I woke up this morning, walked outside, stared directly into the sun, and a chill ran down my spine. “World Backup Day is almost here again,” I whispered to myself, freaking out some neighbors and a squirrel. Last year, I attempted to share “Four Tips for Data Backup,” and let me tell you, upon review of this blog, a lot has changed. I’m not saying that backup copies, immutability, testing, and verification are no longer necessary; they absolutely are. Unfortunately, what has changed is that backup admins now require even more time, expertise, and energy to ensure they can always recover from any scenario, no matter what. 

This year, I wanted to enhance some of the tips I shared last year and mix some spicy new ones to help all backup-minded individuals find the peace of mind they deserve. Consider this blog an amendment to the previous World Backup Day constitution.  

Zero Trust: You Need It for Backup 

Zero Trust represents a massive shift in how IT and Ops manage security. Rather than relying on traditional perimeter-based models, zero trust assumes that no user or device should be inherently trusted, regardless of location or network. While this approach is doing the work to make general IT more secure, it hasn’t been appropriately applied to backup. That’s why Veeam and Numberline recently published their Zero Trust Data Resilience research. 

This paper addresses the critical challenge of safeguarding data and networks from malicious actors, particularly against ransomware and data exfiltration attacks. Because the widely adopted Zero Trust strategy lacks comprehensive data backup and recovery guidelines, the authors propose a new concept: Zero Trust Data Resilience. This framework emphasizes the need for data backup systems that provide immutable storage, contextual authentication, and strong access controls. By implementing this approach, enterprises can better protect their data, networks, and applications against threats, enhancing overall security and resilience. 

Here’s how Zero Trust Data Resilience levels up security for backups: 

  • Separation: Segmenting backup systems and storage tiers into distinct resilience zones reduces the blast radius in case of breaches. 

  • Immutable Backup Storage: Ensuring backup data cannot be modified—even during a ransomware attack—enhances resilience. 

  • Zero Access: Reducing the attack surface by eliminating access to unneeded services and infrastructure delivers core solution value and eliminates risk.  

Encryption: Shielding Backup Data from Prying Eyes 

Backup data encryption is crucial for maintaining confidentiality. As we have seen, attackers go after the backups and backup storage first. If we assume that in a real breach they have access to everything, then it's also safe to assume they have access to your backup data. Whether they can delete it depends on your immutability (more on that in a minute), but they can exfiltrate it and pore over the information housed within the backup. Company secrets, PII, source code, and any number of sensitive and, more importantly, private things are no longer private. 

Implementing end-to-end encryption ensures that from the moment data starts moving into the backup chain, it is encrypted and unrecognizable to anyone without the key, an essential step against those who might be watching your internal traffic. Furthermore, Zero-Knowledge Encryption can take it to the next level by masking keys and ensuring that proper control over the encryption keys is maintained, which helps stop breaches that go beyond software compromise and into compromised human behavior. 

Utilizing encryption when backing up data might have seemed overkill ten years ago, but today, it’s mandatory.  

Here’s how using encryption helps data protection: 

  • Data Privacy: Encrypting backup data ensures that even if unauthorized parties gain access, they cannot decipher the content. 

  • End-to-End Encryption: Implement encryption across the entire backup lifecycle—from creation to storage and transmission. 

  • Zero-Knowledge Encryption: With this approach, service providers do not know the encryption keys, enhancing privacy. 
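The following is an added example, not code from this post, from Object First, or from Veeam, showing what "encrypted before it enters the backup chain, with keys the provider never sees" looks like in practice: a client-side AES-256-GCM seal of one backup chunk, with the object name bound in as additional authenticated data so a swapped or bit-flipped chunk is rejected on restore. The key, object name, and chunk contents are constructed sample values; in a real deployment the key comes from the backup owner's key management system and stays on the client side.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Constructed sample key (32 bytes = AES-256). In a real deployment the key is
// generated and held by the backup owner's key management system and is
// never handed to the storage provider; that separation is the point.
var sampleKey = []byte("0123456789abcdef0123456789abcdef")

// ErrTampered is returned when a chunk, or the context it was sealed under,
// fails authentication.
var ErrTampered = errors.New("backup chunk failed authentication")

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptChunk seals one backup chunk with AES-256-GCM before it leaves the
// client. The object name is bound in as additional authenticated data, so a
// valid chunk cannot be quietly swapped into another object's slot.
// Output layout: nonce || ciphertext || tag.
func EncryptChunk(key []byte, objectName string, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, []byte(objectName)), nil
}

// DecryptChunk reverses EncryptChunk and fails closed on any modification of
// the ciphertext, the tag, or the object name it was sealed under.
func DecryptChunk(key []byte, objectName string, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, ErrTampered
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	pt, err := gcm.Open(nil, nonce, ct, []byte(objectName))
	if err != nil {
		return nil, ErrTampered
	}
	return pt, nil
}

// RoundTripResult records the three outcomes a backup admin should expect.
type RoundTripResult struct {
	Restored       bool // clean restore returns the original bytes
	TamperDetected bool // a bit flip in stored ciphertext is rejected
	RenameDetected bool // the chunk presented under another object name is rejected
}

// RoundTrip runs the three checks against constructed sample data.
func RoundTrip() (RoundTripResult, error) {
	var r RoundTripResult
	name := "backups/job42/chunk-0001.bin" // constructed object name
	data := []byte("constructed backup chunk: PII, secrets, source code")

	sealed, err := EncryptChunk(sampleKey, name, data)
	if err != nil {
		return r, err
	}
	pt, err := DecryptChunk(sampleKey, name, sealed)
	if err != nil {
		return r, err
	}
	r.Restored = string(pt) == string(data)

	flipped := append([]byte(nil), sealed...)
	flipped[len(flipped)-1] ^= 0x01 // corrupt one bit of the authentication tag
	_, err = DecryptChunk(sampleKey, name, flipped)
	r.TamperDetected = errors.Is(err, ErrTampered)

	_, err = DecryptChunk(sampleKey, "backups/job42/chunk-0002.bin", sealed)
	r.RenameDetected = errors.Is(err, ErrTampered)
	return r, nil
}

func main() {
	r, err := RoundTrip()
	if err != nil {
		panic(err)
	}
	fmt.Printf("restored=%v tamperDetected=%v renameDetected=%v\n",
		r.Restored, r.TamperDetected, r.RenameDetected)
}
```

Because the storage side only ever receives the sealed bytes, a provider (or an attacker who has taken over the provider's side) can copy the backup but cannot read it, and because GCM authenticates the ciphertext and the object name together, a chunk that was modified or relocated in storage fails on restore instead of silently producing wrong data.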

Immutability: Ransomware-proof Your Backups 

Immutable backup storage prevents changes or deletions to data once stored; if you frequent this blog (or this website), you already know how vital immutability is, and we talked about this in last year’s blog. What has changed is that we have heard many different stories about “types of immutability” or “true immutability,” and I thought it’d be worth spending a minute breaking down these claims.  

Immutability comes in two flavors, governance and compliance, and as the names suggest, they are not equal. Immutability in governance mode means that there is still an administrative entity that can alter the data. But who governs the governor? This question may sound insulting to your local IT admin, but in truth, immutability in governance mode fails against a compromised admin, which is the most dangerous entity an IT org could face. Ensure your immutable storage defaults to compliance mode. In compliance mode, not even the most privileged user can alter the data, which guarantees recoverability no matter what. 

Here’s why immutability matters: 

  • Ransomware Resilience: Immutable backups thwart ransomware attacks by ensuring attackers cannot alter or delete critical data. 

  • Compliance and Audit Trails: Immutability provides an unalterable record of data changes, which is essential for regulatory compliance. 

  • 3-2-1-1 Backup Rule: Consider updating the classic 3-2-1 backup rule by adding an extra ‘1’—immutable storage. This means having three copies of data (on-premises, cloud, and offsite) and one immutable copy. 
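To make the governance-versus-compliance distinction concrete, here is an added example (not code from this post, Object First, or Veeam) that audits a bucket's S3 Object Lock configuration and models the deletion decision S3 makes for a locked object version. The two JSON documents are constructed samples in the shape that `aws s3api get-object-lock-configuration` returns; the `Principal` type and the `CanDeleteLockedVersion` function are this example's own model of the rule that governance mode can be bypassed by a principal holding `s3:BypassGovernanceRetention`, while compliance mode cannot be bypassed by anyone, the account root included.

```go
package main

import (
	"encoding/json"
	"fmt"
	"time"
)

// Constructed samples. The JSON shape follows what
// `aws s3api get-object-lock-configuration --bucket <name>` returns.
const sampleGovernanceConfig = `{
  "ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": { "DefaultRetention": { "Mode": "GOVERNANCE", "Days": 30 } }
  }
}`

const sampleComplianceConfig = `{
  "ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": { "DefaultRetention": { "Mode": "COMPLIANCE", "Days": 30 } }
  }
}`

type lockConfig struct {
	ObjectLockConfiguration struct {
		ObjectLockEnabled string `json:"ObjectLockEnabled"`
		Rule              struct {
			DefaultRetention struct {
				Mode  string `json:"Mode"`
				Days  int    `json:"Days"`
				Years int    `json:"Years"`
			} `json:"DefaultRetention"`
		} `json:"Rule"`
	} `json:"ObjectLockConfiguration"`
}

// AuditObjectLock parses a bucket's Object Lock configuration and returns
// one finding per weakness. An empty slice means the bucket defaults to
// compliance mode with a non-zero retention period.
func AuditObjectLock(raw string) ([]string, error) {
	var cfg lockConfig
	if err := json.Unmarshal([]byte(raw), &cfg); err != nil {
		return nil, err
	}
	findings := []string{}
	c := cfg.ObjectLockConfiguration
	if c.ObjectLockEnabled != "Enabled" {
		findings = append(findings, "Object Lock is not enabled on this bucket")
	}
	dr := c.Rule.DefaultRetention
	switch dr.Mode {
	case "COMPLIANCE":
		// nothing to report: no principal can shorten or remove the lock
	case "GOVERNANCE":
		findings = append(findings, "default retention is GOVERNANCE: any principal holding s3:BypassGovernanceRetention can shorten or remove it")
	default:
		findings = append(findings, "no default retention rule: new objects are only locked if the writer sets retention per object")
	}
	if dr.Mode != "" && dr.Days == 0 && dr.Years == 0 {
		findings = append(findings, "default retention period is zero")
	}
	return findings, nil
}

// Principal models who is asking to delete a locked object version.
type Principal struct {
	Name                string
	IsAccountRoot       bool // does not help in compliance mode
	CanBypassGovernance bool // holds s3:BypassGovernanceRetention
}

// CanDeleteLockedVersion mirrors the Object Lock decision: before the
// retain-until date, governance mode yields to a permitted bypass,
// compliance mode yields to nobody, account root included.
func CanDeleteLockedVersion(mode string, p Principal, now, retainUntil time.Time) bool {
	if !now.Before(retainUntil) {
		return true // retention has expired; ordinary permissions apply
	}
	switch mode {
	case "COMPLIANCE":
		return false
	case "GOVERNANCE":
		return p.CanBypassGovernance
	default:
		return true // no lock on this version
	}
}

func main() {
	for name, raw := range map[string]string{"governance": sampleGovernanceConfig, "compliance": sampleComplianceConfig} {
		f, err := AuditObjectLock(raw)
		if err != nil {
			panic(err)
		}
		fmt.Printf("%s bucket: %d finding(s) %v\n", name, len(f), f)
	}
	// The "compromised admin" case from the text: full rights, root account.
	compromised := Principal{Name: "backup-admin", IsAccountRoot: true, CanBypassGovernance: true}
	now := time.Now()
	until := now.Add(30 * 24 * time.Hour)
	fmt.Println("compromised admin deletes under GOVERNANCE:", CanDeleteLockedVersion("GOVERNANCE", compromised, now, until))
	fmt.Println("compromised admin deletes under COMPLIANCE:", CanDeleteLockedVersion("COMPLIANCE", compromised, now, until))
}
```

Feeding the audit function the output of the real CLI call for each backup bucket turns "make sure it's in compliance mode" into a check that can run on a schedule; the governance sample produces exactly one finding, and the compliance sample produces none.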

Remember, World Backup Day serves as a reminder to prioritize data protection. Implementing zero trust, encryption, and immutability ensures your backups remain resilient against threats and disasters. Ootbi by Object First helps meet all of the principles we discussed today.  

Ootbi was built around the latest zero trust and data security principles, which assume that individuals, devices, and services attempting to access company resources are compromised and should not be trusted. Ootbi utilizes S3 Object Lock in compliance mode to enable immutability and runs its storage software on a hardened Linux operating system with a “zero access to root” policy. Due to its architecture and secure appliance form factor, Ootbi is inherently separated from the Veeam Backup & Replication server, creating the proper segmentation to ensure ransomware resiliency. Ootbi was also designed to empower Veeam Backup & Replication and supports Veeam’s standard block size and encryption by default. 

Request a demo today if you think it’s time to level up your backup storage strategy. If the attackers won't stop attacking, it’s time to establish an unbreakable defense.  
