Ransomware is changing everyone’s thoughts about how backups should work. Put another way, many of the old ideas about backups are now back in vogue. One of those ideas is the 3-2-1 rule: enterprises should have three copies of their backups on two different media types, one of which is kept offsite. That offsite copy is what many of us call an “air gap”.
An “air gap” is a disconnected copy of data that prevents rolling disasters: it keeps things like ransomware from reaching all of your backups. The worst thing that could happen to a ransomware victim is for the ransomware to continue on to their backup server and then into their backup system, especially if that backup system is replicated.
Backup corruption can easily happen if you are running a modern data protection system that runs on Windows and backs up to local storage or to a backup target mounted via NFS/SMB. If malware that creeps around your data center – like the one that used RDP, for instance – reaches that backup server, the server itself becomes compromised. If that happens and your backups are accessible as a directory, they can easily be deleted or encrypted. And if the backups on your backup appliance are encrypted by the attacker, those changes will most likely be replicated to the replica copy of that data as well.
An air gap can stop this, and there are two ways to have an air gap: electronic and physical. You can put an electronic air gap between your backup server and backup storage by making sure that the latter is not accessible via NFS or SMB. The only way to do this is to use the special APIs designed by the backup software companies. These APIs were typically built for performance, but they have the side benefit of keeping the backup storage off the file-sharing protocols. If the backup storage uses a different authentication mechanism – and hopefully an operating system not based on Windows – and the data on it cannot be found by a network search for open file shares, then you have created an electronic air gap between your backup data and the attackers. Perhaps you could place the backup storage in a VPN that only allows communication over the ports the backup software APIs use, and perhaps the HTTP port to allow remote management, and disable RDP. The more you can secure that connection, the better.
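The electronic air gap described above can be checked rather than assumed. The following is an added example, not code from the original post: it audits the listening sockets on a backup-storage host (the table that `ss -tlnp` prints on Linux, here a constructed sample) and flags anything that would expose the backup data as a file share or remote desktop. The backup API port (9000) is an assumption for illustration; substitute the port your backup product actually uses.

```python
import re

# Constructed sample of `ss -tlnp` output; not captured from a real host.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*         users:(("sshd",pid=812,fd=3))
LISTEN 0      50     0.0.0.0:445         0.0.0.0:*         users:(("smbd",pid=1200,fd=14))
LISTEN 0      64     0.0.0.0:2049        0.0.0.0:*
LISTEN 0      128    0.0.0.0:9000        0.0.0.0:*         users:(("backupd",pid=1500,fd=6))
LISTEN 0      128    127.0.0.1:3389      0.0.0.0:*         users:(("xrdp",pid=1600,fd=9))
LISTEN 0      128    0.0.0.0:443         0.0.0.0:*         users:(("nginx",pid=1700,fd=5))
"""

# Services an air-gapped backup target must never offer: these are exactly
# what a scan for open file shares or remote desktops would find.
FORBIDDEN_PORTS = {445: "SMB", 139: "NetBIOS/SMB", 2049: "NFS",
                   111: "rpcbind (NFS)", 3389: "RDP"}

# Assumed policy: only the backup software's API port (9000, hypothetical)
# and HTTPS for remote management may face the network.
ALLOWED_PORTS = {9000, 443}

LINE_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+(?:\s+users:\(\("([^"]+)")?')


def parse_listeners(ss_output):
    """Yield (local address, port, process name or '?') per LISTEN line."""
    for line in ss_output.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.group(1), int(m.group(2)), m.group(3) or "?"


def audit_air_gap(ss_output, allowed=ALLOWED_PORTS):
    """Return a list of findings; an empty list means the policy holds."""
    findings = []
    for addr, port, proc in parse_listeners(ss_output):
        exposed = addr not in ("127.0.0.1", "::1")
        if port in FORBIDDEN_PORTS and exposed:
            findings.append(f"{FORBIDDEN_PORTS[port]} ({proc}) listening on {addr}:{port}")
        elif port in FORBIDDEN_PORTS:
            # Loopback-only is not exposed today, but the service should be gone.
            findings.append(f"{FORBIDDEN_PORTS[port]} ({proc}) bound to loopback only; remove it")
        elif exposed and port not in allowed:
            findings.append(f"unexpected service {proc} on {addr}:{port}")
    return findings


if __name__ == "__main__":
    for finding in audit_air_gap(SAMPLE_SS_OUTPUT):
        print(finding)
```

Run it against real `ss -tlnp` output on the storage host; an empty result means nothing on the box answers to the protocols ransomware uses to reach backups as plain files.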
But the only way to create a physical air gap is to copy something to removable media and send that media offsite. Generally speaking, this means tape. Unfortunately, not all backup appliances are capable of producing that tape.
Some would say that an electronic air gap isn’t really an air gap, and they’d be right: if it’s electronic, there’s always the chance that someone could access it digitally and damage it. Although technically, there is also a risk that someone could compromise your tape-based offline copy, using advanced social engineering techniques to get into your vault and access the tape. One could argue that this risk is lower than the risk to an online copy, and they’d be right. But there’s still a risk. These risks can be mitigated, but they cannot be removed.
We discuss all these issues in this video.
To learn more about a backup plan to protect against ransomware, view this whitepaper: