Whether you’re navigating HR issues, facing down litigation, or ensuring operational readiness in the face of uncertainty, you need to be ready to preserve your data. When the stakes are high, Legal Hold, a new feature in Backblaze Computer Backup with Enterprise Control, can help you stay ready.
Available today, Legal Hold gives administrators the power to preserve every version of a user’s backup with a single click. No extra hardware, no new software—all at the same flat-rate pricing of Backblaze Computer Backup with Enterprise Control.
Let’s dig into what Legal Hold is, its importance, and how Backblaze implements it to meet enterprise needs.
What is Legal Hold?
A legal hold, also known as a litigation hold, is a process that organizations use to preserve electronically stored information (ESI) when they face actual or anticipated litigation, audits, or investigations. It ensures that relevant data—such as emails, documents, and file backups—is not deleted, altered, or lost. Once enabled, Backblaze Computer Backup’s Legal Hold feature will preserve a user’s entire backup, including every historical version captured, with a single click.
A legal hold is typically triggered when an organization becomes aware of a legal claim or regulatory inquiry. Once in place, normal data retention policies are suspended for any affected data, ensuring it remains available for legal review.
How Backblaze Legal Hold helps you stay protected
At Backblaze, we’ve designed our Legal Hold for Computer Backup feature to be powerful, simple, and reliable. Here’s how it works:
Instant activation: Instantly activate Legal Hold in the Enterprise Control console without additional hardware or software.
Automated data preservation: Apply a Legal Hold to any user’s backup directly from your admin console. The backups are preserved in a fixed state, meaning no files can be altered or deleted—even by retention policies.
Remote and silent enforcement: Legal Holds are applied remotely without disrupting the user’s work, alerting the user, or requiring their involvement. The hold runs silently in the background with no downtime, throttling, or notifications on the endpoint.
Retention beyond the device: Even if the original device is lost, stolen, or wiped, all held data remains safely stored in Backblaze.
Secure by default: Encryption at rest and in transit with optional private key encryption available keeps data safe.
Why Legal Hold matters in 2025
In today’s landscape, Legal Hold isn’t just a “nice to have.” It’s a must-have for almost every organization:
Rising litigation and audits: Businesses face more legal scrutiny than ever—whether it’s an employee dispute, intellectual property (IP) protection, or a customer complaint.
Remote and hybrid workforces: With data scattered across devices and locations, you need a solution that protects endpoint backups no matter where the user is.
Cybersecurity incidents and data loss: Legal Hold ensures that even during a ransomware attack or internal breach, copies of critical data are preserved for investigation or recovery.
Cloud-first operations: Legal Hold needs to work where your data lives—securely in the cloud, always ready when you are.
Ready when you need it most
Now, any business using Backblaze Computer Backup with Enterprise Control can implement Legal Hold in just a few clicks—making it easier than ever to stay compliant, reduce legal risk, and prepare for the unexpected.
Already a customer? You can start using Legal Hold today. See our docs article or log in to your admin console.
Not yet on Backblaze? Reach out to our Sales team to start a free 15-day trial.
Mac admins have always understood the value of prioritizing Mac-native software to ensure performance and compatibility across their environments. With an integrated approach to data protection and device management from Backblaze and Kandji, you can now eliminate manual installations and deploy Backblaze with zero-touch across your entire Mac fleet, ensuring critical data is protected.
Simplifying Mac backup for remote and on-site IT teams
Whether your team is in the office or scattered across the globe, Backblaze’s cloud-based solution ensures your data is accessible and easily managed from anywhere.
Backblaze and Kandji’s solutions have already proven their value in Apple-focused IT environments.
Companies like Foojee, a managed IT provider specializing in Apple devices, rely on Kandji to deploy and manage those devices and Backblaze to protect their data. “We are always looking at best-of-breed apps for our customers, and we have never felt more proud of our product offering,” said Lucas Acosta, CEO of Foojee. “The three biggest benefits we have realized from Backblaze and Kandji are our time savings on our Help Desk, the increased security, and the increased reliability.”
This partnership builds on that success, enabling organizations to:
Deploy Backblaze effortlessly with Kandji: Automate installation and configuration of Backblaze on managed devices with Kandji’s workflows.
Enhance data security: Keep critical data protected with Backblaze’s secure, cloud-based backup service.
Scale with ease: Both platforms support organizations of any size, from startups to enterprises.
Reduce IT overhead: Streamline both device management and data protection with a unified platform.
Join the conversation
Interested in learning more? Join us on LinkedIn Live! Tune in for an in-depth discussion on how Backblaze and Kandji are helping organizations simplify and secure their Mac device management and data protection. Don’t miss out—save your spot today.
Get started
Interested in getting started? Contact our Sales team today to explore how Backblaze and Kandji can streamline your device management and data protection.
Mac usage has steadily increased in recent years, particularly in business. In the fourth quarter of 2023, Apple shipped 16.1 percent of all personal computer units in the United States, per Gartner. Moreover, IDC anticipates the number of Macs sold to business users worldwide will increase by 20% between 2023 and 2024. IDC also reports that 76% of IT decision makers believe Macs are more secure than other computers.
With this surge of Macs in the workplace and increased focus on security, IT administrators increasingly require mobile device management (MDM) to protect, secure, and manage these remote devices.
Today, we’re digging into all things Mac MDM, including best practices for implementing MDM in your enterprise and why it’s so important to seek out Mac-native tools to do so.
What is mobile device management (MDM)?
MDM enables you to securely manage and control Apple devices—such as iPhones, iPads, Macs, and Apple TVs—remotely. With MDM, IT administrators can configure devices, deploy apps, enforce security policies, manage updates, and track device inventory all from a centralized platform. For IT teams, the main purpose of MDM is to improve their management and control over their fleet of devices, especially devices that aren’t on-premises like those for remote workers.
How MDM works in practice
Device enrollment: A device is enrolled with the MDM server, either automatically through Automated Device Enrollment (ADE) for organization-owned devices, or by the user through manual setup, a QR code, or an enrollment URL. Jamf and Kandji are examples of MDM servers; Munki is an open-source software-deployment tool that is often paired with an MDM rather than an MDM itself.
Device configuration: MDM pushes settings (Wi-Fi, VPN, email), security policies (passcode, encryption), and apps to the device.
Ongoing management: MDM continuously monitors the device’s compliance with organizational policies and can enforce restrictions or trigger actions (like updating software, changing user permissions, etc.) when needed.
Device retirement: When a device is retired or a user leaves, the MDM can deprovision the device, sometimes wiping or restoring it to factory settings.
MDM solutions provide a centralized, scalable, and secure way to manage devices in an enterprise setting. This ensures consistency, enhances security, and simplifies IT administration.
What are some advantages of MDM for Macs?
Using MDM for Macs in an enterprise environment offers several advantages, particularly in terms of security, efficiency, and scalability. Here are some key benefits:
Enhanced security: Mac MDM tools are built on Apple’s management framework, and one of the most significant benefits of an MDM is its security controls. With features such as location tracking, remote data wiping, encryption enforcement, and strong authentication methods, MDM solutions protect businesses from cyber threats and unauthorized access. They allow you to enforce security settings like passcodes, encryption (FileVault), and password complexity requirements across all Macs. They also allow you to implement web security policies, blocking access to harmful sites, restricting app installations, controlling software updates, and preventing malicious downloads.
Centralized device management: You can automate enrollment and configure devices remotely, setting up Wi-Fi, VPN, email, and other necessary system preferences without user intervention. This functionality enables touchless deployment, allowing you to ship laptops directly to employees and enroll them remotely, without your IT team ever having to touch the machine. Mac admins can also assign custom configuration profiles to different user groups (e.g., for different departments), allowing flexible yet consistent policy enforcement.
Self-service: As you scale, it becomes increasingly important to limit rights on employee machines, depending on the department and the level of access they need. With MDM, you can populate a self-service portal where employees can access the software they need to do their jobs, including licensed and paid apps.
Streamlined app deployment and management: You can easily deploy apps from the Mac App Store or distribute custom internal apps, and then centralize automatic updates for those applications.
Efficient patch and update management: MDMs can schedule and enforce macOS updates, reducing vulnerabilities by ensuring all devices are running the latest versions. Automated and remote updates reduce the need for manual interventions and device downtime.
Bring Your Own Device (BYOD) support: MDM supports BYOD environments by providing a separation between personal and work data on the same machine, making it flexible for both company-owned and personal devices.
Challenges with Mac MDM
One of the challenges of managing Apple devices at scale is keeping the Mac operating system (macOS) updated across your fleet of machines. Apple has made changes to how that works over the years. As a Mac admin in a corporate environment, you have to balance conflicting demands—you need to make sure your fleet of machines is up to date and in compliance, but you also need to do so in a way that isn’t disruptive to end users, minimizes downtime, and avoids sudden unexpected reboots.
To answer this challenge, the open-source community has come together with solutions. Third-party, open source scripting can be leveraged within your MDM to allow you more flexibility and control over macOS updates, allowing you to expand user options for updates while at the same time setting deadlines for those updates to happen.
Another challenge of using MDM solutions is navigating the increasingly restrictive permissions introduced by Apple. Starting with macOS 10.14 (Mojave) and in updates since then, Apple extended its Transparency, Consent, and Control (TCC) framework to parts of the system it considers sensitive, such as protected user folders and other applications’ data. While these restrictions enhance user privacy and security, they also limit IT administrators’ control over devices. Applications that need broad access to the file system, like backup clients or anti-virus software, now require an explicit Full Disk Access grant that, by default, only the user can approve in System Settings.
Silently installing these types of apps now requires an additional component: a Privacy Preferences Policy Control (PPPC) payload in a configuration profile, delivered by the MDM, that grants Full Disk Access to the app. Only an MDM-delivered profile can grant this permission; a profile installed locally by the user cannot. The PPPC payload identifies the app by its bundle identifier and its code-signing requirement, so the grant applies only to the signed binary you intend. The tooling will differ depending on the MDM you’re using, but Jamf, for example, publishes the open-source PPPC Utility to help you create these profiles.
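As an added example (not code from Backblaze, Jamf, or any MDM vendor), the following Python script builds a PPPC configuration profile that grants Full Disk Access to a backup agent and includes a small review check an admin can run over any profile before uploading it. It uses only the standard-library plistlib module. The bundle identifier and code-signing requirement string are placeholders; in practice you read both from the real signed binary (for example with `codesign -dr - /path/to/App.app`) so that the grant is pinned to the vendor’s signature rather than to a bundle ID any binary could claim.

```python
"""Build a PPPC (Privacy Preferences Policy Control) configuration profile
that grants Full Disk Access to a backup agent, for MDM deployment.

Added example; not the page's or any vendor's own tooling.
"""
import plistlib
import uuid

# Placeholder values (hypothetical): replace with the bundle ID and the
# designated requirement read from the real signed app via
#   codesign -dr - /path/to/App.app
BACKUP_AGENT_BUNDLE_ID = "com.example.backupagent"
BACKUP_AGENT_CODE_REQUIREMENT = (
    'identifier "com.example.backupagent" and anchor apple generic and '
    'certificate leaf[subject.OU] = "EXAMPLE123"'
)

TCC_PAYLOAD_TYPE = "com.apple.TCC.configuration-profile-policy"


def pppc_payload(bundle_id: str, code_requirement: str) -> dict:
    """One PPPC payload allowing SystemPolicyAllFiles (Full Disk Access)
    for a single app, matched on bundle ID and pinned to its code signature."""
    return {
        "PayloadType": TCC_PAYLOAD_TYPE,
        "PayloadVersion": 1,
        "PayloadIdentifier": f"{bundle_id}.pppc",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Full Disk Access for backup agent",
        "Services": {
            "SystemPolicyAllFiles": [
                {
                    "Identifier": bundle_id,
                    "IdentifierType": "bundleID",
                    "CodeRequirement": code_requirement,
                    "Allowed": True,
                    # False: validate the running code's signature at runtime
                    "StaticCode": False,
                }
            ]
        },
    }


def build_profile(bundle_id: str, code_requirement: str,
                  org: str = "Example Corp") -> bytes:
    """Wrap the PPPC payload in a device-scoped configuration profile and
    serialize it as an XML plist, ready for upload to an MDM server."""
    profile = {
        "PayloadType": "Configuration",
        "PayloadVersion": 1,
        # TCC policy must be delivered at device (System) scope via MDM.
        "PayloadScope": "System",
        "PayloadIdentifier": f"{bundle_id}.fda-profile",
        "PayloadUUID": str(uuid.uuid4()).upper(),
        "PayloadDisplayName": "Backup agent Full Disk Access",
        "PayloadOrganization": org,
        "PayloadContent": [pppc_payload(bundle_id, code_requirement)],
    }
    return plistlib.dumps(profile)


def grants_full_disk_access(profile_bytes: bytes, bundle_id: str) -> bool:
    """Review check: True only if some PPPC payload allows SystemPolicyAllFiles
    for bundle_id AND pins it to a non-empty code requirement. A rule that
    matches on bundle ID alone is rejected, since bundle IDs are not
    authenticated."""
    profile = plistlib.loads(profile_bytes)
    for payload in profile.get("PayloadContent", []):
        if payload.get("PayloadType") != TCC_PAYLOAD_TYPE:
            continue
        rules = payload.get("Services", {}).get("SystemPolicyAllFiles", [])
        for rule in rules:
            if (rule.get("Identifier") == bundle_id
                    and rule.get("Allowed") is True
                    and bool(rule.get("CodeRequirement"))):
                return True
    return False


if __name__ == "__main__":
    data = build_profile(BACKUP_AGENT_BUNDLE_ID, BACKUP_AGENT_CODE_REQUIREMENT)
    print(data.decode())
    print("grants FDA:", grants_full_disk_access(data, BACKUP_AGENT_BUNDLE_ID))
```

Run it and upload the resulting .mobileconfig through your MDM as a device-scoped profile. The `grants_full_disk_access` check is deliberately strict: it returns False for a rule that names the bundle ID but has no code requirement, which is the configuration that would let any binary claiming that bundle ID inherit Full Disk Access.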
Best practices for Mac MDM
Managing Macs in an enterprise environment can be a complex task that can have a big impact. One of the biggest benefits of MDM is reducing IT workload. Centralized and automated management reduces the time and effort needed to configure and manage each Mac manually, allowing you to focus on more strategic tasks.
But, effective MDM requires some other building blocks to be in place before you can realize all of those advantages. Here are some best practices for Mac MDM:
Choose the right MDM solution
Find the right partner: Integrate with an MDM solution like Jamf or Kandji for streamlined device enrollment and management. Tools like Munki handle software deployment and pair well with an MDM, but are not a substitute for one.
Enrollment and purchasing: Ensure that the MDM solution supports Apple’s Device Enrollment Program (DEP) and Volume Purchase Program (VPP), now Automated Device Enrollment and Apps and Books in Apple Business Manager, to automate setup and app deployment, and ensure all devices are enrolled in the MDM system as soon as they are set up.
Enforce security policies
Passcode and encryption: Ensure all devices require strong passcodes and are encrypted with FileVault (for Mac) and native iOS encryption.
Multi-factor authentication (MFA): Enforce MFA for accessing corporate services and apps.
Remote lock/wipe: Enable the ability to lock or wipe devices remotely in case of theft or loss.
App management
Volume purchasing: Use Apple’s VPP to distribute apps and content centrally.
App allowlisting and blocklisting: Control which apps users can install on their devices, blocking potentially harmful or non-compliant apps.
App updates: Automate app updates to ensure security patches and features are deployed quickly.
User and group profiles
User profiles: Use custom profiles to set different policies for various roles within the organization (e.g., executives, developers, sales).
Configuration profiles: Set up policies for Wi-Fi, VPN, email, and other settings automatically based on user or group membership.
Data protection
Content filtering: Implement web content filtering and secure browsing rules.
Data loss prevention (DLP): Apply DLP policies to prevent sensitive corporate data from being shared through unapproved channels.
Automatic updates: Automate macOS updates and ensure compliance with the latest patches and versions.
Version control: Use MDM to control which versions of macOS and iOS are allowed in the organization to prevent untested or unsupported versions from being installed.
Monitor device compliance
Compliance uniformity: Set compliance rules for security (e.g., passcode policies, encryption) and regularly monitor devices for adherence.
Compliance monitoring: Use reporting and analytics tools built into your MDM solution to track compliance, app usage, and device health.
By following these best practices, you can efficiently manage and secure Mac devices within your organization while minimizing risks and ensuring a seamless experience for employees.
The importance of Mac-native apps
Mac-native apps provide a seamless and optimized experience that takes full advantage of the macOS ecosystem. Native apps are specifically designed to integrate with macOS, ensuring smoother performance, faster responsiveness, and a more intuitive user experience compared to non-native or cross-platform applications.
This integration often means that the apps are more efficient, utilize fewer system resources, and can easily interface with built-in macOS features such as Spotlight, Siri, and Notification Center. For IT administrators managing multiple Macs, the consistency of Mac-native apps helps minimize compatibility issues and ensures a uniform experience across all devices.
In addition, Mac-native apps typically offer better security and reliability, which is crucial for IT administrators overseeing corporate environments. Apple has a strict set of guidelines for app development, especially for apps available through the App Store. These guidelines emphasize security practices such as sandboxing, code-signing, and integration with macOS security features like Gatekeeper and XProtect.
This gives IT administrators confidence that Mac-native apps are less likely to pose security risks, reducing the chances of malware or vulnerabilities being introduced into the organization’s systems. Moreover, since native apps are built to work within Apple’s framework, they are generally more stable, reducing the risk of crashes or bugs that could disrupt workflows.
Furthermore, Mac-native apps support better integration with management and automation tools that are vital for IT administrators. These apps can be more easily deployed, managed, and updated through Apple MDMs.
Finally, native apps can often integrate with Apple’s scripting languages and automation tools like AppleScript and Automator, providing IT teams with more powerful options for customizing workflows, optimizing processes, and enhancing productivity across the organization. This level of control is essential for IT administrators looking to streamline their management tasks and ensure a high level of efficiency.
Having MDMs built native for Macs is critical for the success of IT management. That holds true for all software running on Macs, including backup software like Backblaze Computer Backup—you have to update permissions less frequently, you have access to more robust build possibilities, and it runs seamlessly in the background.
Are you using a Mac MDM tool?
Do you have a favorite MDM tool? Let us know in the comments. We love to hear how they’re working for you.
There’s a lot that goes into building a user-friendly, robust backup utility. When Backblaze set out to create one back in 2007, our goal was to make sure that users of all skill levels would have automatic, nearly continuous backups that could be restored on command. There were plenty of design decisions to be made, and one of the biggest was whether to implement our client in native code.
You might have seen us talk about this on our website and elsewhere, and we felt it was high time to dive into what that decision meant for our development, how it affected the way the Backblaze client works, and why we think it was an important decision and inflection point for Backblaze Computer Backup and our customers.
What is native code?
Each kind of computer central processing unit (CPU), such as Intel/AMD x86-64 or Apple Silicon (ARM64), has its own “machine language,” which is the set of instructions the CPU can understand and follow. These instructions are encoded in binary, and aren’t something people can read or write without great effort. When folks talk about native code, they typically mean a program that has been compiled ahead of time into the machine language of a particular CPU, so the CPU can “natively” execute it without another program translating on its behalf.
Compiled languages
To use a compiled language, developers write instructions into source code that’s easy for humans to read and edit. Then, they use a program aptly called a compiler to convert the source code into machine language for a particular kind of CPU. Examples of compiled languages are assembly (ASM), C, C++, Rust, Go, Swift, and Haskell.
Interpreted languages
Like with compiled languages, developers write programs in interpreted languages by writing instructions into source code files. But instead of converting those instructions into machine language, another program called an interpreter reads the source code and follows the instructions it contains without converting them to machine language. Common interpreted languages are things like Python, Ruby, BASIC, and PHP.
The line between compiled and interpreted languages is blurry. For example, Java is compiled to bytecode for a virtual machine, which then interprets that bytecode and compiles hot paths to machine code at runtime (a just-in-time, or JIT, compiler). In practice, though, the choice comes down to picking a language that suits a task’s requirements.
When and how do you use which type of code language(s)?
Well, pretty much anything anyone does on computers these days will take a combination of code languages. In some ways, the whole challenge of working with computers is bridging how humans communicate vs. how computers can process things.
If you were using a metaphor for the above, a compiled code language would represent someone who was raised to natively speak two languages, and could fluently curse in both languages.
By contrast, an interpreted language works like this: You’ve moved to a country where you’re not fluent in the language, but someone needs a thorough dressing-down. You write the insult in your own language, and an interpreter standing beside you translates it on the spot, consulting a dictionary of idioms so that the result lands with the same meaning. Without the interpreter, your attempt at offense (in this metaphor, a program!) fails, because no one can understand you.
To wit: While they mean similar things, “when pigs fly,” and “quand les poules auront des dents,” do not literally translate.
What are the benefits of using native code in a backup application?
Using native code in a backup application is, in our opinion, better for several reasons.
Permissions
When you’re writing in native code, you’re plugging in your program at a lower level than most applications. That gives you access to the kinds of APIs the native operating system (OS) uses. Because you’re in that level of integration with the operating system, it means that users have to update permissions less frequently, have access to more robust build possibilities for your client, and their backup client can seamlessly run in the background.
Efficiency: Build once, run everywhere
By building our backup client lower in the stack, so to speak, we can reuse the same work across platforms. Some runtimes, like the Java Virtual Machine, were built for exactly this purpose (“write once, run anywhere”), but using them would sacrifice some of the other benefits we’re outlining in this article.
Being fully in control of our common code, we can do this without interpreted language and still have the other advantages listed here. So, we can use the same base code for both our Mac and Windows clients, but then add modifications to the code on top of each to refine the clients. There may be slight differences between the operating system (OS) environments, but coding at the level of a compiled language like C++ means that we can adjust for those differences effectively.
Performance
Running native code typically results in better performance. That’s because there are fewer steps (for your computer) between understanding a program and running a program.
Backup programs run all the time in the background, and have to keep track of a lot of information. Backblaze’s native code does that using half to a tenth of the computing resources that a backup program written in an interpreted language would use. So, Backblaze won’t slow down or interrupt the other activities you’re doing with your computer.
Reducing software bloat and size of software
Also, since you don’t have to install interpreters (you know, your insult dictionary), native code applications are usually leaner and more performant on the system.
Eliminating risky third-party dependencies
Since they’re software, computer language interpreters have bugs and get new features, so they’re frequently updated. Sometimes an updated interpreter won’t run programs written for an older version of the language, or will cause a program to behave differently in an unexpected (read: “buggy”) way. Also, vendors have even changed licensing terms and started charging money for interpreters that had been free. Backblaze’s native code doesn’t have those problems.
Platform-standard user interface
Operating system vendors like Microsoft and Apple strongly encourage developers to write programs that use a platform-standard user interface “look-and-feel.” Programs that do that help users feel comfortable, minimize surprises, and support accessibility features like text-to-speech.
The most effective way to ensure a program’s user interface matches a platform’s standard look-and-feel is to use features built into the operating system, and those are typically only available to native code like Backblaze’s client.
What are the challenges of using native code in a backup application?
Nothing is perfect. What are the downsides to this approach?
Industry preference moving towards interpreted language/web apps
Has anyone else noticed that the world of development has changed recently? (No need to qualify that statement—it will be true tomorrow, tomorrow, and tomorrow again.)
As with any industry, tech’s (and developers’) favorite strategies for creating things and solving problems have changed over time.
There are various players in this space, including platforms (Mac, Windows, Linux), software (Adobe, Office), applications (Slack, the latest mobile game, your headphone utility client), and frankly, many things that skirt the boundaries of the above buckets. Executing any program, and particularly third-party applications, is a negotiation between operating systems’ publishers and the program/application’s developers.
Over time, those who sell computers and manage OSes have grown to prefer the lightweight development of application ecosystems. It lets them have more control over their platforms, and it gives developers a shorter time to deployment—as long as they play within the sandbox the OS has made available. OS publishers are attempting to anticipate the needs of program and app developers, but there are some types of utilities—and backup is one of them—that justifiably break standard rules. Giving access to all your files by default, for example, isn’t something you’d do for a social media application. However, in order to get a full and complete backup, a program does justifiably require that level of access.
Limited dev libraries
Given the preference of developers to move to web applications and interpreted languages (for good reason in some cases), many OSes are releasing less detailed support and/or technical documentation for some of their deeper-level tools. If you’re implementing in native code in today’s environment, you need both historical knowledge and ingenuity in house. Which leads us to our next point…
Expertise
We’re on board with the evolution of development—innovation is at the heart of our company—but for aspects of our backup client, we need developers with a deep understanding of compiled code languages and our supported ecosystems. And luckily, in any sufficiently large tech company, you’ll find folks specializing in different code languages and parts of the tech stack. That means we can spend more time nurturing and developing our internal talent rather than seeking it externally.
Hybrid approaches?
Hey, we’ve spent a whole article telling you why native code matters. But many folks agree that the future requires a hybrid approach, largely because of that gray area between compiled and interpreted languages we mentioned above. You can certainly see that in our style as well: our Mac client uses a combination of Objective-C, SwiftUI, and C++, for example.
The now and future Backblaze
The core functionality of our client depends on native code for very good design reasons, and they’re ultimately all about making things easier for our end users.
Overall, our design ideas are all centered on what it means to use Backblaze every day, regardless of an end user’s skill level. We want things to be simpler, and sometimes the questions we need to answer (how do I make sure the Backblaze client backs everything up?) are actually a tad more complicated upfront (the Backblaze client needs system permissions—and that means implementing it in native code), in that they require forethought and an investment of time and resources. But, we also prioritize the kind of thinking we can use over and over—so, even if we spend a little more time building native code, it’s an investment that has longevity. Put another way: Build once, run everywhere.
The move to a virtualized environment is a logical step for many companies. Yet, physical systems are still a major part of today’s IT environments even as virtualization becomes more commonplace. With ransomware on the rise, backups are more critical than ever whether you operate a physical or virtual environment, or both.
Catalogic provides robust protection solutions for both physical and virtual environments. Now, through a new partnership, Backblaze B2 Cloud Storage integrates seamlessly with Catalogic DPX, Catalogic’s enterprise data protection software, and CloudCasa by Catalogic, Catalogic’s Kubernetes backup solution, providing joint customers with a secure, fast, and scalable backup target.
Join Troy Liljedahl, Solutions Engineer Manager at Backblaze, and William Bush, Field CTO at Catalogic Software, as they demonstrate how easy it is to store your backups in cloud object storage and protect them with Object Lock.
The partnership enables companies to:
Protect enterprise environments and cloud native applications from ransomware via immutable, air-gapped backups.
Enable hybrid backup and cloud archive solutions to achieve a 3-2-1 backup strategy.
Back up both virtual and physical environments in a single cloud platform.
Restore single files or directories from VMware and Microsoft Hyper-V agentless backups.
Reduce restore times from hours to minutes.
“Backblaze and Catalogic together offer a powerful solution to provide cost-effective protection against ransomware and data loss. Instead of having to wait days to recover data from the cloud, Backblaze guarantees speed premiums with a 99.9% uptime SLA and no cold delays. We deliver high performance, S3-compatible, plug-n-play cloud object storage at a 75% lower cost than our competitors.”
—Nilay Patel, VP of Sales and Partnerships, Backblaze
The joint solution helps companies achieve immutability and compliance via Object Lock, ensuring backup and archive data can’t be deleted, overwritten, or altered for as long as the lock is set.
About Catalogic
Catalogic Software is a modern data protection company providing innovative backup and recovery solutions including its flagship DPX product, enabling IT organizations to protect, secure, and leverage their data. Catalogic’s CloudCasa offers cloud data protection, backup, and disaster recovery as a service for Kubernetes applications and cloud data services.
“Our new partnership with Backblaze ensures the most common backup and restore challenges such as ransomware protection, exceeding backup windows, and expensive tape maintenance costs are a thing of the past. The Backblaze B2 Cloud Storage platform provides a cost-effective, long-term storage solution allowing data to remain under an organization’s control for compliance or data governance reasons while also considering the ubiquity of ransomware and the importance of protecting against an attack.”
—Sathya Sankaran, COO, Catalogic
How to Get Started With Backblaze B2 + Catalogic
Backblaze B2 Cloud Storage integrates seamlessly with Catalogic DPX and CloudCasa to accelerate and achieve recovery time and recovery point objectives (RTO and RPO) SLAs, from DPX agent-based server backups, agentless VM backups, or direct filer backups via NDMP.
After creating your Backblaze B2 account if you don’t already have one, joint customers can select Backblaze B2 as their target backup destination in the Catalogic UI.
In the DPX console, navigate to the Devices tab.
In the CloudCasa console, navigate to My Storage and add storage.
Interested in Learning More?
Join us for a webinar on March 23, 2022 at 8 a.m. Pacific to discover how to back up and protect your enterprise environments and Kubernetes instances—register here.
According to the Cloud Native Computing Foundation’s annual survey, Kubernetes use in production has increased 300% since 2016 to 83% of respondents. There’s no doubt that a fundamental shift has taken place over the past few years—applications are being deployed in container environments and those deployments are being managed by Kubernetes.
But customers that are deploying Kubernetes environments need a new tool to protect all of that data. Purpose-built for Kubernetes, Kasten by Veeam is that tool.
Now, through a new partnership, joint Kasten and Backblaze customers will be able to name Backblaze B2 Cloud Storage as a storage destination where they can store and protect copies of their applications affordably.
This partnership enables developers to:
Back up and restore production stateful Kubernetes applications.
Safeguard application data from ransomware encryption with Object Lock for immutability.
Support regulatory compliance and corporate disaster recovery mandates.
“Kubernetes containers are the standard for many organizations building, deploying, and scaling applications with portability and efficiency. Backblaze and Kasten together offer a compelling solution to support these organizations’ business continuity needs with set-and-forget-it ease and cost effectiveness.”
—Nilay Patel, VP of Sales and Partnerships, Backblaze
The joint solution is fully scalable at enterprise grade. What’s more, organizations only pay for storage used, with no data retention penalties for deleting past backups.
About Kasten
Owned by Veeam, Kasten is an award-winning market leader in Kubernetes backup. Their product was built natively for containers, and the software-only solution runs directly on your cluster within its own namespace.
Together, Kasten and Backblaze provide a simple, seamless integration for shared customers, focusing on ease of use.
“Backup and protection are paramount in a world in which data is everything and cyberattacks continue to rise. The Backblaze-Kasten partnership offers the application protection and disaster recovery support companies seek, with flexibility and freedom to choose their preferred storage partner.”
—Gaurav Rishi, VP of Product, Kasten by Veeam
Customers can test the Kasten solution for free on clusters of 10 nodes or fewer. And Backblaze covers the first 10GB stored.
Data Protection That Scales With You
Kubernetes was built to provide scalability, giving businesses the flexibility to manage and optimize resources. Through this partnership, customers now have storage that matches that flexibility in Backblaze B2. With Backblaze, customers are able to scale their application backups as their applications scale.
Interested in learning more? Join us for a webinar on February 2, 2022 at 10 a.m. PST to discover how to add seamless ransomware protection to your Kubernetes environments—stay tuned for more details and a link to register. Or, if you are ready to future-proof your application, click here to get started today.
According to the latest State of Ransomware report from security firm Sophos, most organizations (73%) use backups to recover from a ransomware attack. In fact, only 4% of victims who paid ransoms actually got all of their data back, so companies are likely using backups to recover after attacks whether they pay ransoms or not.
Still, Sophos found that it took ransomware victims a month on average to recover from an attack. The lesson here: Backups are vital as part of a disaster recovery plan, but the actual “recovery”—how you get your business back online using that backup data—is just as important. Few businesses can survive the hit of weeks or months spent offline.
If you use Veeam to manage backups, recovering from ransomware is a whole lot easier. Using Backblaze Instant Recovery in Any Cloud, you can consider your disaster recovery playbook complete.
Enter: Backblaze Instant Recovery in Any Cloud
Backblaze Instant Recovery in Any Cloud is an infrastructure as code (IaC) package that makes ransomware recovery into a VMware/Hyper-V based cloud easy to plan for and execute.
Disaster recovery and business continuity planning typically elude otherwise savvy IT teams for one of two reasons:
The lift of recovery planning is put on the back burner by more immediate demands.
Disaster recovery solutions aren’t rightsized for your business.
With Instant Recovery in Any Cloud, businesses have an easy, flexible path to as-soon-as-possible disaster recovery, putting fast, affordable disaster recovery within reach for any IT team.
You can run a single command using an industry-standard automation tool to quickly bring up an orchestrated combination of on-demand servers, firewalls, networking, storage, and other infrastructure in phoenixNAP. The command draws data from Veeam® Backup & Replication backups immediately to your VMware/Hyper-V based environment, so businesses can get back online with minimal disruption or expense. Put simply, it’s an on-demand path to a rock solid disaster recovery plan that makes recovery planning accessible and appropriately provisioned for your business.
We’ll explain the why and how of this solution below.
“Most businesses know that backing up is critical for disaster recovery. But we see time and again that organizations under duress struggle with getting their systems back online, and that’s why Backblaze’s new solution can be a game changer.”
—Mark Potter, CISO, Backblaze
From 3-2-1 to Immutable Backups to Disaster Recovery
For many years, the 3-2-1 backup strategy was the gold standard for data protection, and its core principles remain true—keep multiple copies of data, maintain on-site copies for fast restores, and keep off-site copies for disaster recovery. However, bad actors have become much more sophisticated, targeting not just production data but backups as well.
The introduction of Object Lock functionality allowed businesses to protect their cloud backups from ransomware by making them immutable for a set retention period, during which even the administrator who set the lock can’t modify, encrypt, or delete the files. With immutable backups, you have a working, uncorrupted copy of your data to restore from in case of an attack.
But implementing immutable backups is only the first step. The critical second step is using that data to get your business back up and running. The time to get back to business after an attack often depends on how quickly backup data can be brought online—more than any other factor. That’s what makes disaster recovery planning so important, even though it’s one of those tasks that often gets put off when you’re putting out the next fire.
“For more than 400,000 Veeam customers, flexibility around disaster recovery options is essential. They need to know not only that their backups are safe, but that they’re practically usable in their time of need. We’re very happy to see Backblaze offering instant restore for all backups to VMware and Hyper-V based cloud offerings to help our joint customers thrive during challenging times.”
—Andreas Neufert, Vice President of Product Management, Alliances, Veeam.
Disaster Recovery That Fits Your Needs
If you’ve done any research into disaster recovery planning services, you’ve probably noticed that most plans are built for enterprise customers with enterprise budgets. You typically pay for compute functionality on an ongoing basis so you can quickly spin up a server in case of an attack. Those compute servers essentially sit idle as an “insurance policy.” Instant Recovery in Any Cloud opens disaster recovery to a huge number of businesses that were left without affordable solutions.
Instead of paying for compute servers you’re not using, Backblaze Instant Recovery in Any Cloud allows you to provision compute power on demand in a VMware and Hyper-V based cloud. The capacity is always there from Backblaze and phoenixNAP, but you don’t pay for it until you need it.
You can also spin up a server in any compute environment you prefer, allowing you to implement a multi-cloud, vendor-agnostic disaster recovery approach rather than relying on just one platform or vendor. The solution is written to work with phoenixNAP, and can be customized for other compute providers without difficulty.
Finally, because the recovery is entirely cloud based, you can execute your recovery plan from anywhere you’re able to access your accounts. Even if your whole network is down, you can still get your recovery plan rolling.
For busy IT teams, this is essentially a cut and paste setup—an incredibly small amount of work to architect a recovery plan.
How It Works and What You Need
Instant Recovery in Any Cloud works through a pre-built code package your staff can use to create a digital mirror image of your on-premises infrastructure. The code package is built in Ansible, an open-source tool which enables IaC. Running an Ansible playbook allows you to provision and configure infrastructure and deploy applications as needed. All components are pre-configured within the script. In order to get started, you can find the appropriate instructions on our GitHub page.
If you haven’t already, you also need to set up Backblaze B2 Cloud Storage as part of a Scale-out Backup Repository with Immutability in Veeam using the Backblaze S3 Compatible API, and your data needs to be backed up securely before deploying the command.
If you follow the latest ransomware developments, you know disaster recovery is something your business needs now more than ever. With tools like Object Lock and Backblaze Instant Recovery in Any Cloud, it doesn’t have to be complicated and costly. Protect your backups with Object Lock immutability, and keep the Ansible playbook and instructions on hand as part of a bigger ransomware recovery plan so that you’re ready in the event of an attack. Simply spin up servers and restore backups in a safe environment to minimize disruption to your business.
When it comes to having a backup plan, Navy SEALs go by the rule that “Two is one and one is none.” They’re not often one-upped, but in the world of computer backup, even two is none. The gold standard until recently has been the 3-2-1 rule—three copies of your data on two different media with one copy stored off-site.
The 3-2-1 rule still has value, especially for individuals who aren’t backing up at all. But today, the gold standard is evolving. In this post, we’ll explain why 3-2-1 is being replaced by more comprehensive strategies; we’ll look at the difference between the 3-2-1 rule and emerging rules, including 3-2-1-1-0 and 4-3-2; and we’ll help you decide which is best for you.
Why Is the 3-2-1 Backup Strategy Falling Out of Favor?
When the 3-2-1 backup strategy gained prominence, the world looked a lot different than it does today, technology-wise. The rule is thought to have originated in the world of photography in Peter Krogh’s 2009 book, “The DAM Book: Digital Asset Management for Photographers.” At that time, tape backups were still widely used, especially at the enterprise level, due to their low cost, capacity, and longevity.
The 3-2-1 strategy improved upon existing practices of making one copy of your data on tape and keeping it off-site. It advised keeping three copies of your data (e.g., one primary copy and two backups) on two different media (e.g., the primary copy on an internal hard disk, a backup copy on tape, and an additional backup copy on an external HDD or tape) with one copy off-site (likely the tape backup).
Before cloud storage was widely available, getting the third copy off-site usually involved hiring a storage service to pick up and store the tapes or physically driving them to an off-site location. (One of our co-founders used to mail a copy of his backup to his brother.) This meant off-site tape backups were “air-gapped,” that is, physically separated from the network that stored the primary copy by a literal gap of air. If the primary copy or on-site backup became corrupted or compromised, the off-site backup could be used for a restore.
As storage technology has evolved, the 3-2-1 backup strategy has gotten a little…cloudy. A company might employ a NAS device or SAN to store backups on-site, which is then backed up to object storage in the cloud. An individual might employ a 3-2-1 strategy by backing up their computer to an external hard drive as well as the cloud.
While a 3-2-1 strategy with off-site copies stored in the cloud works well for events like a natural disaster or accidental deletion, it lost the air gap that tape provided. Cloud backups are reachable over the network from production systems, and therefore from an attacker who has compromised those systems or the credentials they use.
Ransomware: The Driver for Stronger Backup Strategies
With as many high-profile ransomware incidents as the past few months have seen, it shouldn’t be news to anyone that ransomware is on the rise. Ransom demands hit an all-time high of $50 million in 2021 so far, and attacks like the ones on Colonial Pipeline and JBS Foods threatened gas and food supply chains. In their 2021 report, “Detect, Protect, Recover: How Modern Backup Applications Can Protect You From Ransomware,” Gartner predicted that at least 75% of IT organizations will face one or more attacks by 2025.
Backups are meant to be a company’s saving grace in the event of a ransomware attack, but they only work if they’re not compromised. And hackers know this. Ransomware operators like Sodinokibi, the outfit responsible for attacks on JBS Foods, Acer, and Quanta, are now going after backups in addition to production data.
Cloud backups are often tied to a company’s Active Directory, and they’re frequently not isolated from the production network at all. Once attackers compromise one machine on the network, they move laterally, hunting for admin credentials with keyloggers, phishing, or simply by reading documentation stored on servers. With domain admin credentials, they can dump every credential in Active Directory and use them to reach any backup system that authenticates through it.
Is a 3-2-1 Backup Strategy Still Viable?
As emerging technology has changed the way backup strategies are implemented, the core principles of a 3-2-1 backup strategy still hold up:
You should have multiple copies of your data.
Copies should be geographically distanced.
One or more copies should be readily accessible for quick recoveries in the event of a physical disaster or accidental deletion.
But, they need to account for an additional layer of protection: One or more copies should be physically or virtually isolated in the event of a digital disaster like ransomware that targets all of their data, including backups.
What Backup Strategies Are Replacing 3-2-1?
A 3-2-1 backup strategy is still viable, but more extensive, comprehensive strategies exist that make up for the vulnerabilities introduced by connectivity. While not as catchy as 3-2-1, strategies like 3-2-1-1-0 and 4-3-2 offer more protection in the era of cloud backups and ransomware.
What Is 3-2-1-1-0?
A 3-2-1-1-0 strategy stipulates that you:
Maintain at least three copies of business data.
Store data on at least two different types of storage media.
Keep one copy of the backups in an off-site location.
Keep one copy of the media offline or air gapped.
Ensure all recoverability solutions have zero errors.
The 3-2-1-1-0 method reintroduced the idea of an offline or air gapped copy—either tape backups stored off-site as originally intended in 3-2-1, or cloud backups stored with immutability, meaning the data cannot be modified or changed.
If your company uses a backup software provider like Veeam, storing cloud backups with immutability can be accomplished by using Object Lock. Object Lock is a powerful backup protection tool that prevents a file from being altered or deleted until a given date. Only a few storage platforms currently offer the feature, but if your provider is one of them, you can enable Object Lock and specify the length of time an object should be locked in the storage provider’s user interface or by using API calls.
When Object Lock is set on data, any attempts to manipulate, encrypt, change, or delete the file will fail during that time. The files may be accessed, but no one can change them, including the file owner or whoever set the Object Lock and—most importantly—any hacker that happens upon the credentials of that person.
The 3-2-1-1-0 strategy goes a step further to require that backups are stored with zero errors. This includes data monitoring on a daily basis, correcting for any errors as soon as they’re identified, and regularly performing restore tests.
A strategy like 3-2-1-1-0 offers the protection of air gapped backups with the added fidelity of more rigorous monitoring and testing.
What Is 4-3-2?
If your data is being managed by a disaster recovery expert like Continuity Centers, for example, your backups may be subscribing to the 4-3-2 rule:
Four copies of your data.
Data in three locations (on-prem with you, on-prem with an MSP like Continuity Centers, and stored with a cloud provider).
Two locations for your data are off-site.
Continuity Centers’ CEO, Greg Tellone, explained the benefits of this strategy in a session with Backblaze’s VP of Sales, Nilay Patel, at VeeamON 2021, Veeam’s annual conference. A 4-3-2 strategy means backups are duplicated and geographically distant to offer protection from events like natural disasters. Backups are also stored on two separate networks, isolating them from production networks in the event they’re compromised. Finally, backup copies are stored with immutability, protecting them from deletion or encryption should a hacker gain access to systems.
Which Backup Strategy Is Right for You?
First, any backup strategy is better than no backup strategy. As long as it meets the core principles of 3-2-1 backup, you can still get your data back in the event of a natural disaster, a lost laptop, or an accidental deletion. To summarize, that means:
Keeping multiple copies of your data—at least three.
Storing copies of your data in geographically separate locations.
Keeping at least one copy on-site for quick recoveries.
With tools like Object Lock, you can apply the principles of 3-2-1-1-0 or 4-3-2, giving your data an additional layer of protection by virtually isolating it so it can’t be deleted or encrypted for a specific time. In the unfortunate event that you are attacked by ransomware, backups protected with Object Lock allow you to recover.
Ben Young works for vBridge, a cloud service provider in New Zealand. He specializes in the automation and integration of a broad range of cloud & virtualization technologies. Ben is also a member of the Veeam® Vanguard program, Veeam’s top-level influencer community. (He is not an employee of Veeam). Because Backblaze’s new S3 Compatible APIs enable Backblaze B2 Cloud Storage as an endpoint in the Veeam ecosystem, we reached out to Ben, in his role as a Veeam Vanguard, to break down some common use cases for us. If you’re working with Veeam and Microsoft 365, this post from Ben could help save you some time and headaches.
—Natasha Rabinov, Backblaze
Backing Up Microsoft Office 365 via Veeam in Backblaze B2 Cloud Storage
Veeam Backup for Microsoft Office 365 v4 included a number of enhancements, one of which was the support for object-based repositories. This is a common trend for new Veeam product releases. The flagship Veeam Backup & Replication product now supports a growing number of object enabled capabilities.
So, why object storage over block-based repositories? There are a number of reasons but scalability is, I believe, the biggest. These platforms are designed to handle petabytes of data with very good durability, and object storage is better suited to that task.
With the data scalability sorted, you only need to worry about monitoring and scaling out the compute workload of the proxy servers (worker nodes). Did I mention you no longer need to juggle data moves between repositories?! These enhancements create a number of opportunities to simplify your workflows.
So naturally, with the recent announcement from Backblaze saying they now have S3 Compatible API support, I wanted to try it out with Veeam Backup for Microsoft Office 365.
Let’s get started. You will need:
A Backblaze B2 account: You can create one here for free. The first 10GB are complimentary so you can give this a go without even entering a credit card.
A Veeam Backup for Microsoft Office 365 environment setup: You can also get this for free (up to 10 users) with their Community Edition.
An organization connected to the Veeam Backup for Microsoft Office 365 environment: View the options and how-to guide here.
Configuring Your B2 Cloud Storage Bucket
In the Backblaze B2 console, you need to create a bucket. If you already have one, you may notice that there is a blank entry next to “endpoint.” This is because buckets created before May 4, 2020 cannot be used with the Backblaze S3 Compatible APIs.
So, let’s create a new bucket. I used “VeeamBackupO365.”
This bucket will now appear with an S3 endpoint, which we will need for use in Veeam Backup for Microsoft Office 365.
Before you can use the new bucket, you’ll need to create some application keys/credentials. Head into the App Keys settings in Backblaze and select “create new.” Fill out your desired settings and, as good practice, make sure you only give access to this bucket, or the buckets you want to be accessible.
Your application key(s) will now appear. Make sure to save these keys somewhere secure, such as a password manager, as they only will appear once. You should also keep them accessible now as you are going to need them shortly.
The Backblaze setup is now done.
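The “only give access to this bucket” advice above is the step most worth automating and checking, since the application key is what Veeam stores and what an attacker who compromises the backup server would steal. As an added example (not part of Ben’s post, and not Backblaze’s or Veeam’s code), the script below mints a bucket-restricted key through the B2 native API instead of the console. It assumes the v2 endpoints b2_authorize_account, b2_list_buckets and b2_create_key, the capability names Backblaze documents for bucket-scoped keys, and a master key in the B2_MASTER_KEY_ID / B2_MASTER_KEY environment variables; the denied-capability list is this example’s own policy, not a Backblaze default.

```python
"""Create a bucket-restricted Backblaze B2 application key for a backup product.

Added example, not Backblaze's or Veeam's code. Assumes the B2 native API v2
calls b2_authorize_account, b2_list_buckets and b2_create_key, and that
B2_MASTER_KEY_ID / B2_MASTER_KEY hold a key allowed to create keys.
"""
import base64
import json
import os
import urllib.request

API_BASE = "https://api.backblazeb2.com/b2api/v2"

# Capabilities a backup repository key must never carry (example policy):
# key management and bucket deletion are account-wide powers, and
# bypassGovernance would let a stolen key lift governance-mode locks.
DENIED_CAPS = {
    "listKeys", "writeKeys", "deleteKeys",
    "writeBuckets", "deleteBuckets", "bypassGovernance",
}

# What a repository needs: enumerate, read, write and (once locks expire)
# delete its own files, plus read/write retention when Object Lock is in use.
# Assumed set; trim it if your product needs less.
REPO_CAPS = [
    "listBuckets", "listFiles", "readFiles", "writeFiles", "deleteFiles",
    "readBucketRetentions", "readFileRetentions", "writeFileRetentions",
]


def create_key_body(account_id, bucket_id, key_name, capabilities=REPO_CAPS):
    """Build the b2_create_key request body, enforcing least privilege.

    Raises ValueError if the key is not pinned to one bucket or if any
    denied capability is requested.
    """
    if not bucket_id:
        raise ValueError("refusing to create an account-wide key for a backup repository")
    bad = DENIED_CAPS.intersection(capabilities)
    if bad:
        raise ValueError(f"capabilities not allowed on a backup key: {sorted(bad)}")
    if len(set(capabilities)) != len(capabilities):
        raise ValueError("duplicate capabilities")
    return {
        "accountId": account_id,
        "bucketId": bucket_id,
        "keyName": key_name,
        "capabilities": list(capabilities),
    }


def _post_json(url, token, body):
    req = urllib.request.Request(
        url, data=json.dumps(body).encode(), method="POST",
        headers={"Authorization": token, "Content-Type": "application/json"},
    )
    with urllib.request.urlopen(req, timeout=30) as resp:
        return json.load(resp)


def authorize(master_key_id, master_key):
    """b2_authorize_account: returns (accountId, apiUrl, authorizationToken)."""
    basic = base64.b64encode(f"{master_key_id}:{master_key}".encode()).decode()
    req = urllib.request.Request(f"{API_BASE}/b2_authorize_account",
                                 headers={"Authorization": f"Basic {basic}"})
    with urllib.request.urlopen(req, timeout=30) as resp:
        auth = json.load(resp)
    return auth["accountId"], auth["apiUrl"], auth["authorizationToken"]


def bucket_id_for(api_url, token, account_id, bucket_name):
    """Resolve a bucket name to its bucketId via b2_list_buckets."""
    data = _post_json(f"{api_url}/b2api/v2/b2_list_buckets", token,
                      {"accountId": account_id, "bucketName": bucket_name})
    buckets = data["buckets"]
    if len(buckets) != 1:
        raise LookupError(f"bucket {bucket_name!r} not found")
    return buckets[0]["bucketId"]


def create_restricted_key(bucket_name, key_name):
    """Authorize, resolve the bucket, and mint the scoped key (network call).

    B2 shows the secret exactly once, so store the result in a password
    manager right away, just as with the console flow.
    """
    account_id, api_url, token = authorize(os.environ["B2_MASTER_KEY_ID"],
                                           os.environ["B2_MASTER_KEY"])
    bucket_id = bucket_id_for(api_url, token, account_id, bucket_name)
    body = create_key_body(account_id, bucket_id, key_name)
    resp = _post_json(f"{api_url}/b2api/v2/b2_create_key", token, body)
    return resp["applicationKeyId"], resp["applicationKey"]


if __name__ == "__main__":
    key_id, secret = create_restricted_key("VeeamBackupO365", "veeam-vbo365")
    print("App Key ID:", key_id)
    print("Secret (shown once):", secret)
```

The policy check lives in create_key_body so it can be unit-tested without touching the API; the network functions are only exercised when the script is run directly with real credentials.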
Configuring Your Veeam Backup
Now you’ll need to head over to your Veeam Backup for Microsoft Office 365 Console.
Note: You could also achieve all of this via PowerShell or the RESTful API included with this product if you wanted to automate.
It is time to create a new backup repository in Veeam. Click into your Backup Infrastructure panel and add a new backup repository and give it a name…
…Then select the “S3 Compatible” option:
Enter the S3 endpoint you generated earlier in the Backblaze console into the Service endpoint on the Veeam wizard. This will be something along the lines of: s3.*.backblazeb2.com.
Now select “Add Credential,” and enter the App Key ID and Secret that you generated as part of the Backblaze setup.
With your new credentials selected, hit “Next.” Your bucket(s) will now show up. Select your desired backup bucket—in this case I’m selecting the one I created earlier: “VeeamBackupO365.” Now you need to browse for a folder which Veeam will use as its root folder to base the backups from. If this is a new bucket, you will need to create one via the Veeam console like I did below, called “Data.”
If you are curious, you can take a quick look back in your Backblaze account, after hitting “Next,” to confirm that Veeam has created the folder you entered, plus some additional parent folders, as you can see in the example below:
Now you can select your desired retention. Remember, all jobs targeting this repository will use this retention setting, so if you need a different retention for, say, Exchange and OneDrive, you will need two different repositories and you will need to target each job appropriately.
Once you’ve selected your retention, the repository is ready for use and can be used for backup jobs.
Now you can create a new backup job. For this demo, I am going to only back up my user account. The target will be our new repository backed by Backblaze S3 Compatible storage. The wizard walks users through this process.
Giving the backup job a name.
Select your entire organization or desired users/groups and what to process (Exchange, OneDrive, and/or SharePoint).
Select the object-backed backblazeb2-s3 backup repository you created.
That is it! Right click and run the job—you can see it starting to process your organization.
As this is the first job you’ve run, it may take some time, and you might notice it slowing down. The slowdown comes from Microsoft throttling the rate at which data can be pulled out of O365. Veeam is smart enough to work around this: when it detects throttling it jumps across and starts on a new user, then loops back to the others, so your jobs finish as quickly as possible.
While this is running, if you open up Backblaze again you will see the usage starting to show.
Done and Done
And there it is—a fully functional backup of your Microsoft Office 365 tenancy using Veeam Backup for Microsoft Office 365 and Backblaze B2 Cloud Storage.
We really appreciate Ben’s guide and hope it helps you try out Backblaze as a repository for your Veeam data. If you do—or if you’ve already set us as a storage target—we’d love to hear how it goes in the comments.
Protecting businesses and organizations from ransomware has become one of the most, if not the most, essential responsibilities for IT directors and CIOs. Ransomware attacks are on the rise, occurring every 14 seconds, but you likely already know that. That’s why a top requested feature for Backblaze’s S3 Compatible APIs is Veeam® immutability—to increase your organization’s protection from ransomware and malicious attacks.
We heard you and are happy to announce that Backblaze B2 Cloud Storage now supports data immutability for Veeam backups. It is available immediately.
The solution, which earned a Veeam Ready-Object with Immutability qualification, means a good, clean backup is just clicks away when reliable recovery is needed.
It is the only public cloud storage alternative to Amazon S3 to earn Veeam’s certifications for both compatibility and immutability. And it offers this at a fraction of the cost.
“I am happy to see Backblaze leading the way here as the first cloud storage vendor outside of AWS to give us this feature. It will hit our labs soon, and we’re eager to test this to be able to deploy it in production.”—Didier Van Hoye, Veeam Vanguard and Technology Strategist
Using Veeam Backup & Replication, you can now simply check a box and make recent backups immutable for a specified period of time. Once that option is selected, nobody can modify, encrypt, tamper with, or delete your protected data. Recovering from ransomware is as simple as restoring from your clean, safe backup.
Freedom From Tape, Wasted Resources, and Concern
Prevention is the most pragmatic ransomware protection to implement. Ensuring that backups are up-to-date, off-site, and protected with a 3-2-1 strategy is the industry standard for this approach. But up to now, this meant that IT directors who wanted to create truly air-gapped backups were often shuttling tapes off-site—adding time, the necessity for on-site infrastructure, and the risk of data loss in transit to the process.
With object lock functionality, there is no longer a need for tapes or a Veeam virtual tape library. You can now create virtual air-gapped backups directly in the capacity tier of a Scale-out Backup Repository (SOBR). In doing so, data is Write Once, Read Many (WORM) protected, meaning that even during the locked period, data can be restored on demand. Once the lock expires, data can safely be modified or deleted as needed.
Some organizations have already been using immutability with Veeam and Amazon S3, a storage option more complex and expensive than needed for their backups. Now, Backblaze B2’s affordable pricing and clean functionality mean that you can easily opt in to our service to save up to 75% off of your storage invoice. And with our Cloud to Cloud Migration offers, it’s easier than ever to achieve these savings.
In either scenario, there’s an opportunity to enhance data protection while freeing up financial and personnel resources for other projects.
Backblaze B2 customer Alex Acosta, Senior Security Engineer at Gladstone Institutes—an independent life science research organization now focused on fighting COVID-19—explained that immutability can help his organization maintain healthy operations. “Immutability reduces the chance of data loss,” he noted, “so our researchers can focus on what they do best: transformative scientific research.”
Enabling Immutability
How to Set Object Lock:
Data immutability begins by creating a bucket that has object lock enabled. Then within your SOBR, you can simply check a box to make recent backups immutable and specify a period of time.
What Happens When Object Lock Is Set:
The true nature of immutability is to prevent modification, encryption, or deletion of protected data. As such, selecting object lock will ensure that no one can:
Manually remove backups from Capacity Tier.
Remove data using an alternate retention policy.
Remove data using lifecycle rules.
Remove data via tech support.
Remove by the “Remove deleted items data after” option in Veeam.
Once the lock period expires, data can be modified or deleted as needed.
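Veeam sets the locks, but the 3-2-1-1-0 rule above also asks for zero errors and regular testing, and the list of things Object Lock prevents only holds for objects that actually carry a lock long enough. As an added example (not Backblaze’s or Veeam’s code), here is an audit that walks a capacity-tier prefix and reports objects that are unlocked, already expired, locked in the bypassable GOVERNANCE mode, or locked for less than the window you rely on. The core check runs offline over a constructed sample shaped like the S3 GetObjectRetention response; the live variant assumes boto3, an endpoint URL of the form https://s3.<region>.backblazeb2.com, and that an object with no lock makes GetObjectRetention raise a ClientError.

```python
"""Audit that objects in an Object Lock bucket are actually locked long enough.

Added example, not Backblaze's or Veeam's code. The offline functions work on
records shaped like the S3 GetObjectRetention response; audit_bucket() uses
boto3 (assumed installed) to build those records from a live bucket.
"""
from datetime import datetime, timedelta, timezone

try:
    import boto3
    import botocore.exceptions
except ImportError:  # the offline audit does not need boto3
    boto3 = None


def classify(record, now, required_until):
    """Return (status, detail) for one object.

    record: {"Key": str, "Retention": {"Mode": "COMPLIANCE"|"GOVERNANCE",
             "RetainUntilDate": tz-aware datetime} or None}
    required_until: the object must stay locked at least until this instant.
    """
    ret = record.get("Retention")
    if not ret:
        return "UNLOCKED", "no retention: a leaked credential can delete it"
    until = ret["RetainUntilDate"]
    if until <= now:
        return "EXPIRED", f"lock ended {until.isoformat()}"
    if ret["Mode"] != "COMPLIANCE":
        # GOVERNANCE can be lifted by any principal with bypass rights, so it
        # is not an air gap against a compromised admin account.
        return "GOVERNANCE", f"bypassable, locked until {until.isoformat()}"
    if until < required_until:
        return "SHORT", f"locked only until {until.isoformat()}"
    return "OK", f"locked until {until.isoformat()}"


def audit(records, now, min_lock_days):
    """Classify every record; returns {key: (status, detail)}."""
    required_until = now + timedelta(days=min_lock_days)
    return {r["Key"]: classify(r, now, required_until) for r in records}


def has_problems(report):
    """True if any object is not in the OK state."""
    return any(status != "OK" for status, _ in report.values())


def audit_bucket(bucket, prefix, endpoint_url, min_lock_days, max_objects=500):
    """Live variant (network): list the prefix and fetch each object's retention.

    Credentials come from the usual AWS_* environment variables or profile.
    Only the first max_objects keys are checked; raise it for a full sweep.
    """
    s3 = boto3.client("s3", endpoint_url=endpoint_url)
    cfg = s3.get_object_lock_configuration(Bucket=bucket)["ObjectLockConfiguration"]
    if cfg.get("ObjectLockEnabled") != "Enabled":
        raise RuntimeError(f"bucket {bucket} was not created with Object Lock enabled")
    records = []
    for page in s3.get_paginator("list_objects_v2").paginate(Bucket=bucket, Prefix=prefix):
        for obj in page.get("Contents", []):
            try:
                ret = s3.get_object_retention(Bucket=bucket, Key=obj["Key"])["Retention"]
            except botocore.exceptions.ClientError:
                ret = None  # assumed: no retention on the object raises here
            records.append({"Key": obj["Key"], "Retention": ret})
            if len(records) >= max_objects:
                return audit(records, datetime.now(timezone.utc), min_lock_days)
    return audit(records, datetime.now(timezone.utc), min_lock_days)


# Constructed sample standing in for a SOBR capacity-tier prefix.
NOW = datetime(2021, 6, 1, tzinfo=timezone.utc)
SAMPLE = [
    {"Key": "Veeam/Backup/job1/2021-05-30.vbk",
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": NOW + timedelta(days=29)}},
    {"Key": "Veeam/Backup/job1/2021-05-31.vib",
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": NOW + timedelta(days=5)}},
    {"Key": "Veeam/Backup/job1/2021-04-01.vbk",
     "Retention": {"Mode": "COMPLIANCE", "RetainUntilDate": NOW - timedelta(days=1)}},
    {"Key": "Veeam/Backup/job1/2021-05-29.vbk",
     "Retention": {"Mode": "GOVERNANCE", "RetainUntilDate": NOW + timedelta(days=60)}},
    {"Key": "Veeam/Backup/job1/stray.tmp", "Retention": None},
]

if __name__ == "__main__":
    for key, (status, detail) in audit(SAMPLE, NOW, 14).items():
        print(f"{status:10} {key}  ({detail})")
```

Run the offline sample first to see the five states, then point audit_bucket at the bucket and prefix Veeam writes to with the immutability period you configured in the SOBR as min_lock_days; anything other than OK is a gap in the air gap and belongs in your restore-test report.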
Getting Started Today
With immutability set on critical data, administrators navigating a ransomware attack can quickly restore uninfected data from their immutable Backblaze backups, deploy them, and return to business as usual without painful interruption or expense.
Get started with improved ransomware protection today. If you already have Veeam, you can create a Backblaze B2 account to get started. It’s free, easy, and quick, and you can begin protecting your data right away.