Multi-Tiered Company Backup in the Ransomware Age

You need to backup your data in more than one place, but choosing which place makes a big difference.

You already know that you need to backup your data. Chances are you're already doing it. For some organizations, that may mean an external hard drive attached to a computer. For others, it may mean a file server or a cloud service. However, the reality of what you need to really protect your organization is more than just one type of backup – you need to store your backup data on multiple devices in different places.

Adding to the urgency is the recent spike in ransomware and organized cyber-crime, so you need a robust backup strategy to provide a reasonable level of protection. That strategy needs to start with a plan.

For many organizations, a multi-tiered backup plan starts with the 3-2-1 strategy proposed by US-CERT (United States Computer Emergency Readiness Team). US-CERT recommends that you keep three copies of your important data, with one being your primary data (probably what's on the computer in daily use), a second using a different media type, and a third copy that's kept offsite.

For many organizations, including the smallest, this could mean the copy on the hard disk (or SSD) of the computer being used. The second copy could be on an attached USB storage device or perhaps on a file server in another room. The third copy could be in the cloud, or it could also be a copy on tape that's picked up regularly and stored in another location. [My colleague David Gewirtz wrote about some of the key considerations for cloud backup here.]

This is certainly a good start for most companies, but the reality is that it's no longer sufficient in the face of today's threats. Instead, what's really needed might best be described as a 3-2-1+1+E. This approach builds on the 3-2-1 approach, but it also protects against physical loss of the backups, and against compromise by ransomware. Here's how that all breaks down.

3 – The idea of having three copies of every important data file is still smart. Of the three, one will be on the primary computer so it can be used, or on a local server so that it has adequate performance.

2 – The second local copy of the file should be in a different place, but still readily available. This could be a local backup server, a local storage area network, or even an external drive. This is where you go when you accidentally delete a file or perhaps an entire folder. You can get the backup copy quickly and easily.

1 – The offsite backup of this third copy of your data needs to be really offsite, not just in another room. This is so your data is protected against a significant event, such as a fire, bad weather, or perhaps a broken pipe in the server room. A cloud service, such as AWS backup, or even something like Dropbox, will do. What matters is that it's not physically close to your office location. 

+1 – You need a second offsite location. This can be accomplished by configuring your cloud service to copy your backup to a second location, or you can have tapes transported to a secure location, along with having a cloud backup. You need this to protect against physical damage or loss to the first cloud location, which, with global warming, is an all-too-real possibility.

+E – All of this needs to be encrypted in transit and at rest. Fortunately, your cloud service may encrypt everything for you, but you need to make sure that the other copies are also encrypted, including the primary copies and the local backup copy. Windows, or another operating system, can do this for you.

While this may seem like a lot of fuss, it's really not that difficult to maintain once you have it set up (except, perhaps, arranging for the physical transport of those tapes). Your server operating system can be set up to perform the backups on a schedule that works for you, and the whole process can be automated.

However, for it all to work, you need to plan it out in advance. That means making sure you have enough local backup capacity, that you have redundancy in your internet access for the offsite backup, and that you're planning for growth in capacity requirements as backups accumulate.

Locally, that means having enough local storage to handle all of your backup files from all of your users. A good NAS server, such as the 40 Terabyte MyCloud available from Dell, is a good start, but be aware that you will probably need more than one. You'll also want to set up your backup so that older files are migrated to 'cold' storage or to the cloud, using a service such as AWS Glacier. Your server operating system can be configured to do this.

In addition, you're going to need to plan how you're going to manage capacity in your cloud storage, unless your budget can expand along with your gigabytes. You'll also need to track files that must be retrievable quickly for compliance reasons or for customer service.

So those are the steps for the plan. Decide how much data you're going to need to backup, how you're going to do the backup, and where all that data is going to be stored. Once you have that determination made, make sure the data is geographically dispersed and protected against ransomware and intruders. Fortunately, you now know the steps to take.