 Okay, hello, so my name is Mike Ausendorf from Barrios from Germany and We are here on the cyber security track and this talk is about Downloads and take your hostage be prepared by open source backups when it comes to talk about ransomware and other threats so We will talk about disaster recovery not only in respect of ransomware But in special and we will also cover the question why open source backups are crucial especially in this respect Lastly, we give an overview of the Barrios open source backup solution so Just to give an overview what threats do we have when we talk about data loss? We have things like physical damage, of course We have software failure we have user failure someone typing in this and the whole disk is lost, of course and then there is a mailware The screens that users get shown when they are hit by ransomware ransomware I think most of us know what it is But I just explained in a few words that is if you get some software on your computer that you definitely don't want there But this kind of software will encrypt all your data and then you have to buy a key To decrypt it again So in other words they have taken your hostage because they have your data They have all your work and you need to pay them to get a key to free you again So that's meant here by ransomware So these are just some threats that may affect you of course. There are many many more Especially the unknown the unexpected threats that we don't know so whatever might happen to destroy your data And it's always good to be prepared Just in case you are hit by known or even unknown threats so Just to distinguish a little bit the code the scope we are talking about to defend yourself against any kind of a text Of course, they are firewalls there are virus cameras there are intrusion detection and other stuff And this is of course important not the scope today. It's scope for other talks We are talking about resilience and disaster recovery So just in case that you were hit by some damaged attack whatever what are you doing then? Have you a chance to recover to get back to operational as soon as possible or in other words when we talk about backup What we are daily doing what we should daily do is to prepare us against any kind of a text And commandeer William T. Ryker said our daily routine is the unexpected So before we start to talk about backup of data. I want to show you another picture a little side trip Anybody knows what this picture shows? That's the entry to the so-called swarovard global seat vault. That's a Norwegian. It's a project funded by the Norwegian government and It hosts about 860,000 different seats of species and so the idea of that is To be prepared in kind of all kind of catastrophes That after that you can have all the seats to grow again food and to ensure nutrition and of course diversity so this picture on the left on the on the upper side shows the inside of that building someone storing stuff there and on the downside here that several lentil seats and There was the first use case of this seat vault in 2015 When we look to Saria and the Civil War in 2010 a local research center Ikada they had a large Repository of seats by themselves. They said okay. We have this war here growing and let's be safe Let's put at least a portion of it to turn Norwegian and then in 2011 they put a lot of it to Norwegian and in 2015 they decided to continue their research in another in another location I think it's Morocco and Then they retrieved stuff out of swarovard to grow again their seats and then after they got enough to continue the research work They send it again back to Norwegian. So this is just a good example of yeah I called it analog backups and also to Illustrate the importance of the concept of back up your backup. So one backup might not be enough It's good to have another one. So it's kind of backup replication. What's it did here? Okay, but let's go back to the to the digital work Sorry What's wrong with So So didn't understand Yeah, okay, so well in Norwegian guys they are auto guys they go climbing itself. They don't need letters or so Yeah Okay, okay some General backup guidelines back when we go come back to backup data. So all world here the digital work If you do backup in a network, you should definitely copy the data to another server So we had to boost you several days and had a lot of people coming in all I do my backup I copy my files regularly on Shared network drive or something. So what does this help you if you got attacked by ransomware? It will just encryption and could everything it can write to so it will also encrypt your network share So that doesn't work. So make Back up to dedicated backup servers and in the best case They are completely separated from the network by means of other ways to accessing it So let's let it only access by the network protocol itself And then I said before make backups of your backup So meaning replication and the best case to other media and other sites So what a lot of people do is back up to disk and then to tape And then you could put your tape to some external storage then you're on the pretty pretty safe side Some people said I must admit a lot of people ask, can I do back up to the cloud? Yes, you can but there are two things to consider First is if you back up to the cloud, please, please, please encrypt in any way Otherwise, you never know what these cloud people and cloud just means cloud is just a synonym for someone else's computer So you never know what those people are doing with your data. So encrypt it in any way And the other thing to consider is if you want to do long-term archiving Consider the cost of the space I mean cloud space is very easy. You can just get it. You fire it up. It's in a second It's there, but then you start paying and if you leave your data there for let's say 10 years This may sum up to some substantial sum And if you compare that to even the large investment into a tape library And the cost of tapes and the tape doesn't consume any energy Once it's written, you put it into a vault and it's there just being completely passive Not causing any more costs than for storage So you store to tape and then set to cloud when it comes to long-term storage And then if you find out so okay, my my backup space is growing Then you this might might be a little bit too late So you should start before you start your backup you start thinking about how long you have Do I really have to retain the data? Do I really have to be able to restore any file or the last 10 years from every version of every day? So maybe it's okay to if you go back further than one year that you say, okay It's it's enough to have monthly backups or even yearly backups after a while So if you consider this well, you might need a lot of less space for backup So but this this is just some some general guidelines Without looking too much to a security when we look Especially to the preparation against possible ransomware attacks So, um, yeah, I said before separate from the rest of your network Only access for backup protocol If possible read use read only mediums So there are special tapes called warm tapes right right once read many If you leave those in your library really nothing can can happen unless a bomb falls on it So but that's a different thread And if you're using backup data encryption for for your backup data Then there's of course some piece of information that Deserves special treatment and that is the encryption key. So First if you lose it you can't restore And if ransomware hits you and encrypts your encryption key Then all your backup data is also lost and you have no chance. So this is really crucial Make extra copies of it put it to CDs use B sticks Somewhat and to external place That's really important here Okay, and then again, if we think about long term availability And now we are coming to the way why it's crucial to use open source backup software So from a from a technical point of view If you think into the future Let's say in 10 years you want to make a restore of the tapes you have somewhere stored And then of course you need a piece of software to read those data from the tapes So one important thing is that The way the data is stored on the tape is an undocumented and open format So it doesn't help you if it's proprietary and you don't know what to do with it Then second there must of course be some kind of software to read the stuff you get in And the same is true for hardware drivers So let's say you have your tape and in 10 years you want to read it and you might find a tape That can read the tape, but then also you need a piece of hardware a computer that can connect to the tape So and with with drivers running on it So these are the technical things to consider And the other thing is if it comes to the software you're using Avoid a vendor lock in and that's not that rare as it as it seems to be There are Well, some easy ways per paper use when you need a restore Is something you have to consider for example, if you're using amazon glacier storage, which is Kind of economical, but when you have to restore you just need funding because then it becomes a little bit expensive So but that that can be solved with just money The other thing might not be solvable. So the software is not existent anymore. It might hit you deeper And then there are things limit limited usage allowances And some things really happen So a customer or potential customer called me They have with their company left a bigger group and those bigger group used to have a framework contract for a backup software vendor And then the company was sold This sold process was finished the sales guy of those proprietary software called him and said, hi You're not part of that group anymore. Our framework contract is not value. It does not apply here You have to pay some some hundred thousand dollars to continue to run your software Um, and if you don't do after the next start of the demon Software won't run and you can't do the restore So this is the kind of now that's definitely a vendor lock-in and I advise to try to avoid such lock ins Then there are models outside Kind of subscription models that have the obligation to delete the software If you decide not to continue pay a subscription fee and that of course means you can't access your data unless you pay So they are really caught by them Yeah, and what happens if a vendor of a software goes out of market and that is not only applicable to small companies Even larger companies may decide if we think about oracle to discontinue some certain kind of Projects or software and then you're you are there. So there's nothing that helps you if it's not open source You have no chance So and that's why open source is crucial for backups One thing is we have to distinguish between real open source Which means completely open source and things that call themselves open core or or something else Open core means you have some portion of the software that is open source And something else around it that is not And these kind of software combines the disadvantages of open source and proprietary source So it's no reason to use it because it's nothing else than proprietary source Or software if it comes to the question does it work for me? Do I have a vendor lock in can I use it in the future? So that didn't help doesn't help. So really what only helps is real open source. Then you really have no vendor lock in Even if the company behind a project may disappear The code is available and can be adapted The the worst that can happen to you is that you have to find somebody pay him to develop continued development Okay And the same is true of course for the for the operating system. So we talked about earlier About are you sure that you can connect your tape trust in the future to a computer? So if you are running on linux, you have a pretty good choice a pretty good chance that in the future You will have hardware drivers or someone being able to write your sum. So Operating system should be open source and the backup software as well And then you can be sure or not be sure, but then you are very well prepared if you think about data sovereignty Any questions so far No, okay Yeah, so Requirements summary 100% open source If you want to be extra prepared In regards of ransomware keep extra copies of your encryption keys. Oh, that's mandatory. Anyway separate backup data use backup replication as possible Use different media types warm medium as possible And make sure that you can easily access your backup data and it comes to a disaster For example, many people ask me can I run a backup server and invert your machine? Yes, you can But imagine what happens and the kind of a disaster before you can start your restore process You have to set up your hypervisor you the mvxm or whatever cluster So it's better to have the backup server as a dedicated machine And because that will be the first one that you're going to restore Um, and then or or recover and then you can start restoring your data your configuration whatever you have okay, so um Now coming to one possible solution and that is barrios. So the company I work for under the project So it's it's both. It's an open source project and a company behind it Um, technically barrios used to be or is a fork of the bacula org project with which is a little bit more Longer available. Uh, the fork was started around 2010. Um started with a collection of let's say patches that didn't make it into bacula and um in 2012 we decided to make an own project and an own company out of it to Yeah implement our own ideas speed up development and to Sustainably ensure that it stays open source. So we are committed to do 100% open source We had a first release in 2013 and since then yearly a new major version um Yeah, that is some of the things I've said before So no vendor login 100% open source um with Okay, making a fork is very easy on github. You just press fork and then you have a fork But that of course doesn't help anybody. So what we did is we really started to Look what features are missing. Uh, what can we do better by means of code organizing? So we did a lot of cleaner and refactoring We invented a python plugin interface to speed up the development of Yeah, let's let's call it agents that are able to back up special environments like vm there like databases like other applications We have a growing open source community an open storage format and one thing is we have A special tools to access the tapes So even if we have lost your barrier server, but you have you still got your tapes There are simple simple command line tools Which eases the disaster recovery or at least the first steps out of it to get your Your really servers back running Um, yeah, I've got like 10 minutes left. So I can show a little bit the the architecture overview So what barrios usually does is it can back up all your machines and your network So if you look to the left column here, that is what you can back up. So starting with linux unix windows mech clients and client could be a desktop or server doesn't matter We just install our agent there. Yeah little linux demon running And providing interfacing the barrier server, which is centrally configured And he connects secured by a shared secret and with the next version we will also automatically Start encryption with these shared secrets, which which you can already do by now But by now we have to do a lot of manual work to get it running encrypted With the next version it will be starting automatically Unless you decide not to use it, but normally people will use encryption So then everything is centrally configured here. It has a database and configuration files and there's a schedule which says What to backup from which computer at what time to what storage and the storage is here on the left side This could be just a simple file space on the backup server It can be tapes or tape changes and we support several kind of cloud storage So the first was gluster and sef And Meanwhile, we can also write to s3 compatible interfaces and Yeah, that that makes people think about funny things. We have a national archive from a european country They have digitized all their materials that they've collected over the centuries And they have said all stored on a on a gluster fs And they said okay, we want to have a backup of all this data, but using a different technology So they decided to make a backup from the gluster fs on a server storage So that can be done. You can also write it from a from a gluster storage on tape, for example So everything is possible there Okay, this is just to repeat for someone reading the slides in the future Some of the new features we've developed over the years one is hardware encryption So modern tape drives support Hardware subscription and you can just upload a key to the hardware drive and that's pretty fast And barrios manages all that we support for example client support Quota support and bandwidth limitation So if you don't have a dedicated network backup, for example, and you have to run your backups over daytime You maybe want to limit the bandwidth it can have to let other people continue to work We support in dmp that is used with big storages for example from net app We can do replication to other backup sites. We have several cloud interfaces We have a python plug-in interface, which makes it quite easy to develop plugins We have a nice multilingual and multi-tenon web UI. So when it comes to restore you have a web browser Maybe I can show you for a minute I know it's not there sorry Yeah, you have a file browser where you just can select Back restore all the files or just one or maybe a sub directory And has an api jason rpc. So you can Integrate it in your existing environment and automate for example, if you get new clients On your network, you can automatically create for this api the backup jobs for for these clients Or you can also start restore jobs using the api. So let's say if you have another already some kind of management software Or web Web UI for your users. You could integrate the restore process for example Okay, so the source code is always on github and you see the open build server to build installation packages and repositories for almost all major linux distributions For macOS we also use the open build server to make Windows installer packages And we have packages for solaris aix and so on and if we need something else just ask us and we may be able to Build packages free bsd is missing on that listed. Sorry, that's pretty new Also supported Okay, this is the picture of the vector browser. So on the left you have the the clients to choose from Here you can choose where to restore. So for example, if you have completely lost a machine Then you can restore to the data to just another machine And you can select where to restore so in the default case it will restore to Place below the temp directory But you can also just write a slash here and then it will go to the richom location of the file Okay, um, we are rated on Openhub which is a platform that analyzes open source projects. It just scans github and Makes analyzes over how many commits there are how long the contribution phase and so on and there we are Rated in the top two percent of all projects on github and then there's a In friend in in france. There is an inter governmental Working group on open source and they have set up a list with open source software They recommend to use for public administration in france and they're listed as I think that there are two backup solutions listed And one is barrios on that list Unfortunately, this line ends at the end of 2015 because then we decided to use mirrors for download But until then we had about every half a year Doubling the number of accesses to download barrios.org where the packages are and at the end of 2015 It was something about 102,000 Now 122 unique visitors on download barrios.org Well, this this of course also includes like debian clients looking if there are updates So we don't know the exact number what we see that it's until that time it doubled almost every half a year Some of the customers using us So one Case study which you can also find on the web Is the bavarian state archives and we have a lot of universities the max plancky zelchoft max planck society in germany And for all kind of industries So backup is something that everybody needs and it skates from very low always very Small implementations up to really large ones. So you can use it in your home office, but you can also use it in large organizations such as in public archives Okay, we offer services with our global partner network which has room for improvement as one of the reasons why we are here We are looking for open source minded service companies integrators that are interested to Deliver services around barrios other open source projects to their customers. So if you're interested just sent me an email um, here are all the contacts git Our buck tracker my email address and so on And here are and there's one thing There's a block story about the ransomware and barrios that i've written some some years ago There's a link you can read it for some more details then we have some picture credits And last if you find well backup is a cool Cool subject. I want to learn more. We have an annual conference in cologne September is a pretty good time to come to cologne, especially 26 this year when you see 10th anniversary Just feel free and get up here early but ticket. Sorry for the adaptation advertising here Okay, any questions Sorry If we lose what the catalogs the database That's that unless you have a copy so By default if you're installed barrios, it makes Every day every day. It's right. Yeah every day a backup of the catalog itself And if you want to have You can also have an extra copy sent to you by email or copy to other places But usually that will be the first task if if you lost everything, but you've got your tapes You can use these command line tools to find the the backup of the catalog and on the tape or other backup media Yes, there's a catalog on the tape and on second if you if you can't Restore your catalog. There are tools That can yeah kind of restore the catalog from the media So but that of course will involve some work because then you have to Put every media if it's a tape into the drive scan it But then it will this tools will fill in your catalog again with the information it finds on the backup media Okay, I have a question. Yeah