Home > Backup and Recovery Blog > How to Secure Backup Data? A Guide to Secure Backups

How to Secure Backup Data? A Guide to Secure Backups

1 Star2 Stars3 Stars4 Stars5 Stars
(6 votes, average: 4.94 out of 5)
Updated 22nd December 2023, Rob Morrison

Cybersecurity and ransomware

Cybersecurity has become increasingly important in parallel with the widespread popularization and growth of the Internet. It is now more important than ever, with the number of attacks and data breaches consistently increasing on a yearly basis. As a result, cybersecurity is making its way to the fore of a system architect’s strategy, and indeed typically stems from and is closely followed by executives in organizations that understand how critical security is to the safety of their business.

There are plenty of different cyberattack types, but probably the most infamous is ransomware (68.4% of all cyberattacks in 2022, according to Statista). Ransomware has a relatively simple definition by itself – it is a type of malware that seeks sensitive data, encrypts it, and then asks the data owner for a ransom in exchange for data decryption. The concept itself may sound rather simple, but the ransomware itself has become increasingly complex in recent years and is evolving on a regular basis.

Ransomware presents a unique challenge that deviates from traditional data theft or destruction attacks. Ransomware seeks to render data inaccessible, hindering the ability to access and utilize critical information – but it doesn’t have to steal the data in question for that to happen. Traditional disaster recovery techniques were initially effective in countering ransomware, since administrators could simply eradicate the compromised system and restore data from recent backups.

However, as ransomware evolved into a lucrative avenue for malicious actors, its development intensified. While early ransomware variants primarily relied on virus and worm-like propagation methods, newer strains have developed the capability to specifically target backup software and systems. If left undetected, these advanced ransomware attacks can encrypt all accessible data, rendering traditional recovery methods ineffective. This evolving threat landscape necessitates a reassessment of backup deployment strategies to ensure resilience against ransomware attacks.

The basics of protection against ransomware

The cost of data storage has been relatively low for a while now, and it continues to trend down. In this context, one of the most basic approaches to ransomware protection would be to create multiple copies of backed up data. That way, there would be a higher chance to secure data backup if the ransomware attack happens – especially if the backup copy in question is not stored close to its original.

Creating backup copies in this particular context can be achieved using at least three different methods:

  • Backup data replication with the help of external software.
  • Backup data replication performed with features built in most SAN/NAS appliances.
  • Backup data copy creation performed by the backup software to be stored in different locations.

Each option above has its own benefits and disadvantages. It is strongly recommended to use multiple backup copying methods at once for both security and usability reasons. For instance, you could employ backup software to store data on a NAS (Network-Attached Storage) device and then replicate it to another system using storage replication technology.

While maintaining control over your backup system, IT department leaders should also consider levels of simplicity to facilitate maintenance activities. A convoluted system can hinder the ability to effectively manage and maintain data protection measures. As such, a proper balance needs to be found between simplicity and complexity to bring the best possible result overall.

In the context of multiple backup copies, it would be wise to mention that the location of these copies is just as important as their actual existence. Backup copies stored alongside the original are practically useless in most cases, since they are relatively easy for ransomware to locate. As such, diverse backup storage locations are also a requirement in a modern data security environment.

The “3-2-1” rule and immutability

Despite the availability of various data protection tools, there are additional risks beyond that of malicious attack. For example, physical threats such as accidents, mistakes,  fire, flood or other natural disasters can easily destroy hardware and physical files. Backup copies stored together is an easier target for any malware type, not just ransomware – and any company’s goal should be to make backups in in strategic locations and in a strategic range of types.

A well-designed data protection system should ensure that at least some of your backup data is stored far enough away, physically speaking, from its primary location to mitigate the impact of natural disasters or unforeseen events.

The “3-2-1” and “3-2-1-1” rules

One of the most commonly accepted backup strategies, tried and tested successfully through time, is the “3-2-1” rule. This data security best practice advocates maintaining three copies of backup data, stored across two different mediums, with one copy securely stored off-site. Many businesses utilize a combination of cloud storage and physical disks to fulfill this rule, ensuring the most robust and secure approach to data backup.

There is also a newer, more modern version of this rule called “3-2-1-1”. In this situation, there are three backup copies, two storage types, one copy that is stored away from the rest – and one more copy that is “locked” or immutable. Data stored on truly immutable media cannot be modifiable at all once it is created. Both cloud storage and physical appliances can be used to create immutable storage locations, but due diligence is sometimes needed to ensure this is indeed the case (because certain technologies, cloud storage and media types may be claimed by their providers to be, or appear to be “immutable”, but in reality may not be). Bacula respectfully recommends IT leaders correctly follow the 3:2:1 rule carefully.

The introduction of this “locked” data is a logical reaction to ransomware growing much more sophisticated – many ransomware variations now seek out backups and target them alongside original data, making it far more difficult to safeguard against such attacks.

Backup immutability

Attackers recognize that a successful data and systems restore can transform a potential organization-crippling catastrophe (and therefore successful attack) into a mere inconvenience to the victim. Therefore, while these attacks can disrupt operations for days or even weeks, effective backup techniques rarely result in ransom payments (unless the threat actor’s strategy is instead related to disclosure of private or sensitive data; a somewhat different scenario). Consequently, threat actors have begun targeting backup systems alongside the live environment.

With this shift in tactics, organizations must now protect their data not only in its primary state but also during the backup and restore processes. Immutability offers further protection against this growing threat. Instead of relying solely on preventative measures and tools, immutability safeguards backed up data by preventing any modifications, including those initiated by backup software. That way, even the most sophisticated attacks would not be able to alter this specific copy of your backup data.

Data immutability in itself is a comprehensive topic – including WORM storage, which has evolved to accommodate modern security requirements.

Traditional WORM (Write Once, Read Many) solutions relied on optical discs, leveraging the permanence of laser-induced material alterations. However, optical media’s limited capacity has rendered them practically useless in present-day use cases. To address this challenge, vendors have developed alternative WORM solutions.

Removable magnetic media has some form of write-protection in most cases. Tape remains the primary medium utilizing this approach, typically requiring manual intervention, such as physically moving a sliding tab or breaking off a tab. Some manufacturers offer tape cartridges that automatically switch to write-protected mode after the initial write. Tape drives also employ physical mechanisms to detect write-protect status, ensuring that only individuals with direct physical access can tamper with these systems. Furthermore, some tape mechanisms also automatically eject the media after a write, which cannot be re-inserted unless done manually by someone on-site.

Certain SAN (Storage Area Network) vendors provide WORM capabilities, with the implementation varying depending on the device’s architecture. Removing write protection in these systems typically requires administrative access to the SAN.

Cloud storage is another possibility for the topic of immutability and, like physical tape storage or on-premises storage with immutable features, can also offer true immutability. The issue with a Cloud provider though, by definition, is that the user is handing over responsibility for the actual supposed immutability to the third party service provider.

By setting the full immutable flag when copying backups to the cloud, users can theoretically ensure that the data remains inaccessible for modifications, even for cloud administrators. The flag will automatically self-destruct once the defined retention period expires. Additionally, configure your S3 buckets to restrict write access solely to your backup application, further enhancing data protection.

Retention and how it helps secure data

Backup systems play a crucial role in your IT infrastructure and require the same fundamental security measures as other critical systems. To effectively protect your backup data, Bacula recommends these essential practices:

  • Create unique accounts specifically for backup operations and restrict their privileges to backup-related tasks.
  • Immediately change passwords when individuals with access leave the organization.
  • Store backup account passwords in a properly secured password vault.
  • Consider using different accounts for different backup contexts.
  • Implement robust password rotation and complexity policies to safeguard backup accounts.
  • Use backup software such as bacula that has true role-based control interfaces

While these practices may not provide absolute protection against ransomware or othor malicious attack, they can help mitigate the damage caused by backup-aware malware. However, if the ransomware has already breached your organization’s defenses, such measures may be ineffective. Good backup technology will provide a variety of different scanning, check and monitoring capabilities to check that the original data to be backed up has not already been compromised.

Other examples of ransomware protection measures to secure backup data

There are additional options to protect against ransomware. In the list below you can find several more examples of how it is possible to secure data backups against ransomware and other persistent threats.

Backup encryption

Encryption plays an essential part in protecting sensitive data in practically every possible case. Encryption renders the data unreadable to anyone who lacks the decryption key, even if they manage to steal a backup tape or compromise your cloud storage account. All modern backup software have at least some form of encryption to offer to their users. Ironically, encryption is also the main weapon used by threat actors. The security levels of a backup system’s encryption system must therefore be extremely high. Some backup software is able to achieve these levels, but not all.

Iit is extremely important to implement different methods and features into your security strategy.

Blockchain technology has garnered widespread attention due to its inherent tamper-proof nature, offering a beacon of security in an increasingly vulnerable digital landscape. Blockchain’s robust cryptographic fingerprinting mechanism renders the data it safeguards exceedingly difficult to breach or manipulate. In the context of backup solutions, blockchain ensures the authenticity and integrity of backup data, providing users with the confidence that their backups are reliable and unaltered. In a way, blockchain is seen as an extension of the encryption process, even though it is somewhat more difficult to implement.

When evaluating backup software, carefully examine its encryption implementation. If you intend to utilize data deduplication and other storage optimization features, conduct comparisons to determine the impact of encryption on these functionalities. While encryption significantly enhances data security, it should not be your sole defense mechanism. The act of stealing a backup that is encrypted still results in the attacker having your data – even if it is unreadable at that moment. If the attacker possesses the necessary expertise, resources, and determination, they could eventually break even the most sophisticated encryption algorithms and lengthy encryption keys.

Key management

On the topic of encryption keys – pay particular attention to protecting the encryption keys used for your backups. These keys represent the weakest link in the encryption process. Implement the same stringent measures to safeguard the keys as you would for critical account passwords.

Minimize the risk of attackers gaining access to both encrypted data and the corresponding decryption keys by employing a third-party key management system. While it may be more expensive than the key management solution integrated into your backup system, it’s a worthwhile investment, especially if your system stores encryption keys within a database protected solely by the Windows machine key. This key is relatively easy for adversaries to compromise once they escalate privileges, exposing your encryption keys to theft.

Offline storage

Offline storage is an important element of the backup security topic – since it is typically difficult for ransomware or other malware to infect a storage drive that is not physically connected to any kind of network. This kind of approach is called air gapping, and it is, when done properly, extremely effective. It does have some  disadvantages and vulnerabilities, so it is usually employed in tandem with other backup storage.

Other than that – there are some storage types that have the “offline mode” as one of their advantages. For example, tape storage is experiencing a resurgence in popularity due to its inherent immunity to electronic attacks when offline, and its practicality when used for air gapping. Similarly, RDX, a removable disk-drive technology that mimics tape functionality, offers the same resilience against cyber threats.

Utilizing tape or RDX for data backup provides an effective offline storage solution, making it extremely difficult for hackers to access or manipulate backup data. However, extracting data from these storage targets may be quite difficult – or slower – for the authorized user too.

Regulatory compliance

Regulatory compliance in backup security extends beyond mere legal obligations; it represents a proactive approach to safeguarding sensitive information, mitigating risks, and maintaining the trust of customers, partners, and regulatory authorities. It establishes a benchmark for data protection practices and ensures that organizations are held accountable for the security of the data they handle.

Numerous countries and regions have established stringent data protection and privacy laws that mandate organizations to safeguard sensitive information. Regulatory frameworks such as GDPR in the European Union and HIPAA in the United States impose legal obligations on organizations to implement robust security measures, including secure backup and recovery practices.

Optimal compliance is helpful if not critical for companies when it comes to preventing cyberattacks and data breaches. Demonstrating compliance also enhances an organization’s reputation, as it signifies a commitment to protecting customer and stakeholder information.

Regulatory frameworks often include guidelines and best practices for securing data, encompassing backup and recovery processes. Compliance helps organizations adopt standardized security practices that are recognized and accepted within their respective industries.

Certain industries have specific regulations governing the protection of sensitive information. For instance, financial institutions may be subject to regulations like the Payment Card Industry Data Security Standard (PCI DSS), which mandates secure handling of payment card data.

Regular testing

Encryption and maintaining multiple backup copies are crucial safeguards for your valuable files, ensuring comprehensive backup security. However, it’s equally important to verify that your backups are operational so that they can effectively restore your data when called upon. Regular testing of your backups is essential and could be the deciding factor between a seamless restoration and potential business disruption.

Testing helps identify and address any vulnerabilities before they impact your operations, allowing you to refine your backup strategy to better align with data security requirements. Secure backups are an indispensable component of business continuity, and ensuring their protection through encryption is paramount.

By employing encryption, practicing the 3-2-1 rule and conducting regular testing, you can safeguard your files and maintain peace of mind, knowing that you’re prepared to recover from any unforeseen incident.

Supply chains and third-party vendors

The security of backup data is often interconnected with the practices of third-party vendors and supply chain partners. Organizations need to actively manage and mitigate risks associated with these external entities to ensure the overall security and resilience of their backup systems and data.

Many organizations rely on external vendors for backup solutions or cloud storage services. If these vendors are not secure, it introduces vulnerabilities into the backup process – especially since third-party vendors often have access to an organization’s data or systems, including backup repositories. A compromise in the security of third-party services can directly impact the security of the organization’s backup data.

Dependence on third-party vendors for backup solutions means that any disruption or security incident involving these vendors can impact the organization’s ability to recover data and maintain business continuity. The supply chain can be targeted in order to gain access to information as a whole or to gain access to one or several internal organization systems. If a vendor is compromised, it can provide an entry point for attackers to infiltrate the organization’s network, potentially impacting backup systems and data.

Regulatory frameworks often hold organizations responsible for the security of their data, even if it is processed or stored by third-party vendors. Ensuring that vendors comply with relevant regulations is necessary to meet legal requirements and avoid regulatory penalties.

Establishing clear contractual agreements and service level agreements (SLAs) with third-party vendors is essential. These agreements should outline security requirements, data protection measures, and the vendor’s responsibilities regarding the security of backup data.

Organizations should evaluate their security practices on a regular basis with security assessments and audits. This ongoing evaluation ensures that vendors maintain a high level of security and are continually improving their security measures.

Modern technologies and features

Malware and ransomware attacks are no longer confined to online systems; malicious actors are increasingly targeting and corrupting offline backups as well. This includes Cloud service organizations.

One powerful approach involves utilizing artificial intelligence and machine learning to differentiate between normal system behavior and anomalous activity. This enables AI-powered anti-ransomware defenses to proactively identify and halt malicious activity, acting as a security guard who intervenes to prevent damage before it occurs.

Unlike traditional anti-virus software, which relies on identifying known threats, AI-based solutions may aim to detect and intercept even never-before-seen ransomware strains. This provides an impenetrable shield that safeguards all data, including offline backups.

Comprehensive third-party backup software

Ensuring business continuity demands, in part, comprehensive protection of the entire IT infrastructure, encompassing physical and virtual systems, cloud services, and mobile devices. This necessitates implementing a holistic backup solution that seamlessly integrates advanced security technologies and productively collaborates with existing security measures. With each layer of defense operating independently yet cohesively, organizations can effectively combat increasingly sophisticated, pervasive, and disruptive threats to their operations.

Furthermore, a robust backup solution must incorporate seamless disaster recovery capabilities to guarantee swift restoration in the event of an unforeseen incident. This ensures that backups are not only readily available when needed but also instantly accessible to minimize downtime and maintain business operations.

Bacula Enterprise is a good example of such a solution, with an especially high number of features, capabilities and unique architecture to protect against ransomware, as presented below.

Bacula Enterprise’s extensive backup security capabilities

Bacula Enterprise is a comprehensive, open-source-based backup and disaster recovery solution that offers high-end, enterprise-grade features for protecting critical data across heterogeneous environments. Bacula’s unique modular architecture eliminates the need for two-way communication between its individual components, effectively removing a common and significant security vulnerability that plagues many competing solutions.

This inherent security strength is further amplified by Bacula’s core engine running on Linux, a renowned operating system known for its exceptional security posture. As a consequence, Bacula stands out as a significantly more secure backup solution compared to its peers. Moreover, Bacula’s exceptional flexibility allows seamless integration into various user environments without compromising security, a critical factor in bolstering an organization’s overall defense posture.

Bacula’s comprehensive security features include restricted RunScript directives,  FIPS 140 compliance, immutable Amazon cloud storage, restricted file agent paths, encryption at the file agent level, storage server-level encryption, LDAP access controls, restricted UID per Director, SIEM integration, Multi-factor Authentication (MFA), Communications encryption, volumes protection (both immutable and Append-only), an advanced Antivirus plugin, and automated system checks. The system also provides advanced security reporting systems,  smart security assessment, data poisoning detection, granular encryption when sending data to untrusted storage, and global encryption to disk, tape or cloud with high control. Bacula is integrated with many more security tools and features too numerous to mention in this article. More information can be found here. As a result of its high security profile, Bacula is used almost exclusively by the largest defense and military organizations in the West.

Of note is Bacula’s ability to operate the client/agent in read-only mode, a critical security measure that minimizes potential attack surfaces. Additionally, Bacula’s broad support for tape encryption ensures secure offline data protection, addressing the need for robust backup integrity.

Bacula’s unique architecture poses a significant challenge for attackers seeking to disrupt its operations, as the core functionality resides outside the protected host environment. Any attempt to alter Bacula’s behavior would be readily detected, rendering such attacks ineffective. Moreover, Bacula’s comprehensive system-wide analysis and trending capabilities enable the detection of even meticulously concealed or gradually unfolding system compromises.

Bacula’s exceptional strength lies in its ability to identify and report hostile modifications. Intrusions invariably involve file alterations, leaving behind traces that Bacula can detect during backup operations. Unlike other file system change detection tools, Bacula’s extensive checks can be tailored to the target platform, providing deeper insights and enhanced protection.


Security is not a one-time endeavor; it requires ongoing implementation, monitoring, and testing to ensure the effectiveness of protective measures. Identifying and addressing vulnerabilities, detecting emerging threats, and implementing reliable recovery mechanisms are paramount for safeguarding critical data and workloads. The adoption of appropriate security tools with robust capabilities to protect, monitor, and restore systems is more crucial than ever.

Bacula is an exceptional solution made to secure backup data and offer a massive number of features and capabilities to its users. These users are often the most secure-conscious organizations in the world. It is fast, scalable, versatile, and can scale to practically any company size or IT environment size.

When evaluating both your business continuity plan, your disaster recovery plan and your backup and recovery strategy, carefully consider the realistic threats your organization faces. Calculate your organization’s tolerance levels for lost services, data, applications and other assets, and what the consequences of such loss could be. Then use this assessment to create your organization protection strategy. Bacula is available for testing against even the most rigorous safety demands, and offers a way to obtain the highest security levels in backup available today and tomorrow.

About the author
Rob Morrison
Rob Morrison is the marketing director at Bacula Systems. He started his IT marketing career with Silicon Graphics in Switzerland, performing strongly in various marketing management roles for almost 10 years. In the next 10 years Rob also held various marketing management positions in JBoss, Red Hat and Pentaho ensuring market share growth for these well-known companies. He is a graduate of Plymouth University and holds an Honours Digital Media and Communications degree, and completed an Overseas Studies Program.
Leave a comment

Your email address will not be published. Required fields are marked *