Recently, we conducted a thorough review of our storage and backup configurations, looking beyond just uptime to see how everything was set up. During this review, we discovered some issues like outdated access still active, backup settings that hadn't been updated in ages, and minor inconsistencies across different systems. It made me realize that just because something is working doesn't mean it's secure. I'm curious about how others handle their configuration reviews. Do you have a specific process for this, or is it more of an ad hoc approach?
2 Answers
It's a good idea to use standardized configurations across all systems. This ensures your backups are processed correctly. Implementing monitoring for all backup jobs is essential too, maybe through enforced services, so you get alerts if anything isn’t configured properly or if a backup fails. We use checkmk for monitoring our backups, whether done via scripts or other solutions. Just remember to monitor the systems where backups are stored as well!
It’s crucial to automate the deactivation of old accounts—maybe anything unused for 30-60 days should be disabled automatically. If you lack a process for archiving accounts, consider developing one with help from your legal team. If HR isn’t keeping you updated on personnel changes, definitely bring that up multiple times. As for backups, it’s not enough to just set them; test restoring them regularly to ensure they still work and keep an eye on your backup server’s space so you can sleep easy! Inconsistencies between systems are common; just ensure you have a documented baseline config that you can patch as needed—you're already ahead of the game compared to most.
Be cautious with automating the disabling of backup accounts. It could open a door for threat actors to disable your critical backup access. Monitoring would be a safer approach!
Totally agree, but don't just set it and forget it! Make sure to monitor everything: inactive accounts, backup jobs, and disk space. That way, you'll get alerts if something goes wrong instead of discovering issues later. We're currently using checkmk for monitoring, and it's worked great for us.