Whether your organisation is backing up data locally, or working with an external provider, security must be an integral part of the backup process. Most organisations go to great lengths to protect their data. Creating a backup process that is potentially insecure could completely undermine such an organisation’s security efforts.
There are countless steps that an organisation could take to improve the security around backing up data, but most fall into three best practises.
- Control access to backup resources. A good backup solution should support Role Based Access Control (RBAC). An RBAC mechanism allows administrators to grant backup operators the ability to perform specific tasks, without giving them full access to the entire backup system. A backup application’s access control mechanism should also perform audit logging of all backup and recovery related activities.
- Encrypt at all stages of the process. This is often referred to as protecting data at rest and in flight. Protecting data at rest means encrypting the backup media. This can refer to storage level encryption of a backup storage array, or to the encryption of backup tapes. In any case, encryption should be enabled regardless of the backup media type that is being used.
Encryption in flight means encrypting data as it flows across the network on its way to being backed up. The in-flight encryption requirements will vary depending on the backup architecture that is being used. In many organisations, data flows from the protected resource (the server that is being backed up) to a backup server, and then from a backup server to a backup target (the backup storage media). The data should be encrypted in each stage of its journey.
Although backing up data in flight is often a function of the backup software, agentless backup applications may lack a native network encryption mechanism. In these situations, the IT staff may need to enable an external form of encryption such as IPSec. Some organisations take security a step further by routing backup data across a dedicated network segment or a dedicated VLAN in an effort to isolate the data from other network traffic.
- Establish a chain of custody for your data. The logistics behind a chain of custody will vary widely depending on how an organisation structures its backup processes. In any case, the chain of custody establishes documented accountability for anyone handling backup data. If an organisation uses a courier service to ship backup tapes offsite for example, then a chain of custody could be used to track the whereabouts of backup tapes at a given moment.
Ultimately, there is no magic formula to establishing a secure backup process. Backup security means adhering to industry best practises while implementing processes that mandate accountability for anyone with access to the backups.
To learn more about data backup best practises, see the article ‘Celebrating World Backup Day: Three Ways to Create a Smarter Data Backup Strategy.’