How Secure Are Your Cloud Backups?
In a treacherous cyber-security environment that’s seeing malvertising (malicious advertising), ransomware and other attacks on the rise, enterprises are seeking a safe option for keeping their sensitive operational data, applications and intellectual property secure from the threat of theft, data breaches, file corruption, and malicious encryption.
Being able to restore systems and networks to a clean state after damage has occurred – or simply to ensure that day to day file maintenance proceeds unhindered – makes it essential for organizations and individuals to have pristine backups of their vital information available at all times.
Performing and testing backups regularly requires some investment in time and labor – and for this reason, many prefer to offload this responsibility to a backup service hosted and administered in the cloud. But even with the adoption of cloud services increasing, entrusting mission-critical or confidential data to a third party still raises some concerns.
On the one hand, data that’s regularly backed up or synchronized (synced) to a cloud service is safer from loss than information that’s archived and handled in-house. But on the other, cloud hosted services may present a greater opportunity for data to be stolen or compromised.
‘The Treacherous 12’
During a conference earlier this year, the Cloud Security Alliance (CSA) published its list of the top twelve cloud-based threats which enterprises will face in 2016. Their so-called ‘Treacherous 12’ covers a range of factors which could adversely affect users of cloud backup services.
1. Data breaches
Distributed cloud storage servers may hold terabytes of corporate data, including financial information, user credentials, health records, and intellectual property – value targets for potential thieves and hackers. Loss of this data could mean huge financial costs, lawsuits from affected parties, fines for regulatory compliance breaches, and a negative impact on brand images and reputations.
While cloud services typically protect their facilities with strong security controls, the CSA recommends that enterprises use encryption and multi-factor authentication to increase the protection of their data from breaches.
2. Compromised authentication and credentials
Weak passwords and poor management of encryption and security keys or certificates, flawed allocation of privileges and access rights for specific jobs, and neglecting to revoke access from users who have left an organization or shifted roles are among the factors contributing to data breaches and cyber-attacks.
Users should be aware of their cloud provider’s policy on storing identities. If credentials or encryption keys are held in a central location that’s publicly accessible, there are risks involved. Precautions such as one time only passwords, smart cards and multi-factor authentication (e.g. SMS text code verification) can help mitigate these risks.
3. Hacked APIs and user interfaces
Application Programming Interfaces (APIs) are a feature offered by many cloud providers, allowing IT staff or third party consultants to tweak their administrative console software and user interfaces. In the process, these APIs (often accessible from the public internet) may become compromised, or provide access to user credentials. The CSA recommends rigorous code and application testing.
4. System vulnerabilities and exploits
With enterprises sharing infrastructure, databases, memory, and other resources on a multi-tenant cloud platform, there’s scope for system and software flaws to be exploited by malicious actors. Organizations can do much of the preventative work themselves, but should also consult with their service providers to determine what measures they have for vulnerability scanning, system updates, and security patching.
5. Hijacked Accounts
Cloud architecture may provide hackers with opportunities to “listen in” on transactions, manipulate data, or use cloud-based applications and resources to stage other attacks. Phishing and other fraudulent activities may also give perpetrators access to user accounts.
Account credentials should not be shared between users and services, and account activities should be monitored so that each transaction is traceable to a specific user.
6. Malicious Insiders
Disgruntled current or former employees, and individuals recruited or extorted to sabotage or gain access to sensitive corporate data may target crucial elements of a cloud service, such as its encryption technology. Even simple human error may contribute to giving intruders access, or in compromising systems and data.
Organizations should clearly define duties and those responsible for them, and restrict network and resource access to the lowest level required for users to do their jobs. They should also keep activity logs, audit and monitor network use, and control access to encryption keys and processes.
7. Advanced persistent threats (APTs)
These may involve the infiltration of corporate networks, and a gradual process of siphoning off information from them. Unsecured connections to third party networks, phishing, direct assault, and booby-trapped USB devices may allow malware onto systems and backups.
A good cloud provider will use sophisticated techniques to avoid APTs – but organizations are advised to be on the lookout for signs of infiltration, and to use security awareness training to educate their users.
8. Permanent loss of data
Cyber-attackers have been known to permanently erase data on cloud servers in an attempt to cause harm – though this is a rare occurrence. And natural disasters or catastrophic power outages can have an effect on cloud data storage.
For this reason, cloud providers usually operate from protected sites (beefed up physical security, video surveillance etc.) in fair weather locations. They may also advise clients to distribute their data across multiple zones, and use partitioning technology to ensure exclusive access to specific portions of their infrastructure.
9. Lack Of Due Diligence
Organizations are advised to study and understand the implications of using cloud technology and applications, before entering a service contract. That simple.
10. Abuses Of Service
To guard against the hijack of cloud resources for dubious or criminal purposes, providers should scan activities on their networks, and make tools available to their clients for monitoring their cloud environments. There should also be a procedure for clients to report on cases of abuse.
11. Denial of Service (DoS) Attacks
Having pristine backups is useless, if you can’t gain access to them. And that’s what Denial of Service or DoS attacks are dedicated to ensuring. They range from low-level attacks targeting specific applications, web servers or databases to full-blown assaults on major networks (Distributed Denial of Service or DDoS).
A capable backup provider will have a plan in place to reduce the effects of attacks before they occur, and to allow administrators access to essential data and resources.
12. The Shared Environment
With cloud architectures based on shared infrastructure, applications and resources, there’s potential for damage to spread from one area of vulnerability to a host of others.
The CSA advises providers to use a multi-part strategy with intrusion detection systems (IDS) and multi-part authentication on all hosts and networks, the splitting up of networks into logical segments, and the automated security patching of all shared resources.
The Need For Encryption
Encryption (scrambling, so it can’t be read) of data while it’s in transit may be done using backup client software at the source (i.e., within the organization) – which can lead to headaches over the management of passwords and encryption keys. It may alternatively be accomplished using a secure transmission tunnel or Virtual Private Network (VPN), or via a data transfer protocol (like FTPS or sFTP) which allows for encryption.
In any event, the cloud backup option you choose should come with an assured method of data encryption.
The Need For Compliance, Authorization and Integrity
Not all cloud providers were created equal. The one you choose for backups should use technology and techniques in keeping with any regulations and compliance regimes required by your industry (e.g. Sarbanes Oxley for financial transactions, or HIPAA in the health sector).
Within their own network, the provider should have protocols and tools in place to ensure that client data isn’t accessible to unauthorized parties, and that information stored on their servers is secured against tampering.
Ultimately, it’s down to each organization to decide the ideal mix of on-site and cloud storage of operational data and backup files. It’s also the responsibility of the enterprise to ensure that users are made aware of their rights and roles with regard to data handling, and are educated in secure practices.