MacNix: I could write a book on this, and maybe someday I will. You've nailed the two major issues with PIAF... and every other Linux-based server. In fact, it's the reason the stand-alone Incredible PBX builds came about in the first place. So let's get right to it...
#1 BACKUPS. PBX in a Flash had its historical roots in the Asterisk@Home and trixbox projects. Both were created the same way originally, on the fly from source code. The problem with backups using that design is you have to have a reference point to recreate a new image. Unfortunately, the operating system and Asterisk and FreePBX continue to evolve. That means your original snapshot may no longer work with the "improvements" that have come along over a period of years, and PBXs typically last for years. Without making complete image backups (and I appreciate they are painful since you have to shut down the server), there just is no other way.
#2 USER ACCOUNTS. PBX in a Flash started out using the FreePBX security methodology which was flexible in letting administrators create different accounts for different people. FreePBX runs as the asterisk user, and once someone breaks into your system, they get a blank check to all of your Asterisk, FreePBX, and most MySQL assets. The problem was/is that FreePBX is a collection of modules from many different people of varying skills, and many of them abandoned the project years ago leaving their code for others to maintain, or not. The ARI (Asterisk Recording Interface) module in particular is pretty awful. We got burned early on by a remote code execution bug in ARI and decided to switch to Apache security. While Apache security is not perfect, it has been damn near perfect for the past seven years. Yes, you lose login flexibility. No, you don't get hacked. And then along came the latest ARI mess with much smarter hackers. I'm not sure FreePBX Distro admins will ever recover their systems from this unless they had a hardware-based firewall or locked down IPtables setup in place. There were backdoors created all over the place. It was that ugly. Did PBX in a Flash systems get hacked? No. Is PBX in a Flash account management less flexible? Absolutely.
Incredible PBX Security. And that brings us to Incredible PBX. It originally was an add-on to PIAF servers for bells and whistles, over three dozen of them at last count. One of those was Travelin' Man which has evolved into a flexible WhiteList security mechanism using the IPtables Linux firewall. That led to creation of new standalone Incredible PBX builds for a number of platforms: CentOS/Scientific Linux/Fedora, Ubuntu/Debian, and lots of mini-platforms including the Raspberry Pi, BeagleBone Black, CuBox, and even PogoPlug. We didn't adopt the PIAF security model, opting instead to use FreePBX's native account management. But what we added was a locked down, WhiteList-enhanced IPtables firewall. And we also added Automatic Updates. Every time you log in to your server as root, the latest updates "from headquarters" get loaded on your server. Did the latest FreePBX ARI vulnerability affect Incredible PBX servers? Absolutely. Did anyone get hacked? No. Why? Because the preconfigured IPtables firewall kept the bad guys out AND we pushed out the FreePBX ARI patches within hours of release using the automatic update utility.
Incredible Backup. I share the frustration over backups. It's not that we haven't wrestled with backup methodologies for years looking for the silver bullet. There just isn't one that we have found for Linux servers. Mondo is close, but next year's Mondo may not work on last year's server, and vice versa. There's not a worse feeling than pulling out a backup to restore and having it blow up. I've had it happen with Apple's Time Machine, and I've seen it repeatedly with Mondo. So I don't use either of them. That led to Incredible Backup which takes a snapshot of your Asterisk and FreePBX setup. It can be restored to almost any server running the same major release of Asterisk and FreePBX. It works reliably with PIAF or Incredible PBX servers. With monthly or even quarterly full image backups, it is an excellent addition to provide snapshots in between. That's about as good as it gets in the Linux world. And frankly, that's about the same situation you find on the Windows and Mac platforms as well. If your PBX isn't worth a $100-$200 investment for a standby backup image, then get ready to roll up your sleeves and start over when the inevitable disk failure happens. For me personally, the solution was to migrate to a virtual machine platform where snapshots are a 10-minute chore, and you always have a half-dozen backup images. But I appreciate it may not be the best fit for those that have hundreds of users or still rely upon dozens of Ma Bell phone lines.
PIAF4 Future Direction. We're still wrestling with how to proceed in the next release. Everyone's input is encouraged.