Cloud
Build Your Fortress Against Threats with Backup Externalization on AWS
Oct 18, 2024
Today, companies increasingly prefer a multi-cloud (or hybrid cloud) approach, chiefly because of its benefits in terms of cost and resilience. However, this approach brings its own set of challenges, and among these, data protection plays a central role. To reinforce your cloud modernization strategy, backup externalization on AWS is essential; scroll down to discover why.
Multi-Cloud Strategy and Backup Externalization
Multi-cloud combines in complementary ways the use of several infrastructures, whether public or private, to meet your specific business needs.
This approach helps you optimize costs and improve the availability and resilience of your critical applications by relying on different providers. For example, some clouds may be better adapted to certain types of workloads than others. It is sometimes better to opt for a hybrid combination (private on-premises and public infrastructures), especially to exercise greater control over highly critical applications (BCAs).
Now, what about backups? Storing your backups on a single site can present risks. In the event of a major incident (crash, fire, etc.), you might be in danger of losing all your data. That’s what makes externalization such an important step.
Of course, there are several externalization solutions available, but in this article, we’ll be focusing on AWS solutions.
Backup externalization on AWS is a reliable and durable solution thanks to Amazon S3 (Simple Storage Service), its native object storage service. It offers various features, such as:
- Strong resilience (99.999999999% durability; statistically, it means losing one file in a million every ten years);
- Data immutability, with Object Lock;
- Transition to a Glacier-type storage class (tier) (optimizing costs in case of long-term backup retention needs);
- Secured data access;
- Versioning and retention policy management using S3 Lifecycle rules;
- Same-Region Replication (SRR): AWS automatically replicates the data in all the Availability Zones (AZ) in the same region;
- Cross-Region Replication (CRR);
- Data encryption;
- Etc.
Amazon S3 also offers MFA Delete (multi-factor authentication), which adds an extra layer of protection by requiring a confirmation from a separate device before anyone can delete an object version.
These features make Amazon S3 the ideal solution for backup storage and management, and the best tool to protect your company’s sensitive data.
Immutability: A Shield Against Ransomware Events
The immutability of AWS storage is based on the WORM model (write-once-read-many), which allows you to create immutable backups. S3 Object Lock offers two types of retention modes:
- Governance mode: In this mode, only users with special permissions can delete or modify objects.
- Compliance mode: In this mode, no one, not even AWS, can delete or modify an object during the selected retention period.
This immutability constitutes a highly effective protection against ransomware. Ransomware is a type of malicious software that encrypts your data until a ransom is paid. In this scenario, it would be unable to modify or delete objects that have been locked, such as your backups.
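To make the difference between the two retention modes concrete, here is an added example (not code from the original article or from AWS) that models the Object Lock rules described above in plain Python: a legal hold, a COMPLIANCE retention, and a GOVERNANCE retention that yields only to the bypass permission plus the bypass request header. The object keys, the clock and the "compromised account" scenario are constructed for the demo.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

GOVERNANCE = "GOVERNANCE"   # the two Mode values accepted by put_object_retention
COMPLIANCE = "COMPLIANCE"
NOW = datetime(2024, 10, 18, tzinfo=timezone.utc)   # constructed clock for the demo
DAY = timedelta(days=1)

@dataclass
class LockedObject:
    key: str
    mode: str                 # GOVERNANCE or COMPLIANCE
    retain_until: datetime    # the RetainUntilDate set on this object version
    legal_hold: bool = False  # legal hold is independent of the retention period

def can_delete_version(obj, now=NOW, has_bypass_permission=False, bypass_header=False):
    """Return (allowed, reason) for deleting one locked object version.
    A legal hold blocks deletion in either mode; COMPLIANCE retention cannot be
    overridden by any principal; GOVERNANCE retention yields only to a caller holding
    s3:BypassGovernanceRetention who also sends x-amz-bypass-governance-retention: true."""
    if obj.legal_hold:
        return False, "legal hold in place"
    if now >= obj.retain_until:
        return True, "retention period expired"
    if obj.mode == COMPLIANCE:
        return False, "COMPLIANCE retention active"
    if obj.mode == GOVERNANCE:
        if has_bypass_permission and bypass_header:
            return True, "GOVERNANCE retention bypassed"
        return False, "GOVERNANCE retention active (no bypass)"
    raise ValueError(f"unknown retention mode {obj.mode!r}")

def retention_change_allowed(obj, new_retain_until, has_bypass_permission=False, bypass_header=False):
    """Retention can always be extended; shortening needs the GOVERNANCE bypass
    and is never possible in COMPLIANCE mode."""
    if new_retain_until >= obj.retain_until:
        return True
    return obj.mode == GOVERNANCE and has_bypass_permission and bypass_header

def ransomware_scenario():
    """A compromised account with full S3 rights tries to wipe a 30-day backup."""
    backup = LockedObject("db/2024-10-17.bak", COMPLIANCE, NOW + 30 * DAY)
    return {
        "plain_delete": can_delete_version(backup)[0],
        "delete_with_bypass": can_delete_version(backup, NOW, True, True)[0],
        "shorten_retention": retention_change_allowed(backup, NOW + DAY, True, True),
        "extend_retention": retention_change_allowed(backup, NOW + 90 * DAY),
        "after_expiry": can_delete_version(backup, NOW + 31 * DAY)[0],
    }
```

The takeaway is that in COMPLIANCE mode even a fully privileged attacker can only extend the retention, never shorten it or delete the version, whereas GOVERNANCE mode is only as strong as the control you keep over the bypass permission.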
Building the Architecture: A Meticulous Implementation
When we build the architecture for backup externalization, we consider several factors. First, we determine if the client has an AWS account with a landing zone that’s connected to their on-premises infrastructure (hybrid cloud). If that’s not the case, we evaluate the connection options, for example with AWS DataSync.
Next, it’s important to ensure that the network interconnectivity is powerful enough to enable backup transfers within the allotted time, i.e., with a good RPO and without impacting the system performance during the backup process.
Choosing the encryption keys is another important point to consider at this stage. Finally, we implement a strict restricted access policy (principle of least privilege) and observability tools (monitoring, reports, etc.).
Various backup tools are compatible with Amazon S3, such as Veritas NetBackup, which can send your backups directly to an S3 bucket through its Media Server Deduplication Pool (MSDP). Other tools, such as Veeam or Commvault, also give you the possibility to interface with AWS storage services.
Moreover, many other AWS services can integrate with Amazon S3:
- IAM: For access management.
- Lambda and S3 Event Notifications: To verify backup consistency, for example.
- CloudWatch: For metrics analysis and setting alarms.
- CloudTrail: To track activity and analyze actions.
- GuardDuty Malware Protection for S3: To scan objects uploaded to the bucket for malware.
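As an added illustration of the CloudTrail bullet (example code, not from the article or from AWS), the following script runs a few detection rules over constructed S3 CloudTrail records for a backup bucket: it flags control-plane calls that weaken the protections listed above, bursts of successful deletes by one principal, and repeated AccessDenied deletes, which is what an attacker hitting Object Lock or MFA Delete looks like. The bucket name, account id and principal names are placeholders, and the set of eventName strings is assumed to match how CloudTrail names those S3 API calls.

```python
from collections import Counter

BACKUP_BUCKET = "example-backup-bucket"   # constructed placeholder bucket name

# eventName values that weaken the protections listed above (assumed to match
# how CloudTrail names the corresponding S3 API calls; both spellings kept).
WEAKENING_EVENTS = {
    "PutBucketLifecycle", "PutBucketLifecycleConfiguration", "DeleteBucketLifecycle",
    "PutBucketVersioning", "PutBucketPolicy", "DeleteBucketPolicy",
    "PutBucketObjectLockConfiguration", "PutObjectLockConfiguration",
}
DELETE_EVENTS = {"DeleteObject", "DeleteObjects"}

def analyze_backup_bucket(records, bucket=BACKUP_BUCKET, burst=3):
    """Scan CloudTrail records for the backup bucket and return findings as tuples."""
    findings, deletes, denied = [], Counter(), Counter()
    for rec in records:
        if rec.get("eventSource") != "s3.amazonaws.com":
            continue
        if rec.get("requestParameters", {}).get("bucketName") != bucket:
            continue
        who = rec.get("userIdentity", {}).get("arn", "unknown")
        name = rec.get("eventName")
        if name in WEAKENING_EVENTS:
            findings.append(("protection-weakened", name, who))
        elif name in DELETE_EVENTS:
            # AccessDenied on a delete is Object Lock or MFA Delete doing its job,
            # but repeated attempts point at a compromised or misused principal.
            (denied if rec.get("errorCode") == "AccessDenied" else deletes)[who] += 1
    findings += [("delete-burst", n, who) for who, n in deletes.items() if n >= burst]
    findings += [("blocked-delete-attempts", n, who) for who, n in denied.items()]
    return findings

def _rec(name, who, bucket=BACKUP_BUCKET, key=None, error=None):
    """Build a minimal constructed CloudTrail record (real records carry more fields)."""
    rec = {"eventSource": "s3.amazonaws.com", "eventName": name,
           "userIdentity": {"arn": f"arn:aws:iam::123456789012:{who}"},
           "requestParameters": {"bucketName": bucket}}
    if key:
        rec["requestParameters"]["key"] = key
    if error:
        rec["errorCode"] = error
    return rec

# Constructed sample: a normal backup write, then a compromised admin touching
# versioning and hammering DeleteObject against locked backups.
SAMPLE_RECORDS = [
    _rec("PutObject", "role/backup-writer", key="db/2024-10-18.bak"),
    _rec("PutBucketVersioning", "user/compromised-admin"),
    _rec("DeleteObject", "user/compromised-admin", key="db/2024-10-17.bak", error="AccessDenied"),
    _rec("DeleteObject", "user/compromised-admin", key="db/2024-10-16.bak", error="AccessDenied"),
    _rec("DeleteObject", "user/compromised-admin", key="db/2024-10-15.bak", error="AccessDenied"),
    _rec("DeleteObject", "user/compromised-admin", bucket="scratch-bucket", key="tmp.bin"),
]
```

In practice the same rules would be wired to a CloudWatch alarm or a Lambda subscribed to the trail, so that a weakened bucket configuration is noticed before the next backup window.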
oXya’s Expertise, at the Service of Your Strategy
With our expertise in hosting critical applications (BCAs), and our deep knowledge of hyperscalers, we’re your ideal partner to implement a robust architecture, with full support:
- A study of the most suitable AWS architecture, with a custom selection of tools and services (AWS DRS to facilitate the implementation of a recovery plan, and other native services).
- Implementation of the solution through our DevOps deployment stack and our infrastructure-as-code methodology.
- Our Cloud Managed Services include 24/7 monitoring, daily reports and regular FinOps consulting.
By combining AWS’ capabilities with oXya’s expertise, you’ll be building a fortress against threats and ensuring your resilience. Get in touch with our experts to find out more.