What’s the Diff: 3-2-1 vs. 3-2-1-1-0 vs. 4-3-2
Backblaze recently released a great article comparing data protection strategies, a topic our CEO, Gregory R. Tellone, discussed with Backblaze’s VP of Sales, Nilay Patel, in this VeeamON 2021 video.
The traditional 3-2-1 rule for protecting your backup data has been the industry standard for decades, and has proved sufficient for protecting against media failure and regional disasters. It no longer suffices, however, in the age of ransomware attacks. Today, we must protect not only against natural disasters and corruption of production data, but also against threat actors who intentionally target your backups along with your production data when they launch a ransomware campaign.
Network-isolated and immutable backups with Veeam and Continuity Centers ensure such protection.
Here are some additional tips on how to protect your backups:
- Whether you use Veeam or Continuity Centers or any other backup product or service, unjoin your backup servers from your Active Directory domain, ensuring threat actors cannot access your backups with your compromised domain credentials.
- Veeam v11 backup operators do not require the server administrator role on the Veeam management server. Create unique, non-administrator local accounts on the Veeam server for each of your IT staff to manage backups.
- Disable RDP on your Veeam server. Have your IT staff install the Veeam Management Console locally on each of their workstations.
- Put your Veeam server(s) on an isolated network, allowing only the required inbound/outbound ports, for example management port 9392 from your IT staff’s desktops.
- Enable the firewall on your Veeam server(s), allowing only the required inbound/outbound ports.
- Enable two-factor authentication (2FA) on your Veeam repositories.
- If you are using a Windows repository for Veeam, switch to a Linux Security Hardened Repository with immutability. IMMEDIATELY.
- At a minimum, make sure you are sending backups offsite to a Veeam Service Provider who stores multiple, geographically diverse, immutable backup copies, especially if you are still using a Windows repository for your local backups.
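
A read-only audit of a Windows Veeam server against four of the tips above (domain membership, RDP, firewall state, exposure of port 9392). This is an added example, not code from Veeam, Backblaze, or Continuity Centers; it assumes an elevated PowerShell 5.1+ session run locally on the backup server, and the variable names are illustrative.

```powershell
# Added example: reports deviations from the hardening tips; changes nothing.
$MgmtPort = 9392   # management port named in the article
$findings = [System.Collections.Generic.List[string]]::new()

# Tip: the backup server should not be joined to the Active Directory domain.
if ((Get-CimInstance -ClassName Win32_ComputerSystem).PartOfDomain) {
    $findings.Add('Server is joined to a domain')
}

# Tip: RDP disabled. fDenyTSConnections = 1 means remote desktop is refused.
$ts = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Control\Terminal Server'
if ($ts.fDenyTSConnections -ne 1) {
    $findings.Add('RDP connections are allowed')
}

# Tip: firewall enabled on every profile (Domain, Private, Public).
Get-NetFirewallProfile | Where-Object { $_.Enabled -ne 'True' } | ForEach-Object {
    $findings.Add("Firewall is off for profile '$($_.Name)'")
}

# Tip: the management port should be reachable only from IT staff desktops.
# Flags enabled inbound allow rules for the port that accept any source address.
# Rules that cover the port through a range (e.g. '9000-9500') are not matched.
$portFilters = Get-NetFirewallPortFilter |
    Where-Object { $_.LocalPort -contains "$MgmtPort" }
foreach ($pf in $portFilters) {
    $rule = $pf | Get-NetFirewallRule
    if ($rule.Direction -ne 'Inbound' -or
        $rule.Enabled   -ne 'True'    -or
        $rule.Action    -ne 'Allow') { continue }
    $remote = ($rule | Get-NetFirewallAddressFilter).RemoteAddress
    if ($remote -contains 'Any') {
        $findings.Add("Rule '$($rule.DisplayName)' opens port $MgmtPort to any source")
    }
}

if ($findings.Count -eq 0) {
    Write-Output 'No deviations found for the checked items.'
} else {
    $findings | ForEach-Object { Write-Output "FINDING: $_" }
}
```

The remaining tips (per-user non-administrator accounts, 2FA, repository immutability, offsite copies) are configured in Veeam or with the service provider and are not covered by this script.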