Backing up a corporate Google Drive
With the ever-increasing frequency of ransomeware attacks, a client wished to implement a secure and reliable backup solution for a company-wide shared folder on their Google Workspace account.
Although several commercial solutions for this exist, they generally involve signing up for a monthly subscription. There can also be uncertainties about how secure a third-party's data storage may be, the more so as they are a very attractive target for cyber-criminals.
A custom, in-house solution was therefore developed:
- To manage the backup, at minimal extra cost to the client, a Raspberry Pi mini-computer was used, coupled with a 2TB external HDD.
- Using Rclone and a custom Google Cloud project, the company's shared google drive folder was mirrored to the local USB HDD each night.
- Using a custom shell script, daily backups were taken using Restic, both to the local HDD and to an off-site location.
- Finally the shell script was configured to send a summary email from the RPi to the local sysadmin, showing the files changed, the integrity of the backups and any errors.
Backup servers are a primary target for cyber-criminals and they will typically identify and destroy any online backups before deploying ransomeware. The RPi is chosen to present as small an attack surface as possible to an attacker, especially one without physical access.
However, even if it were to be compromised, the RPi+Restic setup makes it easy to take duplicate encrypted backups to a second USB drive, which can then be stored completely offline.
Depending on the sensitivity of the data, and how much damage a ransomware attack would cause, it would be quite feasible to have twelve “cold storage” HDDs and have a year's worth of completely untouchable backups available were the worst to happen.