Encryption, immutability, tape, and third-party key management are among measures to keep data backups safer. You need to see your backups the way bad actors do: an invaluable resource that can be turned against your organization if you don’t protect them correctly. Ransomware attacks focus on backup servers to either encrypt their data so they can’t restore other systems or to capture company IP and use it for extortion. Neither is a good outcome, so do everything you can to protect your backup data. Here’s how. Encrypt backups Encrypted backup data cannot be used to extort your company. Attackers might be able to exfiltrate it, but it will be useless without the keys. Encryption technology has evolved to a point that this can be handled with relative ease, allowing you to encrypt all backups wherever they are stored. Use third-party key management Reduce the likelihood that the bad actors will get their hands on both the encrypted data and the keys necessary to decrypt it by using a third-party key management system. It will likely cost more than key management that’s built into your backup system, but it’s well worth considering, especially if your system stores its keys inside a database that is encrypted only with the Windows machine key. That key is far too easy for adversaries to access once they manage to escalate privileges, and once it is accessed, your encryption keys are vulnerable. Do not store backups as files This recommendation is less obvious than the others but may be the most important. Bad actors can’t encrypt, delete, or exfiltrate backups they cannot see as files, so don’t give them that option. This includes locally attached disk arrays formatted as the F: drive or a deduplication appliance mounted via NFS or SMB. Instead, ask your backup-software or deduplication vendor for a more secure way to connect the two. It’s best to have this conversation before you buy, but most products have a way to do this. Store backups on a different operating system Most backup systems have the concept of media servers or storage servers where backups are stored. They should be running a different operating system, especially if your main backup server is Windows, which is often a target for ransomware attacks. Storing backups on a different OS helps build an air gap to protect the backups. Use immutable on-premises storage If your backup software supports it, use Linux’s immutability flag on your backups. When it’s enabled, nobody—attackers included—can delete backup files once they’re written, so it offers some protection. One important thing to note, however, is that this feature is easily disabled by anyone with root, so a bad actor with escalated privileges can unset the flag and delete backups. Copy to tape or RDX Tape is getting a resurgence in popularity because it is impervious to electronic attacks if it’s offline. The same is true of RDX, the removable disk-drive technology that behaves a little like tape. If you have the time to write a copy to tape and send it offsite, a hacker is going to have a hard time getting ahold of it. Create a copy on immutable cloud storage Unlike tape or on-premises storage with immutable features, cloud storage can be truly immutable. If you set the full immutable flag when copying backups to the cloud, even the cloud admin can’t delete it; the flag will automatically delete itself once the retention period passes. You should also configure your S3 buckets so they can only be written to by your backup application. Related content news Broadcom to lay off over 1,200 VMware employees as deal closes The closing of VMware’s $69 billion acquisition by Broadcom will lead to layoffs, with 1,267 VMware workers set to lose their jobs at the start of the new year. By Jon Gold Dec 01, 2023 3 mins Technology Industry Mergers and Acquisitions news analysis Cisco joins $10M funding round for Aviz Networks' enterprise SONiC drive Investment news follows a partnership between the vendors aimed at delivering an enterprise-grade SONiC offering for customers interested in the open-source network operating system. By Michael Cooney Dec 01, 2023 3 mins Network Management Software Network Management Software Network Management Software news Cisco CCNA and AWS cloud networking rank among highest paying IT certifications Cloud expertise and security know-how remain critical in building today’s networks, and these skills pay top dollar, according to Skillsoft’s annual ranking of the most valuable IT certifications. Demand for talent continues to outweigh s By Denise Dubie Nov 30, 2023 7 mins Certifications Certifications Certifications news Mainframe modernization gets a boost from Kyndryl, AWS collaboration Kyndryl and AWS have expanded their partnership to help enterprise customers simplify and accelerate their mainframe modernization initiatives. By Michael Cooney Nov 30, 2023 4 mins Mainframes Cloud Computing Data Center Podcasts Videos Resources Events NEWSLETTERS Newsletter Promo Module Test Description for newsletter promo module. Please enter a valid email address Subscribe