Automated Backups - At Scale
Best practices for data protection include periodic backups, done automatically, tested regularly, and stored remotely. But applying these practices is a trade off between security and convenience.
Protection against data loss
Data backup is fundamentally a risk management strategy. Using the swiss cheese analogy, individual flaws act like the holes in a slice of swiss cheese. As you stack them on top of each other, holes in one slice are covered by the adjacent slices.
As long as there isn’t a continuous hole from the top to the bottom, systems continue to perform as expected.
Backup systems were historically designed to prevent accidental loss of data or progress. Security was not generally a big concern and backups were given low priority.
Recently the risk equation has started to change. Malicious actors are deliberately trying to line up the holes in the cheese and cause damage. Security incidents are more common and are increasingly catastrophic to an organization’s ability to operate.
BackUpScale is designed to provide enterprise-grade backups to support legal, regulatory, and strategic needs for data integrity, archiving, and privacy, including protection against data loss due to attack.
Backed up files are:
- isolated from the servers they are protecting,
- encrypted, and
- append-only, preventing either corruption or deletion of archives (whether malicious or accidental).
The entire system is maintained using client software on the protected servers, which retain control of all communications.
Server side management
The software which manages the backups is resident on the servers to be backed up, so that all interactions are initiated on a “push” basis. This prevents attacks from being initiated on the remote end (one possible vector of attack in backup systems).
The client software provides an integrated solution for scheduling, encryption, and configuration.
All connections are made using dedicated security credentials.
Files are:
- selected
- snapshotted
- deduplicated
- encrypted
Backups using this system can also include scheduled dumps of databases.
The entire process is run periodically so that there is no need for manual intervention, except when restoring from backups.
Minimization of size
Deduplication of data minimizes the size of the backups, reducing the cost of storage while maintaining long-term persistence of older data.
As part of the integrity of the system, older backups cannot be deleted (to prevent their loss in the event of an attack on the customer servers). Deduplication is a particularly useful feature, since it prevents the size of the backups from scaling unnecessarily with multiple copies of the same (unchanged) files.
Protection against ransomware
If you experience a ransomware attack, the last thing in the world you want them to tamper with is your backups.
The architecture for BackUpScale is designed to prevent backup tampering. Even if the servers to be backed up are entirely compromised with malicious software, the configuration of BackUpScale prevents any modification of existing backups. They can be counted on to securely restore your servers to the state they were in before the attack.
Because snapshots are saved in append-only mode, they cannot even be altered by compromised customer servers if this were to happen. While these devices can certainly continue pushing new versions of the backup data, they cannot modify existing ones.
Canadian storage
As a Canadian-based company, Consensus Enterprises is keenly aware of the need to provide domestic data solutions for their clients. We include the option of using servers located in Canada for both the BackUpScale server and the remote storage of the back up files.