Data Storage, Backup, and Recovery
(from CompTIA Advanced Security Practitioner (CASP+) CAS-004 Cert Guide, 3rd Edition)

While data owners are responsible for determining data access rules, data life cycle, and data usage, they must also ensure that data is backed up and stored in alternate locations so that it can be restored. An organization must determine how data is stored, including data in use and data that is backed up. The operations team must also determine which data is backed up, how often it is backed up, and the backup method used. While protecting data on a device is always a good idea, in many cases an organization must comply with an external standard that sets the minimum protection for data on the storage device. For example, the Payment Card Industry Data Security Standard (PCI DSS) enumerates requirements that payment card industry participants must meet to secure and monitor their networks, protect cardholder data, manage vulnerabilities, implement strong access controls, and maintain security policies.

Reduce the likelihood that bad actors get their hands on both the encrypted data and the keys needed to decrypt it by using a third-party key management system. It will likely cost more than the key management built into your backup system, but it is well worth considering, especially if your system stores its keys inside a database that is encrypted only with the Windows machine key. That key is far too easy for adversaries to access once they escalate privileges, and once it is accessed, your encryption keys are exposed.

This recommendation is less obvious than the others but may be the most important: bad actors can't encrypt, delete, or exfiltrate backups they cannot see as files, so don't give them that option. This includes locally attached disk arrays formatted as the F:\ drive and deduplication appliances mounted via NFS or SMB. Instead, ask your backup-software or deduplication vendor for a more secure way to connect the two. It's best to have this conversation before you buy, but most products have a way to do this.

Store backups on a different operating system. Most backup systems have the concept of media servers or storage servers where backups are stored. They should run a different operating system from the main backup server, especially if that server is Windows, which is a frequent ransomware target. Storing backups on a different OS helps build an air gap around them.

If your backup software supports it, use Linux's immutability flag on your backups. When it's enabled, nobody, attackers included, can delete backup files once they're written, so it offers some protection. One important caveat: the flag is easily removed by anyone with root, so a bad actor with escalated privileges can unset it and delete the backups.

Tape is enjoying a resurgence in popularity because, when offline, it is impervious to electronic attacks. The same is true of RDX, the removable disk-drive technology that behaves a little like tape. If you have the time to write a copy to tape and send it offsite, an attacker will have a hard time getting hold of it.

Unlike tape or on-premises storage with immutable features, cloud storage can be truly immutable. If you set the full immutable flag when copying backups to the cloud, even the cloud admin can't delete them, and the flag is removed automatically once the retention period passes. You should also configure your S3 buckets so they can only be written to by your backup application.
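The two cloud settings above, the full immutable flag and a bucket that only the backup application may write to, as an added example on AWS S3 (not code from the cert guide or from the article quoted above). It assumes S3 Object Lock in COMPLIANCE mode for the "full immutable" flag and an IAM role for the backup application; the bucket name and role ARN are placeholders.

```python
import json

# Placeholders (constructed for this example): your bucket and the IAM role the
# backup application assumes when it writes to S3.
BUCKET = "example-backup-bucket"
BACKUP_ROLE_ARN = "arn:aws:iam::123456789012:role/BackupWriter"
WRITE_ACTIONS = {"s3:PutObject", "s3:DeleteObject", "s3:DeleteObjectVersion"}


def object_lock_config(retention_days: int) -> dict:
    """Default Object Lock rule (Object Lock must be enabled at bucket creation).
    COMPLIANCE mode is the 'full immutable' setting: nobody, the account root
    included, can delete a locked version or shorten its retention until the
    period expires. GOVERNANCE mode is the weaker, bypassable setting."""
    if retention_days < 1:
        raise ValueError("retention must be at least one day")
    return {"ObjectLockEnabled": "Enabled",
            "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": retention_days}}}


def backup_writer_policy(bucket: str, backup_role_arn: str) -> dict:
    """Bucket policy: explicit Deny on uploads and deletes for every principal
    except the backup role. An explicit Deny beats any Allow granted elsewhere,
    so a compromised admin identity still cannot overwrite backups or hide them
    behind delete markers (which Object Lock alone does not prevent)."""
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "OnlyBackupAppMayWrite",
        "Effect": "Deny",
        "Principal": "*",
        "Action": sorted(WRITE_ACTIONS),
        "Resource": f"arn:aws:s3:::{bucket}/*",
        "Condition": {"StringNotEquals": {"aws:PrincipalArn": backup_role_arn}},
    }]}


def policy_restricts_writes(policy: dict, backup_role_arn: str) -> bool:
    """Audit an existing bucket policy: True only if some Deny statement covers
    every write action for all principals other than the backup role."""
    for st in policy.get("Statement", []):
        actions = st.get("Action", [])
        actions = {actions} if isinstance(actions, str) else set(actions)
        cond = st.get("Condition", {}).get("StringNotEquals", {})
        if (st.get("Effect") == "Deny" and st.get("Principal") == "*"
                and WRITE_ACTIONS <= actions
                and cond.get("aws:PrincipalArn") == backup_role_arn):
            return True
    return False
```

Serialize each document with json.dumps and apply it with aws s3api put-object-lock-configuration and aws s3api put-bucket-policy respectively; policy_restricts_writes can be run against the output of get-bucket-policy as a periodic check that the restriction is still in place.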