CIOReview | September 2017

application should be the only way to execute these functions. This is akin to how current versions of web servers disable directory browsing.

INTEGRITY

· How secure are the services (or daemons, if your solution is *NIX-based) that your enterprise backup solution uses? For example, many Windows-based applications leverage the Volume Shadow Service. How easy is it for a threat actor to manipulate this service? At a minimum, this could be a way for someone to disrupt your backups. Worse, it could be their way into your data.

· Does the enterprise backup solution provide APIs or web services for your SIEM (Security Information and Event Management) product to consume? If it does, are these services capturing the event IDs and other data important to you? If you don't have a SIEM, hopefully your organization has a strategy to securely copy your backup log data into a secondary logging source, such as a separate syslog server. Without either, how do you know your backups haven't been compromised? A clean set of backup logs will go a long way toward validating this.

AVAILABILITY

· At the core of backups is data restoration. This is even more critical in the face of today's malware attacks, especially ransomware. If your organization is successfully attacked by ransomware, you basically have two choices: pay the ransom or restore from backups. Does the enterprise solution meet your RTO (Recovery Time Objective) and RPO (Recovery Point Objective) requirements, and do those requirements factor in cybersecurity attacks and recovery?

· Look for enterprise backup solutions that don't require clients to connect to CIFS-mounted locations. With the increasing number of malware attacks leveraging SMB vulnerabilities, this has become a bigger issue.

· If your organization is opting to outsource data backups, in part or completely, what are the security practices of your provider's data center? Examples of data center industry standards to look for are SOC2 Type 2, SSAE 16 and, for government agencies, FedRAMP.
What you should look for depends on the type of organization you are and the type of data to be stored. There is a lot to consider with any enterprise backup solution or service purchase, and it is easy to get lost in the details. Try taking a step back and consider the following:

· Map out how the proposed backup solution would fit into your organization architecturally. Identify every point at which your data is handed off or redirected (especially outside your network, if hosted) and ask yourself whether there are security concerns at any of those points. If so, what has the vendor done to mitigate them?

· Map out how the backup solution would fit into your organization from a service perspective. How is security provisioning handled? Are permissions granular enough for how you operate? How easy and quick is it to restore data in cases such as ransomware attacks?

· Read reviews from trusted sources, preferably ones you know. If looking at third-party reviews, focus on those that share their testing methodology. Also, look at whether their studies are financed by independent groups or by vendors in that space. If the latter, you may want to question their motivation and approach. This has been a point of contention in the cybersecurity vendor space.

Lastly, make sure someone from your cybersecurity team is involved in your backup procurement. By giving them a voice in the selection process, you will ensure that your next enterprise backup solution is prepared to address any security concern that may arise.

Ihaab Dais