I have 4 encrypted USB drives to back up my critical files. They are split, with the drives located in 2 different states. What is the rotation schedule to use that will offer the best air-gapped protection of my files? Do I use 1 drive for X days/weeks, then rotate to drive #2, etc.?
Thanks in advance for the help.


Hi and welcome…

Can you elaborate more on that? If you really need air-gap protection, then maybe use a device that has an external write lock and never write to it again?

What software are you using to perform backups?
How often do you perform backups?


What is the value of the files you are using vs. the cost of the media and the physical space you have secured to stash those in? From someone who has become exhausted from a similar situation for the past 5 years, I would offer that it is possible that your data is worth getting 12 of the devices. Use one for the first month, and set it aside until next year and go down the list. By the end of the year you have one for each month, and now if you need a random file from sometime during the year there is a chance you can connect it to an air-gapped station and recover it for whatever reason. You won’t have to mess with your regular backup retention. I was running USB data sticks for over a year in production, in a lot of cases as boot drives for hosts, so I am confident that even an entire month of use will see you to 4 or 5 years out on these devices if your data footprint doesn’t increase dramatically over that time.

Mostly I’m advocating that you do the cost-benefit analysis, not just run out and stash a dozen extra drives, but depending on your data size/cost that may not be a rotten solution.


What is your RPO/RTO?

Rotate according to a schedule that fulfills those requirements.


I rotate my drives each week after a full backup has been completed.

How many drives you keep in the cycle is just personal preference, IMO. I might consider the current average length of time bad actors are in networks before attacking in my decision.

Those drives aren’t my main repository, the main repository is on-site.

For me the air-gapped backup is only for ransomware that reaches the on-site repository, or for server-room disasters that destroy everything, such as a fire, flood, or other such disaster.

I don’t know that anyone can answer this for you. It will depend entirely on how current you need your backups to be.

Thank you everyone for your replies. I work in corporate BC/DR. Our BC & DR plans are stored on SharePoint. Yes, the corp team backs them up regularly, but being the doom & gloom person that I am, I wanted some extra protection for this specific set of critical files.
Backing them up on the 4 USBs ensures we have copies available 24x7, 365, regardless of the network status and access to Microsoft. I’d like to provide some ransomware protection also. I agree that only 4 USBs limits that protection.

For your case, I would suggest creating multiple offline backup copies when the source changes.

So, if you publish changes to the BC/DR plan weekly, then every week you’ll want to create at least two copies of that “new” plan to your USB drives that are stored off-site. Then, if a ransomware attack takes out everything, you’ll still have at least two independent copies (because you should want to protect this highly critical info against a drive failure).

If you don’t publish changes on a schedule, then I would create new backups every time there’s a major enough change in the documentation.

If you don’t schedule or track major/minor changes, then just make sure you’ve got two copies of it off-site, according to whatever schedule works for you and your colleagues.
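As an added illustration (not from any poster in this thread) of the “rotate to meet your RPO/RTO” and “keep at least two copies off-site” advice, this small Python simulation walks a weekly round-robin rotation of four drives split across two states and reports the weeks on which a rule is broken. The drive names, sites and thresholds are constructed assumptions; the fourth rule models the earlier point about attacker dwell time.

```python
from itertools import cycle

# Constructed scenario (assumption, not the thread's real setup): four encrypted
# USB drives, two kept in each of two states, refreshed one drive per week.
DRIVE_SITES = {"A": "state-1", "B": "state-2", "C": "state-1", "D": "state-2"}


def plan_rotation(drives, weeks):
    """Round-robin schedule: week i writes drives[i % len(drives)]."""
    order = cycle(drives)
    return [next(order) for _ in range(weeks)]


def simulate(drive_sites, weeks, rpo_weeks, dwell_weeks):
    """Replay the schedule week by week and return (week, rule) violations.

    Rules checked, with the thresholds supplied by the caller:
      - at least two offline copies exist (protects against a drive failure)
      - every site holds at least one offline copy (disaster in one state)
      - the freshest offline copy is no older than rpo_weeks (RPO)
      - some offline copy predates the assumed attacker dwell time, so a
        clean copy exists even if recent backups captured the compromise
    """
    schedule = plan_rotation(list(drive_sites), weeks)
    last_written = {}  # drive -> week of its most recent backup
    violations = []
    for week, drive in enumerate(schedule):
        last_written[drive] = week  # this drive is attached and written now
        if len(last_written) < len(drive_sites):
            continue  # warm-up: not every drive has been written yet
        # Every other drive that holds data is offline (air-gapped) this week;
        # its copy is (week - last_written) weeks old.
        offline = {d: week - w for d, w in last_written.items() if d != drive}
        if len(offline) < 2:
            violations.append((week, "fewer than two offline copies"))
        if {drive_sites[d] for d in offline} != set(drive_sites.values()):
            violations.append((week, "a site has no offline copy"))
        if min(offline.values()) > rpo_weeks:
            violations.append((week, "freshest offline copy older than RPO"))
        if max(offline.values()) < dwell_weeks:
            violations.append((week, "no offline copy predates dwell window"))
    return violations


if __name__ == "__main__":
    # With one drive refreshed per week, the offline copies are 1, 2 and 3
    # weeks old, so a 4-week dwell assumption cannot be satisfied by 4 drives.
    for v in simulate(DRIVE_SITES, weeks=12, rpo_weeks=1, dwell_weeks=4):
        print(v)
```

Raising `dwell_weeks` past what the rotation can cover is exactly the gap the original poster acknowledges with only four drives; adding drives or lengthening the cycle changes the oldest available copy.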

But you did not mention what backup software and what backup method you are using?

Then why do you need access to Microsoft?

Also, having air-gapped copies may be a reason for malware (like viruses, ransomware payloads, etc.), as you may not know when the systems were infected (the payload may not always match the infection dates) and thus stored on these USB devices?

I only use Windows to transfer copies of the documents to the USBs. The files are mostly Word and Excel files.

I realize this is a meager solution to thwarting ransomware; but I have to work with what I was given.

This was my first post here. The purpose of this post was to seek advice on an optimal rotation schedule. You all clearly gave me good advice and then some. So, thank you for that.

Sometimes we do go a bit long-winded to give a more wholesome solution or suggestions.

As I have seen, “air gap” backup data sets can sometimes also be sources of outbreaks… like when we had a customer that went through an outbreak, cleaned the servers and user machines, only to have the outbreak again as they had to restore some files from backups (tapes) that were locked away for weeks.

Then there are backup solutions like Veeam Backup & Replication 12.x (VBR) where you can encrypt backup data sets and also use passwords, etc… but they have an additional function called Veeam SureBackup, where VBR can use its Veeam lab (assign IPs, etc.) to test backup data sets by recovering the VM in its lab (virtual appliance) and testing OS, file integrity, heartbeats, and also run AV scans, etc.

Then, as for USB devices, the issue is “chicken vs. egg”: can your AV scan the device before or after it gets mounted by the OS?