Securing Backups in an Automated Data Protection System

Backup security is an often overlooked element of an organization’s overall security posture, but it shouldn’t be. Not only is there a wealth of sensitive information inside these files, but they’re also the last line of defense against a successful ransomware attack.

If ransomware manages to evade an organization’s defenses and encrypt all data on the network, the organization can still avoid paying ransom so long as the backup and disaster recovery files are intact. 

If the attack reaches and encrypts the backup and DR files as well, the only two choices are to pay the criminals or accept that the organization's data is gone for good. And paying the ransom does not end the problem quickly.

For example, after officials in Lake City, Florida paid the ransom and received the decryption keys, it still took more than eight days to retrieve all of their data, and they had only about two hundred terabytes. Larger organizations with larger datasets could face a month or longer before recovery is complete.

In 2016, there was a ransomware attack every 40 seconds, according to Kaspersky Lab, and Cybersecurity Ventures expects an average of one every 14 seconds in 2019. Even worse, of those companies infected by ransomware, more than three-quarters were running up-to-date endpoint protection, according to Sophos.

Perimeter and endpoint protection simply aren't enough. Worse still, more than two-thirds of businesses carry no cyber insurance, which compounds the potentially catastrophic damage these attacks can cause.

Modern malware spreads silently, moving laterally across the network for days, even months, gaining a foothold on every device it can reach until the day it starts encrypting everything. No local SAN or NAS is safe: anything the compromised hosts can write to, the ransomware can encrypt. Once activated, ransomware encrypts large amounts of data within minutes, bringing business operations to a complete standstill.

The most effective way to protect backups from ransomware is to create an “air gap.” Traditionally, this has meant that backup and DR files are physically disconnected from the network. If you’re backing up to tape, these backups are removed from the recording device and shipped somewhere offsite.

Spinning disks can be disconnected after backups are finished. In both cases, the backup medium needs to be physically reconnected when IT wants to restore data.

The air gap problem in an automated service
As organizations increasingly automate backup and disaster recovery functions, that makes implementing a traditional “air gap” impractical. After all, in many systems, backups are done multiple times an hour, not just once a day, and organizations have come to expect to restore within minutes. If you have to physically connect and disconnect the backup infrastructure or physically remove backup storage media from the system every time the backup process takes place, the management efficiencies and cost savings disappear. 

Thankfully, it's possible to emulate an air gap and get the same effect from an automated service. First, make sure your backups are written to immutable, write-once storage. Backups stored that way cannot be overwritten or encrypted in place; even if they can be deleted, they cannot be cryptographically shredded.

That is just the beginning, because by itself this step is not sufficient. You'll also need to create separate authentication domains for the production and backup environments, ideally in different accounts or locations (for example, different availability zones). Each domain must have its own credentials and its own security silo, so that compromising one silo does not compromise the others.

This way, the automated service can write new files to the backup domain, but it cannot read, modify or delete existing ones. To recover, an administrator must log on with two-factor or multi-factor authentication and access the files for recovery.
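The separation just described, worked through as an added example (not the article's own code, and not tied to any particular product): an S3-style object store with Object Lock turned on provides the immutable storage, the unattended backup job gets a principal that can only create objects, and the human recovery principal can only read, and only when MFA is present. The bucket name "corp-backups" and the two role names are assumptions for illustration. The evaluator at the bottom is a deliberately simplified model of IAM's rule (explicit deny always wins, then an explicit allow is required, everything else is implicitly denied; only the `Bool` condition operator is modelled) so the two policies can be checked offline.

```python
"""Emulated backup air gap: write-only job credential, MFA-gated read credential.

Added example, not the article's code. Assumes an S3-style bucket "corp-backups"
with versioning and Object Lock enabled, a backup-writer role for the automated
job and a backup-recovery role for humans (all names are assumptions).
"""
import fnmatch

# Policy for the unattended backup job: it may create objects and nothing else.
# With versioning plus Object Lock in COMPLIANCE mode, a PutObject on an existing
# key adds a new version and the old version stays immutable until its retention
# period ends, so a compromised job cannot encrypt or overwrite old backups in place.
BACKUP_WRITER_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": "s3:PutObject",
            "Resource": "arn:aws:s3:::corp-backups/*",
        },
        {
            # Explicit denies: a stolen writer credential must not be able to read,
            # delete, or weaken the retention lock on existing backups.
            "Effect": "Deny",
            "Action": [
                "s3:GetObject*",
                "s3:DeleteObject*",
                "s3:PutObjectRetention",
                "s3:PutObjectLegalHold",
                "s3:BypassGovernanceRetention",
                "s3:PutBucketObjectLockConfiguration",
                "s3:PutBucketVersioning",
            ],
            "Resource": "*",
        },
    ],
}

# Policy for the human recovery role: read-only, and only with MFA present.
BACKUP_RECOVERY_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:GetObjectVersion", "s3:ListBucket"],
            "Resource": ["arn:aws:s3:::corp-backups", "arn:aws:s3:::corp-backups/*"],
            "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}},
        }
    ],
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _matches(value, patterns):
    # IAM wildcards are '*' and '?'; action names are matched case-insensitively.
    return any(fnmatch.fnmatchcase(value.lower(), p.lower()) for p in _as_list(patterns))


def _condition_met(condition, context):
    # Only the Bool operator is modelled; a key missing from the request context
    # evaluates as "false", which is how IAM treats aws:MultiFactorAuthPresent.
    for key, expected in condition.get("Bool", {}).items():
        if str(context.get(key, "false")).lower() != str(expected).lower():
            return False
    return True


def is_allowed(policy, action, resource, context=None):
    """Simplified IAM evaluation: explicit Deny wins, else an Allow is required."""
    context = context or {}
    allowed = False
    for stmt in policy["Statement"]:
        if not _matches(action, stmt["Action"]):
            continue
        if not _matches(resource, stmt["Resource"]):
            continue
        if not _condition_met(stmt.get("Condition", {}), context):
            continue
        if stmt["Effect"] == "Deny":
            return False
        allowed = True
    return allowed


if __name__ == "__main__":
    obj = "arn:aws:s3:::corp-backups/2024-06-01/db.dump"  # constructed object key
    mfa = {"aws:MultiFactorAuthPresent": "true"}
    print("job can write new backup:   ", is_allowed(BACKUP_WRITER_POLICY, "s3:PutObject", obj))
    print("job can delete a version:   ", is_allowed(BACKUP_WRITER_POLICY, "s3:DeleteObjectVersion", obj))
    print("job can read a backup:      ", is_allowed(BACKUP_WRITER_POLICY, "s3:GetObject", obj))
    print("admin reads without MFA:    ", is_allowed(BACKUP_RECOVERY_POLICY, "s3:GetObject", obj))
    print("admin reads with MFA:       ", is_allowed(BACKUP_RECOVERY_POLICY, "s3:GetObject", obj, mfa))
```

The two policies live in the backup account, not the production one, so a production-side compromise still has to cross an account boundary and an MFA check before it can read anything. Note that the immutability itself comes from Object Lock on the bucket, not from the policy: the policy only ensures the job's own credential cannot be turned against the lock.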

Protecting information in backups
These measures should protect your backups against ransomware attacks by emulating an air gap between your production network and backup repository. You should also ensure that the information inside these backups is secure. Far too many organizations have extremely broad permissions to access backups, which are a treasure trove of valuable data.

First, lock down access to backups to only authorized administrators. Then, encrypt your backups and protect the keys. For example, if your backups are in the cloud, don't run key management in the same cloud domain, because you don't want the keys sitting next to the data they protect; there is too much risk if that cloud domain gets compromised. Instead, store the keys on a physically separate network. If you really want to ensure your backups are secure, go the extra mile: split the key into pieces with a threshold secret-sharing scheme and require separate authorization to access each piece, so that no single person or system can reassemble it alone.

This way, the backup system can write backups to the domain on its own, but accessing backup files requires human intervention. They are physically unavailable to the production network.
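The key-splitting step above, as an added example that is not the article's own code: Shamir's secret sharing splits a backup key-encrypting key into five shares such that any three reconstruct it and any two reveal nothing about it. The 32-byte key size, the five custodian names and the use of a SHA-256 fingerprint to verify a reconstruction are assumptions for illustration; arithmetic is over the prime field GF(2^521 - 1), which holds any key of up to 512 bits as a single field element.

```python
"""Threshold splitting of a backup encryption key (Shamir's secret sharing).

Added example, not the article's code. Assumes a 32-byte key-encrypting key and
five placeholder custodians; the fingerprint check is an added safeguard so a
wrong or insufficient set of shares fails loudly instead of yielding a bad key.
"""
import hashlib
import secrets

PRIME = 2 ** 521 - 1  # Mersenne prime M521; larger than any key up to 512 bits


def _eval_poly(coeffs, x):
    """Horner evaluation of a0 + a1*x + a2*x^2 + ... modulo PRIME."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key, n, k):
    """Split `key` into n shares (x, y); any k of them reconstruct it."""
    if not 1 < k <= n:
        raise ValueError("need 1 < k <= n")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too long for the field")
    # Random polynomial of degree k-1 with the key as its constant term. The
    # other coefficients are forced non-zero so that interpolating k-1 shares
    # can never land on the key by accident.
    coeffs = [secret] + [secrets.randbelow(PRIME - 1) + 1 for _ in range(k - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def combine_shares(shares):
    """Lagrange interpolation at x = 0; returns the recovered field element."""
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    return secret


def key_fingerprint(key):
    """Hash stored next to the backups; lets a reconstruction be checked without exposing the key."""
    return hashlib.sha256(key).hexdigest()


def recover_key(shares, key_len, fingerprint):
    """Rebuild the key from shares; refuse unless it matches the stored fingerprint."""
    value = combine_shares(shares)
    if value.bit_length() > key_len * 8:
        raise ValueError("shares do not reconstruct a key of this length (too few or wrong shares)")
    key = value.to_bytes(key_len, "big")
    if key_fingerprint(key) != fingerprint:
        raise ValueError("reconstructed key does not match fingerprint (too few or wrong shares)")
    return key


if __name__ == "__main__":
    kek = secrets.token_bytes(32)  # key-encrypting key, generated off the production network
    fp = key_fingerprint(kek)      # safe to store alongside the backups
    shares = split_key(kek, n=5, k=3)
    # One share per custodian or approval step (placeholder names); each is
    # released only after its own authorization.
    custodians = dict(zip(["hsm-site-a", "hsm-site-b", "offline-safe", "security-lead", "cfo"], shares))
    quorum = [custodians["hsm-site-a"], custodians["offline-safe"], custodians["cfo"]]
    assert recover_key(quorum, 32, fp) == kek
    print("three custodians recovered the key")
    try:
        recover_key(quorum[:2], 32, fp)
    except ValueError as err:
        print("two custodians:", err)
```

The shares, not the key, are what gets distributed, and they should be held in different authentication domains from the backups themselves. Shamir's scheme provides secrecy but not integrity, which is why the fingerprint is kept: a custodian who hands over a tampered share would otherwise produce a silently wrong key.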

It’s not an easy task to secure backups, both from ransomware and unauthorized access. Managing encryption, two-factor authentication and multiple security domains is complex. The alternative — losing access to enterprise data for weeks or months, even after paying the ransom — is unthinkable for organizations in today’s fast-moving business environment.
