That's one option, but I prefer doing it the opposite way around: Have the live server push data to the backup server via an append-only interface. This is much simpler in terms of access control if you want to back up some of the live server's data but not all of it.
I think you missed his point. He meant it's safer to give the live server no access because if it gets hacked/virus then it cannot impact the backup server.
I think you missed my point. I was suggesting that the live server should access the backup server via an append-only interface, i.e., one which doesn't allow it to delete backups or modify them.
Now the security of your backups is completely dependent on the construction of the append-only interface. Are you 100% certain it can't be compromised or permission-escalated?
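A minimal sketch of the kind of append-only interface discussed in this thread, added here as an example and not code from any of the commenters: the backup side exposes only "create a new object" and refuses overwrites and names that leave its directory. The class name, the naming rule and the sample data are assumptions made for illustration.

```python
import os
import re
import tempfile

# Hypothetical naming rule for this sketch: flat names only, no path separators.
_NAME_RE = re.compile(r"[A-Za-z0-9][A-Za-z0-9._-]{0,127}")

class AppendOnlyStore:
    """Backup-side receiver whose only write operation is 'add a new object'."""

    def __init__(self, root):
        self.root = os.path.realpath(root)

    def put(self, name, data):
        # Reject anything that could escape the root or address a subdirectory.
        if not _NAME_RE.fullmatch(name):
            raise ValueError("invalid backup name")
        path = os.path.join(self.root, name)
        try:
            # O_EXCL fails if the name already exists, so an existing backup
            # cannot be overwritten or truncated through this interface.
            fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o440)
        except FileExistsError:
            raise PermissionError("backup exists; overwrite refused") from None
        with os.fdopen(fd, "wb") as f:
            f.write(data)
            f.flush()
            os.fsync(f.fileno())
        return path

    def names(self):
        return sorted(os.listdir(self.root))
    # Deliberately no delete, rename or open-for-update method.

def demo():
    """Exercise the store with constructed sample data and return the outcomes."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        store = AppendOnlyStore(root)
        store.put("db-2024-01-01.dump", b"constructed sample backup")
        attempts = [("overwrite", "db-2024-01-01.dump"), ("traversal", "../x")]
        for label, name in attempts:
            try:
                store.put(name, b"replacement data")
                results[label] = "accepted"
            except (PermissionError, ValueError):
                results[label] = "refused"
        with open(os.path.join(root, "db-2024-01-01.dump"), "rb") as f:
            results["intact"] = f.read() == b"constructed sample backup"
        results["names"] = store.names()
    return results

if __name__ == "__main__":
    print(demo())
```

The guarantee holds only for callers confined to `put()`; an account with shell or filesystem access on the backup host bypasses it, so the receiver has to be the only thing the live server's credentials can reach.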