At present I work for a backup company making sure that when your server goes down, you will be able to recover the data. The big question that comes up is the security of that data off-site. Traditional backup software would simply make a copy of your file and place it onto a drive someplace else. Then when changes were made it would write a new file to another folder. Later software then placed all those backed up files into a container file and did a differential or incremental into a new file. The main issue with these backups is that once the file is at a remote location, there are extra security issues that need accounted for.
Your data is only as safe as what is protecting it. Lets take for example an extremely locked down database server that you spent many hours protecting. Your backup admin then has the needed permissions to perform that backup and sends the data over to their backup server on another subnet. It is very possible that the backup data could be easily reached by an outsider by compromising the backup server instead of the production server. A lot of hard work goes down the drain when the same safety precautions are not applied to the backup server as is the production server. Sometimes it can be entirely possible for a company to have multiple backup servers in separate subnets so that production servers can have their backup servers locked down to high standards while a users backup server would be somewhere locked down but not needing to meet high standards such as PCI compliance.
This all boils down to your company's policy for their backups. A lot of IT admin that I speak to do not have this policy in place but is best practice for their sake and their company. Items are to be included such as over-the-wire encryption, encryption at rest, password authentication to retrieve data, and general requirements for making sure the server is secure. While this does venture into another topic I will cover later, it presents an initial headache that acts as insurance for later. In the event of a data breach, by ensuring the backup server has met the requirements of IT policy, as defined by management, it protects the IT admin.
The procedures for making sure your backups are secure can be quite different for a lot of companies. This goes back to how they are securing their data. One procedure or process could simply be an encrypted backup on an encrypted USB drive. This may be enough for a small company to walk the backup to a bank safe once a week. Another process or procedure may be to ensure that a backup server meets strict industry standards such as PCI compliance. For larger companies it is not feasible to secure all their data at a bank vault weekly so they must make sure the server is protected from outside threats.
Before deciding on a backup software to use it is very important to cover where and how the backed up data will be stored. Each piece of software you find will have many options for your needs and by generating a list or going off company policy you can ensure that everything is meeting the security industry standards your company has agreed to abide by.
No comments:
Post a Comment