What backup security measures protect against data breaches?

Hardly a day goes by when there isn't news of a new data breach.

Even though each one has been unique, the breaches have collectively demonstrated that hackers will exploit any available resource in an effort to gain access to data. This includes backup systems. The question therefore becomes a matter of how best to protect backups.

Backup security measures inevitably vary from one organization to the next. For example, protections for tape-based backup are different from protection for disk backups.

If your organization is backing up to tape (or other removable media), then one of the most important backup security measures to consider is that the tape could walk right out the door. As such, it is important to physically restrict access and to ensure that, if a tape is stolen, its data is unusable. You can accomplish this protection through certificate-based encryption.

Having the tape drives reside in a data center already provides some degree of physical protection, because a random person off of the street probably can't just walk in unimpeded. However, there are other backup security measures you can take. If, for example, tape backups run overnight, then schedule the backup jobs so that they complete just as the backup operator is arriving for work in the morning. That way, the backup operator can immediately remove and secure the tapes.

In the case of disk-based backups, the backup storage must be physically secured against theft, but there are also other considerations. Make sure that the backup target is on a dedicated network backbone that only includes backup servers and targets. Additionally, all traffic in and out of the backup servers should be encrypted using Internet Protocol Security or something similar. You can add an additional layer of security by moving backup traffic -- between your backup servers and the resources that they are protecting -- to a dedicated virtual LAN.

Just as an organization needs backup security measures for tapes to be protected against theft, the disks in your backup appliance need protection as well. Encrypt the disks using BitLocker or something similar. It's also important to have a rigid protocol in place for securely disposing of used backup disks whenever they are replaced.

If you opt to use cloud-based backups, then set up a dedicated account for use with those backups, rather than using your cloud administrator account. Some organizations have also been known to use erasure coding techniques to stripe backups across multiple clouds, as a way of preventing any one cloud provider from having a complete and readable copy of the data. This technique can also provide a degree of redundancy that enables you to restore your data, even if a particular provider drops offline. Finally, if you are using a cloud storage gateway, then make sure to follow all of the manufacturers' recommendations for securely configuring the device.