When the public cloud first appeared, security between tenants in a system was a major issue. Traditional noncloud vendors jumped on the opportunity to slam the cloud approach, but cloud service providers have proven that they have the resources and on-board expertise to make their environments secure.
But are these cloud backups as safe as the old tape in the salt mine approach? Let's break the secure cloud backup question into component risk vectors.
First, black hats trying to read stored data can be easily blocked. Most good backup software enables Advanced Encryption Standard-class encryption, with possible super-encryption in the manner of the Triple Data Encryption Standard. As long as the keys are kept within a very small group of the data owner's staff, the data won't be published by WikiLeaks.
Ransomware attacks, which render data inaccessible, are still an issue, though. A solution for secure cloud backup is to limit credentials to those administrators who work on the backups regularly and to keep an access log to spot anomalies in access, such as downloading critical files. With tight access control, ransomware has limited ways to get to the backup images. Deleting files is another form of attack, with the same antidote approaches as ransomware.
Making the backup repository read-only for existing content and enabling add-only for new content is one way to secure cloud backup and increase protection against ransomware-type attacks. This is write-once, read-only access. In other words, data in the backup archive cannot be overwritten, changed or deleted. If the ransomware black hat can't change the file, it should be very safe. This approach is similar to taking snapshots, and it creates the ability to roll back the archive to a point in time for a clean recovery.
But do risks still exist? The human factor should never be underestimated when trying to achieve secure cloud backup. For example, a coder might botch a revision of the backup code. You should therefore test all upgrades thoroughly and generally be conservative about making them happen.
Replication protection and geo-dispersion make the cloud seem foolproof against data loss, but it's a good idea to keep a second copy of the data and make it hard to open. This provides a fallback if all else fails.
Explore the CIA model for secure cloud storage backups
Protect your data in the public cloud
Guide to cloud backup best practices