A big important one is air gapping. Disk solutions are generally not ransomware proof themselves. Most (all?) disk solutions, particularly the ones that do de-dupe, are Linux or FreeBSD based. Gain administrator privileges to the solution, or escalate to root, and the ransomware attackers, will wipe your backups. We are seeing more and more incidents where the attackers are not only lurking for months waiting to gain more and more access - but they are also becoming much more sophisticated in understanding enterprise data protection solutions. They know about snapshots, disk to disk, and more. We've seen many instances where the attackers were fully educated in the backup solution being used and attacking that as the first step. Once the backups were compromised then they switched to attacking the primary and secondary storage. Even there, they are deeply aware of the capabilities of the storage arrays themselves and can delete, eliminate, or even encrypt the snapshots (point in time copies) at the array level. Tape does not have this problem. You can not wipe something if it's securely stored in a shelf somewhere. The answer is really, both. - You need secure, immutable (as immutable as you can afford) disk storage. This is for speed of recovery NOT speed of backup. Disks will outperform tape for just about any restore operation. - You need tape for the storage of last resort. If all of your defenses are compromised you will still have a system of record that can not be compromised. You will get your data back, but it will take longer. In my position and my job I work very closely with all the major storage and data protection vendors. They all recognize this as a problem. I can attest without qualification that they are all working to solve this problem. As an industry we are closer, but not done. I suspect it will never be done. The genie is out of the bottle.

Virtualization is the thing. I was fortunate to be able to do this early on (5+ years ago) and I learned a few things along the way:

1) Memory is the thing. VMware and the other hypervisors are really good at making the most out of memory (ballooning, shared memory, de-dupe, etc.), but RAM is cheap now. My setup has 16GB and I can do just about anything I want with this.

2) Disk is even more the thing. My setup is a cluster, but even if it wasn't I'd still use some sort of external disk solution. I have two in my environment. For my "dev and cheap" stuff I use a cheapo windpc+opensolaris/indiana ZFS based NAS box. You can build yourself something that rivals enterprise class stuff for dirt cheap. My other solution is a discard from one of my customer. I have an (older) netapp array. It's clustered and does all sorts of fun stuff. At one point it was an enterprise class solution, so for my lab it's more than enough. You use external storage because your VM's then become transportable. The server you use today, might not be the same tomorrow. Moving the bits around from one server to another is a pain. Having them on external storage makes it really easy: fire up the new server, connect it to the storage, shut down the VM's on the old server, start them up again on the new server, retire the old server. And if you have compatible architectures, you might not even need to do the shutdown the VM's at all.

3) Get your servers from the company you work for (or a friend works for). My lab is Dell 2950 based. I was able to get the servers for next to nothing from a company that had depreciated them and was willing to sell them for nothing. They are not the most current, bestest, fastest thing, but guess what - the time when CPU and memory are the bottlenecks for most stuff is over. Even three year old hardware can run most current OSs more than adequately for a home lab. Granted, if you are going to playing games in your "lab", then this isn't going to work. But then again, it would turn this whole discussion moot anyways.