Reviewing my backup strategy


Hi all,
I am currently reviewing my backup strategy, and I am not sure if it is OK or not. I also suspect myself to be over-thinking it. Would someone help me to review this strategy and challenge it?

Local setup
  • Several “clients” to back-up: Windows, MacOS, iOS, Android. Both local and remote.
  • DS920+ with 3*4Tb, Raid 5 configuration. “Production device”.
  • External 4To USB disk, permanently plugged to the DS920+.
  • DS115J for off-site backups (at my sister’s home), and for local Time Machine backups (sister’s Apple devices).
  • Cold DS115 (but functional, could run if needed)
Identified threats
| Threat | Mitigation strategy |
|---|---|
| Theft | Kensington locks... well, better than nothing. |
| Fire / Other destructive events | See backup strategy hereunder |
| Disk failure (up to one) | RAID 5 configuration |
| Client failure (PC, Mac, Android, iOS, …) | Using ABB, Time Machine, Moments |
| Ransomware or other file corruption problem | See backup strategy hereunder |

Not required: “high availability”. That's all for home use only. This includes valuable data for sure, but recovery can wait a few days if required.

Backup strategy:
  • Daily backups:
    • Local and remote devices to DS920+ using ABB, TimeMachine and Moments. (Remark: not using Drive’s backup service for now. Should I?).
    • DS920+ to external USB disk, using HB. Includes all folders and applications.
  • Weekly backups:
    • DS920+ to off-site DS115j with HB : all folders and applications.
    • Off-site DS115j to local DS920+ with HB : sister's off-site Time Machine folder only.


Remarks / Questions:
  • Most of my important documents are stored on Drive, using Team folders. It allows me to keep them synced between several devices. I consider them as safe thanks to the HB back-ups. Is that right?
  • All backups are encrypted (in case of theft). Encryption keys are kept securely, including off-site (in case of fire or other destructive event).
  • Biggest question mark for me is Ransomware mitigation: does the above-mentioned strategy protect me against that threat? I am not sure how they function, and Synology’s last video on that topic did not convince me completely. The question is: are HB-backups ransom-proof? Considering all my back-up devices are permanently hot (somehow connected to the internet), I am not sure to be fully protected. If a well designed ransomware would attack my DS920, couldn’t it spread to all my back-up disks and lock them too? How can I avoid that?
    I understand Snapshots would be the way to go, but the older DSs are not able to handle them. I could consider a C2 subscription, but I would prefer not if that's possible. Is HB really ransom-proof?
Thanks a lot for your time and help!
Looking forward to reading your comments!
 

Telos

My word is to consider Veeam instead of ABB. I've read of far too many ABB restore failures, and, its dependency on Synology is a "no go" for me ... in addition to the fact that Synology still has no static encryption capability (this has been in closed beta for quite some time).
 
Upvote 0

Rusty

> Most of my important documents are stored on Drive, using Team folders. It allows me to keep them synced between several devices. I consider them as safe thanks to the HB back-ups. Is that right?

HB will do the job here so no problem there.

> The question is: are HB-backups ransom-proof?

Considering that versioning is one feature that HB offers, that's the element that will save you. True, HB will back up encrypted files as well, but that doesn't mean it will kill the previous version (unless you have specified a small number of versions), so even if you are hit with ransomware, you will be able to restore back from a specific version and conquer ransomware that way.

> If a well designed ransomware would attack my DS920, couldn’t it spread to all my back-up disks and lock them too?

If your USB connection to your NAS is an active volume/mount point it will infect it as well. Also, any SMB mount from any other device on the network towards your NAS will also be encrypted if detected as a viable point from the ransomware perspective.

> I understand Snapshots would be the way to go, but the older DSs are not able to handle them

This is correct on both counts. Still, having a local snap on your 920 will make a huge impact on your data, and in case ransomware hits, you can use snaps to restore anything that was protected by it from the 920 device without using the HB restore. Also, even though the 115 can't use snaps, it still sends HB backups to your 920. So protecting that backup on your 920 with snaps will also be an added bonus, because even if data on the 115 gets corrupted, HB restore from the 920 will cover it, and on top of that, snaps will protect that HB backup as well.

So, you are covered from that front.

So again, the only potential "weak" point here is getting your 920 backups encrypted or damaged. Even though your 920 data is getting backed up to your 115, if 115 gets in any major trouble you lose that recovery point. So your local backups will have to cover you. That means USB backup and snaps.

One recommendation on that would be either to use one more USB backup that will hit a weekly backup and then disconnect that device from the 920, or use that same method plus snaps. Unhooked USB will be your ultimate disaster solution in case your 115 is in major trouble and your 920 data is corrupt as well. In a less problematic scenario, snapshots will cover 99% of your problems as long as there is no fire, multiple drive failures, etc. happening at the same time. HB will be second in line in case there is something major wrong with the 920, and in the end, USB (and unhooked USB) will be your final resort (in case you don't want C2 as one more "offsite" backup location).

I would suggest C2 for that absolute minimum of critical data to be used via HB as well, but that's just me.
 
Upvote 0
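An added illustration, not part of any post in this thread: a small Python model of the reply's point that retained versions only help if rotation has not already deleted every version written before the infection, and that a permanently mounted target is lost with the NAS. The target names, retention counts and day numbers are constructed assumptions; the model treats any version written on or after the infection day as unusable.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass
class Target:
    name: str
    interval_days: int   # one backup version is written every N days
    keep_versions: int   # rotation keeps only the newest K versions
    mounted: bool        # True: permanently attached and writable from the NAS

def clean_versions(t: Target, infected_day: int, detected_day: int) -> list[int]:
    """Days whose backup version is still retained and predates the infection."""
    if t.mounted:
        # Per the reply above: an active mount point is encrypted along with the NAS.
        return []
    written = list(range(0, detected_day + 1, t.interval_days))
    # Rotation: only the newest keep_versions entries still exist at detection time.
    kept = written[-t.keep_versions:] if t.keep_versions > 0 else []
    return [day for day in kept if day < infected_day]

def newest_clean(t: Target, infected_day: int, detected_day: int) -> Optional[int]:
    """Most recent restorable clean day, or None if no clean version survives."""
    days = clean_versions(t, infected_day, detected_day)
    return max(days) if days else None

# Constructed scenario: files start being encrypted on day 20, noticed on day 23.
INFECTED_DAY, DETECTED_DAY = 20, 23
TARGETS = [
    Target("USB, always attached, daily", 1, 30, mounted=True),
    Target("Off-site DS115j, weekly, 4 versions", 7, 4, mounted=False),
    Target("USB, unplugged after weekly run, 1 version", 7, 1, mounted=False),
]

def report() -> dict:
    """Newest clean restore point per target for the constructed scenario."""
    return {t.name: newest_clean(t, INFECTED_DAY, DETECTED_DAY) for t in TARGETS}

if __name__ == "__main__":
    for name, day in report().items():
        state = f"newest clean version from day {day}" if day is not None else "no clean version left"
        print(f"{name}: {state}")
```

In this scenario the unplugged disk holding a single version has no clean copy, because its only version was written on day 21, after the infection began; being offline protects the disk from being encrypted directly, not from backing up already-encrypted files.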
Thanks a lot for your feedback!

Just two complementary questions:
> having a local snap on your 920 will make a huge impact on your data, and in case ransomware hits

Do you mean a snap of the most critical 920's folders, stored on the 920 itself? How would that help? If my DS920 would be hit by a ransomware, wouldn't it encrypt the entire device and make that snap unusable? I either misunderstood your point, or misunderstand how ransomware and snaps work...

And any comment about Telos's input? I was looking forward to welcoming the Mac client for ABB, as I am not a big fan of Time Machine (backups are not overwriting themselves when the disk is full, some backups got corrupted and had to be renewed from scratch), etc. But Telos' arguments are interesting.

Thanks again and BR!
 
Upvote 0

Rusty

> How would that help? If my DS920 would be hit by a ransomware, wouldn't it encrypt the entire device and make that snap unusable? I either misunderstood your point, or misunderstand how ransomware and snaps work...

Correct on the 920 itself. Snaps are read-only.

> I was looking forward to welcome the Mac client for ABB, as I am not a big fan of Time Machine

Mac client is coming along (last info). I use Veeam professionally, but in a closed (local backup) never with encryption anyways. Still, ABB might include encryption at some point, so that will be a bonus.
 
Upvote 0
> Snaps are read-only.

Ok. That's where my understanding stops. I thought a ransomware would actually be able to "take control of the device", in a way allowing it to encrypt entire disks, without considering if the folders are read-only or read-write. For the same reason I cannot imagine how the recovery process could find the snaps in an entirely encrypted disk.

Anyway. Everyone says and writes Snaps are read-only and ransom-proof. So I'll just have to be confident and go for it. The other option would be to learn a new job, until I understand all these details ;)

Thanks again!
 
Upvote 0
