Backup Security

With all the ransomware going on in the world, how can we protect our backups even more? I have two NAS systems in two different physical locations. They both utilize Hyper Backup and send a complete backup to the opposing NAS. For each Hyper Backup task, you need to specify the target and a user name and password. I use a separate user name and password for my Hyper Backup task, although this user name and password are the same at both locations. This HB user's permissions are deny all folders and applications, with the exception of the shared folder where the backups are going and access to Hyper Backup Vault.

I'm not sure how Hyper Backup is coded, but I would assume this user needs read/write permission to the destination shared folder. If that is the case, and this HB user is ever compromised, doesn't it have the authority to delete the backups too? If the HB was ever compromised, since it has read/write permission, couldn't a ransomware attack also take down the backup?

How are you set up?
 
You are right with the observations.
My 10 cents:
Using the same name and password does increase the risk of hacking both systems.
I do shut down both sides according to schedule in hours that the NAS are not used.
I do run a cloud-based backup as a 3rd layer of redundancy.
 
Indeed. But then again, are we saving data here or NAS space ;)?

True, but it’s as if you’re doing double the work. Just wish if I was making a backup, it’s one backup and not have to circumvent and add additional measures just to get a safe backup. For instance, why can’t they make the hb a read only, then you have it all in one spot. Or use snapshot replication but take a snapshot of the whole nas including configuration, packages and other settings.
 
Just wish if I was making a backup, it’s one backup and not have to circumvent and add additional measures just to get a safe backup.
I hear you.

why can’t they make the hb a read only
One way to do it is to push that backup to their C2 cloud (maybe an option for you)?

take a snapshot of the whole nas including configuration, packages and other settings
Coming with DSM7.1 as part of Active Backup for Business.
 
Coming with DSM7.1 as part of Active Backup for Business.

I knew it was coming in 7.1, but is this really in active backup? Or did you mean hyper backup?

One way to do it is to push that backup to their C2 cloud (maybe an option for you)?
I’m not a fan of leveraging the cloud and would rather store, house, and manage the data on my level. This is even more evident with the recent Kronos cloud ransomware attack. Some of these employers/organizations have everything in the cloud and it’s essentially gone now. I’m also not a fan of paying the reoccurring subscription service fee. Despite the data being encrypted at rest, who has access to those files, what rogue employee can take it with them upon separation?
 
I knew it was coming in 7.1, but is this really in active backup? Or did you mean hyper backup?
I didn't mean HB, it's ABB.

You can read on it a bit in the article here (Data Protection section). There are screens of the recovery process and in the last image in the fine print, you will see that the wizard is connected to the ABB instance.

I’m not a fan of leveraging the cloud and would rather store, house, and manage the data on my level. This is even more evident with the recent Kronos cloud ransomware attack. Some of these employers/organizations have everything in the cloud and it’s essentially gone now. I’m also not a fan of paying the reoccurring subscription service fee. Despite the data being encrypted at rest, who has access to those files, what rogue employee can take it with them upon separation?
All fair points. It was just an idea. Guess you will have to compromise then.
 
I didn't mean HB, it's ABB.

You can read on it a bit in the article here (Data Protection section). There are screens of the recovery process and in the last image in the fine print, you will see that the wizard is connected to the ABB instance.

I guess it’s in ABB because they’re leveraging bare metal restore.
 
I guess it’s in ABB because they’re leveraging bare metal restore.

This will actually be interesting to see when it rolls out. ABB images can only be stored to the local nas abb folder (I believe). If you use hb or even snapshot rep to ship this backup offsite, can you restore your nas using that offsite backup file?
 
If you use hb or even snapshot rep to ship this backup offsite, can you restore your nas using that offsite backup file?
If the mechanics of ABB will remain the same, then you will be able to use SR to replicate the content and restore as needed from a secondary location as well. SR with AB4M365 or ABB works that way as well.
 
