Backup strategy

[PeqX]

Hi Forum.
As described - I would like to know a little bit more regarding the backup strategy others are running.
After 3xCryptolocker attach inside external hostingcenters - we have decidet to move all infra structure back inhouse hosting, and for backing up - We're thinking about using Veeam.

Allthough I have several questions - on how to build the best secure setup.

1. When encrypting the backups - is it possible to export the encryptionkey to a external server - so if the Veeam Machine gets infected - It will not have access to the backups without the encryptionkeys. (I'm thinking setting up a share for these encryptionskeys - with a timebased sharing - so the keys are only availæable in the timeframe of the backup window)

2. Instead of using SMB share - is it possible to use Rsync server instead or other protocols that are not as open as SMB/NFS - for cryptolocker attacks ?

Hopefully you can help me with these querstions

[HannesK]

Hello,
in general, you will find many hints and ideas about creating a secure backup by searching the forum for "ransomware" and "air gap". Also veeam.com -> resources -> webinars -> search for ransomware has some interesting stuff.

You might also want to read the best practices: https://www.veeambp.com/infrastructure_hardening

And not to forget S3 object lock https://www.veeam.com/blog/air-gapped-o ... ility.html with V10

To answer your questions.
1. having external encryption keys will not stop ransomware to encrypt your backups. So I don't see that as protection.
2. yes, you can use "other protocols" (SMB is the worst anyway). I would go with the default Veeam data mover protocol and use a Linux or Window repository instead of an SMB share. Also Veeam Cloud Connect (requires Veeam Cloud Service provider) or object storage (Amazon S3, Amazon S3 compatible, Azure blob) which uses HTTPS

Best regards,
Hannes