If their backups are being placed somewhere like S3, they should have a standalone server that simply copies daily backups from the S3 bucket the network has access to over to another S3 bucket that only the backup managing app has access to.
I expect they are allowing their backup app to have read/write access to manage cleaning up and removing backups, but just giving it write-only access from the network would work too. And using a standalone server/app to manage the backups.
I'd still copy over a backup to a standalone bucket not accessible by the network for something this critical.
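
As an added example (not part of the comment above, and not any vendor's code), this sketch checks whether an IAM policy attached to the network-side backup writer is really write-only. The `RISKY` list, the function names and the `example-backups` bucket are assumptions made for illustration.

```python
import fnmatch

# S3 actions that would let a compromised host on the network read, delete
# or expire backups. s3:PutObject alone is the "write only" case.
RISKY = ["s3:GetObject", "s3:ListBucket", "s3:DeleteObject",
         "s3:DeleteObjectVersion", "s3:PutLifecycleConfiguration",
         "s3:PutBucketPolicy"]

def _as_list(value):
    # IAM allows a single string/object where a list is expected.
    return [value] if isinstance(value, (str, dict)) else list(value)

def _matches(action, patterns):
    # IAM action names are case-insensitive and accept * and ? wildcards.
    return any(fnmatch.fnmatchcase(action.lower(), p.lower()) for p in patterns)

def excess_actions(policy):
    """Return the RISKY actions granted by the policy's Allow statements.

    Deny statements, resources and conditions are ignored, so the result
    over-reports rather than under-reports.
    """
    granted = set()
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if "NotAction" in stmt:  # allows everything except the listed actions
            excluded = _as_list(stmt["NotAction"])
            granted.update(a for a in RISKY if not _matches(a, excluded))
        else:
            actions = _as_list(stmt.get("Action", []))
            granted.update(a for a in RISKY if _matches(a, actions))
    return sorted(granted)

# Constructed sample policies; the bucket name is a placeholder.
BUCKET = "arn:aws:s3:::example-backups"
READ_WRITE = {"Version": "2012-10-17", "Statement": [{
    "Effect": "Allow",
    "Action": ["s3:GetObject", "s3:PutObject", "s3:DeleteObject", "s3:ListBucket"],
    "Resource": [BUCKET, BUCKET + "/*"]}]}
WRITE_ONLY = {"Version": "2012-10-17", "Statement": {
    "Effect": "Allow", "Action": "s3:PutObject", "Resource": BUCKET + "/*"}}

if __name__ == "__main__":
    for name, policy in [("read/write", READ_WRITE), ("write-only", WRITE_ONLY)]:
        print(name, "->", excess_actions(policy) or "no read/delete access")
```

A policy that passes this check can still overwrite an existing key with `s3:PutObject` unless bucket versioning or Object Lock is enabled, which is one more reason to keep the second copy in a bucket the network cannot reach.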