Nothing you said is wrong, in fact it’s all good advice. But none of what you listed implicitly provides protection against ransomware either.
For that you need backups that are immutable. That is, even you as the admin cannot alter, encrypt, or delete them because your threat model should assume full admin account compromise. There are several onprem solutions for it and most of the cloud providers offer immutable storage now too.
And at the very least, remove AD SSO from your backup software admin portals (and hypervisors); make your admins use a password safe.
You’re right, I forgot about that. Our backups require three people’s signoff to delete. Alter and encrypt I’m sure are the same, we’ve just never needed to do that as far as I’m aware.
Nothing you said is wrong, in fact it’s all good advice. But none of what you listed implicitly provides protection against ransomware either.
For that you need backups that are immutable. That is, even you as the admin cannot alter, encrypt, or delete them because your threat model should assume full admin account compromise. There are several onprem solutions for it and most of the cloud providers offer immutable storage now too.
And at the very least, remove AD SSO from your backup software admin portals (and hypervisors); make your admins use a password safe.
You’re right, I forgot about that. Our backups require three people’s signoff to delete. Alter and encrypt I’m sure are the same, we’ve just never needed to do that as far as I’m aware.