Backup Security

[Gerard]

With all the ransomware going on in the world, how can we protect our backups even more? I have two NAS systems in two different physical locations. They both utilize hyper backup and send a complete backup to the opposing NAS. For each hyper backup task, you need to specify the target and a user name and password. I use a separate user name and password for my hyper backup task, although this user name and password is the same at both locations. This HB user's permissions is deny all folders and applications, with the exception of the shared folder of where the backups are going to and access to hyper backup vault.

I'm not sure how hyper backup is coded, but I would assume this user needs read/write permission to the destination shared folder. If that is the case, and this HB user is ever compromised, doesn't it have the authority to delete the backups too? If the HB was ever compromised, since it has read/write permission, couldn't a ransomware attack also take down the backup?

How are you set up?

 

[EAZ1964]

You are right With the observations.
my 10cents:
Using the same name and password does increase the risk of hacking both systems.
I do shut down both sides according to schedule in hours that NAS are not used.
I do run a cloud based backup as 3rd layer of redundancy.

 

[Rusty]

How are you set up?

Snapshot Replication. Its backups are read-only.

 

[jeyare]

How do I replicate snapshots to a remote Synology NAS? - Synology Knowledge Center

Synology Knowledge Center offers comprehensive support, providing answers to frequently asked questions, troubleshooting steps, software tutorials, and all the technical documentation you may need.

kb.synology.com

 

[Gerard]

Snapshot Replication. Its backups are read-only.

So on top of doing a hyper backup offsite task, include snapshot replication as well. I get it, but then isn’t the space used being occupied twice by the shared folders; once in HB and once in SR?

 

[Rusty]

isn’t the space used being occupied twice

Indeed. But then again, are we saving data here or NAS space ?

 

[Gerard]

Indeed. But then again, are we saving data here or NAS space ?

True, but it’s as if you’re doing double the work. Just wish if I was making a backup, it’s one backup and not have to circumvent and add additional measure just to get a safe backup. For instance why can’t they make the hb a read only, then you have it all in one spot. Or use snapshot replication but take a snapshot of the whole nas including configuration, packages and other settings.

 

[Rusty]

Just wish if I was making a backup, it’s one backup and not have to circumvent and add additional measure just to get a safe backup.

I hear you.

why can’t they make the hb a read only

One way to do it is to push that back up to their C2 cloud (maybe an option for you)?

take a snapshot of the whole nas including configuration, packages and other settings

Coming with DSM7.1 as part of Active Backup for Business.

 

[Gerard]

Coming with DSM7.1 as part of Active Backup for Business.

I knew it was coming in 7.1, but is this really in active backup? Or did you mean hyper backup?

One way to do it is to push that back up to their C2 cloud (maybe an option for you)?

I’m not a fan of leveraging the cloud and rather store, house, and manage the data on my level. This is even more evident with the recent Kronos cloud ransomeware attack. Some of these employers/organizations have everything in the cloud and it’s essentially gone now. I’m also not a fan of paying the reoccurring subscription service fee. Despite the data being encrypted at rest, who has access to those files, what rogue employee can take it with them upon separation.

 

[Rusty]

I knew it was coming in 7.1, but is this really in active backup? Or did you mean hyper backup?

I didn't mean HB, its ABB.

You can read on it a bit in the article here (Data Protection section). There are screens of the recovery process and in the last image in the fine print, you will see that the wizard is connected to the ABB instance.

’m not a fan of leveraging the cloud and rather store, house, and manage the data on my level. This is even more evident with the recent Kronos cloud ransomeware attack. Some of these employers/organizations have everything in the cloud and it’s essentially gone now. I’m also not a fan of paying the reoccurring subscription service fee. Despite the data being encrypted at rest, who has access to those files, what rogue employee can take it with them upon separation.

All fair points. It was just an idea. Guess you will have to compromise then.

 

[Gerard]

I didn't mean HB, its ABB.

You can read on it a bit in the article here (Data Protection section). There are screens of the recovery process and in the last image in the fine print, you will see that the wizard is connected to the ABB instance.

I guess it’s in ABB because they’re leveraging bare metal restore.

 

[Gerard]

I guess it’s in ABB because they’re leveraging bare metal restore.

This will actually be interesting to see when it rolls out. ABB images can only be stored to the local nas abb folder (I believe). If you use hb or even snapshot rep to ship this backup offsite, can you restore your nas using that offsite backup file?

 

[Rusty]

If you use hb or even snapshot rep to ship this backup offsite, can you restore your nas using that offsite backup file?

If the mechanics of ABB will remain the same, then you will be able to use SR to replicate the content and restore as needed from a secondary location as well. SR with AB4M365 or ABB works that way as well.