Sergey Nivens - Fotolia
Whether in the in-house data center or in the cloud, IT is moving toward a converged backup and disaster recovery environment based on storage drives.
One common theme is that, in backup files, there is a lot of data that is essentially forgotten. It typically doesn't get much management time, and the risk of illicit access is thus significantly higher.
It's a crucial practice to encrypt backups properly. This means two things: a good encryption algorithm and then proper key management. Let's look at each of these, because they are not superficial issues.
Standards and practices to encrypt backups
The brain trust behind industry encryption standards is always worried that compute power and human cleverness will find ways to break mainstream encryption methods. There are plenty of teams working to do just that, in both the criminal and government spaces. Currently, most recognize Advanced Encryption Standard 256 as a viable encryption method. But there are worries about it, and you should pay attention to any announcements of a crack in this area.
All data at rest must be encrypted. The recently announced Intel vulnerabilities to Spectre and Meltdown highlight just how difficult multi-tenant protection really is. Best practice is to assume that black hats will get to your data at some point.
With virtualized storage, data in motion between the servers and appliances also needs encrypting. That's because man-in-the-middle attacks in the virtualized model should be expected. Best practice, then, is to encrypt at source the data that you are storing, and make sure you encrypt backups.
Remember to compress data prior to when you encrypt backups. Encrypted files will not compress at all. If background compression and deduplication are targeted for the backed-up data, you'll need a permissions mechanism and a key manager that provides appropriate keys to the backup suite.
Key management is crucial. First, avoid virtual or real drives that will back up data for you, unless the only copy of the key is kept within your own systems. Personally, I avoid drive-based encryption altogether since an incident where there were only 32 key options on one particular self-encrypting drive family, making cracking it an effort for a 10-year-old.
There are complications if you want to encrypt backups and use them for background data analytics or DevOps work. Good key control software is needed in this situation, since I'm assuming that you aren't using the method of having just one password and sticking it up on a Post-it note.