SaaS backup vendors often tout that they provide easy and intuitive ways to manage data backups, turning a once laborious process of swapping platters and tapes into just a few clicks in a web console. But these same SaaS products have also created new vectors for malicious cyberattacks, unintentional human error and even acts of God.
For years, backup experts and vendors have noted that backup as a service (BaaS) vendors, in most circumstances, have protected themselves against being liable for lost or stolen data. They also face their own challenges of balancing speedy product development with data security.
Cybercriminals look for cracks in BaaS vendor security because customer data is useful for shaking down not only a business target but also the vendor, putting its reputation on the line, said Brent Ellis, an analyst at Forrester Research.
"Any BaaS vendor is going to be a hot target," Ellis said. "[Hackers are] going to target those vendors that are part of your supply chain in your business. You need to think of your backup system as part of your security apparatus."
Smash and grab
Two recent attacks on backup services include a data breach of Rubrik, a cybersecurity and backup vendor, and Western Digital, which operates the My Cloud service for backups of customer data including photos and videos.
Rubrik attributed the breach to a known zero-day vulnerability in the GoAnywhere Managed File Transfer software from Fortra, another cybersecurity company. This flaw affected more businesses than just Rubrik, including Hatch Bank, Procter and Gamble, and Saks Fifth Avenue.
A criminal group, propped up by Russian connections, claimed responsibility for the Fortra vulnerability attacks and has threatened to post information from those hacks to a data leak site.
Western Digital, meanwhile, claims to have suffered a "network security incident" that resulted in attackers absconding with data from the company's systems. Although My Cloud and other Western Digital services returned after 11 days, the company has yet to confirm specifics of what data was taken and how.
Even if a company's SaaS backup data is stored soundly in a data center, there's still the potential for loss through a natural disaster.
OVHCloud, a European cloud and data storage provider, saw data for more than 100 of its clients go up in smoke following a massive fire at one of its data centers in Strasbourg, France, several years ago. Now the company is facing litigation from customers as local fire services indicated a lack of on-site fire prevention systems, among other concerns.
Michael Mestrovich, vice president and CISO at Rubrik, who disclosed the Rubrik breach in a blog post, said the affected data did not include customer data or data under the protection of Rubrik products. Instead, the vulnerability let attackers access information in a non-production IT testing environment.
Following the attack, Rubrik conducted a forensic analysis to track possible entry points for hackers, including a review of data snapshots and an audit from a third party, Mestrovich said in a follow-up interview with TechTarget Editorial.
A former CISO for the CIA and the U.S. Department of State, Mestrovich said Rubrik is aware of its importance in customer technology stacks, including that it can serve as a last line of defense from an attack. But the continued push for vendors to ship new products as well as human error by either the customer or vendor still leaves some vulnerability gaps.
"We're in the same boat every corporate or public entity is in," Mestrovich said. "There are many more things you need to protect than you have time or dollars to ultimately do."
Rubrik divides itself into several operational environments, including IT business operations, software environments and SaaS applications, with varying levels of security and hard walls to contain data.
"The ability for anyone to have rights or privileges in any other environment is severely limited," Mestrovich said.
Rubrik's public acknowledgement of the breach and remediation is a good faith gesture to its customers, according to Ellis.
"They're a hot target," he said. "Any BaaS vendor is going to be a hot target. [But] they're in a better position than most to know what's going on."
Keeping tabs on what services a backup SaaS vendor uses within its own stack should be top of mind when selecting backup SaaS services, said Krista Macomber, analyst at Futurum Research.
Customers should ask about encryption standards, network multitenancy separation and infrastructure patching cycles as well as work with a BaaS vendor that uses standards aligned with their own.
"It's fair game to ask these tough questions," Macomber said. "The vendor should be able to provide that level of visibility so that the customer has an understanding of how their information is being handled."
Brian Spanswick, CISO and head of IT at Cohesity, a data protection and cybersecurity vendor, said he expects such questions from customers. Like Mestrovich, he supports developer teams remaining nimble in using new services but asks questions akin to Macomber's suggestions before approval.
"I'm not outsourcing my security," he said. "My security posture requirements have to be met and supported by those vendors."
Savvy attackers are aware that backups are a crucial part of a company's recovery process, making the destruction or removal of these files an important part of the shakedown, noted Christophe Bertrand, analyst at TechTarget's Enterprise Strategy Group.
"They take away how you can recover," Bertrand said. "If they're going to ransom you, that's even better."
When considering SaaS backup options, Bertrand said customers should prioritize snapshot immutability, which can prevent changes to enterprise data if data is stolen or an important control plane is accessed.
Assessing how a specific backup vendor handles its security and performs backups can also dictate strategy, Ellis added. He noted Dropbox, a popular file storage service, changed its operating environment from AWS to on-premises several years ago. Those sorts of changes can affect previous security and data sovereignty assumptions, requiring customers to stay abreast of service agreement changes.
IT teams should also continue to implement and stress the importance of multifactor authentication or multi-user approval, as the process gives yet another check against misuse, Ellis said.
Customers and vendors alike cannot assume even their most stalwart practices give them immunity, Bertrand said, as the many individuals looking for a ransomware payday have time to lie in wait for an opportunity.
"You have hundreds of thousands of people who are going after software vendors and looking at code [for weaknesses]," Bertrand said.
Even the most secure code is still vulnerable to human error through social engineering campaigns or misconfigurations, making a combination of training and rigorous testing important to maintain working backups, Spanswick said.
"I don't trust training alone as a way to create the level of security necessary to be trusted with customers' data," he said. "Most of the cyber events I've dealt with in my career have been social engineering and insider threats."
Keeping abreast of the best security hygiene practices will ultimately benefit backup security, Macomber said. Attacks that affect enterprise security result in compromised backups and could introduce the possibility of ransomware.
"Backups and data protection play a specific role in the security stack," she said. "You can't have a conversation on one without the other."
Tim McCarthy is a journalist from the Merrimack Valley of Massachusetts. He covers cloud and data storage news.