Backup Best Practices for Reliable Data Protection

Topic

This document outlines various best practices for NinjaOne Backup.

Environment

NinjaOne Backup

Description

There are several factors that need to be considered when setting up a backup solution. These factors need to be addressed in order to create and maintain a successful backup and recovery strategy. 

Factors to be considered include the following:

  • Type of environment
    • Size of IT infrastructure:
      • Large
      • Medium
      • Small
    • Corporate vs a Small Business
  • IT Infrastructure
    • Backup Target type:
      • Desktops / Laptops
      • Servers
  • Backup requirements:
    • File and Folder only
    • Image
    • Local storage
    • Cloud storage
    • Hybrid

Environment Type

Consider the type of environment that you are working in when planning on which backup plan type to use. This can be anything from a small office environment that consists of primarily workstations (desktops or laptops) or larger offices that consist of not only workstations but servers as well.

Although the services required to back up these devices are similar, they differ in the method and type of backup plan you choose. Consider how much data of each type you’ll be working with and use that information to inform your decisions on different backup solutions.

Workstation 

For workstations, the most common backup plan is referred to as 'file/folder'. This means that important files that are saved on your local computer will be backed up. If something were to happen to the device, you would run a restore job to copy back down only the files and any folders that had been selected to be backed up. With this, you would need to have the operating system installed and configured along with the user’s profile after they have logged into the computer.

If the environment consists primarily of workstations (Windows or Mac), this will allow for all the selected users to back up critical files to either a local device/NAS or directly to the cloud. Files that have been deleted can also be restored to the device.

Servers

For servers, it can be a mixed bag. This can include both full image backups of the entire server, and file/folder backups for just the data or a combination of both. For a combined or hybrid approach, you could have a file/folder backup plan that performs backups on a daily or even an hourly schedule depending on the change rate and a weekly or monthly image backup can be added as well.

If the IT environment contains servers, these would need to be backed up differently than a workstation. This is due to the type of backups being performed along with the amount of data being backed up. 

There are many variables that need to be considered when designing and setting up server backups:

  • Number of servers that need to be backed up.
  • Volume of data on the servers.
  • Number of revisions of changes the user desires to keep.
  • Stand-alone physical servers or virtual servers.
  • Running in a virtual environment (Hyper-V or VMware).
  • How critical is response time on restoring a server or file in an emergency.
  • Presence of a NAS (Network Attached Storage) to house your local backups.
  • Network speeds and ISP configuration.

Initially, it may seem like the correct and most economical approach is to put all selected data in the cloud. However, if your network bandwidth is slow or if you are trying to restore large volumes of data, this method can be more costly in the long term.

Backup Plan Types Explained

Each type of data will have its own retention time and process based on how the data is used, so you’ll likely be using each of the methods described below. When thinking about the data in your organization, think about how it will fit into the two plans. 

File and Folder Backups

File/folder is generally used when you need to restore only certain files and folders and can be used to reduce storage costs as it focuses on smaller files. 

Common practices for file/folder backups:

  • Should be used to back up organizational files such as spreadsheets, documents, photos, etc.
  • Are great for recovering single files or folders.
  • Take less time to back up and recover data due to smaller data size.
  • Cost less to store.
  • Will put less of a strain on bandwidth and network performance.
  • Should not be used for full servers or databases.

Review the following settings when configuring a file/folder backup plan:

  • All User Profiles—This will back up all users’ profiles on the computer. Access this option under the Folders tab of the plan by clicking Manage.
    • Please note that when setting up file/folder backups, if you choose to back up the user profiles, you will also need to go to the Advanced tab to verify all the file types that you want to protect are backed up.
  • File exclusions—As mentioned before, by default we are excluding numerous different file types from the backup. If there are types of files you want to ensure get backed up, you will need to review the Advanced tab and see if the filetype is listed as an exclusion and flip the toggle switch if needed.
    • By default, there are 211 exclusions set. This includes *.dll, *.dmg, *.exe file extensions along with multiple others. If you want to back up these types of files, disable the exclusion. 
  • Including additional directories—If you want additional directories that were not included in the user's profile path, you can add them here.
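
Before relying on a file/folder plan, it helps to see what the default extension exclusions would leave out of a given profile. The following is an added example, not NinjaOne code: it uses only the three extensions named above, assumes exclusions match on file name case-insensitively, and runs against a constructed sample tree.

```python
import fnmatch
import os
import tempfile

# Constructed subset: only the three extensions the article names.
# The product's full default list (211 entries) is not reproduced here.
NAMED_EXCLUSIONS = ("*.dll", "*.dmg", "*.exe")

def audit_exclusions(root, patterns=NAMED_EXCLUSIONS):
    """Walk root and report files that an extension exclusion would skip.

    Returns {pattern: {"count": n, "bytes": total, "largest": [(size, path)]}}.
    Assumption: exclusions match on file name, case-insensitively.
    """
    report = {p: {"count": 0, "bytes": 0, "largest": []} for p in patterns}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            pattern = next((p for p in patterns
                            if fnmatch.fnmatchcase(name.lower(), p.lower())), None)
            if pattern is None:
                continue
            path = os.path.join(dirpath, name)
            try:
                size = os.path.getsize(path)
            except OSError:
                continue  # unreadable or vanished file: skip, keep auditing
            entry = report[pattern]
            entry["count"] += 1
            entry["bytes"] += size
            # Keep the five largest hits so the reviewer sees what matters most.
            entry["largest"] = sorted(entry["largest"] + [(size, path)],
                                      reverse=True)[:5]
    return report

def build_sample_profile(root):
    """Constructed sample tree standing in for a user profile."""
    files = {
        "Documents/budget.xlsx": 2048,
        "Documents/Tools/LabelPrinter.EXE": 4096,
        "Downloads/installer.dmg": 8192,
        "AppData/Local/app/plugin.dll": 1024,
        "AppData/Local/app/helper.dll": 512,
    }
    for rel, size in files.items():
        path = os.path.join(root, *rel.split("/"))
        os.makedirs(os.path.dirname(path), exist_ok=True)
        with open(path, "wb") as fh:
            fh.write(b"\0" * size)

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        for pattern, entry in audit_exclusions(tmp).items():
            print(pattern, entry["count"], "files,", entry["bytes"], "bytes")
```

Anything in the report that users depend on is a candidate for disabling that exclusion on the Advanced tab.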

Image Backups

Image backups make the most sense when you need to restore an entire device or full disk(s) to new or existing hardware. Image backups are also capable of restoring individual files and folders from the cloud, but the backup will encompass the whole rather than a subsection of files.

In general, Image backups:

  • Should be used for large system copies such as databases, servers, and other business-critical systems.
  • Will recover entire machines including applications, OS, etc.
  • Minimize downtime in case of a disaster.
  • Take longer to recover due to larger data size.
  • May be able to access individual files but are used mainly for machine-level backups.

Backup Storage Destination Types

Like your backup method, you will likely be using a mix of different storage destinations for your organization’s data. User file data will likely take a different backup form than the data stored within a large database. When considering storage destinations, you can sort them into three basic buckets.

The three destinations include:

  • Cloud Only
  • Local Storage
  • Hybrid

Cloud Only

Your data is stored strictly offsite using a cloud storage vendor such as AWS (Amazon Web Services) or Azure. Cloud storage allows you to support a large number of remote workers, deliver a consistent user experience, and take advantage of scalable storage options. Unfortunately, cloud-only is also limited by the download speed available, making it less flexible and accessible.

Local Storage

Data is stored on-site only without any remote backups. This data has no internet dependencies, so you’ll see quicker recovery times than cloud backups. However, if your organization is comprised of many remote employees, local backup recovery may be nonexistent. And with local-only backups you have a single point of failure, so one natural disaster or cyberattack could end up wiping out both your data and backups.

Hybrid

Data is stored locally and in the cloud, providing quick recovery options as well as disaster protection. Many of you may be aware of the 3-2-1 Backup Rule, where you have three (3) copies of your data, in two (2) different forms, one of which should be offsite. This could take many forms, but commonly this will include both local and cloud backups, with the cloud backup ensuring that your data is stored somewhere offsite.

Other Setups

NAS Backup Tips

  1. NAS access should be secured by its own service account that is not used for anything but the Network Storage credential for NinjaOne Backup.
  2. The NAS Share should be configured only for this service account and not have access to any other user account.
  3. Consider isolating the NAS behind VLAN or firewall access rules.
  4. Make sure you disable the Recycle Bin on the NAS (not security, but storage bloat related).
  5. Do not make the share visible to the network (such as the discovery search feature; this may add a bit of security by obscurity).
  6. Keep your NAS up to date.
  7. Do not keep your NAS open to the internet.

OneDrive

If you are using OneDrive as part of your user’s profile, these files are not backed up by default, depending on how your OneDrive settings are configured. Only files that are on the workstation will be backed up.

By default, in your OneDrive setup, the option is checked to keep the files on OneDrive unless you have selected a file to make changes. This action will copy the file to your local computer, and it will be processed the same as any other file on your workstation.

If you decide that you want any files contained in your OneDrive folder to be backed up along with your regular files you will need to uncheck the box labeled “Files On-Demand” in your OneDrive settings. Please note that if you decide to do this, you will need to ensure that your workstation has enough space to hold all files contained in your OneDrive setup.

VMWare and Hyper-V Setups

Virtual machines are a very popular configuration. This type of setup allows companies to create multiple machines on a single hardware platform, which reduces hardware cost, energy consumption, and carbon footprint. This is the preferred setup in the majority of mid-size to larger companies.

There are two (2) main options in the realm of virtualization:

  • VMWare
  • Hyper-V (Microsoft)

There are certain steps that need to be followed when backing systems up for a virtual environment and they are described below.

VMware

  • Backups: In a VMware setup, the only option is to back up the individual virtual guests. This is done the same way as if you are backing up a physical device. The NinjaOne agent is installed on each one of the devices so that they can be monitored. If they need to be backed up, the backup agent needs to be configured along with a backup plan that performs either a file/folder or image backup.
  • Restores: Restoring a VMware guest is the same as restoring any device. Start the restore tool, choose an image download, or restore and choose the destination.
  • System Restore: If you need to access information on a particular drive, you can bring back solely that drive when running a restore.
  • Image Download: If you need the entire VMDK disk, you will need to perform an image restore. Please note that at this time, when you run an image download, you will be downloading the entire server and not just a volume. This option is valuable if you need to restore an entire system or just a singular disk to be replaced or attached to a virtual guest.
    Please note, this type of restore will be the most time-consuming, as you are restoring an entire server, not just an individual file or disk.

Microsoft Hyper-V

  • Backups: This is where things differ slightly from VMWare. Hyper-V is a service that runs on top of a Windows Server OS. You can back up the physical server as well as the virtual guest. The best method to use would be to ensure that all the NinjaOne agents are installed on all systems. This way they can be monitored and backed up, as well as the physical box they are running on. This will allow you to restore an individual guest as well as the entire server if needed.
  • Restores: When you are working in this type of environment, if you set your backups correctly, you can restore an individual server (Virtual Guest) instead of the entire server. In the event of a complete server failure, you can restore the entire box, or if you have additional Hyper-V servers, this will allow you to restore your critical servers to another host while you work on replacing the failed hardware. The same principles apply here as well as in the VMWare environment.
    • Please note, the same principles apply to the Hyper-V restore as well. When performing an image download, it will take longer than a restore due to downloading the entire server with all the virtual guests as compared to an individual server.

Tips for Maintaining Your Backups

Once you know how you’ll be saving your data and where, there are a few tips on maintaining your backups to ensure that your backups are always reliable and accessible.

  • Enable comprehensive backup alerts. Setting alerts for failed backups and failed cloud syncs is a great start, but you should consider building out more thorough alerts. Some examples of other alerts include last backup success, length of backups, new devices added, and unexpected large new storage usage. Don’t just rely on failure alerting!
  • Keep your backup software up to date. Make sure you’re updating your backup software regularly as your backup vendor may introduce new features or fix critical bugs. Missing updates can negatively impact your backup schedule.
  • Consider your recovery point & time objectives. When setting up your backup plan, you need to consider two different objectives: recovery point objective (RPO) and recovery time objective (RTO). RPO determines how much data you need to recover while RTO determines how quickly you need the data restored. RPO will inform how often you set backups (ex: every day vs. every 12 hours) and RTO will inform your restoration methods.
  • Consider which backups are needed local vs. cloud. Are there any backups you need to have restored more quickly? Do the backups impact remote workers? How does the location of data impact the restore process? These questions are helpful in determining which data will reside in local vs. cloud backups.
  • Consistently audit and test your backup process. Backups are only good if they’re successful, so auditing your backups regularly is incredibly important. Backups constantly need to be tested and validated. You’ll also want to validate that your backups have completed successfully on a regular basis, not just for failures.
  • Develop a disaster recovery checklist. List everything that needs to be done in case of data failure including your potential recovery point & time objectives, who is involved, how you’ll recover the data, where the backup is stored, etc. This blog is a great place to get started if you need inspiration.
  • Make sure your backups have plenty of redundancy. As mentioned before, the 3-2-1 backup rule is a great place to start. Have redundant copies of your data in multiple locations so that no matter the disaster, you always have a reliable place to recover your data from.
  • Constantly be updating your documentation. Keep the process documented for everyone, so that anyone will be able to manage data restoration. Supervise the DR plan but don’t do it yourself, so that more than one person understands and can execute on the recovery procedure.
  • Keep your backups in different disks or locations. Backups should always be stored on different media, but especially stored on different disks. If a disk fails and the backup is just on a different store within the same disk, your chances of recovery are next to zero.
  • Keep local backups isolated. If using local storage, use least permissive access in case the organization is infected. Separate your backups out, and make sure that permissions to your backup appliance are locked down so that no one can maliciously or accidentally browse this file path. This also ensures that bad actors cannot access those backups to encrypt them. And if possible, consider keeping your local backup storage NAS out of your domain AD.
  • Secure local and cloud storage to service accounts. Service accounts are a special type of non-human privileged account that you can use to execute applications, run services, etc. By using a service account, you can limit the access to a single account.
  • Backing up SaaS data is still important. Just because data is being stored in “the cloud” doesn’t mean that it’s being backed up by your cloud provider, so run consistent backups of your cloud data.
  • Print out your disaster recovery plans. If you’re trying to restore your data and you only had a digital copy of your disaster recovery plans, that document is likely part of what was compromised, and you might have trouble getting access to it. By printing it out, you can easily have access to a detailed plan.
  • Don’t neglect your networking hardware. Backups aren’t just for operating systems, servers, and data but also for your switch configs, firewall configs, etc. so that you can quickly restore that hardware in case it goes down. Have a restore plan ready to replace the pieces of networking infrastructure if there is a failure on one of the components.
  • Consider having extra physical component backups or a place to source them. If you can have extra physical components, constantly test them, and make sure they’re usable for hot swaps when needed.
  • Audit data that may be saved in unexpected locations. Employees may save data in places that you might not have protected, so make sure you’re auditing every source on the network.
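
The non-failure alerts recommended in the first tip (last backup success, length of backups, new devices added, unexpected storage growth) can be evaluated over job history as follows. This is an added example, not NinjaOne code or its API: the `Job` fields, thresholds and device names are assumptions, and the job records are constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta
from statistics import median

@dataclass
class Job:
    device: str
    start: datetime
    minutes: float     # how long the job ran
    ok: bool           # job reported success
    stored_gb: float   # device's total backup storage after the job

def evaluate(jobs, known_devices, now, max_age=timedelta(hours=26),
             slow_factor=3.0, growth_factor=1.5):
    """Return (device, alert) pairs, ordered by device, for conditions
    that never produce a failure event."""
    history = {}
    for job in sorted(jobs, key=lambda j: j.start):
        history.setdefault(job.device, []).append(job)
    alerts = []
    for device in sorted(set(known_devices) | set(history)):
        good = [j for j in history.get(device, []) if j.ok]
        if device not in known_devices:
            alerts.append((device, "new-device"))
        # Last backup success: a silent agent never reports a failure.
        if not good or now - good[-1].start > max_age:
            alerts.append((device, "stale-success"))
        if len(good) >= 4:  # need a baseline before judging the latest run
            *baseline, latest = good
            if latest.minutes > slow_factor * median(j.minutes for j in baseline):
                alerts.append((device, "slow-backup"))
            if latest.stored_gb > growth_factor * median(j.stored_gb for j in baseline):
                alerts.append((device, "storage-spike"))
    return alerts

def daily(device, first_day, minutes, stored_gb):
    """Constructed sample data: one successful job per day at 01:00, May 2024."""
    return [Job(device, datetime(2024, 5, first_day + i, 1, 0), m, True, s)
            for i, (m, s) in enumerate(zip(minutes, stored_gb))]

def sample_alerts():
    known = {"ws-01", "ws-02", "srv-db", "srv-file"}  # ws-02 has never run a job
    jobs = (
        daily("ws-01", 6, [10, 11, 9, 10, 10], [40, 40, 41, 41, 41])
        + [Job("ws-01", datetime(2024, 5, 9, 0, 30), 2, False, 41)]  # failed, retried OK
        + daily("srv-db", 5, [60, 62, 61], [800, 805, 810])          # stops after 7 May
        + daily("srv-file", 6, [30, 32, 31, 29, 140], [500, 502, 505, 507, 910])
        + daily("lt-77", 10, [15], [20])                             # not in inventory
    )
    return evaluate(jobs, known, now=datetime(2024, 5, 10, 8, 0))

if __name__ == "__main__":
    for device, alert in sample_alerts():
        print(f"{device:9} {alert}")
```

In the sample, `srv-db` and `ws-02` raise alerts although neither has a failed job on record, and the one failed job (`ws-01`) raises none because its retry succeeded.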

Recovering After a Cyber Attack

Let’s say the worst has happened: your data was hit and suddenly hackers are demanding a ransom for your data. Paying the ransom is not an option, so how do you recover your data? Or, what if your credentials were stolen?

Unfortunately, with cybercrime always on the rise, organizations should plan for these events accordingly and know how to bounce back quickly.

  • Prepare a disaster recovery plan in advance. The best approach to recovery is to be prepared for attack at any moment. This may not be something you can do as disaster strikes, but if you have steps outlined ahead of time, it will make it easier to recover as much of your data as possible. Refer to the list above as well as this blog for tips on how to build out your full DR plan.
  • Determine the type of threat. With so many potential threats, organizations should know what they’re up against before trying to recover any data. For example, in Red Canary’s 2023 Detection Report, they list a variety of major threats, each one with different remediation methods. Because each threat is different, this information is crucial to determining your next steps on eradication. Depending on the extent and/or severity of the incident, you may need to enlist the help of external DFIR specialists. In some cases, your cyber insurance coverage may specify who those specialists should be and when they should be involved.
  • Isolate vulnerable and infected devices. First, assess the network to discover the extent of damage, finding affected systems and isolating them from the rest of the network. Have conversations with your IR and/or insurance provider up front to determine who will be responsible for what in terms of containment, eradication, and recovery. Make sure you have proper logging set up and that you know what not to do in order to properly preserve evidence. Have plans in place for a variety of scenarios. These incident response plan playbooks are great examples to build on.
  • Install security updates or patches. Many attackers will exploit major software vulnerabilities to force their way into your network, so you’ll need to scan your network for any unpatched vulnerabilities before proceeding to restoration.
  • Run security scans on backups. Many viruses can lie dormant on networks for months, so you’ll need to run scans on your backups to make sure that they’re not infected before restoring.
  • Recover your backups. Once you’ve quarantined the threat and ensured that your backups are safe, you can move on to restoration. This will depend on how the threat has affected your network, how quickly you need to restore data, how much data has been affected, and more. Recovery methods may include granular file-level recovery or complete system restoration.
  • Update all passwords and codes. Keep your organization safe from future attack by updating all of your passwords and security codes.
  • Run thorough vulnerability scans after recovery. Once recovered, you should comb carefully through your network to make sure the threat is properly eradicated. Again, threats can lie dormant so you should scan thoroughly to be sure your network is safe.
  • Document attack response and update your data recovery process. Unfortunately, since cyberattacks are always on the horizon, it’s important to document what happened and what steps you took to restore your data. This experience can help inform your disaster recovery process.

Additional Resources

To check out all of our backup guides, visit the Backup (Data Protection) section of the NinjaOne Dojo.
