What are the security implications of employing backup as a service? Are there certain controls we should put in...
place or request from a service provider to ensure our data remains safe?
Backup as a service will appeal to a range of organizations. The idea that someone else will perform backup operations and keep your data safe is hard to pass up, at least at first glance. But before you jump into backup as a service, make sure your company has proper controls and agreements in place.
First, consider the need to encrypt your data before it is backed up to a third party. Are you required by regulations or other policies to ensure some or all of your data is encrypted before it leaves your network? Should all of your data be encrypted or only private and sensitive data? If the latter, are you confident enough in your data classification procedures to ensure no private or sensitive data is left unencrypted?
If your backup service is subpoenaed, it may be legally compelled to turn over your data. If the data is encrypted and only you have access to the decryption (private) key, then the backup service will only be able to turn over encrypted data. Some business, such as law firms, that maintain confidential information for clients may want to consider such scenarios.
In addition to protecting the confidentiality data, security teams must address integrity and availability of data. Consider how you will verify the integrity of backups; regular test restores can help mitigate the risk of finding a corrupt backup only when you need to restore from it.
With regards to availability, be sure to define recovery point objectives and recovery time objectives with your backup service provider. The recovery point objective is the point in the past which was the time of the last backup. After that point, data may be lost. Some business operations can function with a prior day recovery point while others might need a recovery point within the last hour or less. Also define recovery time objectives with backup service providers; this is the time from which you make a request to have data restored and it is actually restored. Again, some business operations can tolerate longer recovery time objectives than others.
Any cloud service should have well-defined service-level agreements (SLAs); these should include performance agreements and compensation for the customer when those SLAs are missed.
Ask the Expert:
Want to ask Dan Sullivan a question about cloud security? Submit your question now via email. (All questions are anonymous.)
Don't miss this tutorial on cloud backup best practices
Dig Deeper on Cloud Data Storage, Encryption and Data Protection Best Practices
Related Q&A from Dan Sullivan
Docker's recent upgrade introduced support for hardware signing and in the future, automated security analysis on Docker images. Expert Dan Sullivan ... Continue Reading
Cisco's new project Contiv automates operational policies for containerized applications in the cloud. Expert Dan Sullivan explains the benefits of ... Continue Reading
Dropbox API abused by attackers posing as legitimate users in a huge spear phishing campaign. Expert Dan Sullivan explains how to mitigate the risks ... Continue Reading