The increasing rate of threats incorporating ransomware and data-specific attacks is prompting many organizations to implement a new data backup and recovery model that includes cloud-based storage.
Most mature enterprises have several tiers of backups and replicated data for business continuity and disaster recovery (BCDR) purposes. But the specter of ransomware is driving some organizations to consider isolated backups. These are backups that aren't reachable or accessible from the core corporate environment without making infrastructure changes and/or requiring numerous administrative authentication/authorization adjustments.
Common tactics for cloud backup ransomware protection include the following:
- Building a new network segment within the organization's environment for these backups, with a "deny all" firewall protecting the segment. These rules are only relaxed when the data is needed or for replication.
- Creating a new, isolated cloud-based backup using both on-premises and cloud-based network restrictions similar to those just mentioned. Alternately, this isolated backup could be in a secondary or backup data center.
- Requiring multiple administrators to collaboratively enter credentials and multifactor authentication information.
Getting started: Developing a strategy
To develop a cloud backup ransomware protection strategy, there are some distinct areas of the organization that should be involved in the planning phase:
- IT operations. IT operations teams should look at the types of data to back up and how long the data should be stored.
- BCDR planning. For BCDR planning teams, the data should be aligned to standard metrics, such as mean time to recovery, recovery time objective, recovery point objective and others.
- Infosec.The sensitivity of the data stored and replicated is critically important. As a result, security teams should focus not only on the types of data backed up, but any and all security controls available in the cloud to help protect this data.
- Legal/compliance. Any required legal and regulatory needs should be addressed early to make sure all storage and archival requirements meet industry and best practices requirements.
Organizations should ask their cloud storage providers a series of questions about the physical security of their data centers and the personnel who operate systems and applications within those environments. These questions include the following:
- Is physical access to the data center restricted? Which security methods are required for access -- for example, biometric retina scanners? Enterprises should expect providers to maintain strong physical access controls at these facilities.
- Is the data center staffed and monitored 24/7? If so, how are shift changes handled?
- Does the data center have video surveillance and audit logs tracking visitors and their times of entry and exit? How is video surveillance monitored?
- Are background checks performed on employees with physical or managerial access to the infrastructure? What type of checks are performed, and how often?
- Are there intrusion alerts, and is there a documented response plan in case of a breach of physical security at the data centers?
Storage architecture and network security
Organizations must be cognizant of the general security design considerations in place in the cloud provider environment. These controls are considered fundamental security program elements that any mature program should support. Consider the following criteria:
- What authentication methods are required for users when accessing storage components and areas? In particular, a provider's storage administrators should have strong authentication requirements.
- Are there secure configurations that mandate default password changes as part of the installation process? Secure configurations should deny any and all services, features and functions unless users specifically activate them, providing a default deny stance for all configuration controls.
- What types of security event monitoring and logging are in use? Any platforms and applications must provide the ability to detect security events and log them accordingly. Users should have the ability to send security alerts to management consoles, element managers, pagers, email and other sources. In many cases, this data will only be available to cloud provider teams, but users should be aware of what technologies and processes are in place.
- How is multi-tenancy deployed, and what technologies are used to segment and isolate different tenants' data? Virtual firewalls, hypervisors and storage area network (SAN) isolation tools and techniques, and network segmentation are all viable options. Cloud providers should be willing to disclose what they use to protect data on shared platforms.
- Are network device user permissions and passwords audited, and how often?
- Are systems servicing each customer segregated from other network zones, both logically and physically? There should be separate firewalled zones for internet access, production databases, development and staging areas, and internal applications and components.
Storage access and management security
Managing access controls and session security for access to the storage environment should be of paramount concern for both cloud provider administrators and enterprise users. To defend against common security threats, such as ransomware, cloud storage should be assessed based on the following criteria:
- Do management tools and other administrative applications store user passwords in an encrypted format? If so, what type, and is this encryption tested regularly? Also, does the storage management application enable configuration and enforcement of password length, type and duration?
- What types of secure connectivity are permitted to the cloud storage infrastructure? Are more secure communications protocols, like SSL, TLS or SSH, supported?
- Is there an active user session timeout?
- Do the management tools support multiple administrator profiles to provide granular security levels? Administrative applications for accessing and configuring cloud storage should have configuration options that restrict administrator access based upon time, day, function and other attributes. All administrator action should be logged for auditing and alerting, and logs should be available to enterprise security teams.
- Can the cloud storage management application define granular roles and privileges? To maintain proper separation of duties and enforce the principle of least privilege, this capability should be considered mandatory.
The majority of the focus on security-oriented processes within a cloud storage provider should be on software testing and development security, as well as patching and vulnerability management.
Questions to ask include the following:
- Does the cloud storage provider test hardware and software in fully secured and patched configurations to assess the vulnerability of the servers, networks and applications?
- Is a process in place at the provider to track and report security vulnerabilities discovered within the cloud storage products? The provider should also delineate between general announcements and contact methods for particular customers as a part of its incident response processes.
- What notification and escalation procedures are followed if security breaches or other potentially serious security incidents are encountered?
- Is there an established and documented process for the distribution of critical software patches and noncritical security updates internally?
- Is there an established process for testing security in the development and quality assurance cycles? This should include scanning source code for top issues -- among them the Open Web Application Security Project Top 10, buffer overflows, poor authentication and session handling.
Cloud-based storage will supplement data backup strategies already employed by mature organizations. Those strategies include on-premises standard backups using tape or disk or large-scale replication of virtual data contents with SAN/network-attached storage integration, as well as secondary backups using tape or disk sent to an off-premises backup provider. Finally, for newer scenarios, such as ransomware concerns, short-term isolated backups for end-user content and/or core data center critical assets can be considered.