Protecting Backup Targets and Data

This is the first, and arguably most important, article in our four-topic series about

‍Securing Your Backup Data and Safeguarding Against Ransomware.

Generating and utilizing a robust backup, copy and archival strategy is a great way to get started in protecting your most critical data and systems from data loss, corruption and cyber threats. Traditionally, the 3-2-1 rule (3 copies of your data, on a minimum of 2 separate storage solutions, and 1 medium being offsite/alternate location or in the cloud) has been considered the common best practice for a backup strategy. While this is still a very good approach, it’s now becoming more and more critical to carefully select the types of backup targets you use with this kind of approach. HYCU can achieve this standard with our backup policies and we work with many customers to recommend backup storage and disaster recovery (DR) options that can further enhance that strategy. Some are described below.

One of the most useful ways to safeguard backup data is to implement a copy or archival strategy that incorporates the use of a Write Once, Read Many (WORM) capability.

Nearly every Object Storage solution in the cloud or created for on-premises environments offers a WORM (or data immutability) capability. The term immutable simply means unchangeable. WORM technologies implement a form of a retention policy that makes data unchangeable (cannot be overwritten or deleted) for a period of time specified by your storage/backup administrator. In practice, an Object Storage bucket or BLOB container, makes for a great copy or archival backup option. HYCU works with storage providers that use S3 compatible Object Storage and others that offer BLOB containers. Most of those cloud storage providers also offer additional security measures, as well, like Data-at-rest-encryption (DARE), secured transport technologies (VPN’s and HTTPS/TLS), and with the latest HYCU 4.1 release, the option to encrypt data (with AES 256 encryption) destined for cloud targets.

Additionally, there are other on-premises NAS (block) storage options to consider for initial backups (before copy and archival).

NAS appliances typically employ the use of standards like NFS or SMB. Without additional product/feature enhancements and/or network safeguards, these standards can be vulnerable to attack. A best practice, especially in light of the recent increase in ransomware intrusions is to ensure primary storage targets are dedicated for backups and are not used and mounted to other systems. Storage and software vendors have also been responding by offering features and preventative measures. Now, HYCU customers can choose from backup storage solutions that offer detection (attempts to alter data files or save crypto-locker files), notification (audits and emails viewable by or sent to backup admins), and protection/prevention (backup versioning and self-healing) feature sets. Our HYCU Engineers can make recommendations around these kinds of solutions and help you protect your initial round of backups (before copy and archival jobs are run). Some are available for purchase and others may already be available within your existing infrastructure.

We work with many customers to address their fears, concerns, and planning efforts. In the next series, we will focus on actions that can be taken to protect your virtual and physical server sources. We welcome your feedback and comments!