June 22, 2017
Once common wisdom had it that backups were a low priority when it came to security. While IT leaders focus heavily on stopping attacks and preventing breach repercussions – loss of customer faith, regulatory fines, and compromised data– protecting backups from attackers traditionally just hasn’t been at the top of the security list.
Yet backups are the last line of defense when criminals take over your system. Attackers know this, and many head straight for your backups to remove any hope of recovery. So why do so many IT teams fail to secure their backups like the valuable insurance they are?
If your team has yet to integrate your backup and disaster recovery ecosystem into your security program, here are 5 practices to get started.
If you’re still relying on physical backups, realize they can be vulnerable to theft and consider adding an additional layer of security in the form of cloud backups. Another vulnerability: the end of the tape or disc lifecycle. Be sure to thoroughly destroy them to keep sensitive data from being exploited.
Take Advantage of Detection Tools
The longer criminals are in your system, the higher the likelihood they’ll spread through your network – including infiltrating any backups they can find. Detection tools that can identify unauthorized users, or users employing valid stolen credentials, can go far in doing damage control.
Include Backups in your Response Plan
When creating and testing your recovery plan, make sure your backups are present and accounted for. If you’re booting up one set of backups and leaving others on the bench, remember to check on whether they’ve been compromised.
Use Advanced Security Controls
Each individual virtual network that connects to the DR recovery node should be isolated by a dedicated firewall; any data centers hosting your applications should offer Tier 1 architecture and be certified with PCI, HIPAA & SOC 2. If necessary, ask your vendor how they handle data migration, cloud tenancy and remote access.
Secure Your Backups
Criminals who want to hold your information hostage, like ransomware attackers, are especially interested in seizing your backups. Your best option for protecting them: encryption. Even if your backups are accessed or stolen, encryption will disguise the data from their unauthorized eyes. (You might also get any regulatory financial penalties and notification requirements reduced.) Any backup stored in the cloud should pass through a 128 bit AES encrypted session over a 256 bit AES VPN tunnel before leaving your network; the data should be encrypted again while at rest in the cloud. Any link used to connect or upload your data should be secured through SSL or other protocols as well.
Typical methods for rendering data unreadable include encryption algorithms like AES, Blowfish, RSA and 3DES, truncation, index tokens and pads, and one-way hashing. But skilled cryptography must be paired with other security protocols as well, such as restricting access to encryption keys, protecting transmission over open networks, using best practices for wireless networks, and cracking down on transmission of sensitive data over email, chat and other casually used technologies.
Maybe you believe your backups are already protected. If so, great. Just be sure to regularly evaluate those controls. With the explosion of Big Data and the growing complexity of many BDR systems, many organizations find their backups aren’t as well-protected as they thought. Weak encryption key management or a gap in backup disk disposal can easily become a habit, opening a door to data loss. Backups have always served as your organization’s insurance; by giving them the protection they deserve, your team can unlock a stronger level of BDR security and greater peace of mind.