Kwik Backup: Ransomware Protection

Kwik Backup provides comprehensive isolation for your backups with a cloud-first approach. This means that every backup is sent offsite and isolated in their private cloud by default, eliminating the need for a local appliance. Kwik Backup also uses AES 256-bit encryption to secure your backups on site and during transfer to remote data centers via one-way TLS 1.2 connections. These backups are stored and encrypted in their highly secure data centers located worldwide, ensuring that your valuable data is always within reach and in-region.
If desired, Kwik Backup also offers the option to keep a local copy for recovery at LAN speed with their SpeedCache (LSV) feature. This optional local copy is separate from the primary backup storage, ensuring that your backups remain unaffected even in the event of a ransomware attack on the local copy.

Compared to traditional image-level backup products that were built local-first and added mechanisms to push backups to offsite storage, Kwik Backup eliminates the added cost and complexity of additional licenses and manual configuration. Some competitors require customers to find, purchase, configure, and manage their own cloud storage. Unlike traditional vendors that often use WORM locking, which has proven inadequate against destructive cyber-attacks, Kwik Backup reduces the attack surface of the on-premises backup infrastructure while addressing concerns about backup copies being stored on the same network as the bad actor.

By keeping two of the three critical elements off the local network: backup copies and the infrastructure used for recovery. Kwik Backup’s cloud-first backup method stores backup data in a remote cloud location, making them inaccessible to someone with access to the local network. Additionally, Kwik Backup is a fully hosted SaaS application, so the recovery mechanism is also safely off the local network. As a result, malware has a much smaller attack surface, and recovery is much easier.

Kwik Backup enforces two-factor authentication and limits access to specific capabilities by role, allowing for granular access to delegated tasks while preventing unnecessary levels of access.

Local administrator access is required to access the local backup manager client or administrative command-line functions, and changes can also be restricted using backup profiles. Two-factor authentication is required for an additional layer of security.

Uninstallation of the local backup manager client does not delete prior backup sessions stored on the LSV or on Kwik Backup cloud storage.

File deletions, corruptions, or encryptions on the production system do not affect prior backup sessions already stored on the LSV or Kwik Backup cloud storage.

It is recommended to configure the LSV to target a NAS device with workgroup-level security and unique credentials. An LSV with compromised or damaged unsynchronised data will not be uploaded to Kwik Backup cloud storage.

Cleaning of individual data sources can be initiated from the local backup manager client with local administrator access and the device’s encryption key or passphrase. Cleaning of specific archive sessions older than the default retention settings can be done with the use of a GUI (Graphical User Interface) password. Deletion of an archive schedule does not impact prior backup or archive sessions.

1. The backup management console is protected with two-factor authentication and offers multiple user roles with varying levels of access.
2. The ability to generate a passphrase is restricted to named security officers and the code is only valid for a single use or 24 hours.
3. Some user roles are allowed to delete a backup device from the backup management console, which can typically be undeleted by Kwik Backup if requested within 14 days.