CIOReview | September 2017

CYBERSECURITY CONSIDERATIONS IN SELECTING AN ENTERPRISE BACKUP SOLUTION

By Lester Godsey, CISO, and Ihaab Dais, Security Architect, City of Mesa

Endpoint protection seems to be the cybersecurity word of the day, with the news being dominated by ransomware and leaked hacker tools. However, security professionals across the board will tell you that cybersecurity should be at the forefront of all enterprise decisions, including the choice of backup solution. Consider the following:

· Depending on your architecture, backups may contain all of your organization's data in a single location. Even if it is tiered using a 3-2-1 approach, your backup application is a single point of data ingress and egress. Think of it this way: threat actors know that there is at least one enterprise service that touches virtually every piece of data your organization cares about.

· If you are looking at storing data offsite, how vulnerable is your data in transit? This isn't to suggest that transport isn't an onsite concern, but it is amplified when data is stored in the public cloud. How well does your backup solution handle key management? Encryption is only as good as the key management behind it.

· Backups are a service ripe for disruption. Whether as a diversionary attack or as a strategic effort to disrupt an organization's ability to recover from malware, backups are a key component of DR/BC readiness.

As you tackle your selection process, consider the CIA triad model: confidentiality, integrity and availability. Are the backup solutions you're looking at adequately addressing these from a cybersecurity perspective? Below are some criteria you may want to incorporate into your evaluation process, based on this model:

CONFIDENTIALITY

· At a minimum, your backups should support encryption at rest and in flight. Some data types, such as Criminal Justice Information Services (CJIS) data, require encryption in both states depending on location.
· Operationally, how do you provide backup services? For example, if your help desk is responsible for restores but not backups, make sure your enterprise backup application can grant your help desk restore permissions only. Along these lines, your IT staff shouldn't need root or full admin rights to perform daily tasks. Make sure your application leverages service accounts for those sorts of elevated activities. The principle of least privilege applies to enterprise backups as well.

· Clients should not have the ability to browse or, worse, directly access the backup repository. The enterprise backup
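As an added illustration, not part of the column and not any product's code, the criteria above can be expressed as a policy-as-code check that a reviewer runs against a candidate solution's settings; the configuration schema, its field names and the two sample configurations are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class BackupConfig:
    """Hypothetical schema for this example; no real product uses these fields."""
    encrypt_at_rest: bool
    encrypt_in_flight: bool
    key_store: str               # "external_kms", "separate_host" or "in_repository"
    helpdesk_permissions: set    # what the help-desk role may do in the backup app
    daily_ops_use_root: bool     # operators use root/full admin for routine tasks
    clients_can_browse_repo: bool
    copies: int                  # 3-2-1: total copies, distinct media, offsite copies
    media_types: int
    offsite_copies: int

def evaluate(cfg: BackupConfig) -> list:
    """Return one finding per criterion the configuration fails (empty list = pass)."""
    findings = []
    # Confidentiality: at a minimum, encryption at rest and in flight.
    if not cfg.encrypt_at_rest:
        findings.append("no encryption at rest")
    if not cfg.encrypt_in_flight:
        findings.append("no encryption in flight")
    # Encryption is only as good as its key management: a key kept inside the
    # repository is readable by anyone who can read the repository.
    if cfg.key_store == "in_repository":
        findings.append("encryption keys stored inside the backup repository")
    # Least privilege: a restore-only role must not also hold backup/admin rights.
    extra = cfg.helpdesk_permissions - {"restore"}
    if extra:
        findings.append("help desk holds more than restore: " + ", ".join(sorted(extra)))
    if cfg.daily_ops_use_root:
        findings.append("daily tasks run as root/full admin instead of service accounts")
    # Clients must not browse or directly access the repository.
    if cfg.clients_can_browse_repo:
        findings.append("clients can browse the backup repository")
    # Availability: 3 copies, on 2 media types, with at least 1 offsite.
    if cfg.copies < 3 or cfg.media_types < 2 or cfg.offsite_copies < 1:
        findings.append("does not meet 3-2-1 (3 copies, 2 media types, 1 offsite)")
    return findings

# Constructed sample configurations: a weak deployment and a hardened one.
WEAK = BackupConfig(True, False, "in_repository", {"restore", "backup", "delete"},
                    True, True, 2, 1, 0)
HARDENED = BackupConfig(True, True, "external_kms", {"restore"}, False, False, 3, 2, 1)

if __name__ == "__main__":
    for name, cfg in (("weak", WEAK), ("hardened", HARDENED)):
        print(name, evaluate(cfg) or ["pass"])
```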