You can get clever/complicated (the interpretation could go either way) with ACLs and SELinux but, at the end of the day, nothing beats the air-gap of tape backups, IMHO. You might consider a belt&suspenders approach that includes all of the above plus other controls (2FA, network security, etc.), and in my experience combining multiple solutions gives flexibility in that it can be easier to avoid the higher-cost aspects of one solution taken to an extreme by having one layer mitigate the shortcomings of another layer.
On Thu, May 27, 2021 at 04:10:39PM +0100, Henrik Morsing wrote: > > Hi, > > It struck me that switching a Spectrum Protect solution from tapes to a GPFS > filesystem offers much less protection against ransom encryption should the > SP server be compromised. Same goes really for compromising an ESS node > itself, it is an awful lot of data that can be encrypted very quickly. > > Is there anything that can protect the GPFS filesystem against this kind of > attack? -- -- Skylar Thompson (skyl...@u.washington.edu) -- Genome Sciences Department (UW Medicine), System Administrator -- Foege Building S046, (206)-685-7354 -- Pronouns: He/Him/His _______________________________________________ gpfsug-discuss mailing list gpfsug-discuss at spectrumscale.org http://gpfsug.org/mailman/listinfo/gpfsug-discuss
