Managing Growth: The Overlooked Threat to Your Backup Security

Part 1 of the “Compass Protects It All” Series

For years, backup lived quietly in the background. Jobs ran overnight, reports usually came back green, and as long as restores worked, the system was considered reliable.

Cyber attackers see something very different. To them, backup is one of the easiest and most lucrative entry points in the enterprise, especially in hybrid environments spanning multiple platforms, locations, and cloud services. These environments grow organically, accumulate tools and processes, and often remain far less defended than the systems they protect. That combination makes backup a high‑value, low‑resistance target that is ripe for the picking.

Modern ransomware groups increasingly start by going after backup. They probe for unpatched servers and consoles, privileged agents, exposed credential stores, stagnant administrator IDs, unencrypted paths, and outdated interfaces that haven’t been revisited in years. If they can corrupt catalogs, erase restore points or lock you out of the infrastructure that manages backup, the entire recovery strategy becomes unstable — even if some data technically remains intact.

A Landscape Built Over Time — And Full of Weak Points

Every major platform contributes its own version of backup sprawl. The details differ, but the patterns are consistent:

IBM i: Stable, Familiar, and Often Overlooked

Many IBM i environments still rely on long‑standing job schedules, native save commands, and tape processes that haven’t changed in years. Backup logic is often embedded in CL programs or inherited scheduler entries, and access controls are tied to profiles no one has audited in a long time. From an attacker’s perspective, this quiet consistency — predictable workflows with minimal modern security oversight — is appealing.

Enterprise Systems With Multiple Operating Environments

Systems that host multiple operating environments side by side often evolve unevenly. Different teams rely on different tools, scripts, and protocols, many of which were never reevaluated after migrations or upgrades. Older SSH‑based scripts, shared network mounts, and lingering agents expand surface area attackers can probe — not because the platforms themselves are weak, but because the surrounding backup practices have aged.

x86: The Epicenter of Backup Tool Sprawl

x86 hosts typically accumulate the most clutter over time: legacy enterprise suites, hypervisor‑level snapshot tools, array‑based replication, and homegrown scripts. It’s not unusual to find multiple agents on the same host, each with its own credentials and update requirements. None of this sprawl was deliberate, but every component becomes a potential entry point.

Cloud: A Separate Security Universe

Cloud backup tools live in their own control plane with separate IAM policies, retention defaults, consoles, and APIs. They’re often owned by a different team entirely. Unless cloud backups are explicitly integrated into the broader strategy, they operate as an island, protected and audited on different terms than everything else.

Why Backup Is More Exposed Than You Think

Across all platforms, the same foundational weaknesses repeat:

  • Unpatched Components: Backup servers and agents often lag behind production patch cycles. Operating systems, consoles, catalog databases, and embedded libraries drift out of date simply because they appear to “just work.” Attackers are quick to exploit known issues hiding in these neglected components.
  • Overprivileged Access: Backup tools require significant permissions. That power becomes dangerous when environments rely on shared admin accounts, outdated service identities, inconsistent MFA, or credentials stored in configuration files. Old user profiles linger, long‑lived domain accounts keep elevated rights, and cloud roles quietly persist long after workloads shift.
  • Unencrypted Data Paths: Inconsistently applied encryption is common. Backup traffic frequently crosses old VLANs, dedicated networks, or cross‑cloud paths without modern protections — especially when legacy agents or storage targets don’t enforce them.
  • Scale Without Integration: Backup is often the largest “application” in the enterprise. It spans all data sources across production platforms, storage systems, networks, and cloud services. Yet it’s rarely treated as a unified system with its own architecture and security model. That lack of cohesion makes drift inevitable.

What Continuous, Automated Hardening Should Look Like

Addressing individual settings won’t keep up with environments that span multiple operating systems, hardware architectures, and deployment models. The backup system itself needs to maintain a secure posture with less reliance on manual oversight.

Automated Maintenance of Core Controls

A hardened environment updates itself on a predictable cadence — backup servers, appliances, and agents included. It also disables outdated interfaces and unused ports as part of the same process. The goal is simple: close known vulnerabilities quickly and consistently.

Stronger, Centralized Access Control

Authentication should be strong, consistent, and role‑based across platforms. Admin access shouldn’t depend on long‑lived accounts scattered across consoles, servers, and partitions. Direct system access should be reduced wherever possible, backup operations should be limited to tightly controlled profiles, and cloud backup roles should match current workloads instead of historical ones.

Immutability and Integrity by Default

Backup data should be stored in ways that prevent alteration or deletion for defined periods, with integrity validated both on ingest and retrieval. Multiple logically separated copies ensure that a compromise in one area doesn’t eliminate every recovery path.
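
One way to make "integrity validated on ingest and retrieval" concrete is a digest manifest that is written once when a backup object lands and consulted every time a copy is read back. The following is an added example, not Compass code or any vendor's product logic: storage targets are simulated as in-memory dictionaries, and the object and target names are assumptions. It shows why multiple logically separated copies matter: when the primary copy is altered outside the ingest path, the manifest rejects it and the off-site copy is served instead; when no copy verifies, retrieval fails loudly rather than restoring corrupted data.

```python
"""Added example (not Compass or any vendor's code): an integrity manifest
for backup copies. Digests are recorded at ingest and re-checked at
retrieval, and only a copy that still matches is served. Storage targets
are simulated as in-memory dicts; all names here are assumptions."""
import hashlib
from dataclasses import dataclass, field


@dataclass
class Manifest:
    """Digest record written once at ingest: object name -> SHA-256 hex digest.
    In a real deployment this record would itself live on immutable storage."""
    digests: dict = field(default_factory=dict)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def ingest(manifest: Manifest, copies: dict, name: str, data: bytes, targets: list) -> str:
    """Write data to each logically separated target and record its digest."""
    digest = sha256_hex(data)
    manifest.digests[name] = digest
    for target in targets:
        copies.setdefault(target, {})[name] = data
    return digest


def retrieve(manifest: Manifest, copies: dict, name: str) -> tuple:
    """Return (data, target) from the first copy whose digest matches the
    manifest. Raise ValueError when no copy verifies, so a corrupted or
    deleted copy is never silently restored."""
    expected = manifest.digests.get(name)
    if expected is None:
        raise KeyError(f"{name} is not in the manifest")
    failures = []
    for target, store in copies.items():
        data = store.get(name)
        if data is None:
            failures.append((target, "missing"))
        elif sha256_hex(data) != expected:
            failures.append((target, "digest mismatch"))
        else:
            return data, target
    raise ValueError(f"no verifiable copy of {name}: {failures}")


def demo() -> dict:
    """Constructed scenario: the primary copy is altered outside the ingest
    path, then the off-site copy is deleted as well."""
    manifest, copies = Manifest(), {}
    original = b"payroll data v1"
    ingest(manifest, copies, "payroll.bak", original,
           ["primary-nas", "offsite-object-store"])
    # Simulated tampering: the primary copy is rewritten without re-ingest
    copies["primary-nas"]["payroll.bak"] = b"payroll data v1 (corrupted)"
    data, served_from = retrieve(manifest, copies, "payroll.bak")
    # Simulated second event: the remaining good copy disappears too
    del copies["offsite-object-store"]["payroll.bak"]
    try:
        retrieve(manifest, copies, "payroll.bak")
        all_copies_lost = False
    except ValueError:
        all_copies_lost = True
    return {"served_from": served_from, "data_intact": data == original,
            "all_copies_lost": all_copies_lost}


if __name__ == "__main__":
    print(demo())
```

The manifest is only as trustworthy as where it lives; in practice it belongs on the same immutable, retention-locked storage the section describes, since a digest record an attacker can rewrite proves nothing.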

Continuous Monitoring Across Platforms

Backup systems generate rich telemetry: job patterns, retention changes, restore activity, encryption settings. Monitoring that spans on‑premises systems and cloud environments provides visibility that no single console can. When these signals remain siloed, early warning signs go unnoticed.
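
To show what cross-platform monitoring of that telemetry can look like, here is an added example (not Compass code or any vendor's product logic) that normalizes audit events from three assumed platforms into one stream and runs a few detections over it: a retention window that was shortened, encryption switched off, and several restore points deleted by one actor inside a short window. The log format, actor names, thresholds and every event line are constructed for this illustration; the point is that the bulk-deletion pattern is only visible once the cloud console's events sit beside everyone else's.

```python
"""Added example (not Compass or any vendor's code): triage of normalized
backup audit events from several platforms. The log format, actor names and
thresholds are assumptions; the events are constructed for this illustration."""
import re
from datetime import datetime, timedelta

# Constructed events: ISO time | platform | actor | event | details
LOG_LINES = """\
2024-03-01T01:00:00Z|ibmi|BKUPJOB|job_complete|saveset=SAVLIB status=ok
2024-03-01T01:05:00Z|x86|svc_backup|job_complete|saveset=vm-fin status=ok
2024-03-01T02:10:00Z|cloud|ci-deploy|policy_change|retention_days 30->3
2024-03-01T02:11:00Z|cloud|ci-deploy|restore_point_delete|id=rp-1001
2024-03-01T02:12:00Z|cloud|ci-deploy|restore_point_delete|id=rp-1002
2024-03-01T02:13:00Z|cloud|ci-deploy|restore_point_delete|id=rp-1003
2024-03-01T02:30:00Z|x86|svc_backup|policy_change|encryption enabled->disabled
2024-03-01T03:00:00Z|ibmi|QSECOFR|restore_start|saveset=SAVLIB
2024-03-01T09:00:00Z|x86|ops_admin|restore_point_delete|id=rp-2001
2024-03-01T09:30:00Z|x86|ops_admin|policy_change|retention_days 30->35
"""


def parse(text: str) -> list:
    """Split pipe-delimited lines into event dicts with parsed timestamps."""
    events = []
    for raw in text.splitlines():
        if not raw.strip():
            continue
        ts, platform, actor, event, details = raw.split("|", 4)
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
                       "platform": platform, "actor": actor,
                       "event": event, "details": details})
    return events


def count_in_window(times: list, window: timedelta, threshold: int) -> bool:
    """True if at least `threshold` timestamps fall inside any span of `window`."""
    times = sorted(times)
    start = 0
    for end in range(len(times)):
        while times[end] - times[start] > window:
            start += 1
        if end - start + 1 >= threshold:
            return True
    return False


def who(e: dict) -> dict:
    return {"platform": e["platform"], "actor": e["actor"], "detail": e["details"]}


def detect(events: list, window: timedelta = timedelta(minutes=15),
           bulk_delete: int = 3, restore_burst: int = 3) -> list:
    """Return alert dicts for the warning signs we care about."""
    alerts = []
    # Single-event rules on policy changes
    for e in events:
        if e["event"] != "policy_change":
            continue
        m = re.match(r"retention_days (\d+)->(\d+)$", e["details"])
        if m and int(m.group(2)) < int(m.group(1)):
            alerts.append({"rule": "retention_shortened", **who(e)})
        if e["details"] == "encryption enabled->disabled":
            alerts.append({"rule": "encryption_disabled", **who(e)})
    # Volume rules: many events by one actor on one platform in a short window
    for event_type, threshold, rule in (
            ("restore_point_delete", bulk_delete, "bulk_restore_point_delete"),
            ("restore_start", restore_burst, "restore_burst")):
        by_actor = {}
        for e in events:
            if e["event"] == event_type:
                by_actor.setdefault((e["platform"], e["actor"]), []).append(e["ts"])
        for (platform, actor), times in by_actor.items():
            if count_in_window(times, window, threshold):
                alerts.append({"rule": rule, "platform": platform,
                               "actor": actor, "detail": f"{len(times)} events"})
    return alerts


def triage() -> list:
    return detect(parse(LOG_LINES))


if __name__ == "__main__":
    for alert in triage():
        print(alert)
```

Run as written it raises three alerts, all from the constructed data: the cloud retention cut from 30 to 3 days, the x86 job whose encryption was turned off, and the three restore-point deletions by the same cloud identity within three minutes. The single deletion and the retention extension by `ops_admin` are left alone, which is the kind of baseline-versus-anomaly distinction a siloed console cannot make for other platforms.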

Policy‑Driven Behavior Instead of One‑Off Configuration

A small set of clear policies should define encryption requirements, retention ranges, immutability rules, and restore authorizations across the entire hybrid environment. When policies — not manual configuration — govern behavior, security becomes a systemic property instead of an aspirational practice.
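
As an added illustration of policy-driven behaviour (not Compass code or any vendor's product logic), the block below expresses one central policy for encryption, retention range, immutability and restore authorization, evaluates job settings exported from three assumed consoles against it, and produces a corrected configuration for each. The policy values, job names and settings are all constructed; the design point is that the same small policy is applied to every platform rather than each console being configured by hand.

```python
"""Added example (not Compass or any vendor's code): evaluate per-platform
backup job settings against one central policy and produce a corrected
configuration. Policy values, job names and settings are assumptions."""
from copy import deepcopy

# Assumed central policy for the whole hybrid environment
POLICY = {
    "encryption_required": True,
    "retention_days": (14, 365),      # allowed range (min, max)
    "immutable_days_min": 7,          # minimum lock period on stored copies
    "min_copies": 2,                  # logically separated copies
    "restore_requires_approval": True,
}

# Constructed job settings as they might be exported from three consoles
JOBS = [
    {"platform": "ibmi", "job": "SAVLIB_NIGHTLY", "encrypted": False,
     "retention_days": 90, "immutable_days": 0, "copies": 1, "restore_approval": False},
    {"platform": "x86", "job": "vm-finance", "encrypted": True,
     "retention_days": 7, "immutable_days": 14, "copies": 2, "restore_approval": True},
    {"platform": "cloud", "job": "s3-nightly", "encrypted": True,
     "retention_days": 400, "immutable_days": 30, "copies": 3, "restore_approval": True},
]


def evaluate(job: dict, policy: dict = POLICY) -> list:
    """Return the list of policy violations for one job (empty if compliant)."""
    lo, hi = policy["retention_days"]
    checks = [
        (policy["encryption_required"] and not job["encrypted"],
         "encryption disabled"),
        (job["retention_days"] < lo,
         f"retention {job['retention_days']}d below minimum {lo}d"),
        (job["retention_days"] > hi,
         f"retention {job['retention_days']}d above maximum {hi}d"),
        (job["immutable_days"] < policy["immutable_days_min"],
         f"immutability {job['immutable_days']}d below minimum {policy['immutable_days_min']}d"),
        (job["copies"] < policy["min_copies"],
         f"only {job['copies']} copy/copies, policy requires {policy['min_copies']}"),
        (policy["restore_requires_approval"] and not job["restore_approval"],
         "restore without approval"),
    ]
    return [msg for failed, msg in checks if failed]


def remediate(job: dict, policy: dict = POLICY) -> dict:
    """Return a copy of the job with every setting clamped to policy."""
    fixed = deepcopy(job)
    lo, hi = policy["retention_days"]
    if policy["encryption_required"]:
        fixed["encrypted"] = True
    fixed["retention_days"] = min(max(fixed["retention_days"], lo), hi)
    fixed["immutable_days"] = max(fixed["immutable_days"], policy["immutable_days_min"])
    fixed["copies"] = max(fixed["copies"], policy["min_copies"])
    if policy["restore_requires_approval"]:
        fixed["restore_approval"] = True
    return fixed


def report(jobs: list = JOBS, policy: dict = POLICY) -> dict:
    """Map job name -> violations for every job that is not compliant."""
    return {j["job"]: evaluate(j, policy) for j in jobs if evaluate(j, policy)}


if __name__ == "__main__":
    for name, problems in report().items():
        print(name, problems)
    for job in JOBS:
        print(job["job"], "after remediation:", evaluate(remediate(job)))
```

In the constructed data the IBM i job fails four checks, the x86 job keeps backups for too short a period, and the cloud job keeps them longer than policy permits; `remediate` brings each back inside the ranges so that `evaluate` returns nothing for all three.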

A Shift in Perspective

The critical change is more conceptual than technical. Backup can’t remain a background process; it’s a key part of the organization’s security posture, and its security stance may determine how severe an incident becomes. Treating backup as a strategic, security‑sensitive application is the only way to keep pace with modern threats.

This brings us to the next challenge: complexity. Every time a new platform, tool, or acquisition enters the environment, backup grows more fragmented. These layers accumulate quietly, increasing risk over time.

In Part 2, we’ll look directly at how tool sprawl across heterogeneous environments erodes protection — and how deliberate consolidation can reverse that trend.
