7 ways to secure backup data

You need to see your backups the way bad actors do: an invaluable resource that can be turned against your organization if you don’t protect them correctly.

Ransomware attacks focus on backup servers to either encrypt their data so they can’t restore other systems or to capture company IP and use it for extortion. Neither is a good outcome, so do everything you can to protect your backup data. Here’s how.

Encrypt backups

Encrypted backup data cannot be used to extort your company. Attackers might be able to exfiltrate it, but it will be useless without the keys. Encryption technology has evolved to a point that this can be handled with relative ease, allowing you to encrypt all backups wherever they are stored.

Use third-party key management

Reduce the likelihood that the bad actors will get their hands on both the encrypted data and the keys necessary to decrypt it by using a third-party key management system. It will likely cost more than key management that’s built into your backup system, but it’s well worth considering, especially if your system stores its keys inside a database that is encrypted only with the Windows machine key. That key is far too easy for adversaries to access once they manage to escalate privileges, and once it is accessed, your encryption keys are vulnerable.

Do not store backups as files

This recommendation is less obvious than the others but may be the most important. Bad actors can’t encrypt, delete, or exfiltrate backups they cannot see as files, so don’t give them that option. This includes locally attached disk arrays formatted as the F: drive or a deduplication appliance mounted via NFS or SMB. Instead, ask your backup-software or deduplication vendor for a more secure way to connect the two. It’s best to have this conversation before you buy, but most products have a way to do this.

Store backups on a different operating system

Most backup systems have the concept of media servers or storage servers where backups are stored. They should be running a different operating system, especially if your main backup server is Windows, which is often a target for ransomware attacks. Storing backups on a different OS helps build an air gap to protect the backups.

Use immutable on-premises storage

If your backup software supports it, use Linux’s immutability flag on your backups. When it’s enabled, nobody—attackers included—can delete backup files once they’re written, so it offers some protection. One important thing to note, however, is that this feature is easily disabled by anyone with root, so a bad actor with escalated privileges can unset the flag and delete backups.

Copy to tape or RDX

Tape is getting a resurgence in popularity because it is impervious to electronic attacks if it’s offline. The same is true of RDX, the removable disk-drive technology that behaves a little like tape. If you have the time to write a copy to tape and send it offsite, a hacker is going to have a hard time getting ahold of it.

Create a copy on immutable cloud storage

Unlike tape or on-premises storage with immutable features, cloud storage can be truly immutable. If you set the full immutable flag when copying backups to the cloud, even the cloud admin can’t delete it; the flag will automatically delete itself once the retention period passes. You should also configure your S3 buckets so they can only be written to by your backup application.