We have used
rsync for years and it works fine for us. We
rsync out backups everyday to
offsite backup we control and manage so if the datacenter meets with disaster, we have all the goods
Also, when you think about backups and security, keep in mind that IT security consists of three key domains:
When you backup your data, you need to consider all three of these domains.
If you have a high confidentiality requirement, backing up to third party solutions (and clouds, that are not under your strict administrative control and belong to others) may not be the best option for you.
Security is not one size fits all, and it is based on your unique risk management model. This is comprised of three key areas as well:
It is the intersection of these three domains which help drive your backup and recovery strategy.
Some web sites are under threat more than others because of their content or domain (business model), others are not really of interest to bad guys.
Some people know how to host securely, install the latest patches, know how to secure their filesystem, etc. so they are less vulnerable than those who are not so knowledgable (or just lazy) in this area.
Some people run very mission critical web sites and forums. If the web site goes down, for example, they might lose a lot of money in a single day (or an hour) or their brand integrity will be tarnished.
Others, if the site goes down, maybe only a few people notice or care and no money is lost.
Hence, without making this fun subject into a security tome, you must understand your own risk management requirements based on your unique business model and risk factors, not other peoples risk management model.
One size does not fit all… and this is one of the most important lessons IT people can understand about IT security (but very few actually do understand). Backups and recovery is a key part of the equation.
FWIW: We never trust our backups to any third party (never) and always keep them in a safe location under our technical and administrative control.
As a side story, a friend of mine is one of the world’s top cave divers (explorers). When he dives and explores underwater caves, he has double and triple redundancy (gas, masks, computers, lights, batteries, knives, scooters, and more). I have seen him stage over 40 bottles of gas and carry with him at least two underwater scooters. He know how to manage risk underwater.
HOWEVER, this same world famous scuba diving cave explorer, he never backs up his desktop computer and often he goes online because his laptop crashed and he lost all his data. He says he does not care if he loses his powerpoint presentations… so that it is personal risk management strategy. He values his live much more than that of a few digital files.
Such is life…
So, to answer your question. We have self-hosted for nearly 30 years. We always keep our backups off site using
rsync and even
sftp on a server we have access too, and we have never had a problem in 30 years of having servers on the Internet. I even have an extra copy in my home network on a little Mac Mini as a private storage device. That is what I consider “secure”… for my risk management model.