NetApp previews high-end array and adds automatic anti-ransomware weapons to ONTAP

At a virtual Insight 2021 event, NetApp has unveiled planned automated ransomware defences in the latest release of its ONTAP array operating system, along with enhanced data services and a sketchy preview of an upcoming high-end all-flash array: the AFF A900.

The announcements strengthened the on-premises end of its hybrid cloud story, but also saw NetApp emphasising its public cloud credentials with native ONTAP services in AWS, Azure and the Google Cloud Platform.

NetApp’s EVP for its Hybrid Cloud Group, Brad Anderson, provided the main announcement quote: “The promised benefits of migrating to the cloud may be profound, but many IT departments are still working to overcome on-premises challenges like managing the complexity and costs of moving data, protecting against ransomware, and ensuring reliable performance for critical applications.”

Ransomware attack detection

ONTAP, v9.10.1 as we understand it, will be able to protect against ransomware attacks autonomously, based on machine learning with integrated preemptive detection and accelerated data recovery. The system will monitor IO patterns and, if it detects unusual activity, will inform the cloud- and AI-based Active IQ array monitoring system. ONTAP will also make a snapshot of the relevant data as a preventive measure.

A NetApp blog by Matt Trudewind, senior technical marketing engineer (security), says the system: “leverages built-in on-box machine learning (ML) that looks at volume workload activity plus data entropy to automatically detect ransomware. It keeps an eye out for activity that is different from user behavioural analytics (UBA), so it may detect attacks that UBA does not.” UBA is focused on a single user, whereas a ransomware attack could involve multiple user accounts.

Trudewind says: “The anti-ransomware feature starts off in learning mode. NetApp recommends a period of at least 30 days, so that the ML gets a chance to understand the typical workloads on the NAS volumes. Once anti-ransomware is put into active mode, it starts looking for the abnormal volume activity that might potentially be ransomware.”

ONTAP anti-ransomware protection is part of the ONTAP Security and Compliance software bundle, configurable via the ONTAP System Manager, and enabled on a per-volume basis.

The OS has also been given expanded object storage capabilities whereby customers can protect ONTAP S3 data with SnapMirror replication to back up to an on-premises StorageGRID array, to S3 in AWS, or to an ONTAP S3 bucket in AFF and FAS arrays. 

The September announcement of ONTAP’s NVMe/TCP support is now in place. ONTAP admins can automatically update firmware for array hardware components such as disks, shelves, and service processors.

Data services

NetApp’s Cloud Manager console has added a digital wallet capability. It supports pre-payment for credits and provides more information about customers’ data services license usage in hybrid clouds. CloudManager has been given integrations with the Keystone subscription facility and Active IQ deployed array monitoring scheme, so that it can provide a more comprehensive picture of a NetApp customer’s activities.

There are also:

  • Enhancements to NetApp Cloud Backup and Cloud Data Sense services;
  • Simplified deployment of Cloud Volumes ONTAP with new customer-ready templates;
  • Fully embedded Active IQ;
  • Deeper integrations with NetApp Cloud Insights;
  • ONTAP software support for Kubernetes workloads.

NetApp is making it cheaper to use Cloud Volumes ONTAP with a freemium service tier in its Flex subscription scheme — a fully featured, perpetual license to use ONTAP in the cloud for up to 500GB of storage capacity. This could be used for dev-and-test and upgraded to a subscription for more capacity at deployment time.

Two professional services offerings were announced. SupportEdge Advisor for Cloud provides direct access to trained specialists, and Flexible Professional Services (FlexPS) is  available for customers wanting on-demand and ongoing support as they adopt a hybrid cloud strategy.

AFF A900

The A900, due next month, will be faster than the current high-end all-NVMe SSD A800. It is effectively the A700 with a new memory processor controller board. That means it uses the 8U A700 chassis, and not the 4U A800 chassis, meaning more in-chassis capacity. In total the A700 supports 5,760 SSDs with an effective 702.7PB capacity, while the A800 can handle 2,880 SSDs at an effective 316.3 capacity.

Our thinking is that NetApp is crafting an NVMe-supporting version of the A700 with a faster processor than the A800 and more memory as well. If the A900 controllers support SAS and NVMe SSDS then existing A700 systems can be upgraded, potentially, with a main board swap for each controller.

We understand NetApp will use the A900 controller in a hybrid flash/disk FAS 9500 in a few months’ time. The FAS 9500 will probably be an upgrade of the existing FAS 9000 which, like the AFF A700, has an 8U chassis.


We think the proof of ONTAP’s autonomous ransomware defences will lie in: one, ONTAP’s ability to prevent ransomware attacks that get through competing storage system defences; two, not falling prey to ransomware attacks that competing systems repel; and three, telling ONTAP admins how successful it has been at repelling attacks.