Business Continuity and Disaster Recovery · April 6, 2026 · Serdar · 6 min read

Off-Site Backups: Cloud, NAS Replication, and Cold Storage

Summary: Off-site backup is the third leg of the 3-2-1 rule and the last line of defense for SME data against fire, theft, and ransomware. Cloud, NAS replication, and cold storage each have a different cost, restore speed, and suitability profile; this guide helps you choose the right mix.

The third copy of the 3-2-1 backup rule — "one off-site" — is perhaps the most critical part of the rule. Every disk in the same building can be lost in a fire; every backup on the same network can be encrypted in a ransomware case. Off-site backups move data to a location physically and logically separate from the office. SMEs have three realistic off-site options: cloud backup, replication to a NAS at a second location, and cold storage (rotated portable disks, tape archives). This guide compares in detail which choice is right in which situation.

Why Is Off-Site Backup Critical?

Three scenarios separate off-site from on-site backup:

  • Fire / flood: Physical damage at the office wipes out every device at the same time. NAS, server, external disks — all of them.
  • Theft: Someone entering the office takes everything visible. The off-site backup is out of reach because it sits elsewhere.
  • Ransomware: Backup disks attached to the same network get encrypted too. An independent off-site backup is the last refuge. Modern ransomware does not encrypt a cloud target for which it has no authorized session, so the backup must be accessed with its own independent credentials.

On-site backups offer a speed advantage in a loss event; off-site backups provide coverage. The two are complementary; one cannot replace the other.
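
An added example, not from the original article: a small audit of the independent backup credential mentioned in the ransomware bullet above. It goes one step beyond the text by checking that the credential cannot delete or unlock the copies it writes. The policies and the `backup-writer` identity are constructed; the action names are standard S3 IAM actions, and the evaluation is deliberately simplified.

```python
from fnmatch import fnmatchcase

# Actions that would let a stolen backup credential destroy or unlock copies.
RISKY = [
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
    "s3:PutObjectRetention", "s3:BypassGovernanceRetention",
    "s3:PutBucketObjectLockConfiguration", "s3:PutLifecycleConfiguration",
]

def _actions(stmt):
    acts = stmt.get("Action", [])
    return [acts] if isinstance(acts, str) else list(acts)

def risky_grants(policy):
    """Return the RISKY actions this policy allows and does not explicitly deny.

    Simplified model: Resource, Condition and NotAction are ignored, so treat
    the result as a review aid, not a full IAM evaluation.
    """
    stmts = policy.get("Statement", [])
    if isinstance(stmts, dict):
        stmts = [stmts]
    allow = [a.lower() for s in stmts if s.get("Effect") == "Allow" for a in _actions(s)]
    deny = [a.lower() for s in stmts if s.get("Effect") == "Deny" for a in _actions(s)]

    def hit(patterns, action):
        # IAM action names are case-insensitive and accept * and ? wildcards.
        return any(fnmatchcase(action.lower(), p) for p in patterns)

    return [r for r in RISKY if hit(allow, r) and not hit(deny, r)]

# Constructed policies for a hypothetical "backup-writer" identity.
TOO_BROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}
WRITE_ONLY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": "*"},
    {"Effect": "Deny", "Action": ["s3:Delete*", "s3:Put*Retention",
                                  "s3:BypassGovernanceRetention"], "Resource": "*"}]}

if __name__ == "__main__":
    print("too broad :", risky_grants(TOO_BROAD))
    print("write only:", risky_grants(WRITE_ONLY))
```

An empty result for the backup identity means a compromised backup server can add new copies but cannot remove or unlock the existing ones.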

Option 1: Cloud Backup

The most common off-site method. The backup software (Veeam, Acronis, Synology Active Backup, etc.) writes data over the internet to the cloud provider's data center. Typical traits:

  • Automation: Once set up, it runs every night with no manual intervention.
  • Geographic isolation: The data center is hundreds/thousands of km from the office. Fire, flood, and earthquakes do not hit two places at the same time.
  • Scalable capacity: Buy additional space as data grows; no hardware ceiling.
  • Cost model: Monthly subscription. TRY 100-1,000/month at SME scale.

Cloud Provider Options

  • Veeam Cloud Connect partners: Through Veeam-authorized providers in Türkiye — Türk Telekom, Turkcell. Preferred for KVKK compliance.
  • Acronis Cyber Cloud: Acronis's own cloud. EU/TR data center options.
  • AWS S3 / S3 Glacier: Raw object storage. The backup software must be able to write directly to S3 (Veeam, Acronis, Synology support it). Cost-efficient.
  • Azure Blob Storage: Strong Microsoft 365 integration; a natural choice for M365 backups.
  • Backblaze B2: Low-cost and S3-compatible. Attractive pricing at SME scale (1 GB ≈ $0.005/month ≈ TRY 0.15).
  • Wasabi: Also S3-compatible, with flat pricing (1 TB $7/month) and no egress fees. Wasabi is advantageous if restores are frequent.

Option 2: Second-Location NAS Replication

If the company has another branch, factory, or a partner office: a NAS there can receive replication. Typical traits:

  • No internet subscription cost: You control the subscription completely. One-time NAS investment.
  • Fast restore: Speed close to local backup (over gigabit Ethernet). It still requires physical access or VPN to the second location.
  • Geographic distance limit: The further apart the two locations are, the better the risk is spread. Two sites in the same district share fire risk; being in a different city is ideal.
  • Dependency: If the second location closes or the partner leaves, the structure falls apart.

Replication packages on NAS units like Synology (Snapshot Replication, Cloud Sync) simplify this. Thanks to encrypted connections, scheduled sync, and incremental deltas, internet bandwidth is used efficiently.

Option 3: Cold Storage

Low-cost storage for archive data that you do not need continuous access to. Two types:

Cloud Cold Storage

  • AWS S3 Glacier / Glacier Deep Archive: 1 GB ≈ $0.001-0.004/month. The cheap champion. But data retrieval latency is 3-12 hours (Standard) or 12 hours (Deep Archive), and egress is billed. Right for annual archives.
  • Azure Archive Storage: A similar model to Glacier.
  • Google Cloud Archive: Likewise similar.

Physical Cold Storage

  • Rotated external disks: Using 2-3 external disks on rotation. One disk is in the office taking backups, one is in a bank safe, one is with the manager. Weekly swap. Requires discipline and manual labor; high risk of human error.
  • LTO Tape: Tape libraries. Usually impractical at SME scale (expensive hardware, training required); more common in enterprise environments.

Comparison Table

| Dimension | Cloud | Second NAS | Cloud Cold | Disk Rotation |
| --- | --- | --- | --- | --- |
| Monthly cost (500 GB) | TRY 200-400 | NAS amortization + internet | TRY 10-50 | Disk replacement cost |
| Restore speed | Medium (hours) | Fast (LAN/VPN) | Slow (hours-days) | Very fast (USB) |
| Automation | Full | Full | Full | Manual |
| Geographic isolation | ★★★★★ | ★★★ (depends on the location gap) | ★★★★★ | ★★ (depends on human discipline) |
| Ransomware resilience (immutable) | ★★★★★ (Object Lock) | ★★★ (snapshot lock) | ★★★★★ | ★★★★★ (offline) |
| Up-front cost | Low | High (NAS) | Low | Low |

A Practical Mix for SMEs

Combining two of the options instead of picking just one is usually the right call. Recommended SME structures:

Standard SME (10-50 employees)

  • Local backup: Synology NAS, daily
  • Off-site: Cloud backup (Veeam Cloud Connect or Backblaze B2)
  • Cold archive: Push the annual full backup to AWS S3 Glacier (7-year retention for compliance)

Multi-Location SME

  • Local backup: A NAS at each office
  • Off-site #1: NAS-to-NAS replication (hourly)
  • Off-site #2: Cloud backup (for the disaster scenario)

Critical Data / KVKK-Heavy Environment

  • Local backup: NAS, strict RPO
  • Off-site: Cloud with a Türkiye data center (Türk Telekom, Turkcell)
  • Cold archive: Likewise a TR-data-center cold store

Common Mistakes

  • Counting a single cloud account as off-site: Microsoft 365 and Google Drive are extensions of the office; they do not count as off-site. An independent account, independent billing, and independent MFA are required.
  • Not noticing that the cloud backup's capacity limit is filling up: You start with 100 GB; two years later it is 800 GB. If the limit is full, backups silently fail; monitoring is essential.
  • Ignoring the cloud provider's country: For KVKK-scope data, prefer a Türkiye or EU data center. Cross-border data transfer creates legal risk.
  • Storing the encryption key in the cloud: If the key to the encrypted backup sits in the same cloud account, when the account is stolen, everything is gone. The key must be kept elsewhere (password manager + a written copy in a safe).
  • Not calculating cold-storage restore time: Glacier Deep Archive is 12 hours of activation + download time. Not suitable for urgent restores; only for annual audit archives.
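
An added example, not from the original article: one way to catch the silent failure described in the capacity-limit item above, by checking a listing of the off-site target for quota pressure, incomplete uploads, and a stale newest restore point. The listing, the file names, the 700 GB quota, and the thresholds are constructed assumptions.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample: (object key, size in bytes, upload time) as a bucket
# listing would report it. All names and values are made up for this example.
NOW = datetime(2026, 4, 6, 8, 0, tzinfo=timezone.utc)
GB = 1000**3
LISTING = [
    ("full/2026-03-29.vbk", 610 * GB, NOW - timedelta(days=8)),
    ("inc/2026-04-03.vib", 12 * GB, NOW - timedelta(days=3, hours=6)),
    ("inc/2026-04-04.vib", 14 * GB, NOW - timedelta(days=2, hours=6)),
    ("inc/2026-04-05.vib", 0, NOW - timedelta(days=1, hours=6)),  # truncated upload
]

def check_offsite(listing, quota_bytes, now, max_age_hours=26, warn_ratio=0.85):
    """Return a list of alert strings; an empty list means the copy looks healthy."""
    if not listing:
        return ["no backup objects found at the off-site target"]
    alerts = []
    ratio = sum(size for _, size, _ in listing) / quota_bytes
    if ratio >= 1.0:
        alerts.append(f"quota exhausted ({ratio:.0%}): new uploads will be rejected")
    elif ratio >= warn_ratio:
        alerts.append(f"quota at {ratio:.0%}: expand before uploads start failing")
    # A zero-byte object is an upload that never completed.
    for key, size, _ in listing:
        if size == 0:
            alerts.append(f"zero-byte object {key}: upload did not complete")
    # Only non-empty objects count as usable restore points.
    good = [ts for _, size, ts in listing if size > 0]
    if not good:
        alerts.append("no usable restore point")
    else:
        age = now - max(good)
        if age > timedelta(hours=max_age_hours):
            hours = age.total_seconds() / 3600
            alerts.append(f"newest usable backup is {hours:.0f} h old")
    return alerts

if __name__ == "__main__":
    for line in check_offsite(LISTING, quota_bytes=700 * GB, now=NOW):
        print("ALERT:", line)
```

Run on a schedule from a machine other than the backup server, so that a dead backup job cannot also silence its own alarm.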

Frequently Asked Questions

How much bandwidth do off-site backups need?

The first full backup (say 500 GB) over a 100 Mbps internet link takes ~12 hours. Subsequent incrementals are much smaller (5-20 GB per day on average) and complete in 30 minutes-2 hours. For the first backup, seeding services (physically sending a USB disk) are available (akin to AWS Snowball); useful for large initial data sets.

Is cloud backup enough for KVKK compliance?

If the KVKK cross-border data transfer clause is in scope, a Türkiye data center is preferred. If an overseas cloud is used, explicit consent, adequate-protection guarantees, or an exceptional permission is required. Transfer to countries on the KVKK Authority list is easier. Get legal advice for the specifics.

Can I use a partner's office as my second NAS location?

Technically yes, but the contract terms should be clarified. If the partner leaves, goes bankrupt, or physical access is blocked, your data is at risk. A written contract + an alternative exit plan is required.

Is the cloud backup file encrypted?

All modern cloud services provide at-rest encryption. Client-side encryption from the backup software is also recommended; it adds a layer that even the cloud provider cannot read. Veeam, Acronis, and Synology all offer client-side encryption.

How much does cold storage cost annually?

Keeping 500 GB in AWS S3 Glacier Deep Archive runs about $1/month ≈ TRY 360/year. Retrieval fees are separate; $5-50 per restore. Very economical if used purely as backup. If active restore is in scope, Wasabi (flat pricing, no egress) is more suitable.

Last updated: May 3, 2026
Author

Serdar

Yamanlar Bilişim Expert

Writes content on IT infrastructure, cybersecurity, and digital transformation at Yamanlar Bilişim. Get in touch for any questions.
