Why You Still Need On-Prem Backup in The Cloud Era

Why You Still Need On-Prem Backup in The Cloud Era

by | Sep 28, 2023 | Backup

Cloud technologies have fundamentally altered how we leverage computing resources. From software packages that require no maintenance by the customer to machine learning, the cloud gives us new ways to solve challenges.

Unfortunately, it also introduces new problems, sometimes as surprises. You might expect your cloud providers to automatically provide data protection, but they frequently offer only short-term solutions. Check your provider’s documentation carefully so that you understand what protections they do — and, most importantly, do not — offer.

Recently, cloud “disaster-recovery-as-a-solution” (DRaaS) offerings have appeared. They don’t have the same shock and excitement value as other cloud offerings, but they make up for that in convenience and perhaps cost. They also tend to lack the comprehensiveness of on-premises solutions.

Unprotected Cloud Resources

The Microsoft 365 packages provide subscribers with an impressive array of software and services. Its popularity makes it one of the most successful and widely used cloud products. However, it surprises some people to learn that Microsoft only includes minimal backup, spam, and malware protection.

Microsoft provides geographical redundancy to safeguard against disaster, they allow you to restore mailbox items for a few days after deletion (time varies by product and settings), and they can perform complete restores of mailboxes and SharePoint sites within a limited retention period.

So, they offer some protection, but nothing near what organizations accustomed to on-premises e-mail, file sharing, and SharePoint expect. For anything more, you need add-on solutions.

Hornetsecurity offers Microsoft 365 Backup to enhance backup coverage of your Outlook email and attachments, OneDrive, Teams and cloud-based SharePoint data. Hornetsecurity 365 Total Protection goes beyond that to provide protection against malware and spam. You have other choices in these markets, including some additional offerings from Microsoft.

Microsoft 365 stands out because of its popularity and the importance of the data entrusted to it, but most cloud products have the same lack of comprehensive protection. Consult with your providers to see what they offer, both as part of the product itself and as add-on or separate features.

Cloud Backup

At the simplest, you can leverage your cloud account as a backup target. The cloud provider may offer some agent to run in your datacenter. More probably, you use a cloud-aware backup application, such as Hornetsecurity’s VM Backup, that automatically transfers on-premises backup data to the cloud.

A cloud backup strategy gives you the protection of offsite backup storage without the need to have your own secondary site. Your staff doesn’t need to travel anywhere to drop off or retrieve data. However, you still need to observe safe rotational practices.

If your backup software can reach a particular location without human intervention, then so can any ransomware that hijacks the backup system. Cloud backup provides the best protection in conjunction with a standard offline rotation scheme.

For higher-tech solutions, you can consider establishing separate storage accounts and designing operations that limit access outside of expected backup windows. For instance, you might disable your backup system’s access to a dedicated “Monday” storage account all the other days of the week.

If you needed to restore the “Monday” data, you could manually override the access restriction. Such activities introduce risk and fragility into a critical function, however, and cannot guarantee to keep you safe from a ransomware assault. For the best results, use the cloud as a convenience target with standard offline storage as a failsafe.

Cloud Backup

Advanced Disaster Recovery Using Cloud Services

Using the cloud storage accounts described above, you can perform a restore operation by connecting your backup application to the account and running the same restore process that you would use with on-premises backup data. Other than data connectivity, this requires no special steps on your part.

However, the cloud provides alternative recovery options. With Azure Nested Virtualization, you could use your backup program to restore Hyper-V virtual machines directly into Azure. You would then need to do some work to enable connectivity, but your employees could use Azure as their datacenter.

If you don’t have the technology to directly restore a virtual machine right into Azure, but you like the idea of using Azure as an alternative datacenter, you have options. You could temporarily restore resources to a lower-powered system onsite, then transfer them into Azure’s SaaS and PaaS offerings. That works well for things like SQL Server and file serving.

It does take planning and time to execute but can provide substantial savings over building and operating your own secondary datacenter.

Some SaaS providers may offer enhanced services at a premium. They typically market such solutions as “DRaaS” (Disaster Recovery as a Service) or “BCaaS” (Business Continuity as a Service).

Features and pricing vary widely and change frequently, so you will need to research them and perform comparisons before deciding on anything. Such services will inevitably cost more than doing it yourself but should not cost as much as running an alternative site.

Keep in mind that “DRaaS” solutions frequently act more like replication technology than proper backup. For instance, Azure Site Recovery (ASR) allows you to mirror physical and virtual systems into Azure, where it may keep them or relay them to another of your facilities. However, it has no historical capabilities. Therefore, ASR can serve as a replication solution, but not as backup.

To properly protect your virtualization environment and all the data, use Hornetsecurity VM Backup to securely back up and replicate your virtual machine.

We ensure the security of your Microsoft 365 environment through our comprehensive 365 Total Protection Enterprise Backup and 365 Total Backup solutions.

For complete guidance, get our comprehensive Backup Bible, which serves as your indispensable resource containing invaluable information on backup and disaster recovery.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Considering Cloud-Based Solutions

Considering Cloud-Based Solutions

Someday, we might move to pure cloud-based options for backup and business continuity. We still have several problems to address before that can happen. For one, we do not have any foolproof ways to maintain an always-available data storage location in the cloud that can also provide adequate protection against ransomware.

Cloud backup and disaster recovery also presents the same challenge as every other cloud service: what do we do when we cannot access our cloud provider(s)? While it may seem archaic to keep your tapes and detachable hard drives around, only fully offline solutions provide any real guarantees.

For now, treat cloud-based backup and business continuity solutions as a convenience. Continue creating local copies that you can take completely offline and offsite.

FAQ

What is on-premise backup?

On-premise backup refers to creating and storing data backups on local hardware or servers within an organization’s physical premises. It is a traditional data protection method, ensuring that critical data is available and recoverable in case of data loss or system failures.

Which is the best backup solution?

Hornetsecurity offers a robust backup solution and is recognized as a leading provider on the market.

Does Microsoft have a backup solution?

The solutions offered by Microsoft are designed to help users protect their data and applications hosted on Microsoft platforms. However, choosing the most suitable backup solution should align with an organization’s requirements and preferences. On the other hand, Azure Backup provides a scalable, secure, and cost-efficient backup solution with the convenience of a one-click backup tailored to your storage requirements.

The Biggest Data Loss Risks and How to Address Them

The Biggest Data Loss Risks and How to Address Them

by | Sep 21, 2023 | Backup

The lack of understanding around data protection presents a serious barrier to proper planning. Some organizations fail to adequately plan simply because they do not realize its importance. Others do not feel that the danger justifies the effort. The lack of a plan presents the greatest danger of all. This article helps you to paint a fuller picture of the risks that a disaster recovery strategy can mitigate.

Negative Attitudes Toward Disaster Recovery Planning

No one has conducted in-depth studies into the behaviors and attitudes around disaster planning. We do not know what percentage of organizations minimize or even skip this critical component. Most importantly, we do not conclusively know why system designers tend to reduce the importance of disaster recovery.

We do have common anecdotes from individuals that have worked with companies to plan for or recover from disasters. Some reasons frequently cited:

Success breeds a success mentality

The longer an organization survives without experiencing a catastrophe, the less its members believe in the possibility of it occurring. As is true for humanity in general, few people tend to strongly consider emergencies until one strikes.

Expense

Generally, businesses perform infrastructure computing and storage deployments in bulk. They purchase and install several components all at once. In the case of clusters and replicated storage devices, they may have no other options.

Usually, planners design the functional portions first, then add in the protection schemes. As the capital expenditure sum climbs, the willpower to spend tends to decline. As cloud-style subscription pricing gains popularity, the same behavior shifts to operational expense. Providers show a handful of attractive pricing options upfront, but as you check “optional” boxes, the value proposition loses appeal.

Just as with bulk purchases, each add-on prompts questions of what the organization can live without.

Time

Building and implementing a proper disaster recovery strategy requires time. Much of it requires the involvement of principals and senior staff. They may feel that they have better ways to allot their time than sitting in meetings and filling out questionnaires to prepare for an event that might never occur. They may also feel that their technology teams should focus on other endeavors.

Scope

Frequently, a backup plan does exist but falls short of organizational needs. Taking a nightly backup certainly grants better protection than doing nothing at all, but that cannot represent the entire strategy.

Misunderstanding

Even in today’s world of ubiquitous technology, few people understand the differences between the datacenter and the desktop. Or the difference between a server in your own datacenter, or one located in a public cloud. Consumers rarely back up their personal computers or devices. They simply do not comprehend the risks. Without an experienced guide, they tend to underestimate the hazards.

Short-term thinking

In most cases, improper planning results from innocent ignorance and naiveté. However, not everyone will have the organization’s best interests in mind. A consultant might try to win a contract by providing a cheap solution with little or no backup functionality.

A less-than-scrupulous business manager might decide to check that important “underbudget” box by skimping on backup. Or, a well-meaning principal might adopt a “let’s deal with that later when we have a little more money” stance – but later never comes.

As you work on your disaster recovery plan, keep all of these things in mind. Because backup and disaster recovery have no immediate benefit, you will almost certainly face resistance. You need to remain prepared to answer “why” at any time. The next section can help.

Negative Attitudes Toward Disaster Recovery Planning

Assessing the Risks That Necessitate a Disaster Recovery Strategy

If you study computer security, you will have heard of “threat modeling”. Essentially, it means that security experts first identify potential threats. They can use that list to predict the extent of possible damage from an attack. That in turn helps them to design a clear strategy for defense and mitigation. You can use a similar approach to building backup and disaster recovery systems.

In the case of disaster recovery, the risks consist of a superset of the security threat model. Malicious actors pose one kind of threat out of many. You also must worry about hardware failures, natural disasters, and human error.

With each risk, you must consider its possible impact. What are the ramifications if an attacker steals data? What would happen to the organization if a failed storage system caused complete data loss? What are your prospects if a flood makes your entire building unusable? What if someone deletes a critical e-mail that places your organizations in a legally vulnerable position? Each danger type presents a unique challenge for every organization.

At this point, you may only be able to draft a cursory idea of your risks. A proper assessment includes a detailed analysis. However, in all but the smallest companies, these investigations need more than one person. At this stage, you only need enough to make a solid case for spending time and capital on designing and creating a comprehensive backup and disaster recovery solution.

A List of Common Risks

To help you start your list, consider some of the major risks that all organizations face:

  • Data theft
  • Physical theft
  • Malicious digital attacks
  • Rogue insiders
  • Social instability
  • Power failures
  • Arson
  • Sabotage
  • Natural disaster
  • Departure (or worse) of critical staff
A List of Common Risks
Take some time to research risks particular to your industry. You may not add anything to the list, but you might need to adjust its priorities. For instance, if your organization creates software, then “intellectual property theft” will feature prominently. If you transport commodities, then physical threats will rank higher. This might be the point at which you create and present the business case for undertaking disaster recovery planning. If you need more material, then perform preliminary work on some or all of the other items in the checklist.

Determining Key Stakeholders

Depending on your organization’s size and your position within it, you may not have the authority or knowledge to conduct a deeper investigation on your own. Whatever your role, start with what you consider important. If you’re a systems administrator, you may think of your e-mails or files.

If you have an operational position, you might think of your equipment or inventory. If you handle sales, your mind might dwell on your book of business. To define a fuller plan, you need to adopt a more holistic evaluation.

To gain the necessary perspective, you will likely need the approval of your organization’s executives. Properly analyzing risk requires time and attention. In the absence of an obvious threat or recent catastrophe, you will likely struggle to move this phase of the plan along. Even people that understand the risks tend to consider it a low-priority task.

Set a goal of getting the appropriate people involved in the conversation and ensure that they have sufficient motivation and opportunity to participate.

To start the conversation, use an informal approach. Start asking things like, “Which people would know the most about our risk profile?” and, “Who has the best knowledge of what we need to protect?” Expect to need input from:

  • Executives or principals
  • Head and leads of IT
  • Key stakeholders – these vary greatly between organizations. It might mean department heads or product owners or individuals in major roles
  • Intellectual property creators and proprietors
With a starting list of names, you have options: individual interviews, forms, or group meetings. You may eventually use all these things, but you will likely find that brainstorming meetings will get you the farthest in the beginning. However, the risk discovery task neatly connects with several of the following activities. Therefore, you will likely want to read ahead before scheduling anything.

War Gaming

Every organization has at least one antagonist. For-profit companies have the most obvious: their competitors. Even without a profit motive, the most altruistic charity is formed to handle a problem. Effectively working toward a goal requires a plan. Therefore, everyone should understand the value of strategy. Bring this mentality to your disaster recovery planning.

Of course, you do not need to use the term “war gaming” if it is inappropriate for your audience, industry, or organization. Try out terms such as “threat response simulation” or “disaster exercise”. Whatever you call it, you do need to distinguish this type of activity.

First, do not stop at simple hypotheses. For example, your threat model could list “malicious hack attempts”. A war gaming exercise might flesh out a scenario in which a competitor had successfully compromised a firewall, found an old password repository on an unprotected file share, and was actively deleting your orders database.

The story that you concoct does not matter much – do you have any competitors that would do such a thing? – but could draw more interest and involvement than bland bullet points.

However, the components do matter: unpatched equipment, misplaced sensitive data, improperly secured resources, and unrotated passwords exist in greater numbers than anyone wants to admit. Instead of pretending that they don’t or that you can perfectly fix them all with simple determination, sketch out several “what if?” scenarios.

Second, war gaming involves actual activity. This chapter focuses on identification and prioritization, so we will revisit this later. As a quick introduction, your organization’s teams must practice dealing with problems.

Account for that in your plans. While you may choose to focus such efforts on IT and other teams that will handle the bulk of event responses, don’t forget that the people who use the systems will need some idea of what to do and could use the practice as well.

Bringing the concept of war gaming to disaster recovery will also help to highlight the indispensable part that your backup systems play in your organization’s overall data security posture. Sometimes, and notably in the case of ransomware, your best option means to wipe out some or all your production environment completely.

Your path back looks remarkably like what you would do if those systems burned in a fire or shattered in an earthquake.

Data Prioritization

Meetings and discussions about risk will inevitably cover the vital portions of your organization’s systems. As you outline your exposure, you can take the opportunity to rank your assets. Most disaster recovery plans will encompass everything, but even in the best cases, restoration takes time.

For now, do concern yourself with the rebuild order. Focus on mission-critical applications – what does the organization need for minimal operation?

At this phase, organize your priority list at its highest level. For example, instead of making line items that make sense to administrators, such as “customer database”, use business-oriented labels such as “ERP system”. You can work out the technical details later. Things will necessarily look different once you translate this list into an implementation document.

As you build up this list, ensure that everyone involved remembers that top priority belongs to the systems that your organization requires for operational performance. Try to avoid using terms like “critical”, as not everyone will agree on the definition, and sometimes, you can function for a while without a crucial system.

As an example, consider a company that transports freight. No one can dispute the importance of keeping the electronic customer record system available, but can the operation continue without that longer than it can continue without the system that maintains contact with delivery and pickup drivers?

The question to ask of every system: “What is the business impact of an outage?” For now, you may need to keep those answers short.

Microsoft 365 and Other Cloud-Based Products

Cloud products have taken an enormous burden from datacenter administrators. Vendors assume the responsibility of securing, delivering, and updating servers, software, and underlying hardware.

Thoroughly investigate every solution you utilize or contemplate. At Hornetsecurity, our unwavering commitment to customers is evident, and we provide the following quartet of services tailored for Microsoft 365 users:

365 Total Protection – deliver complete security for Microsoft cloud services, designed exclusively for Microsoft 365. It is seamlessly integrated and offers easy setup and intuitive use, streamlining your IT security management. 365 Total Protection is the all-in-one protection suite for Microsoft 365 security, backup and compliance.

365 Total Protection Enterprise Backup – help safeguard your Microsoft 365 from phishing, ransomware, advanced threats, and data loss using 365 Total Protection Enterprise Backup. This distinctive cloud-based suite combines security and backup.

365 Total Backup – with 365 Total Backup, access a full backup and recovery solution for Microsoft 365 mailboxes, Teams Chats, OneDrive for Business, SharePoint libraries, and endpoints. Effortlessly set up, manage, and restore your company’s Microsoft 365 data with its user-friendly configuration and multi-tenant management capabilities. It is automatic and hassle-free.

365 Total Protection Compliance & Awareness – 365 Total Protection Compliance and Awareness is the 4th plan in the 365 Total Protection Suite. It covers all aspects of an organization’s Microsoft 365 security management and data protection: email security, backup and recovery, compliance, permission management, and security awareness. Features can be managed via one central cloud-based console. The solution protects your company’s digital environment, improves end-customer trust, and guarantees business continuity.

365 Permission Manager – effortlessly oversee Microsoft 365 permissions, ensure compliance policies and track violations using our user-friendly GRC service. It facilitates real-time collaboration and remote work access to business data from anywhere. While working with tools and constructing data infrastructure is straightforward, permission management can be intricate and risky. That’s where 365 Permission Manager steps in.

Widen the Search for Essential Data

Meetings alone will not uncover everything that you need to protect. They serve as a starting point for the attendees. They will need to look within their departments. To complete the data protection model, key staff in each department must create a thorough inventory.

The search should not restrict itself to digital assets. Your organization may predate the advent of digital record keeping, or it may fall under the purview of regulations that require physical copies. Business continuity and disaster recovery will mean protecting those items as well.

Legal and Compliance

Amidst all the doom and gloom talk of fires and security breaches, backup has its mundane purposes. Many organizations fall within the scope of regulatory agencies and industry commissions. Some organizations, such as health care institutions, must abide by rules specific to them. Laws range so widely that almost everyone that gathers data probably has some requirement to keep it.

In most cases, regulators or commission representatives can show up unannounced and demand to examine your data. You will need to prove that you can retrieve data from any point within the regulated time frame. Internal and contracted auditors may do the same to prepare you for compliance verification.

Even if you have no reason to fear mandated reviews, no one has a guaranteed way to avoid civil action. Surviving a lawsuit may depend on your ability to retrieve a specific e-mail or document.

To properly protect your virtualization environment and all the data, use Hornetsecurity VM Backup to securely back up and replicate your virtual machine.

For complete guidance, get our comprehensive Backup Bible, which serves as your indispensable resource containing invaluable information on backup and disaster recovery.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

A List of Common Risks

Wrapping up Risks and Priorities

Business continuity and disaster recovery both mean working through and after major problems, regardless of how they occur. Smaller events need different responses. For instance, you might need to restore a single database after an accidental deletion. So, you need to know how an accidental (or malicious) deletion might happen.

As you and your colleagues work through the discovery phase, you might find mitigation strategies that allow you to reduce exposure to your unique risks. Where possible, choose prevention over response. You will not remove many items from your list of concerns but take every advantage that you can.

Be mindful of course-altering events. For instance, if your organization centers on physical products in a warehouse, and a disaster annihilates the facility and all its contents, then you probably won’t concern yourself as much with a pickup scheduling application.

As your risk and priority models take shape, you will naturally build up an idea for the tolerances and expectations that you have in your disaster and data recovery planning. You might be able to define all of those in the same meetings. However, they often require a more detailed examination of the supporting systems. Department managers may need to break to gather input from daily operators.

FAQ

What are the consequences of data loss to a company?

Aside from regulatory compliance lawsuit costs and lost productivity, data loss can lead to expanded costs in the short to medium term, making day-to-day operations more costly and significantly affecting a company’s growth and profitability.

How do you manage data loss risk?

You should:

  • Back up your files;
  • Protect your hardware;
  • Educate your employees about data leakage;
  • Keep your computer clean;
  • Apply antivirus and anti-malware software;
  • Ensure sensitive data is encrypted;
  • Keep software patches up-to-date;
  • Develop robust security policies for devices and endpoints.

What would happen if data is lost?

Data loss can disrupt productivity timelines and potentially lead to customer loss if associated with security breaches. When sensitive data is hijacked or compromised, your company must inform clients, pushing you to lose their trust and respect.

The Role of Backup in Organizational Security

The Role of Backup in Organizational Security

by | Sep 19, 2023 | Backup

No single security measure will work for every problem or every time. To address that never-ending problem, datacenter administrators depend on a “defense in depth” paradigm. Defense in depth uses a layered approach to security such that multiple items collectively bear the burden of protecting your systems and data. Backup serves a vital role in this model.

This article talks about how to use it effectively.

The Last Line of Defense

Work through a thought experiment: ransomware has scrambled all your data, or a virus has run rampant through your systems. What viable options do you have? Sometimes, ransomware authors provide a decrypt key upon receiving payment. Many times, they don’t; they take the money and leave the organization with nothing.

Whatever motivations virus authors might have, they typically have no way to reverse the damage. Even if you get a decrypt key or find a tool that cleans up the virus, will you ever feel fully confident that you have wiped all traces from your systems?

When we talk about “defense in depth”, backup represents the last layer. First, accept the premise that no system is unhackable. You and your security teams and contractors can take every precaution and still fall victim. You can have all the best tools deployed and someone will circumvent them.

The backup industry and its evangelists initially pushed for offline and off-site backups to protect against natural and physical disasters. Malware added another potent reason. Taking data offline makes it unreachable for an active invasion. Taking data off-site adds barriers against in-person malicious actors, such as rogue employees.

The unchecked spread of ransomware prompted innovation in backup storage technology: immutability. With this feature, written data accepts no changes for a prescribed amount of time. That allows you to maintain an active connection to the backed up data without making it vulnerable to malware. However, treat this as a convenience feature. The “no system is unhackable” adage still applies.

The Role of Backup in Organizational Security

Strategies for Using Backup Defensively

Including backup in your security response does not require major changes. Any security incident that leaves your environment in an unusable or indeterminate state calls for a clean wipe and reload. Essentially, you act much like a natural disaster had destroyed all your equipment. However, since you’re not getting replacement hardware, you need to take the extra step of completely clearing your systems.

Make sure that you understand what “clearing” means. Simply formatting hard drives does not wipe them. Contrary to longstanding belief, even a “full” format does not wipe a drive. It performs the same logical steps as a quick format and then verifies that it can manipulate every sector. Use built-in or software tools that actively zero the storage.

Another persistent myth claims that you need to perform multiple passes in order to truly zero out magnetic storage. No one has showed this as true, and even if it were possible, it would require analog equipment. Your goal is to ensure that traces of malware left behind cannot reinfect the system. A single zeroing pass will accomplish that.

Most modern hypervisors will write zeros to thick-provisioned space when you create a virtual hard disk. They also typically zero the slack area in thin-provisioned space as they add it. That only protects the virtual machine, though.

The management operating system may still read latent data independently of the hypervisor. Therefore, you might choose to skip the manual zeroing process for storage that will only hold virtual hard disks, but it carries some risk.

Zeroing every hard drive in your organization involves significant burdens in time and effort. However, modern malware, especially ransomware, can be pervasive. If you miss a single instance, that might turn all effort into a waste. Make all that clear in your recovery planning.

Your organization might consider alternatives, such as destroying every drive and replacing all of them with new. That still makes for a heavy workload, but it will save time and eliminate some effort. To go a step further, consult with your insurance carrier.

They may consider a malware infestation as a complete loss and allow you to replace all your equipment. Do not assume that you have this coverage. Even if your carrier offers it, it might require an additional purchase above your current policy.

Your drives aren’t the only location where attackers can persist. Over the last few years, different strains of UEFI / firmware malware have been found and whilst not yet being used routinely by ransomware attackers, they are experimenting with it.

If you find that the attackers have hidden in there, the only way to be sure is to replace the hardware. If persistence malware is present in your UEFI, zeroing your drive will accomplish nothing as the attacker will still have access.

Once you have known clean systems, then you can bring out your backup media. Before doing anything else, make a duplicate of your last known good backup on an isolated system. Since you’ve already put in so much work, it wouldn’t add much to duplicate more than one. These duplicates exist as more insurance. You will need to bring an original online to restore from it, which could expose it to any missed malware.

Unless you encounter something of the sort, then you will follow your disaster recovery procedure from this point through final restoration.

For some organizations, size or time constraints will make such a clean procedure impossible. In those situations, you must bring in credentialed security experts before you have any problems to help with design. Use them to build threat containment and define metrics that you can use to consider your system “clean enough” to move to the recovery phase.

Consider the risks of partial cleans thoroughly before deciding that the time or effort saved outweighs them. If performing a full clean once sounds daunting, imagine needing to perform a full clean after a failed partial clean.

To properly protect your virtualization environment and all the data, use Hornetsecurity VM Backup to securely back up and replicate your virtual machine.

For complete guidance, get our comprehensive Backup Bible, which serves as your indispensable resource containing invaluable information on backup and disaster recovery.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Wrap Up

Just as backup provides a foundation for your security response, its safety depends on your security practices. Existing recommended techniques for capturing, transporting, and storing backup data already go a long way toward protecting it from security breaches.

FAQ

What is the purpose of backup in an organization?

The purpose of the backup is to construct a copy of data that can be retrieved in the event of primary data loss. Prior data failures can result from hardware or software failure, data corruption, or a human-caused event, such as a malicious attack (malware or virus) or accidental deletion of data.

What are backups for security?

Data storage refers to keeping data files in a secure location for you to readily and easily access. Data backup, however, refers to saving extra copies of your data in different physical or virtual areas from data files in storage.

What are the roles and responsibilities for backup and recovery?

Here are the three main roles and responsibilities for backup and recovery:

  1. Configuration of backup solution on requested servers
  2. Performing standard and test restores of requested files, folders, databases, and virtual machines, completing disaster recovery tests
  3. Having basic Windows and Unix OS administration knowledge
How to Secure and Protect Backup Data

How to Secure and Protect Backup Data

by | Sep 8, 2023 | Backup

Multiple high-profile breaches have made everyone painfully aware of the need for data security. The theft of unencrypted backup tapes from a few major organizations widened the scope to include backup. Unfortunately, information technology departments have not done much to improve protection of cold data.

Since attackers typically target active data and online systems, technology professionals and data security firms focus efforts there. For many years, businesses have avoided compromise of backup systems more by luck than by effort. In the age of ransomware, that luck will run out in dramatic fashion.

Risk Analysis for Backup

Earlier articles in this series urged you to perform risk analysis for your production systems. If you did that, then you already know the importance of the various items that you back up. Most of that priority transfers directly to the backup copies.

However, treat all your backup data as a collective target. Large organizations often segregate data in backups because of time or capacity constraints, but many coalesce all of it into one place.

If you decide not to encrypt the backups of data that has no value to a thief, such as documents that you make available to the public for free, then an attacker may uncover a way to use it as a chink in your armor to get to your encrypted data.

As you think of risks to your backup data, remember one of the primary reasons that backup belongs to your disaster recovery solution: it can help your data to survive physical loss or damage to your production systems.

Geographical dispersion provides a direct answer to those concerns. A proper protection system places significant distance between at least some of your backup data and its home site.

Different geographical locations face unique threats. Coastal facilities must suffer through hurricanes. Heavily forested areas deal with more fires. Inland plains regions deal with tornadoes. Dense urban areas sometimes go through periods of destructive civil unrest or worse.

Think through how your business continuity system protects you from the realistic dangers that you face. Ransomware has added itself to the list of threats to your backup data. As their authors extend their intelligence and aggressiveness, they can interfere with your backup systems directly.

Ransomware risks to backup

Ransomware creates a unique challenge. Where traditional attacks try to steal or destroy your data, ransomware wants to prevent you from accessing it. Standard disaster recovery technique easily thwarted early ransomware. Administrators would simply wipe out the live system entirely and rebuild from the latest backup.

As ransomware proved itself a uniquely lucrative vector for malicious actors, it received greater development efforts. Where the initial iterations of this type of malware would try to spread following the techniques of viruses and worms, newer programs can specifically target backup software. If uncaught, they will encrypt all data that they can reach. Such a risk should influence your backup deployment.

Security by Redundancy

We use backup primarily because it makes a distinct copy of our live data. To solidify that protection, we need to have further redundancy within our backups. Each unique copy greatly reduces the odds of a permanent loss.

Protecting your backups with multiple tiers

Storage cost per terabyte continually declines as technology advances. You can take advantage of that to create backups of your backups. Whereas your rotation schemes and full backup scheduling schemes will prevent corruption of deduplicated data from causing overwhelming loss, they do little to protect data that only exists on a single backup. You have several ways to address this problem:
  • Multiple copies in separate locations made by your backup software
How to Secure and Protect Backup Data
  • Replication of backup data using built-in NAS/ SAN features
How to Secure and Protect Backup Data
  • Replication of backup data using external software
How to Secure and Protect Backup Data

You can use multiple approaches as suits your needs and the technology available to you. For instance, you might have your backup software place its data on a NAS and then use a storage replication technology to copy it to another system.

An older solution, called disk-to-disk-to-tape, would use backup software to keep recent data on tapes and then transfer it to disk as it aged. Where possible, try to use the capabilities of your backup software. If someone needs to take over your deployment after your departure, you want them to leave them with the fewest complications possible.

While you retain control, you do not want a convoluted system that makes your maintenance activities difficult.

The role of retention and rotation policies in backup security

In and of themselves, retention policies do not impact redundancy. However, they do set how far you can stretch your media. If you have very long retention policies, then you will require more media capacity to achieve the same frequency of full backups.

Prefer to shorten your retention policy rather than sacrifice having sufficient full backups.

To make the most use of your backup media and storage space, you will establish a rotation practice to reuse it. If you have a tape-based system, then you might opt for a scheme that reuses some tapes but keeps others for long periods of time.

If you use a disk-based system, then you might rotate through removable drives or periodically exclude some backups from deduplication. Utilize these techniques in a way that balances the economics of media consumption with the value of multiple full copies.

Rotation can really shine when you leverage it as protection against malware. If malware impacts your backup solution, then it will encrypt anything that the program touches. Only your offline media will remain safe.

You will need to exercise vigilance over your backup solution so that you can catch infections before one makes its way through your rotation.

Using Account Control to Protect Your Backups

Backup has a special role in your information technology environment, but it has the same foundational needs as all your other systems. So, you can apply common security practices to it. Start by creating a unique account to run backups and lock it down. Restrict its permissions to handling backup data.

If your backup application allows it, consider using different accounts in different contexts. Exercise restraint; do not make an unmanageable mess. Follow the same practices that you should for all vital service accounts:

  • Maintain tight control over the account–treat it like a domain administrator account
  • Place the account in an organizational unit that grants control to the fewest people possible
  • Assign viable password rotation and complexity policies to the password
  • Change the password immediately if anyone with access leaves the organization
  • Use a properly secured password vault.

These practices cannot provide much protection against ransomware. If malware recognizes your backup program and attacks it, then you can mitigate the damage somewhat by disabling the special backup accounts. However, if malware has penetrated your organization to that point, then any such action will almost certainly come too late.

You must spend time properly securing accounts, but do not waste time trying to develop overly creative solutions that cause more burden for administrative staff than protection. Later sections of this article series explore ways to build an effective defense against backup-aware ransomware.

Encrypting Your Backup Data

You can easily reduce the risk of your data falling into the wrong hands by employing encryption. If someone steals a tape or cracks into your cloud account, they will not gain much if they find encrypted data for which they have no key. All modern backup software should natively include some form of encryption. Avoid any that does not.
How to Secure and Protect Backup Data

When you try the software, ensure that you understand how it implements encryption. If you intend to rely on an application’s deduplication and other storage saving features, run comparisons to determine how encryption impacts them. While encryption does greatly strengthen the security of your backups, do not rely on it alone. If someone steals an encrypted copy of your data, then they have a copy of your data. If your attacker has the expertise, time, and willingness, they will eventually break even the best ciphers with the longest keys.

We expect to have many years before anyone breaks through current cryptographic schemes, but we cannot know what vulnerabilities remain hidden or how imminent technological advances will impact code-breaking. Employ all available security measures.

Remember to take special care of the keys used to encrypt your backups. They represent the weakest links with this strategy. Use similar techniques to protect them to those that you implement for important account passwords.

Exploring Immutability

The data protection industry has renewed interest in “immutability”. To some, it might appear like a new concept. However, the fundamental intent and technology to achieve immutability has existed for a long time.

If you want to know the history, search for WORM (write once, read many) storage. However, the recent emphasis on immutability by backup solution vendors is not a mere ploy to sell more technology. WORM technology came into existence so long ago because administrators have always needed to protect the integrity of long-term storage. However, most historical threats to static data came from internal sources.

Innocent, accidental overwrites of media caused more damage than malicious attacks. The thing that brought immutability back into focus was the growing thoroughness of malware authors. Ransomware, in particular, has gained the ability to recognize and sabotage specific backup applications and technologies.

Attackers realize just as much as anyone that a restore can downgrade locked systems from an organization-ending catastrophe to an exasperating interruption. Those interruptions ruin days or even weeks for the targeted institution, but they don’t lead to ransom payments. So, threat actors attack backup systems along with the live environment.

Now, not only do you have to worry about reachable data, you also have to worry about it during backup and restore processes. Immutability helps to solve the problem of attacks on backup. Instead of forcing administrators to depend on defensive techniques and tools to safeguard data, immutability tools prevent all modifications to data. That block includes the backup software that created the backup.

Modern immutability solutions

Original WORM solutions used optical discs. Even today, nothing quite matches the permanence of using a laser to alter a material surface. Unfortunately, optical media lacks sufficient capacity for most applications today. To address that problem, vendors have produced multiple alternatives.

Most removable magnetic media has a write-protection mechanism. Tape has emerged as the last media standing in this field. Usually, an operator must physically move a sliding piece of plastic or break off a tab. Some manufacturers provide tape cartridges that can automatically switch to a write-protected state after the first write. Tape drives have their own physical mechanisms to detect write-protect status. Only someone with physical access can defeat or bypass these systems.

Some SAN vendors enable WORM facilities. Usage depends on the device’s architecture. Only someone with administrative access to the SAN can remove the protection.

Ransomware has motivated backup software vendors to innovate. Specifics vary between vendors, but most involve a collaboration between software and a cloud provider. For example, Hornetsecurity VM Backup V9 uses its existing cloud storage mechanism to integrate with cloud immutability offerings. Because policy determines immutability, even administrators cannot change data until the policy’s duration expires. This power gives us the same protection as the original optical WORM solutions without the capacity restrictions.

Isolating Your Backup Systems

Take steps to reduce the surface area of your backup. In some way, backup touches everything in your environment, but the reverse does not need to be true. Isolation techniques range from simple to highly complex; you will need to balance the risk of not employing a method against the effort of implementing it.

To properly protect your virtualization environment and all the data, use Hornetsecurity VM Backup to securely back up and replicate your virtual machine.

For complete guidance, get our comprehensive Backup Bible, which serves as your indispensable resource containing invaluable information on backup and disaster recovery.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Conclusion

In an era dominated by the ever-evolving threat of ransomware, relying on luck to safeguard backup systems is no longer viable. The potential consequences of a compromise can be dire, leading to significant data loss and operational disruptions. Therefore, we at Hornetsecurity urge organizations to adopt a proactive approach in order to secure and protect backup data to ensure comprehensive data security.

FAQ

What is the most secure method of backing up your data?

The only secure method you need to back up your virtual machine data is the comprehensive VM backup solution by Hornetsecurity. Get your trial version now: https://www.hornetsecurity.com/us/services/vm-backup/

What is good security practice with backups?

Safeguarding your data with a strong security protocol is a wise move. One effective practice is the 3-2-1 backup rule, which entails having three copies of your data (including live data and two backups), utilizing two different storage media, and storing one copy offsite. A hybrid backup approach, combining local and cloud destinations, offers an excellent implementation of this rule effectively.

What is security in data backup?

Data security refers to data protection from unauthorized access, use, change, disclosure, and destruction, including network, physical, and file security.

Disaster Recovery Planning: Key Steps to Mitigate Risks and Protect Your Company’s Data

Disaster Recovery Planning: Key Steps to Mitigate Risks and Protect Your Company’s Data

by | Sep 5, 2023 | Backup

A solid disaster recovery (DR) plan needs time and attention to form properly. Usually, the total investment closely coincides with the size and scope of the organization. Due to the level of effort, many businesses need help improving their process beyond regular backups. Some also struggle with finding a logical starting point.

To get started, you need to build a checklist. It should include clear goals and the activities that will achieve them. You will need to create a custom list that fits your particular needs. You will likely need to refine the list of items as you work through it.

Creating Your Backup and Disaster Recovery Checklist

You can use the following example checklist as a starting point. Here are the essential items you will need to include in your backup and disaster recovery checklist:

  • Make the business case for a disaster recovery plan;
  • Identify risks;
  • Determine key stakeholders;
  • Define a data prioritization strategy, including immutable backups;
  • Discover your data protection scope;
  • Define recovery objectives and tolerances (RTOs and RPOs);
  • Determine solutions;
  • Define capital and operating budgets;
  • Create an implementation plan;
  • Create a business continuity plan;
  • Create a disaster recovery plan;
  • Create test plans;
  • Follow the implementation plan;
  • Schedule and follow the review plan.
Your list will grow beyond this one, usually with several sub-items specific to your particular requirements. Out of all these items, the last one, “Schedule and follow the review plan”, may very well be the most important.

To properly protect your virtualization environment and all the data, use Hornetsecurity VM Backup to securely back up and replicate your virtual machine.

For complete guidance, get our comprehensive Backup Bible, which serves as your indispensable resource containing invaluable information on backup and disaster recovery.

To keep up to date with the latest articles and practices, pay a visit to our Hornetsecurity blog now.

Wrap Up

Disaster recovery planning is an ongoing process, not a one-time event. You will do most of the work during the initial planning phase, but your organization cannot simply abandon the plan after implementation. Your first item, making the business case, usually spans a few of the items that follow. You can easily gain acknowledgment of the importance of backup, but you need an organizational commitment to a thorough plan.

FAQs

What is disaster recovery?

Disaster recovery involves an organization’s proactive approach to tackling technology-related disasters. It encompasses preparation for and recovery from events that obstruct a workload or system from fulfilling its primary business objectives at its deployed location. These events may include power outages, natural disasters, or security breaches.

What is an example of a disaster recovery plan?

Certainly, one example of a disaster recovery strategy is data backup. This essential measure aids businesses in recovering lost data caused by accidental deletion or cyberattacks like ransomware. The ultimate goal of disaster recovery is to equip organizations with the necessary tools and procedures to swiftly restore operations after encountering disruptions.

How many phases are there in a disaster?

There are four principal phases of disaster:

  1. Mitigation
  2. Preparedness
  3. Response
  4. Recovery