If your organization uses version control systems like GitHub, GitLab, and Bitbucket, you probably are aware that code as intellectual property is the most valuable asset inside your company – you and your team spent thousands of hours (and money) to write, support, and improve projects. As CTO, IT manager, software-house owner, or team leader – you probably can imagine how much it would cost you to lose the code your team has been working on for months…
But is it even possible? Data breaches, systems downtime, policy changes, and more – all of those factors can limit access to your repositories on GitHub, GitLab, Bitbucket, and in conclusion, put your Intellectual Property at risk. And without proper protection of your IP, your business might not be able to harness the full potential of code created by your employees.
What can go wrong with your Git data
Now, let’s find some arguments that will back you up during discussions with your superiors. team members and even developers that professional repository backup software is something essential for your development process and company security.
Reason #1 – Shared Responsibility Model
Like most SaaS providers, also GitHub, GitLab, and Atlassian rely on shared responsibility models that define which security duties are handled by the service provider and which belong to your organization. In a nutshell: service providers are generally responsible for the entire system’s accessibility, security, and availability. But when it comes to data, they are only data processors, you are the owner so your data is your concern – you need to make sure it’s properly protected and compliant with all legal requirements – for example in terms of data retention.
For example, at Atlassian, the company handles the security of the applications themselves, the systems they run on, and the environments those systems are hosted within. They ensure compliance with standards such as SOC2 or PCI DSS.
You are responsible for the proper management of information on your account. You have to control the users, access to your data, and what apps you install and trust. Finally, you are responsible for ensuring your company is meeting compliance requirements. Just like in the below image:
Image: Atlassian Cloud Security Shared Responsibilities (more: Atlassian)
Probably that is why hosting service providers like GitHub recommend having reliable third-party backup software – such as GitProtect.io.
Reason #2 – Outages
Believe us or check it out, but there were many times that GitHub, Bitbucket, or GitLab went down, leaving many companies without access to their code and the possibility to work. Going further, with many financial losses.
One of the biggest outages of GitLab happened in 2017. It was caused by the accidental removal of data from primary database servers. This incident caused the GitLab.com service to be unavailable for many hours. They also lost some production data that they were eventually unable to recover. Specifically, they lost modifications to the database and data such as projects, comments, user accounts, issues, and snippets (more).
In June 2020, there was a major outage of the Github service that lasted for hours and impacted millions of developers (more).
Image: Tech Monitor
That kind of outages can impact developers’ productivity, especially if they occur during crucial launch windows. Think about your company – how long will you be able to work without access to your GitHub data? How much such an outage will cost your company? Are you able to afford it? Or you better prevent such situations and invest in reliable third-party backup software like GiProtect.io to quickly recover data and get back to code and work?
And GitHub downtime is only the tip of an iceberg…
Reason #3 – Human errors
One of the most common issues when it comes to cybersecurity incidents generally is human error/mistake. HEAD overwrite, accidental deletion of branches, or even intentional deletion made by the frustrated employee (or ex-worker, who still has access to the repository) – are some of the most common reasons for data loss. And we have to keep in mind that developers tend to have one GitHub account that they use both for personal and professional purposes, sometimes mixing the repositories. Thus, it is crucial to keep an eye on that.
Reason #4 – Ransomware
Ransomware remains one of the most expensive threats for businesses of all time. It happens every 11 seconds and is projected that by the end of 2021 it will generate global losses of…20 billion dollars (compared to 325 million in 2015).
In 2019 Bleeping Computer reported that attackers were targeting GitHub, GitLab, and Bitbucket users, wiping code and commits from multiple repositories and leaving behind only a ransom note and a lot of questions.
Image: Bleeping Computer
Business downtime caused by a ransomware attack usually lasts days. Then a company needs weeks to restore all systems, and without reliable backup software those attempts usually fall down. You can not believe that paying a ransom will give you a 100% guarantee of recovering your data. When it comes to the version control system, losing access to the data that stays encrypted, can cause downtime as well. Unless you have your Git backup and you can recover the data anywhere, from any point-in-time, and get back to work immediately. And most of all, not lose your data at all.
Reason #5 – Hardware and Software Errors
Not only human errors or hacker attacks can lead to losing access to your data, but it can also be influenced by many sorts of hardware and software failures. This is especially dangerous when your developers are working on a local git repository.
Adding problems with synchronization, saving repositories, downloading it, you can see a full range of issues that can slow down, postpone or disable the development process and expose your company to financial loss.
Summary – why do I need Git backup
As you can see GitHub, Bitbucket, and GitLab as hosting services proved themselves as quite reliable solutions, yet are not bulletproof. That is why for example GitHub recommends having an additional, third-party backup software. Please note that the stake here is your source code, projects, Intellectual Property, hours of work, and thousands of money… So GitProtect.io as the most professional backup software seems like a small investment for the peace of mind it provides.
Your own git backup script vs. repository backup software
When it comes to files, endpoints, servers, or VMs – a third-party backup software is something obvious. Try to find a business that doesn’t have it – nearly impossible, right? And now let’s consider any business with IT department, software development companies, or software houses – what is a key asset within those businesses? Source code as intellectual property. Sometimes it even defines the market value of such companies (especially including startups). So… for them – git repository backup should be of even bigger importance. How to protect the source code hosted within GitHub, GitLab, or Bitbucket?
No protection, self-written git backup scripts based on git-clone command, snapshots of local repositories, on-premise backup – this is how companies try to deal with git repository backup today. In this blog post, we will take a look at the pros and cons of managing your own git backup scripts vs. repository backup software.
Managing your own git backup script – pros and cons
Managing your own git backup scripts of GitLab, GitHub, and Bitbucket in-house obligates you to manage all the processes, infrastructure, maintenance costs to make your internal copies. In the beginning, it might be laborious and time-consuming but it seems cost-effective. However, it turns out that in a long-term perspective, the working hours of the employees managing backups and all related maintenance expenses can cost you a fortune.
Managing your own git backup script lets you decide how it should work to meet specifications, legal and internal requirements. You can decide how it should integrate with other elements of your organization. You know best what kind of data you want to protect, how often this backup should perform, and how you should be able to customize and manage it. However, are you sure how are you gonna make it happen? Can you supervise your employees in this matter? Do you have enough time and resources to write down specifications, delegate developers to write such script, and finally, someone to maintain it?
CON: High long-term costs
If you want to make your own backups you have to delegate internal employees to work on it, test it on a regular basis and maintain it. You need to supervise their work and further maintenance activities. You need to dedicate some time to consider how this script should work. For example – think about data retention. You need to have such assumptions unless you have to keep in mind to manually remove older backup copies to make room for new ones…
So even if maintaining a git backup script is just a part-time job of your employee, it distracts him from his core duties. And now – let’s assume that you sacrificed your employee time and you finally have your own backup script. Now somebody has to test it and maintain it as a part of his routine. As in most software, not only in the backup case, most costs occur during use so, in a long-term perspective, such a git backup script costs you huge money you would be able to invest somewhere else once having third-party repository backup software.
Moreover, if the event of failure happens and your backup script fails so you won’t be able to restore the data, the only person you can blame is yourself. Or at least your management will do that. Are you sure you need this additional responsibility on your shoulders?
CON: No git restore guarantee
Please bear in mind that having a git backup script allows you to do only copies. Once you need to recover your data from such copies – you need to write another script. Then, just think about how long will it take to write a git restore script and how long will you have to work without access to your source code.
Third-party repository backup software – pros and cons
When you are buying a third-party repository backup software you know you pay for a piece of mind, saving your employees time so they can focus on core duties, reducing administration and maintenance costs. What is most important, you gain data protection and restore guarantee. Initial higher-cost seems now pretty slight when you consider it in the long-term. It turns out that it’s a pretty small investment for all of the security it provides…
PRO: All the best of professional backup solution
The third-party repository backup software such as for instance GitProtect.io powered by Xopero ONE enables you to protect all GitHub, GitLab, and Bitbucket data – no matter what hosting service you use. You can backup all GitHub and Bitbucket repositories and metadata – both local and cloud. Including comments, requests, milestones, issues, wikis, and much more.
Such dedicated git repository backup software as GitProtect.io makes you sure you use years of experience of a backup service provider – Xopero Software. Additionally, you can even protect all mission-critical data – including files, endpoints, servers, virtual machines, SaaS, etc.
So, except for some dedicated options, you have access to the most professional features of general backup software such as:
- any storage compatibility (you can store your copies on SMB network shares, local disc resources, public clouds)
- long-term retention and advanced rotation schemes – GFS and FIFO for git archive options, legal compliance, and effective storage usage.
- full automation (“set-and-forget”) and central management
- predefined backup plans or advanced plan customization (so you can adjust backup performance to your company requirements and specification and execute backups even several times a day)
- wide range of recovery options (including granular, point-in-time recovery, cross-over recovery, and easy migration between git hosting platforms)
Even if you delegate your best developers to write you a backup script, they probably won’t be able to deliver you such advanced and secure features as a professional backup provider and won’t ensure you with the same guarantee of data accessibility and recoverability.
PRO: Security and recovery guarantee
Speaking about best practices – for all third-party professional backup software providers security is an integral part of their DNA. They need to make sure that the data is well protected, accessible, and recoverable from any point in time, as fast as you need it.
We bet your business probably relies on software and digital assets more than ever before. That is why you need to be sure the git repository backup software you use provides you with key security measures. Such as encryption (AES is desired), zero-knowledge encryption, no-single-point-of-failure, web-based architecture. Daily email notification and audit logs should keep you up to date with the backup execution.
PRO: Lower long-term costs
You might think an external repository backup software is an expensive option. But try to compare a git backup script vs. repository backup software and calculate how much you are going to pay for writing and implementing internal procedures, specifications and methods. Then, add hours spent on maintenance, tests, and administration of your employee. Finally, consider an alternate cost – how much money would this employee bring you while he would do his normal work instead. We will make a bet, that initial higher costs seem pretty slight now – long-term costs of a third-party repository backup software now seem more attractive, and your employees can focus on what they are best at – their work. And bring you money.
CON: Limited control
Like with every kind of third-party software you don’t have control over each aspect of its pricing, terms of services, and potential changes in the future. So you should consider what is more important to you – choosing a third-party repository backup software with limited control and team’s focus on solving core business problems or maintaining your own git backup script over which you have full control with devoting priceless time of your developers.
PRO: Meeting the shared responsibility model
Whether you use GitHub, GitLab, or Bitbucket, like most SaaS providers, those also rely on shared responsibility models. In short: service providers are responsible for the accessibility and availability of their infrastructure while you, as a data owner, are responsible for data protection. Are you sure that your own, internal git backup script is safe enough? Have you considered all possible scenarios of losing your data? Finally, do you have a git restore script written as well? With a third-party backup solution you share this concern – now also an external company is responsible for keeping your data safe, accessible, and recoverable.
GitHub, Bitbucket, and GitLab backup options – what to choose?
This chapter shows you the different types of tools you can use to back up your version control system data. Please bear in mind that GitHub. GitLab or Atlassian, as most cloud services providers, rely on shared responsibility models in which you are responsible for data protection. They even encourage you to use third-party backup software to make sure your data is accessible and recoverable. So now, let’s take a look at what external options you have.
Option one: git backup scripts
GitHub, Bitbucket, and GitLab are the platforms used by developers who see the need to back up their work. Thus on developers forums, inside Git communities you can find a lot of self-written scripts that provide you with some basic features and a bit of peace of mind.
Among some backup scripts are:
- Python GitHub Backup
- based on PowerShellForGitHub
- ghe-backup by Zalando Tech
and many more…
PRO: Using an open-source script is free and usually the code is pretty stable. You can check the entire script on GitHub or Bitbucket and decide whether it’s sufficient for all your or your organization’s requirements.
CON: Sometimes scripts do not provide you with a restore option, give you rather archiving features, or require specific data storage. So you can perform backups but if the event of failure occurs, you will need to write your own script to recover the data. Having backups without a reliable recovery method provides you with very limited possibilities. In the event of failure every minute matters, so besides backups it might be even more relevant to have a recovery option that makes your data accessible and recoverable from any point-in-time exactly when you need it.
Scripts – for who? Individual developers or small project owners. It’s a solution for those who are in need of very rare backups, made rather sporadically. As it doesn’t include a recovery option – it would be efficient only for people whose business does not rely on version control system data and might survive with no access to information for some while. Finally, it’s efficient only assuming that afterward you or your team would be able to write a recovery script to not lose data.
You can even solve this by writing your own scripts if you have enough skills, time and resources. But please bear in mind that it can be tricky to get this right. Moreover maintaining such a tool might generate long-term costs and administrative time (as mentioned in the previous chapter).
Option 2: S3 Backup
Amazon S3 Backup is an open-source script made with the use of GitHub Action. GitHub Action is an internal GitHub tool that helps to build, test and deploy applications. In short – it automates every step of the development workflow.
S3 Backup app allows you to backup git repositories into popular Amazon S3 compatible object storage only.
PRO: S3 Backup is an open-source script meaning it’s for free and quite simple to use. You don’t need to install any additional software. All changes are captured as it works with every push so you don’t need to worry about missing some data in your backups.
CON: S3 Backup relates only to repositories so all metadata – including pull requests, wikis, projects, issues, etc. are not protected and can be lost. The biggest disadvantage is that it does not provide you with any retention settings and options – old backups are immediately replaced with new ones here. It gives a very poor recovery option – all you can recover is only the last full version and there is no possibility of point-in-time recovery. Just imagine that malicious actors can compromise backups by infecting a new copy that will replace an old reliable one. It opens them a gate to perform further attacks. Yes, it is possible with only one backup version stored.
Moreover – it does apply only to cloud storage so if you want to use your own, local infrastructure, it’s not for you.
S3 Backup – for who? As S3 Backup does not differ a lot from the scripts mentioned above we can also recommend it to individual developers or small project owners who need to perform backups rather sporadically. As there are no retention settings and it simply replaces old copies with new ones it may be useful only when you don’t need to track changes and recover historical data. In short – all you need is only the last state of data. Moreover, if you consider using S3 Backup, please make sure you have all the most important security measures in place to prevent any malicious actions.
Option 3 – Git and GitHub API
Finally, you can use the official GitHub API to back up your Git repository. First, you need to clone and download a repository or wiki to your local machine. Once you have it done, you need to use API to export elements of your GitHub Enterprise Server repository (like issues, pull requests, forks, comments, etc.) to your local machine, create a zip archive and save it in some secure place – external hard drive or cloud service.
PRO: Using GIT and GitHub API allows you to create copies of the entire set of data – repositories together with all metadata.
CON: We would say that this option is rather a replica of your repositories and all metadata but not a backup itself – it’s not encrypted, can be compromised, and lost. It’s like an external copy of your repository saved in separate localization. It doesn’t run automatically so it requires repeating this action over and over again.
GIT and GitHub API – for who? As this method doesn’t work automatically, it’s rather an option for archiving a GitHub repository and old projects. It doesn’t provide any security measures for such copies so it shouldn’t be treated as a backup. It might become useful for small project owners who simply want to keep access to older projects for any future use.
Option 4 – GitProtect.io powered by Xopero ONE
If your organization expect more from a backup than simply one copy of your data set (and mostly only repository copy) better consider a professional backup and recovery software for GitHub, Bitbucket, and GitLab such as GitProtect.io powered by Xopero ONE which automatically protects all your version control systems data – including repositories and metadata (pull requests, wikis, issues, branches, projects, etc.).
PRO: GitProtect.io is the software dedicated to GitHub, Bitbucket, and GitLab (soon) which includes the best features of enterprise backup software created by the vendor with more than 10 years of experience on the backup market. Trusted by thousands of customers and partners worldwide (including T-Mobile, Orange, ESET, Subway, AVIS).
Whether you use GitHub, Bitbucket, or GitLab (soon) you can protect all your data – including repositories, and metadata. And it does not matter if you use your version control system as a SaaS application or locally on your developers’ devices.
When it comes to storage, you don’t need to invest in an additional IT infrastructure – you can store backups locally (your local machine or any NAS, SAN devices) as well as any private or public cloud compatible with Amazon S3 (AWS, Azure, Wasabi, Xopero, etc.). It can even be a hybrid or multi-cloud environment as within one license you can have multiple storages.
All you need to do is to set your administrative account and use a central web-based management console to set backup plans, recover the data, manage users, devices, and storages. Thanks to this cloud-based architecture you have access anytime and anywhere – every time you need it.
Once you add your GitHub, Bitbucket, or GitLab (soon) account to GitProtect.io you can set automatic backup plans which include data to be protected, storage where the copies should be stored, schedule so the time when the automatic backup should be performed, and backup execution manner. New repo? It can be automatically added to your scheduled backup plan. Moreover, you can set a push as a trigger so the backup will perform automatically with every push you make.
To make it even easier for you – you can choose a predefined backup plan from the list.
You have full control over retention due to the Grandfather-Father-Son scheme – probably the most efficient way of rotation that allows you to manage the copies in the long-term perspective while requiring minimal space in data storage and enables fast recovery.
Moreover, having full control over retention gives you the possibility to archive unused repositories and save your version control system’s free space and save money.
During the backup plan set up, you can even choose encryption level (all copies are encrypted with AES encrypted key considered as impossible to break but additionally you can change a force of this encryption) and compression level to control your storage capacity.
To make it even more safe for you – we have implemented a Secure Password Manager that enables you to create strong passwords that you don’t need to memorize.
GitProtect.io also provides audit logs and notifications, so you can stay up to date and keep track of your copies for security and compliance purposes.
And finally, you have a wide range of data recovery options. Flexible, point-in-time recovery to a repository or local device makes GitProtect.io a very reliable and complete backup and disaster recovery solution for your version control system.
CON: GitProtect.io powered by Xopero ONE is a paid solution but the price depends on the number of repositories to protect. The more repos you have, the less you pay for one repository. Unlike in your own script case, you are not an architect here so you have less control over how it works and what features it has. But the list of features is quite long (and based on years of market experience) so probably it can be even wider than you expect. Considering you can use your own infrastructure and nearly every storage as well as even archive git (and saving your version control system space) this price seems relatively low and reasonable. Adding any possible attacks and events of failures may even become an investment with a pretty high return. It is said that in the event of failure you can save 4$ on every 1$ spent on backup and disaster recovery solutions.
GitProtect.io – for who? For every organization that treats its code as an Intellectual Property and relies on version control systems like git and hosting platforms like GitHub, Bitbucket, or GitLab – regardless of its size, revenues, and even industry. It can be an enterprise, a small or medium-sized business that has an IT department as well as a software house and even individual developers. It’s for all organizations that are aware of data breach costs and legal penalties so want to prevent data loss and ensure business continuity.