Don’t Compromise Security When Backing Up Data

Brien Posey


Whether an organization is backing up data locally, or working with an external provider, security must be an integral part of the backup process. Most organizations go to great lengths to protect their data. Creating a backup process that is potentially insecure could completely undermine such an organization’s security efforts.

There are countless steps that an organization could take to improve the security around backing up data, but most fall into three best practices.

The first of these best practices is to control access to backup resources. A good backup solution should support Role Based Access Control (RBAC). An RBAC mechanism allows administrators to grant backup operators the ability to perform specific tasks, without giving them full access to the entire backup system. A backup application’s access control mechanism should also perform audit logging of all backup and recovery related activities.

A second best practice for backing up data should be to encrypt at all stages of the process. This is often referred to as protecting data at rest and in flight.

Protecting data at rest means encrypting the backup media. This can refer to storage level encryption of a backup storage array, or to the encryption of backup tapes. In any case, encryption should be enabled regardless of the backup media type that is being used.

Encryption in flight means encrypting data as it flows across the network on its way to being backed up. The in-flight encryption requirements will vary depending on the backup architecture that is being used. In many organizations, data flows from the protected resource (the server that is being backed up) to a backup server, and then from a backup server to a backup target (the backup storage media). The data should be encrypted in each stage of its journey.

Although backing up data in flight is often a function of the backup software, agentless backup applications may lack a native network encryption mechanism. In these situations, the IT staff may need to enable an external form of encryption such as IPSec. Some organizations take security a step further by routing backup data across a dedicated network segment or a dedicated VLAN in an effort to isolate the data from other network traffic.

A third best practice for backup security is to establish a chain of custody for your data. The logistics behind a chain of custody will vary widely depending on how an organization structures its backup processes. In any case, the chain of custody establishes documented accountability for anyone handling backup data. If an organization uses a courier service to ship backup tapes offsite for example, then a chain of custody could be used to track the whereabouts of backup tapes at a given moment.

Ultimately, there is no magic formula to establishing a secure backup process. Backup security means adhering to industry best practices while implementing processes that mandate accountability for anyone with access to the backups.


More in Privacy & Security