While scrolling through Spiceworks (an online community where IT professionals can collaborate and seek advice from one another), we found a post requesting options for offsite backups. We see questions like this (below) frequently and wanted to provide a thoughtful and helpful response. If you’re looking for offsite backup options, please take our response into consideration.
Nathan Golden – CloudBackupGuy https://community.spiceworks.com/people/nathan-managecast
Hey there C.J.
I don’t think you are going to find anything that absolutely prevents bad stuff from being included on the backups as 0-day attacks are often not detected until it’s too late. I do know Sophos makes a great end-point protection product and combined with their firewall offers pretty good defense, but it is not perfect. Nothing is. However, it is wise to do everything possible to keep from being infected such as regularly training your users not to click on bad things (knowb4.com), as well as advanced firewalls and end-point protection, etc. Backup is the last line of defense!
As others mentioned, with Veeam it is possible to run the restore through an AV engine. The idea is that once you’ve found you’ve been compromised you will hopefully find a way to detect the bad stuff. Maybe you need to wait for an updated AV signature, but the idea is once the AV has been updated you can run your restore through it and not restore infected files. Hopefully, only a few files had bad stuff and hopefully, you are restoring to a point in time before the malware has executed and done its thing.
The other issue that some are alluding to is how do you protect your past backups from being corrupted/deleted by the malware. A lot of folks will talk about “air gap”, meaning you physically separate your media from the network, which is a great way to protect your data from being compromised by ransomware – though realize air gap does nothing to stop you from backing up malware. However, I see a lot of people do the air gap but then don’t get data offsite frequently. So while negating one threat (ransomware), they are actually introducing additional risk. Personally, I think anything that relies on human intervention (like rotating media, etc.) is prone to error and failure.
Our solution is to use a Veeam certified immutable object-store. Yes, it’s still connected to the network, but protected by a different set of credentials and is a solution that is designed to provide unchanging read-only data, even by the network administrator. This maintains full automation and what I call a “virtual airgap”. This is on top of the protections offered by Veeam Insider Protection, etc., so you are really minimizing any risks.
As you said there are thousands of companies out there offering these types of services. My suggestion is to ask these questions when choosing an offsite solution:
1) Is the company 100% dedicated to backup and DR, or is it 1 of many different offerings?
2) Is the company a utility-type provider doing their best to keep their humans from interacting with you? They may provide a service, but little to no expertise – so know what you are doing.
3) Does the company offer Veeam (or other) certified immutable backup capabilities?
4) If you needed your data quickly, how fast can you get it? Is it download only or will they quick ship your data? Do they offer failover/DR services?
Hope this was helpful in your search.