Strengthen Your Wall of Protection Against Threats with Backup Externalization on AWS
– Oct 18, 2024
Today, companies increasingly prefer a multi-cloud (or hybrid cloud) approach because of its benefits in cost efficiency and resilience. However, this approach also introduces challenges, with data protection playing a crucial role. To support your cloud modernization, externalizing backups on AWS is essential. Here's why.
Multi-Cloud Strategy and Backup Externalization
A multi-cloud strategy leverages multiple infrastructures, both public and private, to meet your specific business needs.
This approach helps optimize costs and enhances availability and resilience for your critical applications by utilizing different providers. For instance, some clouds are more suitable for particular workloads. In some cases, a hybrid setup (combining private on-premises and public infrastructures) offers better control over highly sensitive applications (BCAs).
What about backups? Storing backups on one site carries risks. In a major incident (e.g., a crash or fire), you could lose all data, making backup externalization a critical step.
While there are several externalization solutions available, this article focuses on AWS options.
Backup Externalization on AWS with Amazon S3
Amazon S3's native object storage service offers a reliable, durable solution with various features:
- High resilience (99.999999999% durability, which translates to the potential loss of one file per million every ten years)
- Data immutability, using Object Lock
- Cost-efficient Glacier storage class for long-term backups
- Secure data access
- S3 Lifecycle rules for versioning and retention policy management
- Same-Region Replication (SRR) to replicate data across Availability Zones within a region
- Cross-Region Replication (CRR)
- Data encryption
Amazon S3 also offers multi-factor authentication (MFA) for extra protection, requiring confirmation from a third-party device before object deletion.
These features make Amazon S3 an ideal solution for reliable data storage and management, ensuring sensitive data protection.
Immutability: A Defense Against Ransomware Events
AWS storage's immutability, based on the WORM (write-once-read-many) model, enables secure, unchangeable backups. S3 Object Lock offers:
- Governance mode: Only users with specific permissions can delete or alter objects.
- Compliance mode: Prevents deletion or modification of objects by anyone, including AWS, for a set retention period.
This immutability offers powerful protection against ransomware, which encrypts data for ransom. In this scenario, locked objects, like your backups, remain unaffected.
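The difference between the two modes can be checked before a bucket is trusted with backups. The following is an added example, not oXya's or AWS's code: it audits a bucket's settings, passed in the response shapes of the S3 GetObjectLockConfiguration and GetBucketVersioning calls, and lists principals whose IAM policy allows `s3:BypassGovernanceRetention`, the permission that overrides governance mode. The principal names, the `min_days` threshold and the finding strings are assumptions made for illustration.

```python
import fnmatch

BYPASS = "s3:BypassGovernanceRetention"  # permission that overrides governance mode

def _as_list(value):
    return value if isinstance(value, list) else [value]

def grants_bypass(policy):
    """True if any Allow statement's Action pattern matches BYPASS.
    Simplification: ignores NotAction, Resource, Condition and explicit Deny."""
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            # IAM action names are case-insensitive and accept * and ? wildcards.
            if fnmatch.fnmatchcase(BYPASS.lower(), pattern.lower()):
                return True
    return False

def audit_backup_bucket(lock_cfg, versioning, policies, min_days=30):
    """policies maps a principal name to its IAM policy document.
    min_days is an assumed minimum default retention, not an AWS default."""
    findings = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    retention = cfg.get("Rule", {}).get("DefaultRetention", {})
    mode = retention.get("Mode")
    days = retention.get("Days", 0) + 365 * retention.get("Years", 0)
    if versioning.get("Status") != "Enabled":
        findings.append("versioning-not-enabled")
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("object-lock-disabled")
    elif mode is None:
        findings.append("no-default-retention")
    elif days < min_days:
        findings.append(f"retention-too-short:{days}d")
    if mode == "GOVERNANCE":  # the lock is only as strong as the bypass list
        findings += [f"governance-bypass:{name}"
                     for name, doc in sorted(policies.items()) if grants_bypass(doc)]
    return findings

# Constructed sample data (not from any real account).
SAMPLE_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 14}}}}
SAMPLE_VERSIONING = {"Status": "Enabled"}
SAMPLE_POLICIES = {
    "backup-writer": {"Statement": [{"Effect": "Allow", "Action": ["s3:PutObject"]}]},
    "ops-admin": {"Statement": {"Effect": "Allow", "Action": "s3:*"}},
}

print(audit_backup_bucket(SAMPLE_LOCK, SAMPLE_VERSIONING, SAMPLE_POLICIES))
```

On the constructed sample, the audit reports the short retention and the `ops-admin` wildcard grant; the same bucket in compliance mode with a one-year default retention produces no findings.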
Building the Architecture: Key Considerations
When creating a backup externalization architecture, we assess several factors. First, we confirm whether the client has an AWS account with a landing zone connected to their on-premises infrastructure (hybrid cloud). If not, we evaluate options like AWS DataSync for connectivity.
Ensuring strong network interconnectivity allows for timely backups with optimal recovery points and minimal impact on system performance.
At this stage, we also address encryption key selection, implement least-privilege access policies, and add monitoring and reporting tools for observability.
Amazon S3 is compatible with various backup tools, such as Veritas NetBackup, which enables direct backups to an S3 bucket through its Deduplication Pool system (MSDP). Veeam and Commvault are other tools that integrate with AWS storage services.
Additional AWS Integrations for Amazon S3
- IAM: Manages access
- Lambda and S3 Event Notifications: Ensures backup consistency
- CloudWatch: Tracks metrics and sets alarms
- CloudTrail: Monitors activity and logs actions
- Malware Protection for S3: Detects malicious activity
oXya's Expertise: Supporting Your Strategy
With our deep knowledge of hyperscalers and experience hosting critical applications (BCAs), oXya is your ideal partner for designing a robust architecture with complete support:
- Tailored AWS architecture for tool and service selection (e.g., AWS DRS for recovery planning, and other native services).
- Solution deployment using our DevOps stack and our infrastructure-as-code methodology.
- 24/7 monitoring, regular reporting, and FinOps consulting through our Cloud Managed Services.
Combining AWS capabilities with oXya's expertise allows you to build a secure fortress against threats, strengthening your resilience. Get in touch with our experts to learn more.
