As much as I love tape (and I really do), I can’t ignore the fact that most operational backup and recovery today happens on disk-based systems. And that’s where we face a serious problem: your backup disk is often the first target when threat actors gain access to your environment. If your backups are sitting in an obvious location like “D:\backups,” you’re practically inviting disaster.
This blog post summarizes the main points of my latest podcast episode. If you’d like, you can listen to it or watch it at https://www.backupwrapup.com/)
Why Your Backup Disk Needs Protection
In my recent conversations with cybersecurity professionals, they’ve confirmed what I’ve been saying for years: threat actors specifically target backup systems first. They look for popular backup products, especially Windows-based ones, and their first move is finding and deleting your backups. Once they’ve eliminated your safety net, they’re free to execute whatever attack they’ve planned.
It’s just like in Battlestar Galactica (as Prasanna helpfully pointed out) – the first thing the Cylons did was take out all the battleships. Don’t let your backup disk become an easy target.
Better Ways to Use Your Backup Disk
Instead of keeping your backups in an easily accessible directory, consider these alternatives:
Use Proprietary Protocols for Your Backup Disk
Products like Veeam offer direct access protocols that bypass traditional file system access. This approach sends backups directly to target storage without using NFS or SMB, which means they don’t appear in user space as an easily deletable directory.
The concept began with Open Storage Technology (OST) and evolved into more modern implementations like Boost (which I used to joke was “OST with BO”). These proprietary protocols create a security barrier that requires more sophistication to breach than simply finding and formatting a mounted drive.
Consider Virtual Tape Libraries for Your Backup Disk
VTLs (Virtual Tape Libraries) emulate tape libraries while storing data on disk. Since they connect via fiber channel and don’t appear as standard file systems, they’re much harder for attackers to locate and manipulate. Though technically still “security by obscurity,” it’s significantly better than having an exposed backup disk with a transparent file structure.
Implement Dedicated Backup Disk Appliances
Using a dedicated backup appliance, especially one running a different operating system than your primary environment, adds another layer of security. For instance, if you’re primarily a Windows shop, having a Linux-based storage system can complicate an attacker’s efforts since it uses different authentication methods.
The key is making your backup disk appliance act like an appliance – not just another server you mount via SMB or NFS. The goal is to keep backups out of user space entirely.
Leverage Object Storage for Your Backup Disk
One of the most secure approaches is ditching file system-based storage altogether in favor of object storage. Object storage offers two major advantages:
- It’s not directly accessible via SMB or NFS
- Most object storage systems include immutability features
Companies like OOTBI (Out Of The Box Immutability) are specifically targeting this space for backup security. Their solution, founded by former Veeam executives, provides object storage designed specifically for backups with built-in immutability.
Add Cloud Copies of Your Backup Disk
Cloud object storage provides all the benefits of on-premises object storage with additional security. Cloud providers like AWS offer immutability features that prevent deletion even by cloud administrators if configured correctly.
When using cloud immutability for your backup disk, you can choose between two modes: compliance and governance. I recommend the stricter compliance mode, which prevents anyone from deleting the data before its retention period expires – even administrators.
The Goal: Make Attackers Work Harder
None of these methods are completely bulletproof, but they’re vastly better than storing your backups in an obvious location. Think of it like bike security – you can’t make stealing impossible, but you can make your bike less appealing than the one next to it.
By implementing these backup disk protection strategies, you force attackers to work much harder to compromise your backups. Even if they gain administrative access to your backup server, they won’t immediately see your backup files sitting there ready to be deleted.
The simple principle is this: don’t keep your backup disk in user space. Don’t have it accessible as files on your backup server. Make attackers hunt for it, and they might just move on to an easier target.
For small businesses and personal use, cloud backup services handle much of this complexity for you. Just make sure to secure your login with strong multi-factor authentication – preferably using FIDO keys and passkeys rather than just SMS codes.
Your backup disk is your last line of defense against ransomware and other attacks. Don’t leave it sitting out in the open.
Written by W. Curtis Preston (@wcpreston), four-time O'Reilly author, and host of The Backup Wrap-up podcast. I am now the Technology Evangelist at S2|DATA, which helps companies manage their legacy data
