Cybersecurity Considerations in Selecting an Enterprise Backup Solution

Lester Godsey, CISO, City of Mesa and Ihaab Dais, Security Architect, City of Mesa
372
600
121
Lester Godsey, CISO, City of Mesa

Lester Godsey, CISO, City of Mesa

Endpoint protection seems to be the cybersecurity word of the day, with the news being dominated by ransomware and leaked hacker tools. However, security professionals across the board will tell you that cybersecurity should be in the forefront of all enterprise decisions, including that of backup solutions. Consider the following:

• Depending on your architecture, backups may contain all your organization’s data in a single location. Even if it is tiered using a 3-2-1 approach, your backup application is a single point of data ingress and egress. Think of it this way—threat actors know that there is at least one enterprise service that virtually touches every piece of data that your organization cares about.

• If you are looking at storing data offsite, how vulnerable is your data in transit? This isn’t to suggest that transport isn’t an onsite concern but it is amplified when stored in the public cloud. How well does your backup handle key management? Encryption is only as good as the key management used to encrypt it.

• Backups are a service ripe for disruption. Whether as a diversionary attack or a strategic effort to disrupt an organization’s ability to recover from malware, backups are a key component in one’s DR/BC readiness.

As you tackle your selection process, consider the CIA triad model—confidentiality, integrity and availability. Are the backup solutions you’re looking  at adequately addressing these from a cybersecurity perspective? Below are some criteria you may want to incorporate into your evaluation process, based on this model:

​  Even if it is tiered using a 3-2-1 approach, your backup application is a single point of data ingress and egress. 

CONFIDENTIALITY

• At a minimum, your backups should support encryption at rest and in flight. Some data types, such as CJIS (Criminal Justice Information Services) require data to be encrypted in both states depending on its location.

• Operationally, how do you provide backup services? For example, if your help desk is responsible for restores but not backups make sure your enterprise backup application can grant your help desk restore permissions only. Along these lines, your IT staff shouldn’t need root or full admin rights to perform daily tasks. Make sure your application leverages service accounts for those sorts of elevated activities. Principle of least privilege applies to enterprise backups as well.

• Clients should not have the ability to either browse or worse, directly access the backup repository. The enterprise backup application should be the only way to execute these functions. This is akin to how current versions of web servers disable directory browsing.  

INTEGRITY

• How secure are the services (or daemons if your solution is *NIX-based) that your enterprise backup solution uses? For example, many Windows-based applications leverage the Volume Shadow Service. How easy is it for a threat actor to manipulate this service? At a minimum, this could be a way for someone to disrupt your backups. Worse, this could be their way into your data.  Ihaab Dais, Security Architect, City of Mesa

• Does the enterprise backup solution provide APIs or web services for your SIEM (security information and event management) product to consume? If they do, are these services capturing event IDs and other data important to you? If you don’t have a SIEM hopefully your organization has a strategy to securely copy your backup log data into a secondary logging source, such as a separate syslog server. Without either, how do you know if your backups aren’t compromised? A clean set of backup logs will go a long way to validate this.

AVAILABILITY

• At the core of backups is data restoration. This is even more critical in the face of malware attacks today, especially ransomware. If your organization is successfully attacked by ransomware you basically have two choices: pay the ransom or restore from backups. Does the enterprise solution meet your RTO and RPO requirements and do they factor in cybersecurity attacks and recovery?

• Look for enterprise backup solutions that don’t require clients to connect to CIFS-mounted locations. With the increasing number of malware attacks leveraging SMB vulnerabilities this has become a bigger issue.    

• If your organization is opting in part or looking to completely outsource data backups, what are the security practices of your provider’s data center? Examples of data center industry standards to look for are SOC2 Type 2, SSAE 16 and FedRAMP for government agencies. What you should look for is dependent upon the type of organization you are and the type of data to be stored.    

There is a lot to consider with any enterprise backup solution/service purchase and it is easy to get lost in the details. Try taking a step back and consider the following:

• Map out how the proposed backup solution would fit in your organization architecturally. Identify all the points that your data is handed off or directed with (especially outside your network if hosted) and ask yourself if there are security concerns at any of those points. If so, what has the vendor done to mitigate them?

• Map out how the backup solution would fit in your organization from a service perspective. How is security provisioning handled? Are permissions granular enough for how you operate? How easy and quick is it to restore data in cases such as ransomware attacks?  

• Read reviews from trusted sources, preferably those that you know. If looking at third party reviews, focus on ones that will share their testing methodology. Also, look at whether or not their studies are financed by independent groups or by vendors in that space. If the latter, you may want to question their motivation and approach. This has been a point of contention in the cybersecurity vendor space.  

Lastly, make sure someone from your cybersecurity team is involved in your backup procurement. By letting them have a voice in the selection process, you will ensure if your next enterprise backup solution is prepared to address any security concern that may arise.