How It Works

Built on the cloud, the core of Elastio’s platform is a secure, scale-out, cost-optimized secondary storage architecture. Data is globally deduplicated and optimized for fast recoveries and parallel data access in a wide range of use cases.

Security

The Elastio storage service resides entirely in the customer’s AWS accounts.

Elastio secures customer data in the customer account; data is never transferred to or accessible by Elastio. The data is encrypted at rest using Amazon KMS keys and in flight, and can be air-gapped in a separate account for additional isolation.

Control messages and data encryption.

We enable S3 server-side encryption (SSE) as an additional layer of protection. All backup data is encrypted with a unique AES key per asset, on the client side, before being uploaded to S3. These keys are in turn protected by a per-vault KMS key, so only IAM roles with permission to access the KMS key are able to decrypt data in the vault.

Because each asset has its own AES key, even a malicious client that learns one of these encryption keys cannot use it to access backup data from another asset.

Secure control path.

Elastio uses a lightweight command-and-control pathway between our SaaS and customer AWS accounts, built on SQS queues and Lambda functions. The service requires access to certain AWS APIs, but this can be accomplished via PrivateLink if the VPC is isolated from the Internet. As part of our service deployment, the customer grants an Elastio-controlled, tenant-specific IAM role the permissions Elastio needs to deploy the service, read from these queues and invoke these Lambda functions. Customers can monitor the activity on these resources, and can be assured that only the specific operations granted to our IAM role will be performed. There is never an IP network link between Elastio and the customer’s VPCs; all communication is via SQS messages and Lambda invocations.

The Elastio storage service can operate in complete network isolation.

Our service is self-sufficient and does not depend on the tenant: it performs its own backup scheduling, and customers can use our CLI, run within an Elastio service account, to list local recovery points and initiate restores. This means an Elastio SaaS outage doesn’t stop scheduled backups from taking place, and doesn’t prevent customers from restoring from backups.

Data Services

Simple file, stream, and block backup and recoveries

With a simple CLI command in a terminal or a script, files, streams, block devices, databases and tables can be protected and restored on demand. It integrates with serverless compute, containers, VMs and any Windows or Linux machine.

Application-consistent, agentless and host-based block backup and recoveries

For maximum convenience and ease of deployment, Elastio can agentlessly protect and restore entire EC2 instances or specific EBS volumes. For faster RTOs or more flexibility in backup and restore options, we also provide host-based change block tracking backup and recovery capability for Windows, Linux, and macOS. Elastio can even back up the high-speed ephemeral direct-attached NVMe storage on AWS i3, m5d, m6d, and other Nitro instance types with local storage options.

Retention

Recovery points can be retained for as long as you need them and can be customized for any compliance use case.

Ransomware/Malware detection

Multiple point-in-time backups of existing data allow Elastio to perform complex analysis of data changes over time that would be impractical otherwise. Elastio can identify suspicious patterns of changes across the entire system, not just one process or one write operation at a time.

Region replication (Coming shortly)

Automatically replicates backups between regions for disaster recovery protection.

Live mounts

Agentless and host-based EC2, EBS and block backups can be mounted in seconds, surfacing the underlying file system for fast file and database recoveries or giving an application direct access to the data. You can even mount an EBS backup on your local workstation to access individual files and folders!

ScaleZ Storage

Global Deduplication

Our ScaleZ storage engine stores data in a deduplicated and compressed form and tracks everything under protection: files, databases, tables, partitions and block devices. Multiple workflows can access the data concurrently. Our backups are incremental forever for performance and space efficiency.

Cost optimized compute

The Elastio storage service utilizes serverless technologies like Lambda and DynamoDB as much as possible, and our storage service, ScaleZ™, is carefully engineered to run on ephemeral Spot instances for the lowest cost. We pass our cost savings on to our customers.

Scale out, scale up, scale to zero

Scales out based on workload size, scales up on demand for concurrent data access and scales to zero automatically when the job is complete.

Vaults

Backup data are organized into vaults. Each vault exists in a separate S3 bucket, has a dedicated KMS key which encrypts all data, and operates in a specific VPC. Because each vault is a separate deduplication domain and has a dedicated key, sensitive data can be completely compartmentalized within a vault, making it easy to secure and easy to account for storage costs.
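
The key hierarchy described in the data encryption paragraphs above and in this Vaults paragraph, sketched as an added example (not Elastio's code): each asset gets its own AES key, which is stored only in wrapped form under the vault's key. The choice of AES-256-GCM, the local `vaultKey` buffers standing in for per-vault KMS keys, the blob layout, the use of the asset name as associated data, and all function and asset names are assumptions made for illustration.

```javascript
const crypto = require("crypto");

const NONCE = 12, TAG = 16; // AES-GCM nonce and tag sizes in bytes

// seal: AES-256-GCM encrypt; aad binds the ciphertext to one asset name.
function seal(key, plaintext, aad) {
  const nonce = crypto.randomBytes(NONCE);
  const c = crypto.createCipheriv("aes-256-gcm", key, nonce);
  c.setAAD(Buffer.from(aad));
  const body = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, body, c.getAuthTag()]);
}

// open: reverse of seal; throws if key, ciphertext or aad does not match.
function open(key, blob, aad) {
  if (blob.length < NONCE + TAG) throw new Error("blob too short");
  const d = crypto.createDecipheriv("aes-256-gcm", key, blob.subarray(0, NONCE));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(blob.length - TAG));
  return Buffer.concat([d.update(blob.subarray(NONCE, blob.length - TAG)), d.final()]);
}

// protect: generate a fresh data key for this asset and wrap it under the vault key.
// vaultKey is a local stand-in for the per-vault KMS key (assumption).
function protect(vaultKey, asset, data) {
  const dataKey = crypto.randomBytes(32);
  return { asset, wrappedKey: seal(vaultKey, dataKey, asset), data: seal(dataKey, data, asset) };
}

// restore: unwrap the asset's data key with the vault key, then decrypt the data.
function restore(vaultKey, backup) {
  const dataKey = open(vaultKey, backup.wrappedKey, backup.asset);
  return open(dataKey, backup.data, backup.asset);
}

// canRead: does `key` decrypt this backup's data directly, without vault access?
function canRead(key, backup) {
  try {
    open(key, backup.data, backup.asset); return true;
  } catch { return false; }
}

// Constructed sample: two assets in one vault, plus a second, unrelated vault key.
const vaultA = crypto.randomBytes(32), vaultB = crypto.randomBytes(32);
const db = protect(vaultA, "asset-db", Buffer.from("constructed db dump"));
const files = protect(vaultA, "asset-files", Buffer.from("constructed file tree"));
const dbKey = open(vaultA, db.wrappedKey, db.asset); // the one key a client of asset-db holds
console.log("asset-db key reads asset-db:", canRead(dbKey, db));
console.log("asset-db key reads asset-files:", canRead(dbKey, files));
```

In a deployment that uses KMS, the wrap and unwrap steps would be KMS calls gated by IAM, so the vault key itself never reaches the client.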

Multi-Tenant SaaS

Single pane of glass management

Manage protection of all of your assets from one place, with one set of policies, consistent tooling, and backup-as-code spanning all mission critical systems.

RBAC

Assign permissions to users based on their roles within a Tenant. This creates a simple, manageable approach to tenant access management that is less prone to error than assigning permissions to users individually.

Centralized deployment of Elastio service

Deploy the Elastio service securely into your AWS account in a few minutes.

API control (Coming soon)

Use the API's data protection capabilities to protect, restore and access copies of data from deployment scripts or from within an application.
