Timmy Malmgren

How does Azure Backup protect against data loss? | SEDC Blog


In today's ever-changing and threatening digital landscape, our data is more important than ever. How do we protect it against all kinds of data loss? In this blog post we take a look at Azure Backup and what kind of protection it offers against data loss! I will not cover how to set up and configure Azure Backup!

What is Azure Backup:

Azure Backup is Microsoft Azure's cloud-based backup service. It provides scalable and reliable data protection solutions for companies of all sizes. It offers central management, such as monitoring backup operations, configuring policies and troubleshooting, from a unified management interface. Its encryption is also compliant with ISO, HIPAA and GDPR; in the Azure Backup service, security is the priority!

So, what kind of features and functionality does Azure Backup actually offer that can help protect your data?

General features:

Well, first of all, Azure Backup, like any other backup tool, offers automated backups on a schedule without the need for any manual intervention. On top of this we can of course (and you should) have alerts configured to inform you if any backup job fails. This is where the monitoring also comes into play: using an Azure-native backup service enables you to have full control of the logs related to all resources and the backup logs for the same resources, ensuring an easy and reliable audit trail if/when you need it.

Azure Backup offers redundant data that you can span over different regions/data centers, just as other services do. This offers an easy and cost-effective way to ensure you're protected against hardware failures.

Another great feature is soft delete, which functions a little like a recycle bin. This feature is enabled by default and lets you recover deleted objects for 14 days. This setting can also be configured to span up to 180 days.

It offers incremental backups (as others do). This helps minimize backup duration and optimizes storage utilization by not constantly taking full backups and instead only looking at changes since the last backup.

Retention in Azure Backup varies depending on what kind of backup point you have configured (you can have multiple). In the picture below we see an example of an Azure Backup policy for virtual machines. For example, the maximum retention value for daily backups is 9999 days (around 27 years, probably enough for most use cases), and for yearly backups it's 99 years as the maximum value; anything in between goes. This gives us a very flexible retention configuration to fit most needs.

Azure Backup also extends its reach to on-premises data by installing the MARS (Microsoft Azure Recovery Services) agent on the servers, to ensure you have the same protection on-premises and can manage your backups through a single tool.


As stated before, Azure Backup offers robust encryption mechanisms and compliance with standards such as ISO, HIPAA and GDPR. But encryption only gets us so far, so how do we protect our data even further?

First off, Azure Backup uses role-based access control (RBAC) to ensure only authorized administrators have the right to manage or modify backups/backup policies. This of course reduces the risk that our data is compromised even further (both accidentally and intentionally). But Azure also has two other ways to increase the protection of your backups. One is to create a "Resource Guard" and use "Multi-user authorization"; with this configuration you can create a requirement for deleting your backups/service vaults, so a backup admin can't remove any backup without the authorization of another admin. Add Privileged Identity Management on top of these features and you have a robust way of protecting your data from malicious or accidental deletion. Side note: when it comes to accidental deletion, soft delete is of course a great protection, provided you know about the accident.

If all this still is not enough, there is one more setting that protects your backup data, and it is more powerful than all of the above (but also comes with a small drawback). You can enable "Immutable backup". This setting protects your data from deletion, and it does it so well that even you can't delete it anymore. This is of course the intention: selecting immutable backup and a retention period (let's say 30 days) makes it IMPOSSIBLE to remove/change this data for 30 days after removing the backup configuration. You can have the global admin keys to the kingdom, and it still will not work! This is one of the strongest protections you can have against data loss, since whether it is ransomware or someone deleting your data, they cannot alter or delete immutable backups! This is of course also the small drawback, since you will have to pay for the storage you're using during this time. So setting immutable backup to 7 years on all your backups might not be a great idea, but setting it to, let's say, 7 days (you can have different values for different systems) might save you in the future.
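The layers described above (RBAC, multi-user authorization, immutable backup, soft delete) can be read as a sequence of checks on a delete attempt. The following is an added example, not code from the original post or from Microsoft: a simplified model in which all class and field names are hypothetical, and a recovery point is assumed to count as immutable until it is older than the configured immutable retention.

```python
from dataclasses import dataclass

@dataclass
class Vault:                      # hypothetical model, not an Azure SDK type
    soft_delete_days: int = 14    # post: default 14, configurable up to 180
    mua_enabled: bool = False     # Resource Guard + multi-user authorization
    immutable_days: int = 0       # 0 = immutable backup not enabled

    def __post_init__(self):
        if not 14 <= self.soft_delete_days <= 180:
            raise ValueError("soft delete retention must be 14-180 days")

@dataclass
class DeleteAttempt:
    has_backup_role: bool         # RBAC role that may manage backups
    second_admin_approved: bool   # approval by another admin (MUA)
    point_age_days: int           # age of the targeted recovery point
    noticed_after_days: int       # days until the deletion is noticed

def outcome(vault: Vault, attempt: DeleteAttempt) -> str:
    """Walk the layers in order; the first one that stops the attempt wins."""
    if not attempt.has_backup_role:
        return "blocked: RBAC"
    # Immutability ignores who is asking, so it is checked before approvals.
    if attempt.point_age_days < vault.immutable_days:
        return "blocked: immutable"
    if vault.mua_enabled and not attempt.second_admin_approved:
        return "blocked: MUA"
    # The delete succeeded; soft delete only helps if someone notices in time.
    if attempt.noticed_after_days <= vault.soft_delete_days:
        return "deleted: recoverable"
    return "deleted: lost"

# Constructed scenario: one backup admin account acting alone, with the
# deletion noticed 20 days later.
lone_admin = DeleteAttempt(True, False, point_age_days=3, noticed_after_days=20)

def run_scenarios() -> dict:
    return {
        "defaults": outcome(Vault(), lone_admin),
        "soft delete 30d": outcome(Vault(soft_delete_days=30), lone_admin),
        "MUA": outcome(Vault(mua_enabled=True), lone_admin),
        "immutable 7d": outcome(Vault(immutable_days=7), lone_admin),
    }

if __name__ == "__main__":
    for name, result in run_scenarios().items():
        print(f"{name:16} {result}")
```

With the default 14-day soft delete and nothing else, a deletion noticed after 20 days is unrecoverable, which is the "provided you know about the accident" caveat in concrete form.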

Azure Backup Management:

This post is not really about the management of Azure Backup or a guide to how you should configure it, but I figured I'll just write a really short note about the management part.

As with most (if not all) backup solutions, we have a central management tool (service) called "Backup Center". Here we are greeted with an overview of our backup jobs, their status and our security assessment score (for our backups/vaults).

A simple and clean dashboard for backup center

From here we can click on the different highlighted links to get a more detailed view of, for example, the "completed" backups. These more detailed views show us the job and details like data sources, start time, runtime, status and so on.

In the left pane we can also navigate to get an overview of all our "backup instances", "backup policies" and our vaults.

The backup policy pane. You can of course also go into each backup policy and check/manage its settings from here.

In the left pane we can also check our backup compliance: "Azure policies for backup" shows us all built-in policies that have an Azure Backup setting/association, and "Protectable data sources" shows us all data sources that Azure Backup can manage but currently does not.

Besides this, Azure Backup offers alerts that can be configured for all kinds of backup-related events, such as backup status (often you want to know when a backup fails, of course).


Azure Backup offers a very robust data protection solution, in fact so strong that it can stop you from even deleting your data ;) (using immutable backup). Azure Backup provides extreme resilience with redundancy all over the world, immutable backup, alerts and attest-flows. This will ensure that your backup data remains invulnerable to tampering or encryption by ransomware attackers (and lets you sleep at night ;) ). So if you haven't already, you should dive deeper into what Azure has to offer!


