I got told the other day that “backups are ‘uncool’ in a security world”.
Backups are a vital part of any information assurance strategy, but they are often overlooked: information security tends to focus on keeping the baddies out with the vast array of available tool-sets, which drives waves of scanning, software patching, monitoring and security hardening, and in doing so takes its eye off the ball with regard to backups.
Backup is primarily concerned with making sure systems and data remain safe, available and consistent; these are also the primary goals of information security, and while operational teams are tasked with day-to-day operation, information security is ultimately responsible for protecting that backup data.
Consider how backups apply in the context of the three pillars of information security:-
Confidentiality: controls should be in place to manage and monitor access to backup devices, media and data.
- Who has access to your backup data?
- Who authorises access to backup data?
- Is access to backup data and systems revoked if an authorised person leaves/moves?
- Are data protection operation logs reviewed to identify and investigate ad-hoc restores and changes in backup policy?
- To what degree can an authorised person examine the backup data?
- To what degree can an unauthorised person affect the backup data?
Integrity: this is the classic focus of information security, keeping systems and their data protected from threats that cause inappropriate changes. The tools and techniques are plentiful in this aspect, but backups require some further observance in order to maintain assurance of integrity:
- How is the data handled from source to destination?
- Who authorises changes in backup retention and frequency?
- Are ad-hoc restores and changes in backup policy appropriate and authorised?
- How many backup failures would it take for integrity to become an information assurance issue?
Availability: an unscheduled outage can prove just as fatal to a client as a ‘classical’ security breach, and in these situations the availability of backup data is key:
- Can you recover a system to a given point-in-time in order to perform a post-mortem or restore a system to a state prior to known compromise?
- Can you prove how and where the data was moved? (it might be missing!)
- Does the current RPO and RTO reflect real business availability needs? (would it be good enough to bail you and your customer out of a security incident?)
- How is backup data destroyed/recycled/leaked?
- Who defines backup retention policies, and do they comply with business and legal requirements?
- Who is responsible for compliance, ensuring that data is kept for an appropriate amount of time or, more importantly, that aged data is safely purged at the appropriate time?
- How many backup failures would it take for backup availability to become an information assurance issue?
- Should information security care about backups?
- Do backups register on your list for making data ‘secure’?
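Two of the questions above lend themselves to a routine, scriptable check: reviewing data protection operation logs for ad-hoc restores and policy changes that lack authorisation, and working out how many consecutive backup failures a schedule can absorb before the agreed RPO is no longer achievable. The following is an added example, not code from the original post or from any backup product; the log line format, the field names (`policy`, `user`, `status`, `change_ticket`) and the sample entries are all constructed for illustration.

```python
"""Added example (not from the original post): review constructed backup
operation log lines for unauthorised ad-hoc restores and policy changes,
and check whether job failures have pushed the achievable recovery point
past the agreed RPO."""
from dataclasses import dataclass
from datetime import datetime

# Constructed sample log (hypothetical format, not any real product's):
# <ISO timestamp> <event> key=value ...
# event is one of: backup, restore, policy_change
SAMPLE_LOG = """\
2024-03-01T01:00:00 backup policy=fileserver-daily user=svc_backup status=ok
2024-03-02T01:00:00 backup policy=fileserver-daily user=svc_backup status=failed
2024-03-02T09:15:00 restore policy=fileserver-daily user=jsmith change_ticket=CHG-1042
2024-03-03T01:00:00 backup policy=fileserver-daily user=svc_backup status=failed
2024-03-03T14:20:00 policy_change policy=fileserver-daily user=jsmith
2024-03-03T22:05:00 restore policy=fileserver-daily user=jsmith
"""


@dataclass
class Event:
    ts: datetime
    kind: str
    fields: dict


def parse_log(text: str) -> list:
    """Parse the constructed log format into Event records."""
    events = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 2:
            continue
        fields = dict(p.split("=", 1) for p in parts[2:] if "=" in p)
        events.append(Event(datetime.fromisoformat(parts[0]), parts[1], fields))
    return events


def unauthorised_changes(events: list) -> list:
    """Restores and policy changes with no change ticket attached.

    These are the ad-hoc operations the post says should be reviewed and
    investigated; a change_ticket reference is the (assumed) evidence of
    authorisation."""
    return [
        e for e in events
        if e.kind in ("restore", "policy_change") and "change_ticket" not in e.fields
    ]


def backup_age_hours(events: list, policy: str, now: datetime):
    """Hours since the newest successful backup for `policy`, or None if
    there has never been one."""
    good = [
        e.ts for e in events
        if e.kind == "backup"
        and e.fields.get("policy") == policy
        and e.fields.get("status") == "ok"
    ]
    if not good:
        return None
    return (now - max(good)).total_seconds() / 3600


def failures_until_breach(agreed_rpo_hours: float, interval_hours: float) -> int:
    """Consecutive failed jobs a schedule can absorb before the agreed RPO
    is missed.  After k consecutive failures the newest good copy reaches
    (k + 1) * interval hours old just before the next run, so the largest
    k with (k + 1) * interval <= rpo is rpo // interval - 1 (never below 0)."""
    if interval_hours <= 0:
        raise ValueError("backup interval must be positive")
    return max(0, int(agreed_rpo_hours // interval_hours) - 1)


def review(text: str, policy: str, now_iso: str,
           agreed_rpo_hours: float, interval_hours: float) -> dict:
    """Summarise the checks for one policy as plain values."""
    events = parse_log(text)
    age = backup_age_hours(events, policy, datetime.fromisoformat(now_iso))
    return {
        "unauthorised_events": len(unauthorised_changes(events)),
        "newest_good_backup_age_hours": age,
        "rpo_breached": age is None or age > agreed_rpo_hours,
        "failures_tolerated": failures_until_breach(agreed_rpo_hours, interval_hours),
    }


if __name__ == "__main__":
    for key, value in review(SAMPLE_LOG, "fileserver-daily",
                             "2024-03-04T00:00:00", 24, 24).items():
        print(f"{key}: {value}")
```

Run against the constructed log with a 24-hour RPO and daily schedule, the review flags two events without a change ticket (the policy change and the later restore), reports the newest good copy as 71 hours old, and shows that a daily job with a 24-hour RPO tolerates no failures at all; a 72-hour RPO on the same schedule tolerates two consecutive failures, which is a direct answer to the "how many backup failures" question for that policy.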
There is a clear role for information security within the context of backups in terms of managing access and monitoring events; the question is whether it goes further.
As mundane as backups are, they provide the foundation for availability and integrity in the event of compromise, because they often provide the only regression plan available: one that can, in many cases, undo what has been done and return the compromised system and its data to a pre-compromise state within the agreed RTO and RPO.
The strength of that foundation means that information security should be jealously keen to ensure this “get-out-of-jail-free” card does not slip out of its proverbial ‘back-pocket’.