With the rise of ransomware attacks, the industry is buzzing about the term “immutable” as the ultimate solution.
At Kwik Backup, we believe that true ransomware recovery is only possible with a comprehensive security architecture. This includes isolating backup copies, minimising the attack surface, and restricting unauthorised access to backups.
We prioritise these three key elements to ensure the highest level of protection for your valuable data.
How does Kwik Backup ensure isolation and security for your backups?
Kwik Backup provides comprehensive isolation for your backups with a cloud-first approach. This means that every backup is sent offsite and isolated in their private cloud by default, eliminating the need for a local appliance. Kwik Backup also uses AES 256-bit encryption to secure your backups on site and during transfer to remote data centers via one-way TLS 1.2 connections. These backups are stored and encrypted in their highly secure data centers located worldwide, ensuring that your valuable data is always within reach and in-region.
If desired, Kwik Backup also offers the option to keep a local copy for recovery at LAN speed with their SpeedCache (LSV) feature. This optional local copy is separate from the primary backup storage, ensuring that your backups remain unaffected even in the event of a ransomware attack on the local copy.
How does this product differentiate itself from its competitors?
Compared to traditional image-level backup products that were built local-first and added mechanisms to push backups to offsite storage, Kwik Backup eliminates the added cost and complexity of additional licenses and manual configuration. Some competitors require customers to find, purchase, configure, and manage their own cloud storage. Unlike traditional vendors that often use WORM locking, which has proven inadequate against destructive cyber-attacks, Kwik Backup reduces the attack surface of the on-premises backup infrastructure while addressing concerns about backup copies being stored on the same network as the bad actor.
How does Kwik Backup minimise the attack surface?
By keeping two of the three critical elements off the local network: backup copies and the infrastructure used for recovery. Kwik Backup’s cloud-first backup method stores backup data in a remote cloud location, making them inaccessible to someone with access to the local network. Additionally, Kwik Backup is a fully hosted SaaS application, so the recovery mechanism is also safely off the local network. As a result, malware has a much smaller attack surface, and recovery is much easier.
What measures does Kwik Backup take to address trusted access?
Kwik Backup enforces two-factor authentication and limits access to specific capabilities by role, allowing for granular access to delegated tasks while preventing unnecessary levels of access.
What access is needed to make changes to backup selections, exclusions, or schedules in Kwik Backup?
Local administrator access is required to access the local backup manager client or administrative command-line functions, and changes can also be restricted using backup profiles. Two-factor authentication is required for an additional layer of security.
What happens if the Kwik Backup local backup manager agent is deleted from a device?
Uninstallation of the local backup manager client does not delete prior backup sessions stored on the LSV or on Kwik Backup cloud storage.
What happens to backups in Kwik Backup if production data is deleted, corrupted, or encrypted?
File deletions, corruptions, or encryptions on the production system do not affect prior backup sessions already stored on the LSV or Kwik Backup cloud storage.
What security considerations are there when setting up a SpeedCache?
It is recommended to configure the LSV to target a NAS device with workgroup-level security and unique credentials. An LSV with compromised or damaged unsynchronised data will not be uploaded to Kwik Backup cloud storage.
How are archives protected in Kwik Backup?
Cleaning of individual data sources can be initiated from the local backup manager client with local administrator access and the device’s encryption key or passphrase. Cleaning of specific archive sessions older than the default retention settings can be done with the use of a GUI (Graphical User Interface) password. Deletion of an archive schedule does not impact prior backup or archive sessions.
Additional Security Measures
- The backup management console is protected with two-factor authentication and offers multiple user roles with varying levels of access.
- The ability to generate a passphrase is restricted to named security officers and the code is only valid for a single use or 24 hours.
- Some user roles are allowed to delete a backup device from the backup management console, which can typically be undeleted by Kwik Backup if requested within 14 days.