Everyone seems to be on the online backup bandwagon. It's convenient, it requires little effort, and it'll ensure you get those backups completed and offsite once and for all. Oh, it adds a much-needed
But wait a minute. The marketing minds can put a positive twist on anything. Online data backup offers a lot of value, however, there are downsides you absolutely need to be aware of. There's too high a price to pay to bury your head in the sand over something so important. Here's what you need to consider:
- You still have to make sure you're backing up what matters. Every network I've come across has unstructured data scattered across hundreds, often thousands, of unprotected islands. Users almost always have critical business files on their local systems. Is every file critical to your business getting backed up? What about Macintosh and Linux systems -- are they supported? Furthermore, does your online backup service allow you to back up everything, including the OS? Probably not, if it can't handle open files. How's that going to affect your business continuity and/or recovery time when a drive in one of your laptops or servers dies? That's easily a day or more worth of work just to get a base install up and running. You'll still have to factor in restoration time, which can be considerable if you have to download a lot of data.
- Capacity planning is something you'll want to consider, too. Are you going to end up needing more online backup space than you originally thought? Not having enough space to store what really needs to be protected is not only a financial issue, but it could also end up being a business continuity/disaster recovery concern. You have to think ahead about what you're going to rely on if something happens to all of your critical servers and workstations, or even your building.
- In the event an unauthorized outsider or rogue employee obtains login credentials into the online backup environment, what happens if they try to restore data to their system? Once they're in, will they have free rein to everything you've backed up?
- There are several scenarios that can create a false sense of security that everything's backed up and secure: 1) you have open files in Outlook, Word and so on when the backup runs, and those files don't get backed up because the service you're using can't handle open files; 2) users shut their systems down or Microsoft decides your computers need to reboot due to a forced patch and the backup never completes; and 3) the Internet connection at your business and especially at your users' offsite locations drop and the backups don't complete. Given the speed differential and the Internet component in the equation with online backups, the window of "backup opportunity" can narrow considerably and something's bound to come up and get overlooked.
- If you're backing up multiple systems to an online repository, there are bandwidth issues you've got to consider. Is this process -- especially during the initial full backup phase -- going to gobble up precious Internet bandwidth and prevent your customers from reaching your online presence or your employees from getting their work done? You also can't overlook the local resource requirements -- especially if file compression takes place on the system before data is uploaded. Is something like this going to get in the way of your users doing what they need to do like virus scans and disk defragmentation often do?
- Once backup data is removed from your online provider -- be it a single file or an entire backup set -- is it actually removed or does it linger online forever? This could create data retention and e-discovery liabilities. Better ask your lawyer.
- Is the data encrypted once it's uploaded? This is typically the case and not a big issue you need to be concerned with. The risk comes into play, however, if you ever forget your online backup password(s). This is especially important if your users are responsible for their own backups, which I think is very risky.
- Is the data encrypted in transit? Securing data in transit is typically not a high priority to me but there are some exceptions so you need to find out for sure. All it would take is some loophole in a service provider's process that allows data to be backed up or restored over an unsecured channel from, say, a user's unsecured wireless network.
- Perhaps most importantly is the security of the Web interface used to manage your online backups. Building on the previous point, it's ironic that so many businesses tout their online services as being secure because they use SSL. It's hardly that simple. With any Web site/application -- even if there's a thin-client component on the user end -- there are way more things to be concerned with. I often find weak login mechanisms that don't lock accounts after so many failed attempts, minimal password requirements, URLs that can be manipulated leading to command execution and directory traversal and on and on. In my work, I've seen enough businesses put systems on the Web that are riddled with security holes all the while assuming that a firewall, SSL and passwords equal security. Further rubbing salt in the wound all of these Web weaknesses can be exploited even when SSL is enabled. So now the attacker has an encrypted channel to carry out his misdeeds.
I dislike dealing with the administrative issues and security risks related to internal backup as much as anyone else. I do think there is promise in online backup. Just don't assume the grass is greener -- and more secure -- on the other side. Bottom line: know what you're getting into. Ask your vendor or prospective vendors about these issues and plan things out internally before you jump in. After all, it's your data … and your business.
About the author: Kevin Beaver is an information security consultant, speaker, and expert witness with Atlanta-based Principle Logic, LLC. Having worked for himself over the past seven years, Kevin specializes in performing independent security assessments and helping IT professionals enhance their careers through his Security On Wheels information security audio books and blog. He has also authored/co-authored seven books on information security including Hacking For Dummies and Hacking Wireless Networks For Dummies (Wiley). Kevin can be reached by email.
This was first published in April 2009