Quantum tape library: Partially eject, eject, eject to block ransomware

Quantum has come up with an ingenious low-tech remedy for ransomware getting into its Scalar tape libraries: partially ejecting the tape magazines so the robot can’t move tape cartridges to a drive. It’s effectively a locked-in-place air gap inside the library.

A tape library stores tape cartridges in slots inside a magazine. A robot mechanism extracts a cartridge from a magazine when needed and moves it to a drive for reading or writing data. If the magazine is partially ejected then the robot’s gripper mechanism cannot pick up a cartridge to move it to a drive. Result: I/O to the drive is physically blocked.

Quantum’s chairman and CEO, Jamie Lerner, made an announcement statement, explaining: “The threat of ransomware and other forms of cyber-attacks are one of the chief concerns of our customers. … Even data stored on tapes can be compromised if the tape library itself is hacked, which is why we designed these new features in partnership with a large cloud provider. Quantum Scalar Ransom Block is an industry-first solution that ensures data is protected and secure with a click of a button and provides the ultimate layer of protection for data stored on tape.”  

Quantum Scalar library ransom block diagrams.

The tape magazine is held in a partially-ejected position by a metal bar; refer to the blue arrow labelled items in the picture below:

Partially ejected right side magazine held in place by stay-bar.

In Quantum’s patent-pending Ransom Block design, because a tape magazine is only partially ejected, the robot’s barcode scanner still scan the tape barcodes, so that admin staff can audit the tape system to ensure tapes are still present. The partially ejected tapes are inaccessible until an operator, who must have physical access to the tape library, re-inserts the magazine.

Ransom Block can be initiated remotely, does not require any person to handle tapes, ensures data cannot be accessed over the network even if the tape library is hacked, and preserves the ability to audit the tape library so customers know their data is safe and secure. 

Quantum’s Scalar tape libraries are also getting a Logical Tape Blocking function, which enables admins to use software commands to prevent tapes from being loaded into a drive while the magazine is being filled with tapes, before it is ejected.

Preventing tape content corruption is a concern of tape library manufacturers. Spectra Logic recently introduced a cold partition feature into its Spectra Stack library that locks tape cartridges so that they cannot be loaded into a drive if ransomware takes control of the tape library itself. This is somewhat comparable to a Quantum Active Vault feature in the Scalar libraries which puts tapes logically offline.

Quantum’s Ransom Block and Logical Tape Blocking are expected to be available on new Scalar i6 and Scalar i3 tape libraries in December 2021. A Quantum video explains the Ransom Block concept.