You are viewing a single thread.
View all comments View context
7 points

What’s the correct way to implement it so that it can still be automated? Credentials that can write new backups but not delete existing ones?

permalink
report
parent
reply
30 points

I don’t know if it is the „correct“ way but I do it the other way around. I have a server and a backup server. Server user can‘t even see backup server but packs a backup, backup server pulls the data with read only access, main server deletes backup, done.

permalink
report
parent
reply
2 points
*
Deleted by creator
permalink
report
parent
reply
1 point

Neat! Thanks for mentioning it!

permalink
report
parent
reply
14 points

For an organisation hosting as many companies data as this one I’d expect automated tape at a minimum. Of course, if the attacker had the time to start messing with the tape that’s lost as well but it’s unlikely.

permalink
report
parent
reply
3 points

It depends what’s the pricing. For example ovh didn’t keep any extra backup when their datacenter took fire. But if a customer paid for backup, it was kept off-site and was recovered

It might be even pretending to be a big hosting company when they’re actually renting a dozen deds from a big player, much cheaper than maintaining a data center with 99.999% uptime

permalink
report
parent
reply
7 points

Fundamentally there’s no need for the user/account that saves the backup somewhere to be able to read let alone change/delete it.

So ideally you have “write-only” credentials that can only append/add new files.

How exactly that is implemented depends on the tech. S3 and S3 compatible systems can often be configured that data straight up can’t be deleted from a bucket at all.

permalink
report
parent
reply
6 points
*

A tape library that uses a robot arm https://youtu.be/sYgnCWOVysY?t=30s

Backups that are not connected to any device are not susceptible to being overwritten and encrypted by malware.

permalink
report
parent
reply
3 points
*

A tape library that uses a robot arm
https://youtu.be/sYgnCWOVysY?t=30s

Or like that vault in Rogue One?

permalink
report
parent
reply
0 points

Here is an alternative Piped link(s): https://piped.video/sYgnCWOVysY?t=30s

https://piped.video/sYgnCWOVysY?t=30s

https://piped.video/1RUWtaOzVPg

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I’m open-source, check me out at GitHub.

permalink
report
parent
reply
1 point

Here is an alternative Piped link(s): https://piped.video/sYgnCWOVysY

https://piped.video/sYgnCWOVysY

Piped is a privacy-respecting open-source alternative frontend to YouTube.

I’m open-source, check me out at GitHub.

permalink
report
parent
reply
1 point

i use immutable objects on backblaze b2

from command line using their tool is something like b2 sync SOURCE BUCKET

and from the bucket setting disable object deletion

also borgbase allows this, backups can be created but deletions/overwrites are not permanent (unless you enabled them)

permalink
report
parent
reply

Technology

!technology@lemmy.ml

Create post

This is the official technology community of Lemmy.ml for all news related to creation and use of technology, and to facilitate civil, meaningful discussion around it.


Ask in DM before posting product reviews or ads. All such posts otherwise are subject to removal.


Rules:

1: All Lemmy rules apply

2: Do not post low effort posts

3: NEVER post naziped*gore stuff

4: Always post article URLs or their archived version URLs as sources, NOT screenshots. Help the blind users.

5: personal rants of Big Tech CEOs like Elon Musk are unwelcome (does not include posts about their companies affecting wide range of people)

6: no advertisement posts unless verified as legitimate and non-exploitative/non-consumerist

7: crypto related posts, unless essential, are disallowed

Community stats

  • 3.5K

    Monthly active users

  • 2.6K

    Posts

  • 41K

    Comments

Community moderators