Today’s forecast for data backups: mostly cloudy with a chance of being hacked; scattered malware infections; but later becoming more secure after taking better precautions. And there’s your trouble… not enough of the right precautions.
Fortunately, the Cloud Security Alliance (CSA) are on top of this. They’re ‘the world’s leading organisation dedicated to defining and raising awareness of best practices to help ensure a secure cloud computing environment.’ Here’s a summary of what they reckon you should be addressing first (read here for the full report) – it’s known as the Notorious Nine:
1. Data loss
It’s certainly the greatest threat to data security. Since your backup data is in the hands of the cloud service provider, a lot of trust is placed in that relationship.
The agreement with both your cloud service provider and your backup service provider needs to ensure that measures to protect against accidental deletion and unauthorised access are in place and that some form of redundancy exists to protect against data loss.
2. Data breaches
Your company’s confidential information can accidentally or deliberately be read by an unauthorised third party. When your cloud backup server sits on a shared platform that was not designed for multi-tenancy, other tenants could gain access to your databases.
The easiest way to mitigate this is by encrypting your cloud backups both in transit across the network and at rest in the backup server database.
3. Account or service traffic hijacking
When someone hijacks your accounts it’s because they got hold of your credentials, either through phishing, cross-site scripting, or social engineering techniques. Once this has happened, who knows what the perpetrators will get up to?
Take control of your backup accounts by not sharing accounts between employees, not re-using credentials across accounts, and also by implementing two-factor authentication as part of the log-on/sign-in process.
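The three account controls above can be checked against an account inventory. The following is an added example, not taken from the CSA report; the inventory, its field names (`users`, `cred_id`, `mfa`) and the account names are constructed for illustration.

```python
from collections import defaultdict

# Constructed inventory of backup-service accounts (not real data).
# "users"   = employees who sign in with the account
# "cred_id" = opaque reference to the secret in use (e.g. a vault entry),
#             never the secret itself
# "mfa"     = whether two-factor authentication is enforced at sign-in
ACCOUNTS = [
    {"account": "backup-admin", "users": ["alice", "bob"],
     "cred_id": "vault-17", "mfa": False},
    {"account": "backup-ops", "users": ["carol"],
     "cred_id": "vault-17", "mfa": True},
    {"account": "backup-audit", "users": ["dave"],
     "cred_id": "vault-42", "mfa": True},
]


def audit_accounts(accounts):
    """Return {account: [findings]} for shared accounts, re-used
    credentials and missing two-factor authentication."""
    # Index accounts by credential so re-use across accounts is visible.
    by_cred = defaultdict(list)
    for acct in accounts:
        by_cred[acct["cred_id"]].append(acct["account"])

    findings = defaultdict(list)
    for acct in accounts:
        name = acct["account"]
        users = sorted(set(acct["users"]))
        if len(users) > 1:
            findings[name].append("shared by " + ", ".join(users))
        others = sorted(a for a in by_cred[acct["cred_id"]] if a != name)
        if others:
            findings[name].append(
                "credential reused with " + ", ".join(others))
        if not acct["mfa"]:
            findings[name].append("two-factor authentication not enabled")
    return dict(findings)


if __name__ == "__main__":
    for account, problems in audit_accounts(ACCOUNTS).items():
        for problem in problems:
            print(f"{account}: {problem}")
```

Accounts with no findings are omitted from the result, so an empty dictionary means every account passed all three checks.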
4. Unsecured interfaces and APIs
APIs provide greater flexibility in implementing a backup solution and also allow greater automation capabilities. However, with a solution that is so integrated with third parties, some control is inadvertently relinquished. This can make the data being transferred vulnerable to network eavesdropping and manipulation.
Here, the CSA recommends, ‘…it is critical for consumers of those services to understand the security implications associated with the usage, management, orchestration and monitoring of cloud services.’
5. Denial of Service
Denial-of-service attacks, more commonly known as DDoS (distributed denial-of-service) attacks, are nothing new, and you’ll know you’re being targeted when your IT systems seem to come to a grinding halt. The degradation in performance occurs because the attacker is consuming as many computing resources as are available; this can leave you unable to access valuable backups, or you might get billed by your cloud service provider for processing you never intended.
The Cloud Controls Matrix (CCM) has four controls to help mitigate this threat: IS-04, OP-03, RS-07 and SA-04. They deal with resource planning and application security.
6. Malicious insiders
These include current as well as former employees, or any other business partner with confidential knowledge of your business. A malicious insider can leave your business especially vulnerable since they usually know which data security measures to circumvent.
Better IT policies around credential and role management will help prevent unauthorised access to your backup data.
7. Abuse of cloud services
Since your cloud backups make use of services that give you access to vast amounts of computing power, this power can be abused if it falls into the wrong hands, for example to construct a denial-of-service attack or to try to brute-force an encryption key.
Remedial recommendations can be found under CCM controls IS-24 and IS-26, which help define the legal parameters of the abuse and also describe an ‘acceptable use’ policy.
8. Insufficient due diligence
Cloud services are inherently complex in their hardware and software configurations. Additional factors come into play with distributed environments where legalities exist around data ownership across borders.
Before adopting full-scale cloud backups, your cloud service provider should be scrutinised for compliance with legislation such as the ‘Safe Harbour’ agreement and other data protection regulations relevant to your region.
9. Shared technology vulnerabilities
Virtual machines and containers (like Docker) aim to provide isolated computing environments but sometimes data security vulnerabilities exist that can leave gaps in the boundaries between environments. These software vulnerabilities on cloud backup servers could render any number of customers vulnerable to data loss.
Tightening IT policies around better encryption, user access management, early software patching, and proper testing will help prevent loopholes from being exploited.