Server Backup Strategy

[+InsaneNutter MVC]

Basically I?m interested to know what peoples backup strategies are, this is what I currently have in place using the Server 2012 R2 backup tools.

Server ? This has 3x 4TB drives in the backup pool, backups are taken twice a day of everything on the server - once during lunch at 1pm, then the other at 11pm at night. These 3x backup drives are rotated every Monday, one is in the server for that week?s backups, the previous weeks is taken offsite and the week previous to that is kept on site in a fireproof safe.

The most essential company data such as databases are backed up to Windows Azure each night at 1am, these backups are retained for 30 days.

Client PC?s - folder redirection is setup so any files users save on the desktop or in their documents is actually on the server, so backed up when the server runs its backups. Client PC's are also backed up each day by the server.

Finally file history backups are enabled for users data, these backups are on a different drive in the server to what the data is saved on.

I would like to think with this backup plan if the worst ever did happen I have multiple options to recover data, I have randomly tested I can recover data from the various different backups. I have also taken manual backups of important data every so often, essentially for historical backups.

Just curious to see what other people are doing to see if I should be considering doing anything differently.

[sc302 Veteran]

I do windows shadow copy for my backups 4 times a day to capture the changes that are made through out the day.  I do a weekly full and daily incremental backups to cover my system at a complete systems failure. Daily differentials are done on databases. 

[Roger H. Veteran]

Good stuff sc302. (Y)

I bascially do nightly incrementals along with 3 shadow copies during the day.

I offsite to Azure at 1am as well. :)

[sc302 Veteran]

I would like to use cloud based backups, but I don't have full control of it.  Corporate secrets, intellectual property, and what not.  Cant take the risk of someone or something snooping and then selling it.  Unfortunately public cloud is not for the business I am in because of lack of control.  I can create my own local cloud spanning sites, but I cannot use a public one.  If I weren't in manufacturing or design this would be a different scenario, many businesses do not fall in this area. Imagine how much business coke would loose if someone created an exact duplicate of their recipe.  Can anyone guarantee the formulations safety in the cloud?  I don't care how secure it is, everything is secure until someone finds a way to get into it.  WEP was secure in the beginning, now it is a joke.  Don't need to have that on my shoulders. 

[ITFiend]

I would like to use cloud based backups, but I don't have full control of it.  Corporate secrets, intellectual property, and what not.  Cant take the risk of someone or something snooping and then selling it. 

 

That's only a problem if you have a poor quality backup solution. For example, if you are using Microsoft System Center Data Protection Manager / Microsoft Azure Backup, Microsoft cannot decrypt your cloud backups anytime in the near future, because you never provide them with decryption keys. It's not much different than using a service that keeps archives of your tape backups off-site, as you never give those entities your keys either.

[StrikedOut]

Each of our sites have 2 VM each with AD installed. The host server backs up these the VMs to our file server and an onsite NAS. The server image is also part of the nightly offsite backup to our cloud based storage which in turn is mirrored to a second data centre with like for like abilities.

[sc302 Veteran]

That's only a problem if you have a poor quality backup solution. For example, if you are using Microsoft System Center Data Protection Manager / Microsoft Azure Backup, Microsoft cannot decrypt your cloud backups anytime in the near future, because you never provide them with decryption keys. It's not much different than using a service that keeps archives of your tape backups off-site, as you never give those entities your keys either

The question comes down to trust.  do you trust microsoft enough to not be able to reverse engineer something that they designed or had a part in?  Do you trust that when you use their service that they will not snoop into your stuff?  People create back doors in security for many reasons, some of it being government mandates that we have no knowledge of.  Somethings I will leave out there for people to see as it is low risk, things that are high risk only exist in areas that I have full and absolute control of who/what/and where.  From a security stand point, you can never be too careful...and you have no clue what the programmers have designed into the security apparatus that leaves it vunerable to eyes.  Just like a storage locker in a storage facility, the owners can get it if they want to....you can make it harder by putting a safe in their storage facility, but they can get into that too if they need to, they just need to hire the right person to get into that.

[ITFiend]

The question comes down to trust. 

 

If Microsoft's products have those backdoors, then so does everyone else's. All your security in this case is false, because they probably can just walk through your firewalls and servers without leaving traces if not also your tape backups.  They're not going to care about just one path into your data, they'll want them all.  Your trust in any of your security may be just as reality or illusion as your fear of online backup storage, even if you personally coded it yourself.

 

The idea of control may also be nothing than illusion, because you probably can't be any surer of that than anything else.  Did you trust OpenSSL?  If so, anything you secured through that was definitely illusion for years.

 

As for law enforcement, if they want your data, they?ll just raid you while your sleeping after installing keyloggers, presuming they didn't place wireless ones in your motherboards before delivery of your systems.

 

Plus, do you have any devices with DMA access like Firewire, Thunderbolt, or PCI Express?  If so, those machines are likely insecure just by being powered on, because it allows you to just rip all your keys from memory by connecting the right device to the port. Sure, it requires hardware access, but if its law enforcement, they'll get your data no matter what you do so long as they are smart with their methods for collecting it. 

 

My point is, however paranoid someone is, they'll always both be too paranoid and never paranoid enough. I trust Microsoft enough in this case otherwise I wouldn't be using any of their products, and if it turns out they did something I can sue them for later, half the world will probably also do so.

 

Sorry all for semi-off topic response here.

 

[winrez]

I've always had good luck using Windows Server Backup & Microsoft's Data Protection Manager as well as doing manual SQL Backups and Weekly Acronis Images. Data Protection Manager is a great one to have if someone messed up a file and you can pick the date and time, kind of like volume shadow copy on steroids. But from what you described in your first post you look like your pretty set as long as you have a speedy network. :)