Over the last year, ransomware attacks have become more and more sophisticated in their approach. It is now routine for an attacker to delete backup files first and then encrypt every other file in an organisation's systems.

This raises the question of whether a single backup and data protection vendor in your environment is enough, or whether you need a more comprehensive data protection and disaster recovery strategy.

Data Protection

A well thought out data protection strategy relies on multiple layers to protect the data at the core of a business's infrastructure. As a business, you can no longer rely solely on a local backup that is always online and readily available: a backup that is reachable from the network can be deleted or encrypted along with the production data, which leads to a complete loss of data.

There are, however, different methods that help to protect your data better, or to keep additional copies of it. Each layer should have its own security and hardening in place, so that compromising one layer does not hand an attacker the next.

Your data is normally the ultimate target of any ransomware attack. Starting from the inside out, there are some relatively minor adjustments that help to protect it:

  • Appropriate permissions should be in place so that only the users who need access to the data have it. This limits the attack surface should a ransomware attack take place, because ransomware running under a user's account can only encrypt what that user can write to
  • Avoid making every user a global admin
  • Grant access through groups with tiered rights, for example read-only, read and modify, and full control, rather than to individual accounts
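As an added example (not from the original article, and not Netwrix's or TruStack's code), the following script checks a share against the permissions principles above. It parses the text output of the Windows `icacls` command, using a constructed sample in place of a real share, and flags access-control entries that give broad groups such as Everyone or Authenticated Users write-capable rights. The list of broad principals, the rights codes treated as write-capable and the share path `D:\Finance` are assumptions made for the example.

```python
"""Audit NTFS permissions for over-broad write access.

Added example, not from the original article or from Netwrix/TruStack.
It parses the text output of the Windows `icacls` command and flags
access-control entries that grant write-capable rights to broad groups.
The sample output below is constructed, not captured from a real server.
"""
import re
import subprocess
from typing import NamedTuple

# Principals that effectively mean "every user" (assumed list for the example).
BROAD_PRINCIPALS = {"everyone", r"nt authority\authenticated users", r"builtin\users"}
# Any domain group literally named "Domain Users" counts as broad too.
BROAD_SUFFIXES = {r"\domain users"}

# icacls simple rights (F, M, W, D) and specific rights that allow changing data.
WRITE_RIGHTS = {"F", "M", "W", "D", "WD", "AD", "WEA", "DC", "DE", "WDAC", "WO"}

# "principal:(OI)(CI)(M)" -> principal plus the parenthesised groups.
ACE_RE = re.compile(r"^(?P<principal>[^:]+?):(?P<groups>(?:\([A-Za-z,]+\))+)$")

# Constructed sample: what `icacls D:\Finance` might print for a finance share.
SAMPLE_ICACLS = r"""D:\Finance NT AUTHORITY\SYSTEM:(OI)(CI)(F)
           BUILTIN\Administrators:(OI)(CI)(F)
           CORP\Finance-RO:(OI)(CI)(RX)
           CORP\Finance-RW:(OI)(CI)(M)
           NT AUTHORITY\Authenticated Users:(I)(OI)(CI)(M)
           Everyone:(OI)(CI)(R)
           CORP\Domain Users:(OI)(CI)(W)

Successfully processed 1 files; Failed processing 0 files
"""


class Finding(NamedTuple):
    principal: str
    rights: str
    inherited: bool


def parse_icacls(output: str, path: str) -> list[tuple[str, list[str]]]:
    """Return (principal, [flag groups]) for each ACE in icacls output for `path`.

    Assumes `path` is spelled exactly as icacls prints it on the first line.
    """
    aces = []
    for line in output.splitlines():
        line = line.strip()
        if not line or line.startswith("Successfully processed"):
            continue
        if line.startswith(path):          # first ACE line is prefixed with the path
            line = line[len(path):].strip()
        m = ACE_RE.match(line)
        if not m:
            continue
        groups = re.findall(r"\(([A-Za-z,]+)\)", m.group("groups"))
        aces.append((m.group("principal").strip(), groups))
    return aces


def is_broad(principal: str) -> bool:
    p = principal.lower()
    return p in BROAD_PRINCIPALS or any(p.endswith(s) for s in BROAD_SUFFIXES)


def grants_write(rights: str) -> bool:
    """True if any right in a comma-separated icacls rights group allows writes."""
    return any(code in WRITE_RIGHTS for code in rights.split(","))


def audit(output: str, path: str) -> list[Finding]:
    """Flag ACEs that give a broad principal write-capable access."""
    findings = []
    for principal, groups in parse_icacls(output, path):
        if "DENY" in groups:
            continue                      # deny entries only remove access
        rights = groups[-1]               # the last group is the permission set
        inherited = "I" in groups         # (I) marks an inherited ACE
        if is_broad(principal) and grants_write(rights):
            findings.append(Finding(principal, rights, inherited))
    return findings


def audit_path(path: str) -> list[Finding]:
    """Run icacls on a live share (Windows only) and audit its output."""
    out = subprocess.run(["icacls", path], capture_output=True, text=True, check=True)
    return audit(out.stdout, path)


if __name__ == "__main__":
    for f in audit(SAMPLE_ICACLS, r"D:\Finance"):
        print(f"broad write access: {f.principal} has ({f.rights})"
              + (" [inherited]" if f.inherited else ""))
```

On the constructed sample the script reports Authenticated Users (modify, inherited from the parent) and Domain Users (write); Everyone is left alone because read-only access is not what lets ransomware encrypt the share. Run `audit_path(r"\\fileserver\Finance")` on a real server and walk the share tree with `icacls /T` if you also want to catch sub-folders where inheritance was broken.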

Netwrix, for example, is one of many products that can assist with all of the above.

Near-Line Storage/Back-Up

Near-line storage, or near-line backup, is a target that is always online and quick to recover from. This could range from a server, to a NAS, to a purpose-built platform that offers benefits such as hardware compression or deduplication. The typical use case is a user who has deleted a file and needs it recovered quickly.

Physically securing these devices is sensible, and, as with the data at the core, you should follow similar principles:

  • Access to the backup repository should always be explicitly configured and restricted, rather than left at the defaults
  • Do not use default admin accounts; use a dedicated account for the backup service
  • Lock down firewalls so that only the backup server can reach the repository, and only on the ports it needs
  • Avoid domain joining the devices, so that a compromised domain account cannot be used to log onto the repository and delete the backups

Offsite Backup

Offsite backup targets include cloud-based object storage, a backup target hosted in another building, or rotated hard drives.

This offsite backup is your insurance policy should anything happen to your data and to the near-line backups mentioned previously.

Depending on where this data is stored, it can offer additional protection from ransomware and other malicious attacks. If someone has compromised your server and deleted the backups, what do you do?

You could use a third-party backup target. These targets can help to protect your data even from a ransomware attack or an internal threat, because the copy is held outside the environment the attacker controls and cannot be deleted with the credentials they have obtained there. Many vendors offer this type of service, normally shortened to BaaS, or backup as a service. Vendors that we use include Veeam and Datto.

Air-Gap Backups

Air-gapped backups are completely off the network and not online, so nobody can log onto the device over the network and delete the data on it. Tape is the most common example and is still used frequently today.

However, with tape backups you still need to consider how the tapes are stored should the worst happen. At a minimum they should be kept in a fireproof safe, and preferably off-site. Remember also that a tape is only air-gapped once it has been ejected; a tape still sitting in the library is reachable by the backup server and therefore by anyone who controls it.

Also remember that tape does not last forever if you use it for archiving, and LTO drives only work with a limited range of earlier generations: historically a drive could read tapes from the two previous generations and write to the previous one, and from LTO-8 onwards drives support only the immediately preceding generation. Plan to migrate archived tapes before the hardware that can read them disappears.

Snapshots

SAN snapshots are not backups, because they live on the same array as the volumes they protect; however, many SANs now offer the ability to snapshot their volumes for a quick rollback. If the worst happens, and as a last resort, rolling a SAN volume back to a snapshot taken in a known good state could be exactly what is needed. Snapshots are managed at the array level and are not presented to the servers that run from those volumes, so an attacker who has compromised a server cannot manipulate or delete them without also gaining access to the SAN's management interface.

Securing access to the SAN, and in particular to its management interface, should follow the same precautions as mentioned previously.

Remember, a backup is only as good as the last time it was tested, so perform test restores regularly and verify that the restored data is complete and matches what was backed up.
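As an added example of what "testing a backup" means in practice (this is not code from the original article or from any backup vendor), the script below records a SHA-256 manifest of the source data when the backup is taken, restores the backup into a scratch directory and compares every file against that manifest, reporting anything missing, extra or changed. The source tree, the tar archive used as the "backup" and the damaged second backup are all constructed in a temporary directory so it runs offline; against a real repository you would restore from the vendor's tooling and keep the manifest alongside the backup job.

```python
"""Test-restore verification: prove that a backup restores intact.

Added example, not from the original article or any vendor's tooling.
The source tree and backups are constructed in a temporary directory.
"""
import hashlib
import tarfile
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map each file's path relative to `root` to its SHA-256 digest."""
    return {p.relative_to(root).as_posix(): sha256_file(p)
            for p in sorted(root.rglob("*")) if p.is_file()}


def backup(root: Path, archive: Path) -> dict[str, str]:
    """Archive `root` and return the manifest recorded at backup time."""
    manifest = build_manifest(root)
    with tarfile.open(archive, "w:gz") as tar:
        tar.add(root, arcname=".")
    return manifest


def verify_restore(archive: Path, manifest: dict[str, str]) -> dict[str, list[str]]:
    """Restore into a scratch directory and diff it against the manifest."""
    with tempfile.TemporaryDirectory() as scratch:
        dest = Path(scratch)
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(dest, filter="data")  # rejects absolute/.. members (Py 3.12+, backported)
            except TypeError:
                tar.extractall(dest)
        restored = build_manifest(dest)
    return {
        "missing": sorted(set(manifest) - set(restored)),
        "extra": sorted(set(restored) - set(manifest)),
        "changed": sorted(k for k in manifest.keys() & restored.keys()
                          if manifest[k] != restored[k]),
    }


def demo() -> tuple[dict[str, list[str]], dict[str, list[str]]]:
    """Constructed scenario: one healthy backup and one damaged one."""
    with tempfile.TemporaryDirectory() as work:
        src = Path(work) / "source"
        (src / "accounts").mkdir(parents=True)
        (src / "accounts" / "ledger.csv").write_text("id,amount\n1,100\n")
        (src / "readme.txt").write_text("finance share\n")

        good = Path(work) / "good.tar.gz"
        manifest = backup(src, good)          # manifest taken at backup time
        clean = verify_restore(good, manifest)

        # Simulate a damaged backup: one file encrypted, one file gone,
        # as you would see if the job ran after ransomware had hit the source.
        (src / "accounts" / "ledger.csv").write_bytes(b"\x00encrypted\x00")
        (src / "readme.txt").unlink()
        bad = Path(work) / "bad.tar.gz"
        with tarfile.open(bad, "w:gz") as tar:
            tar.add(src, arcname=".")
        damaged = verify_restore(bad, manifest)
    return clean, damaged


if __name__ == "__main__":
    clean, damaged = demo()
    print("healthy backup:", clean)
    print("damaged backup:", damaged)
```

The healthy restore reports nothing; the damaged one reports `readme.txt` as missing and `accounts/ledger.csv` as changed. The important design point is that the manifest is recorded when the backup is taken and stored somewhere the backup job cannot overwrite, so a restore is compared against what the data looked like then, not against whatever happens to be on the production server now.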

For more information on Data Protection and the services that TruStack can provide, please feel free to call us on 0191 250 3000 or email on [email protected]
