Simplest (almost) air-gapped backup options

[Blue407]

We currently backup to local disk, tape and a remote server.
Our primary backup server is getting low on disk capacity, I need to add some more external storage.

What are the sensible options that can provide an (almost) air-gapped backup?

Initial connectivity options for storage seem to be USB3, eSATA, iSCSI with direct Ethernet cable between storage and backup server, CIFS etc.

Are any of these easier to secure than the other? Can be configured to provide better security?
It seems the obvious time to consider this, when needing to purchase more capacity.

I am more concerned with somebody inadvertently getting Ransomeware onto their PC and it spreading on the network, than a hacker directly targeting us. We have tape backup physically out of the tape drive to cover that eventuality.

[PTide]

Hi,

USB3, eSATA, iSCSI with direct Ethernet cable between storage and backup server, CIFS etc.

Non of those will help if a malware gains admin privileges. As a temporary measure until you get your tape device set up I'd suggest to try the following:

- Use either a shared folder or iSCSI target with authentication.
- Schedule a script in windows task scheduler that will:

1. automatically mount the target location in 5 minutes before the backup copy job interval is supposed to start
2. enable the BCJ
3. once the job is finished, the script should disable BCJ and unmount the target

Provided that the malware is not smart enough to actually parse scripts defined in a task scheduler and understand how to mount the remote storage, your secondary backups will be safe in the time period when the job is not working. However, if the malware activity kicks in while the job is working then you're probably screwed.

Thanks!