3-2-1, No Thank You

Written by

From time to time we all receive advice on best practice, and one which has been popular recently is from The National Cyber Security Centre (NCSC), which recommends keeping multiple backups and to logically separate them; three copies of your data, stored on two different media, with one off-site.

These seem rational and wise words, given so few organizations take back up seriously, as they frequently think that with data in the cloud - hosted by multi-billion-dollar companies - backups are managed by them. How wrong the IT director is that has such thoughts! As always, it is in the small print and unless you pay for backups to be taken or have designed a cloud strategy that mirrors your data, it is always the data owner’s responsibility to keep copies of their data.

For those organizations that do back up regularly, are the NCSC’s sage words correct in all cases? Back-ups are taken to enable a company to restore their data in the event of a system failure, accidental deletion of data or compromise from, for example, a ransomware attack.

Having multiple copies of data, in various places, increases the company's attack surface. There are many recommendations and strategies lauded around attack surface reduction including, reducing the number of code/apps/data duplications running, reducing entry points and, eliminating services requested by relatively few users (as they are not well monitored).

By having three copies of data, virtually untouched, in an automated way is breaking this recommendation. What then is the right strategy?

Take protecting against compromise, having multiple copies sounds like a good idea as it gives options to rectify a breech. But, looking at ransomware, if we know we have it (our primary data has been attacked and maybe locked), our back up will also have it, especially as the backup is often the first point of attack. Think of it as the Rottweiler in the living room, you shut the door but it is still there when you want to go back in!

Some back-up systems reduce this risk by having immutable storage: this technique locks the data so it cannot be changed or modified by a hacking tool. Because the data cannot be changed, it is fixed and you have a chance to remediate any 'Rottweilers' still there, as the ransomware has not been allowed to activate any code to lock you out of your data. This is a must have for any back up strategy and could mean that multiple copies are unnecessary.

Also, “3-2-1” does not address the issue of protecting the data from theft. Having three copies scattered around is increasing risk. As a minimum the data should be encrypted and the keys stored outside of the data to ensure that, should the data be stolen, the decryption key is not held within the data file.

Also, do not opt for the encryption to be handled by the cloud storage provider, as then they have both your data and the keys to unlock it. By handling the encryption yourself (Bring Your Own Key) or by using a security service provider to handle your encryption key estate, removes the possibility of a third-party cloud operator being able to read the data. Plus, by not giving them the key to decrypt, wherever the backed-up data is sent, it is protected. Separation of duties is the key and is a core foundation for any data security strategy.

Question: Now I have locked my data so it can't be changed, encrypted it so only the correct people can access it, do I still really need three copies?

I can see a reason for having data on different media as if you’re on/premise back up is unavailable a cloud/off site version becomes the alternative. There is almost a case for going back to tape as the second option, as this is something you can easily move to locations of your choice in an emergency and you have the peace of mind that you can see and touch it.

There is even a line of reasoning for such a back up to be unencrypted, just in case the decryption key is lost. Are three copies necessary? Given the risk of data theft, in most cases, I don’t think so.

Recommendations are fine but they must be proportionate to the business, the value of the data and the budget. A solution needs to be fit for purpose and offer flexibility and reliability with built in security and role-based access control. These are the fundamental points to consider, in my opinion.

If, however you want to follow guidelines, especially NCSC’s 3-2-1, fine, have more copies of your data; buy two media systems and store it all over the place, just make sure you monitor closely who and what is touching it when you are not!

What’s hot on Infosecurity Magazine?