As an IT and data manager in any organization - large or small - it is of course one of the most important priorities to have control over security when it comes to the company's business-critical data. It is also no secret that the threat picture is constantly evolving with new trends hitting the market from time to time. Hacker attacks, ransomware, etc. are constantly becoming more sophisticated and as we have also seen examples of in recent years, even the very big players in the market have experienced being hit on security and have had to pay ransom to regain access to their systems.
Business-critical data has been leaked and/or locked and business systems have been shut down for unacceptably long periods of time. One of the reasons for this is that ransomware has evolved. It has become easier for criminals to access ransomware applications, where developers and practitioners can share the proceeds required, for example, to be paid into anonymous Bitcoin accounts. In addition, ransomware can now also be designed to go after the backup.
This is clear evidence that the security strategy that may have worked 5 years ago is currently no longer up to date. Therefore - and as part of our security strategy - we recommend offline tape backup as part of the complete and market-standardized 3-2-1 (1) backup strategy.
Tape backup is in short an offline backup placed on tape. It is one of the links in a 3-2-1 (1-0) backup strategy. With a 3-2-1 (1-0) backup strategy, it is important that you:
There is nothing that is 100%, but with a 3-2-1 (1-0) backup strategy implemented, you get as close as possible to secure your data. In fact, 3 copies of the company's data usually means that you have your production data (live environment) as well as two backup copies.
The copy that is placed off-site and away from the other copies should be placed at a minimum distance of 10 kilometers. This is due to a serious accident at the production site and the backup is also located there, fire, flood or sabotage can eradicate the company's data.
The reason why the data should be placed on two different media (in this case tape backup) is to ensure as large a risk spread as possible. Although the chance is small, a firmware error that potentially prevents access to the data on a backup media will in that case also prevent access to the data on both backup media, provided that these are the same and run with the same firmware.
The last step in the 3-2-1 (1-0) strategy is to make sure you have a backup offline so that it cannot be accessed by, for example, hackers. Since the backup is both offline and on tape, the backup procedure is performed somewhat differently than usual.
First, a normal backup of production data to disk is performed. Next, it is verified whether the backup is intact, after which the backup data is copied on to a tape. The tape sits in a taper robot that contains several tapes and data is distributed on different tapes. Eventually, the tapes are moved out of the taper robot and into a fire and waterproof cabinet, thus making it offline. This should be done as a regular weekly procedure. In order to access this data, the physical presence of a person who must perform an active physical action (by, among other things, unlocking the locker) is required to obtain the tape. Of course, it is also a good idea to have a clearly defined process for who and how to get hold of the tape, but the point is that it is offline.
Of course, it will also be possible to place a digital copy of the data offline in a safe, but tape backup also has other benefits. For example, there are no mechanical parts, which is why they (the bands) are less vulnerable to movement and physical movement. In addition, they can more easily withstand high and low temperatures and they are resistant to water. Last but not least, tape backup tapes are cheaper than digital versions.