Best Practices for Secure Hybrid and Multi-Cloud Backup

Cloud computing has become ubiquitous and has reached the point where nearly half of all workloads run in the cloud. Currently, most organizations operate a combination of on-premises and public cloud workloads, known as a hybrid cloud. Typically, they keep key services within their data centers and use the cloud for customer-facing services, software applications and flexible data storage. The hybrid cloud model is ideal because it is not always possible, or even wise, to move everything to a hosted cloud for reasons like cost, performance and compliance.

A hybrid cloud is a combination of one or more types of public and private cloud architectures together with on-premise servers. A multi-cloud comprises two or more public cloud services. Predominant cloud architectures include Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Users appreciate the resiliency of the cloud and commonly adopt more flexible data retention practices than are the norm for on-premise data centers. According to Veeam’s 2023 Cloud Protection Trends report, nearly 50% don’t keep cloud data for longer than one year. Additionally, 34% believe that PaaS services like file shares do not need to be backed up, despite cloud-hosted data facing an equal volume and magnitude of cyber threats. We must do more to protect and secure our cloud data to ensure resilience.

These data retention policies offer little protection against inadvertent deletions or the growing threat of ransomware. In Veeam’s 2023 Ransomware Trends Report, 85% of surveyed organizations experienced at least one ransomware attack in the preceding year.

It’s only a matter of time before most companies experience a cyberattack. Even with the best ransomware defenses, bad actors can still penetrate as their attack vectors evolve and become more sophisticated. Tactics include phishing attacks, drive-by malware attacks from infected sites, and scanning your systems for vulnerabilities, such as unpatched software and account compromise.

Hackers only need to find one vulnerability to infect your system, and fending off every attack is difficult. Your ability to resist will depend on the steps you take to harden and protect your networks. Providing secure backups as a last line of defense against ransomware attacks is equally important.

Hybrid Cloud Security: The Importance of Prevention

Prevention is an essential part of any hybrid cloud security strategy that seeks to mitigate the risk of data loss because of security threats like ransomware. If you can prevent cybercriminals from breaching your cyber defenses, you can divert a ransomware attack. At the very least, you may detect an attack and respond before your data is encrypted or exfiltrated.

Cloud service providers are contractually obliged to protect their systems against intrusion and attack in accordance with their own shared responsibility models and SLAs. However, this liability does not extend to your data or to how you set up your network. It is the users’ responsibility to protect their data and systems in hybrid- and multi-clouds against cyber threats.

Important steps to harden your systems against attack include:

• Software patches. Keep all software and firmware up to date, and apply security patches as soon as they are released.
• System configuration. Avoid security gaps and vulnerabilities caused by configuration errors with your network, instances and virtual machines (VMs).
• Network segregation. Segregate your network into multiple partitions or domains using physical and virtual networks to prevent a single point of entry.
• Access control. Adopt least-privilege access controls, especially with sensitive networks and data.
• System monitoring. Continually monitor your networks for unusual CPU and network traffic, including detailed logging with built-in alerts.

Best Practices for Secure Cloud Backup and Recovery

As with any disaster recovery (DR) disaster recovery strategy, you need a robust contingency plan on how to respond to a ransomware attack. This plan should be dynamic and constantly reviewed to reflect organizational changes and adapted to new and developing threats.

Remember that ransomware extortionists are continually improving their tactics. Their goal is to make it impossible for you to recover from an attack unless you pay the ransom. To this extent, 93% of ransomware attacks now target your backups. This means it is essential to ensure your backup strategy is robust and secure against attack.

Let’s take a deep dive into hybrid and multi-cloud security best practices.

1. Follow the 3-2-1 Rule

The first and most important point to note is that your cloud provider is not responsible for backing up your data. While cloud providers synchronize data to mirror sites, this is to provide a fallback if the primary data center goes down. It is not a backup. If you are the victim of a ransomware attack, the constant synchronization means that both data sets will be encrypted.

Your backup strategy should, ideally, be based on the tried and tested 3-2-1 backup rule. This rule describes the minimum number of copies of data you should keep together with techniques to reduce the risk of loss due to common factors or events.

The digits in the rule explain how it works:

• The first digit of the 3-2-1 rule says you should always have three copies of your data.
• The second digit specifies that you should store your backups on two different types of media.
• The last digit implies that you should keep one copy offsite, whether that is on-premises to the cloud, intra cloud across regions or from one cloud to another.

2. Logically Air Gap Your Backups

The notion of a physical air gap for backups is long instantiated. However, in the cloud where data is constantly connected to the network, how do you achieve this air gap? We need look no further than the cloud providers well-architected frameworks or best practices that help us understand where security boundaries lie and how to keep backup resources separate from production. Note that there are subtly different security considerations between clouds; AWS it is accounts, Azure it is subscriptions and Google Cloud it is projects.

It is highly advised to utilize a dedicated account, subscription or project for your backups. Also, backup copies can be stored on on-premises storage like hardened Linux repositories, or immutable object storage, also possible on-premises or on another cloud altogether.

When constructing strategies that make your data cyber resilient and recoverable in a disaster, there are pros and cons to using either air-gapped or immutable storage. It’s a better idea to use both methods together to create an ultra-secure, resilient copy.

3. Immutability Ensures Integrity

The concept of an immutable backup is that the data can’t ever be changed. You can’t modify, delete or overwrite the data. Importantly, a hacker can’t encrypt an immutable file. So, immutable backups are secure backup files that you can rely on.

Most immutable solutions use write-once-read-many (WORM) technologies that lock the data. Examples include Amazon S3 Object Lock and immutable storage for Azure Blob. With immutability in the cloud, it is normal to specify a retention period, after which time, the data will be unlocked and can be subsequently deleted in line with data retention requirements or when controlling cloud storage spend. An alternative is to add a legal hold that overrides the retention period until specifically unlocked by an authorized user.

One provision exists regarding immutability — the data must be uncorrupted and free of malware or ransomware before being saved. If it isn’t, the data can be corrupted or encrypted when you attempt to use these files for recovery.

4. Principle of Least Privilege (PoLP)

Limit privileges to those required for each user, system, or application to perform their specific tasks or functions. This rule applies equally to backup and recovery operations and other employees’ tasks. You can also use Separation of Duties, where you have more than one employee responsible for key duties, ensuring no one has complete control over a key task. Leverage the following principles:

• Identity and access management (IAM): Use granular IAM roles to create fine-grain control over resource access and permissible actions. Continuously audit IAM roles and delete permissions no longer required, as well as rotating access keys for IAM users. A Zero Trust architecture, where users, devices, and applications are only given access to what they need when they need it, is also useful.
• Role-based access control (RBAC): RBAC is similar in principle to IAM, with some overlap. From a backup and recovery lens, RBAC can help entitle users to specific access to backup and recovery functions. For example, recovery roles can be limited to restore-only exercises to empower application owners to self-service recovery without the ability to edit admin-level settings or backup policies.
• Multifactor authentication: MFA is a robust system of authenticating users when they log into corporate systems, helping to prevent brute force and man-in-the-middle (MITM) attacks. It works by requiring the person who is attempting to log in to supply at least one piece of additional information that’s unique to that user in addition to their login password. This could be a security question or a one-time password sent to the user’s mobile device. Alternatives include a digital signature or biometric identification, such as a fingerprint or facial recognition.

These approaches ensure attackers can’t access and attack data backups. They also help you maintain data compliance requirements in the cloud concerning data privacy and residency.

5. Encryption to Prevent Theft

Even though cybercriminals can’t encrypt your immutable backups, if they access the backup data, they may be able to exfiltrate the backup data and hold it ransom.

Most cloud providers provide several mechanisms for encrypting your data. Examples include AWS Key Management Service (AWS KMS) and Microsoft Azure Key Vault. Implementation is very straightforward, especially when using default keys, however it is advisable to utilize self-managed keys for greater control.

6. Backup Metadata

Backing up metadata helps prevent ransomware attacks and ensures data integrity. Metadata carries critical information, such as creation and modification dates, who has access permission to the data, and its attributes. Backing up metadata means you can restore key files to their original state if you’re the subject of a ransomware attack. It preserves file system structure, information about user permissions and access controls, and audit and compliance trails. It also provides context and organizational information that helps recover significant volumes of data quickly.

7. Disaster Recovery Planning

The worst thing any business can do is wait until it’s the subject of a ransomware or hacking attack to plan for disaster recovery. Instead, you should make sure that your disaster recovery plan to restore systems and data is up to date. Remember, there’s a difference between disaster recovery and simple data restoration. Don’t tamper with the entire network unless necessary. The ideal situation is to develop plans for each scenario.

8. Conduct Regular Backup and Recovery Testing

Regularly test your backup and recovery procedures, within your  cloud backup solutions. It’s imperative to confirm that the systems function correctly, and data can be restored quickly and efficiently in case of an attack. Tests should be scheduled regularly, and your IT team should be trained to understand the steps needed to restore your data. Regular and thorough testing of these processes ensures fast data recovery, reduces downtime, and helps meet recovery time objectives (RTOs). Regular testing helps maintain uninterrupted business operations and keeps your team sharp and ready in case of any disaster.

The following webinar includes more ideas for creating a secure cloud backup.

Monitoring and Incident Response

In addition to the above procedures, it is crucial to continuously monitor your systems for signs of ransomware attacks. Also, you should have a detailed plan outlining the actions to take in the event of a ransomware attack. Essential steps include:

• Continuous monitoring. Implement threat-monitoring tools that allow you to continually monitor hybrid- and multi-cloud environments for unusual activity and abnormal network behavior that may indicate malicious activities.
• Threat detection. Install security software to detect and eliminate cybersecurity threats, including phishing, malware, ransomware and zero-day exploits. Protect against new and unknown threats using AI-enabled detection engines that block suspicious processes and activities.
• Incident response plan. Prepare a comprehensive ransomware response plan detailing specific personnel and actions to take in response to a ransomware attack, including isolation of infected systems, ransomware containment and eradication strategies.
• Automated remediation. Employ automated tools to detect and block malware and ransomware attacks by disabling and isolating infected endpoints, systems and software.
• Forensic analysis. Establish procedures for forensic analysis, such as recovering system logs and data stored in flash memories so that it is possible to determine the sequence of events and identify the type of ransomware.

Team training is an essential aspect of incident response and ransomware recovery. You should thoroughly train team members on the principles and practices of effective ransomware in cybersecurity incident response.

Choosing the Best Cloud Backup Solution

The responsibility for data protection starts and ends with you. Although public and private clouds offer guarantees regarding data security, they relate to data loss and corruption due to a failure of part or all their cloud data centers. For example, AWS guarantees a certain level of data in your ability and availability related to their service level agreement. However, AWS isn’t responsible for data loss due to accidental deletion, malware, and ransomware.

Consider the following when choosing a backup solution:

• Security features: These features should include encryption, multifactor authentication, and compliance with standards such as HIPAA and GDPR.
• Backups: Automated backups are essential, but so are incremental backups. You also want a form of versioning that allows you to maintain multiple versions of files that let you recover after an issue from various points in time.
• Recovery: A cloud backup system should offer the ability to make granular restores, such as individual files, fast recovery in the event of a huge data loss, and geographic redundancy that allows you to store your data in multiple locations in the case of a regional data loss.
• Scalability: It’s crucial to scale storage as your data grows.
• Ease-of-use: You want your software to be user-friendly and easy to navigate and manage. It should also be easy to generate detailed reports on backup status and activities.
• Cost: Billing should be clear and predictable without any hidden fees.
• Customer support: The vendor should provide knowledgeable staff with 24/7 availability. The SLA should include guaranteed uptime and performance standards.
• Integration: Ensure there aren’t any compatibility issues with your operating systems and applications.

It’s essential to determine appropriate backup policies and where and how to secure your backup data. You must also determine the optimal network and security configurations for your organizational needs. In this context, you should treat hybrid cloud security with the same rigor you do for your on-premises data centers.

Securing Hybrid and Multi-Cloud Backups

Strong cloud IaaS, PaaS, and SaaS services across AWS, Azure, Google Cloud, Microsoft 365, Salesforce, and more offer compelling alternatives to companies seeking to expand their IT services. While hybrid cloud strategies often solve many problems, they also come with challenges. As cybercriminals improve at exploiting the resulting software and network vulnerabilities, your company faces a real threat of data theft and ransomware.

The answer to this threat lies in effective ransomware prevention strategies and thorough mediation policies. These include hybrid and multi-security measures, such as network segregation, security software, and strong multifactor authentication policies. However, given the almost certainty of a successful ransomware attack, you also need a strong backup strategy. Utilizing logical air gaps, PoLP, immutability, encryption, and an effective backup plan can help you recover from a ransomware incident with strong recovery time and recovery point objectives to minimize lost time and business. Learn more about secure cloud backup protection strategies and best practices in our  new ebook, “Mastering Hybrid Cloud Costs, Security and Management.”