Many storage professionals responsible for backups believe that the mere existence of a process for replicating sensitive data is all that's needed to keep the organization secure. But that's only half the battle. It's what can be done with the data backups after the fact that introduces an entirely different set of risks that are often overlooked. Here are 10 ways you can ensure that your data backups are secure:
- Ensure your security policies include backup-related systems within their scope. Practically every type of security policy -- from access controls to physical security to system monitoring -- applies directly to data backups.
- Include your data backup systems in your disaster recovery and incident response plans. Data backups can be breached, compromised or destroyed. Be it a malware outbreak, employee break-in or hurricane -- otherwise good backups can be adversely affected and you need to have a plan outlining what you're going to do if that time comes.
- Assign backup software access rights only to those who have a business need to be involved in the backup process. Be sure not to overlook any Web-based interfaces that provide backup access and keep your original backup software media secured as well.
- Store your backups offsite or at least in another building. I know this sounds pretty basic, but I still see it a lot. A fire or other incident could be all that's needed to take out your data center and your backups in one fell swoop.
- However you choose to store your backups -- be it on tape, network-attached storage (NAS), or external drives -- be sure to control access to the room/car/house in which the backups stored. Handle your backup media as you would any other critical hardware.
- Use a fireproof and media-rated safe. Many people store their backups in a "fireproof" safe, but typically one that's only rated for paper storage. Backup media such as tapes, optical disks and magnetic drives have a lower burning/melting point than paper and a standard fireproof safe only serves to provide a false sense of security.
- Find out the security measures that your vendors for offsite storage, data center and courier services are taking to ensure that your backups remain safe in their hands. Although lawyers like good contracts, they're not enough. Contracts do offer fallback measures but they won't keep sensitive data from being exposed in the first place, so make sure reasonable and consistent security measures are taking place with any vendor that has a hand in your backups.
- Password-protect your backups at a minimum. Passwords aren't foolproof because some people with special skills and tools may be able to crack the code, but it is a level of security that should be considered. That said, password-protection is better than nothing, and at least provides a layer of security.
- Encrypt your backups if your software and hardware support it. As with laptop computers and other mobile devices, portable backup media need to be encrypted with strong passphrases especially if they're ever removed from the premises. Encryption implemented and managed in the right way serves as an excellent last layer of defense. It also helps provide peace of mind knowing that the worst outcome is that you'll have to buy new backup media -- especially when it comes to compliance and data breach notifications.
- You've heard it a thousand times but it deserves repeating: Your backups are only as good as what's on the backup media. There are two sides to this coin. First, make sure your backing up everything that's important. Most backups are server-centric but what about all of that unstructured data scattered about on your workstations and mobile devices that isn't getting backed up? Second, test your backups occasionally -- especially if you're using tape. There's nothing worse than recovering from a loss and only to find out you backed up the wrong data or no data at all.
Odds are that many of these data backup weaknesses exist in your shop. It'll pay to find out where you're vulnerable before you're impacted. Look at both your data backup processes and systems to identity where the gaps are. Or hire an unbiased third-party to find the holes. It's usually little problems like these that are not so obvious to uncover but oh so painful when the time comes.
About the author: Kevin Beaver is an independent information security consultant, keynote speaker, and expert witness with Atlanta-based Principle Logic LLC where he specializes in performing independent information security assessments. Kevin has authored/co-authored seven books on information security including "Hacking For Dummies" and "Hacking Wireless Networks For Dummies". He's also the creator of the Security On Wheels information security audio books and blog providing security learning for IT professionals on the go. Kevin can be reached at email@example.com.
Do you have comments on this tip? Let us know.
Please let others know how useful this tip was via the rating scale below. Do you know a helpful backup tip, timesaver or workaround? Email the editors to talk about writing for SearchDataBackup.com.
This was first published in November 2008