Implementing proper trust relationships in backup systems
As many people may have read today, a certain web hosting company which operates in Australia suffered an attack which resulted in significant amounts of data loss. Not only was their live production data lost, but all backups were also unrecoverably lost in the process.
Whilst significant technical details have yet to be released as to the nature of these attacks, now is an opportunity as good as ever to explain how the trust relationships exist between the backup server and the system being backed up across our entire server infrastructure.
Our backup servers are separated with there being a minimal trust relationship between the backup server and the system being backed up:
- All backups happen on an independent network which is inaccessible from the Internet.
- The backup server can only read data from the machine being backed up (and not alter it).
- The machine being backed up can only send new data and not alter the data that is already backed up.
Using this methodology should protect any attacks from the public, customer facing servers from damaging the independently stored backups.