Cloud Backup Options

[psicodude]

AWS and MS Azure (irony, heh) are both great at this and really inexpensive. The costly part comes if you ever need to restore something: upload is cheap, download is not. The 30mbps upload is a concern, but you could either script it to run overnight or buy an app that handles it for you.

[Azure]

Not sure I need something like that. CrashPlan or Backblaze looks pretty good.

No problem running overnight or on weekends. 500 GB will take a while, but nothing we can't handle.

[psicodude]

There is nothing wrong with either of those services, and something is way better than nothing. I suggested AWS and Azure because their per GB price is way cheaper than anyone else.

I suppose the real question is: what level of backup are you looking for? If you get a machine infected by ransomware, are you cool with reinstalling the OS and apps from scratch and then restoring data, or do you want to take an image and do a bare metal restore? What sort of files are you wanting to backup? If it's just standard Word and Excel docs, why don't you consider Office 365 and getting people comfortable with using OneDrive?

There are a dozen ways to do this, and none of them are necessarily wrong. Just get a solid idea of what your business requirements are and find a service that matches.

[Azure]

I was actually thinking about that yesterday. Reinstalling the OS would require popping in a new hard drive, installing OS and all required programs, and copying data. The data is already backed up, so that would be the easiest part.

However, reinstalling OS, our CAD software, Office, and other essential programs would take maybe 3-4 hours. Is it really worth keeping a disk image for 15 computers so I don't have to do that?

As for what files, they are mainly Excel Files, PDF, Word, and CAD drawings. Our email is all on Office 365, but we haven't upgraded to the cloud for anything beyond that.

Our CAD files and quotes for projects are the most important. Thousands of drawings, with sizes ranging from 30 MB, to 1 GB per drawing. The quotes are PDF files smaller than 30 MB, but often 10-20 quotes per project. Not being able to access those would cripple our business.

Currently for those files everything is accessed from a file server. We back that up every hour in case someone messes up a drawing and needs to go back and retrieve the old one. From there it is backed up to a Synology on site, and then to another Synology off site. The cloud backup would be another backup similar to the off site Synology.

My biggest concern is stopping ransomeware from getting into the cloud backup. The whole ransomware idea is new so I'm trying to figure out what the best practices are, but my understanding is that it needs admin privileges to get into the files. For the sake of argument, say it infects a work station, which in turn infects the file server, which in turn infects the Synology on site, then the Synology off site, etc, etc....what is supposed to stop it from spreading short of actually have one of the backups plugged out?

The off site Synology is still on the same network. Just off site in case of fire or theft.

[Rathji]

Quote:

Originally Posted by Azure

I was actually thinking about that yesterday. Reinstalling the OS would require popping in a new hard drive, installing OS and all required programs, and copying data. The data is already backed up, so that would be the easiest part.

However, reinstalling OS, our CAD software, Office, and other essential programs would take maybe 3-4 hours. Is it really worth keeping a disk image for 15 computers so I don't have to do that?

As for what files, they are mainly Excel Files, PDF, Word, and CAD drawings. Our email is all on Office 365, but we haven't upgraded to the cloud for anything beyond that.

Our CAD files and quotes for projects are the most important. Thousands of drawings, with sizes ranging from 30 MB, to 1 GB per drawing. The quotes are PDF files smaller than 30 MB, but often 10-20 quotes per project. Not being able to access those would cripple our business.

Currently for those files everything is accessed from a file server. We back that up every hour in case someone messes up a drawing and needs to go back and retrieve the old one. From there it is backed up to a Synology on site, and then to another Synology off site. The cloud backup would be another backup similar to the off site Synology.

My biggest concern is stopping ransomeware from getting into the cloud backup. The whole ransomware idea is new so I'm trying to figure out what the best practices are, but my understanding is that it needs admin privileges to get into the files. For the sake of argument, say it infects a work station, which in turn infects the file server, which in turn infects the Synology on site, then the Synology off site, etc, etc....what is supposed to stop it from spreading short of actually have one of the backups plugged out?

The off site Synology is still on the same network. Just off site in case of fire or theft.

The offsite (edit: Cloud) backup should have versioning, which prevents the encrypted file from overwriting the good data.

Otherwise, unless the virus is stealing your credentials for your backup and logging into the backup site and actually deleting your old versions, there is no way for the virus to encrypt those versions. They simply don't exist in a form that they can be accessed like a Network share does

[psicodude]

It sounds like you are in that really tough place between SMB backup and enterprise backup. Enterprise would include a backup solution like Commvault, but it gets expensive, complex, and pretty much requires someone to manage it on a daily basis. A backup solution would solve the ransomware issue though. It comes down to risk acceptance. Ask the people in charge what they are willing to tolerate for downtime, restore costs, paying the ransom. An enterprise grade backup solution may cost you $20k, but maybe that is worth it to them? Are the staff there tech savvy and would know how to avoid getting infected? Ideally, you should go to the person that signs the cheques and tell him: here are the chances of us getting hit, here is what would happen, here is how long we will be down and what it will cost to get us back. Let them decide.

I would run a test of your current solution, as I believe Rathji to be correct. Create a few test files and ensure that versioning is turned on and working as expected. Honestly, it's probably good enough. Just verify it for yourself. Don't trust a sales person.

And yes, ransomware will infect the workstation, file server, and anything else that it can get write access to. That includes CIFS shares, which is terrifying. And it happens really quickly. You are toast in an hour or two.

[Azure]

Quote:

Originally Posted by Rathji

The offsite (edit: Cloud) backup should have versioning, which prevents the encrypted file from overwriting the good data.

Otherwise, unless the virus is stealing your credentials for your backup and logging into the backup site and actually deleting your old versions, there is no way for the virus to encrypt those versions. They simply don't exist in a form that they can be accessed like a Network share does

In that case if you require a set of credentials to access the Synology that are not used anywhere else to login, the ransomware shouldn't be able to get there either. I think that is what we are doing as of a couple weeks ago. Before the person looking after the backups had access to the synology on his workstation with his own login but we have since removed that.

Our workstations have sharing rights to the main file server, so should one of those stations be infected, obviously it would spread over to those mapped network drives as well.

Just wondering how it all works in our situation.

[Azure]

Quote:

Originally Posted by psicodude

It sounds like you are in that really tough place between SMB backup and enterprise backup. Enterprise would include a backup solution like Commvault, but it gets expensive, complex, and pretty much requires someone to manage it on a daily basis. A backup solution would solve the ransomware issue though. It comes down to risk acceptance. Ask the people in charge what they are willing to tolerate for downtime, restore costs, paying the ransom. An enterprise grade backup solution may cost you $20k, but maybe that is worth it to them? Are the staff there tech savvy and would know how to avoid getting infected? Ideally, you should go to the person that signs the cheques and tell him: here are the chances of us getting hit, here is what would happen, here is how long we will be down and what it will cost to get us back. Let them decide.

I would run a test of your current solution, as I believe Rathji to be correct. Create a few test files and ensure that versioning is turned on and working as expected. Honestly, it's probably good enough. Just verify it for yourself. Don't trust a sales person.

And yes, ransomware will infect the workstation, file server, and anything else that it can get write access to. That includes CIFS shares, which is terrifying. And it happens really quickly. You are toast in an hour or two.

That is what we are in the process of doing.

I don't think it is necessary to take constant disk images and back them up to the cloud. Once a month should be fine to an offsite that is plugged out.

We have a highly virtual setup, and I can actually get a user with an infected workstation up and running in about 20 min with email and the CAD program while I rebuild his computer using one of the virtual workstations we have running.

I think its more important to keep the files properly protected so that I can take the latest disk image from a workstation, rebuild the computer, and update to the latest day.

Just worried about how the ransomware spreads.