructured data - truly becoming cyber resilient.
For further information on implementing and taking full advantage of Rubrik's cyber resilience solution within your Azure infrastructure, contact our sales or technical support team. Together, we can build a resilient framework to secure your cloud data landscape both now and into the future.