rotating on prem backups

  • Service Provider

    What solutions do people have for rotating on prem backups so that if your system gets hacked or a variant of CryptoLocker like Samas.A can't encrypt your back up files as well? Are we pretty much back to physical tapes/USB drives that get plugged/unplugged?

  • I just airgap my backups. 3-2-1 rule all day long.

    If you had to do USB based backups, your only real option would be to do nightly rotations. Disconnecting the prior nights worth of USB's from the systems that are backing up to them.

    It works, but it sucks.

  • Service Provider

    @DustinB3403 What are you using the airgap your backups? What is your backup target?

  • @Mike-Davis At my prior job the airgap was us physically unplugging the USB drives at the end of the day and taking those home.

    That went away once XS and XO backups to Synology were put into place with B2 offsites.

  • The recommendation I see for this are:

    The backup target should be accessible from only very specific accounts. Those accounts should be used for nothing other than the backup software itself or administration of the backup targets. i.e. no one should ever log in as them, etc.

    So as long as the hack/virus isn't able to compromise your backup software or authentication mechanism, the backup target should be safe.