In the world of IT, having backups is critical to a successful business continuity plan. Whether you are dealing with an accidentally deleted file or folder, a server going down, or a full-scale ransomware attack, you are going to reach for your backups to get things up and running again. Simply having backups is not enough. Attackers are not only targeting production servers; they are also seeking out backup infrastructure and trying to delete and encrypt it when possible, forcing companies to pay for the keys needed to unlock their files again. Here are a few additional measures to consider that can better protect your precious backups from would-be attackers.
Follow the 3-2-1 rule
Best practices for backups should at the very least follow the 3-2-1 rule.
- Keep 3 sets of your backup data (1 primary, 2 copies)
- Use 2 different storage media (separate storage devices, disk vs tape, cloud repo, etc.) to house backup data
- 1 offsite copy
Having a multiple-destination approach for your backup data is the best way to allow your company to recover rapidly. Offline, air-gapped and immutable copies further protect your data from attackers. For a deep dive into the 3-2-1 rule, check out Ideen’s blog.
Have a Retention Policy
Cyber-attacks can lie dormant before being executed. Simply having a few weeks or months of backup data may not be sufficient if there is malicious software in your environment lying in wait. Carefully review the jobs in place today, ensuring the retention on each job meets or exceeds industry/business requirements. Storage is inexpensive, and storage requirements for your specific retention needs can be easily estimated using tools like the Veeam Capacity Calculator. Taking advantage of the native deduplication and compression settings within software like Veeam and using efficient storage formats like ReFS can also make the most of your existing storage space.
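The 3-2-1 rule and the retention review described above can be checked mechanically against an inventory of backup sets. The following is an added example, not part of the original article or of any Veeam tooling; the `BackupCopy` fields, job names, inventory and the 180-day requirement are all constructed assumptions, and the retention check assumes the longest-retained set defines how far back you can restore.

```python
from dataclasses import dataclass

@dataclass
class BackupCopy:
    location: str        # where this backup set lives (hypothetical names)
    medium: str          # e.g. "disk", "tape", "object-storage"
    offsite: bool        # stored away from the primary site
    retention_days: int  # how far back this set can restore

def audit_321(copies, required_retention_days):
    """Return a list of findings; an empty list means the job passes."""
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} backup set(s), need 3")
    media = {c.medium for c in copies}
    if len(media) < 2:
        findings.append(f"only {len(media)} storage medium, need 2")
    if not any(c.offsite for c in copies):
        findings.append("no offsite copy")
    # Assumption: the longest-retained set bounds the recovery window.
    longest = max((c.retention_days for c in copies), default=0)
    if longest < required_retention_days:
        findings.append(
            f"longest retention is {longest} days, need {required_retention_days}")
    return findings

# Constructed sample inventory, keyed by backup job name.
INVENTORY = {
    "fileserver-daily": [
        BackupCopy("local-repo", "disk", False, 30),
        BackupCopy("tape-library", "tape", False, 90),
        BackupCopy("cloud-bucket", "object-storage", True, 365),
    ],
    "sql-nightly": [
        BackupCopy("local-repo", "disk", False, 14),
        BackupCopy("nas-share", "disk", False, 14),
    ],
}
REQUIRED_RETENTION_DAYS = 180  # assumed business requirement

def audit_inventory(inventory=INVENTORY, required=REQUIRED_RETENTION_DAYS):
    return {job: audit_321(copies, required) for job, copies in inventory.items()}

if __name__ == "__main__":
    for job, findings in audit_inventory().items():
        print(job, "PASS" if not findings else "FAIL")
        for finding in findings:
            print("  -", finding)
```

A job that was created recently will not yet hold restore points as old as its configured retention, so treat `retention_days` as the policy setting rather than proof that the data exists.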
Test Your Backups
Just having backups is not enough. You should not assume your backups are known-good restore points unless you have fully tested and verified their functionality. Restoring individual files is also not a substitute for a full VM restore. At a bare minimum, you should be doing a yearly large-scale spin-up of all your critical VMs to confirm they successfully boot, services come online and are accessible, and file sets appear as they should. For Veeam environments, consider setting up SureBackup to allow for testing in an isolated virtual environment.
Practice the “Least Privilege” Model
As an IT admin, you have the keys to the kingdom, but that doesn’t mean you should just leave all the doors unlocked. There are many things you can do to further protect your backups and backup application from unwanted parties.
- Consider removing backup applications and storage from your domain. This will remove the risk of privileged accounts being used to traverse the network and delete backup data. Unique local accounts with very strong credentials should be used to access backup servers/applications and to interface with storage appliances.
- Segment your network so that backup infrastructure does not sit on the same subnet as workstations, servers or other network devices. Use firewall rules or access control lists to limit which devices can talk to your backup infrastructure via the network.
Protection, Protection, Protection
There is always room for improvement when it comes to the security of your data. Now that you have a solid set of backups, here are a few additional layers that can be added to better protect that data so that it can be utilized in a disaster scenario:
- Encrypt your backup jobs
- Utilize MFA for the Veeam Backup and Recovery console
- On your backup servers, require MFA at the OS login prompt by leveraging solutions like Duo
- Consider disabling all remote access to the backup server (RDP, iDRAC ports, uninstall RMM tools, etc.). If a backup server is running as it should, there should be no need to regularly access the device. Limiting access to physical interaction dramatically reduces the exposure vectors.
- Consider immutability for backups. Leveraging solutions like Veeam, Wasabi and hardened Linux repositories can allow for greater protection by creating a backup set that cannot be deleted for a period of time that you specify.
If you still have questions or are feeling overwhelmed by all the potential changes, please contact us and one of our engineers can set up a call to better discuss the process and how it can be implemented in your environment.