Cloud Backups

Chris Swagler | November 25th, 2023

An increasing number of companies are adopting a new data protection and recovery architecture that incorporates cloud-based storage, driven by the threat of ransomware and other attacks aimed specifically at data. For business continuity and disaster recovery (BCDR) reasons, most established businesses already maintain several tiers of backups and replicated data. The ransomware threat, however, is pushing companies toward isolated backups: copies that cannot be reached from the main corporate environment without deliberate administrative authentication/authorization changes and/or changes to the infrastructure. The following are common strategies for preventing ransomware attacks on cloud backups:

  • Creating new network segments for the backups inside the company’s environment, protected by a “deny all” firewall; the segment’s rules are loosened only when data is required for replication or is otherwise needed.
  • Establishing new, isolated cloud backups protected by the same kind of on-premises and cloud-based network restrictions described above; alternately, the isolated backups could be housed in a secondary or backup data center.
  • Requiring several administrators to jointly enter login passwords and multifactor authentication data before the isolated backups can be accessed.
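As an added example (not from the original article or SpearTip), the following nftables ruleset shows what the first strategy, a “deny all” backup segment whose rules are loosened only for replication, can look like on the gateway in front of that segment. Interface names (corp0, mgmt0, bkp0), addresses and the backup service port 9000 are constructed placeholders.

```nftables
# Gateway ruleset in front of an isolated backup segment (constructed example).
table inet backup_segment {
    # Replication sources currently allowed to reach the backup target.
    # Empty by default: an operator adds an address only for the duration of a
    # replication job, and the entry expires on its own after 2 hours if it is
    # not removed first, so the segment closes again even if someone forgets.
    set replication_open {
        type ipv4_addr
        flags timeout
        timeout 2h
    }

    # Administrative jump host allowed to reach the segment for maintenance.
    set admin_hosts {
        type ipv4_addr
        elements = { 10.99.0.5 }
    }

    chain forward {
        # Default deny: anything not explicitly accepted below is dropped.
        type filter hook forward priority 0; policy drop;

        # Replies to connections that were already permitted.
        ct state established,related accept
        ct state invalid drop

        # Replication window: only an address currently in replication_open,
        # only to the backup target, only on the backup service port.
        iifname "corp0" oifname "bkp0" ip saddr @replication_open ip daddr 10.50.0.10 tcp dport 9000 accept

        # Administration: SSH from the jump host only, via the management network.
        iifname "mgmt0" oifname "bkp0" ip saddr @admin_hosts tcp dport 22 accept

        # Nothing else crosses into or out of the backup segment; log the drops
        # so attempts to reach the backups from the corporate network are visible.
        log prefix "backup-seg-drop: " drop
    }
}

# Operator steps for a replication job (run on the gateway):
#   open the window for the backup proxy 10.10.1.20 (expires after 2h):
#     nft add element inet backup_segment replication_open { 10.10.1.20 }
#   close it as soon as the job finishes:
#     nft delete element inet backup_segment replication_open { 10.10.1.20 }
```

The `backup-seg-drop:` log prefix gives the security team a simple string to alert on, since legitimate traffic should never hit the drop rule outside a replication window.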

Creating Strategies for Cloud Backups

The planning phase of cloud backup ransomware protection strategies should cover the following distinct areas of any company:

  • IT Operations – Teams in charge of IT operations should decide which kinds of data to send to cloud backups and how long to retain them.
  • BCDR Planning – The backed-up data must satisfy the standard metrics used by BCDR planning teams, including mean time to recovery, recovery time objective, recovery point objective, and others.
  • Information Security – Sensitive data must be copied and stored with care. Security teams should therefore concentrate not just on the kinds of data that are backed up, but also on the security controls the cloud provider offers to protect that data.
  • Legal and Compliance – All archival and storage requirements should meet industry and best-practice standards, and any legal and regulatory obligations should be addressed as early as possible.

Asking Cloud Storage Providers These Data Security Questions

Companies should put the following questions to their cloud storage providers. They cover everything from data center security to storage architecture and network security, storage access and management, and security processes.

Data Center Security

The initial questions should focus on the physical security of vendors’ data centers and the people who run systems and applications within the environments. Among the questions are the following:

  • Is physical access to the data centers restricted? Which security measures, such as biometric retina scanners, are required for entry? Companies should expect providers to keep strict physical access controls in place at these locations.
  • Are the data centers staffed and managed 24/7/365? If yes, how are the shift changes managed?
  • Do the data centers have audit logs and video surveillance recording visitors’ arrival and departure times? How is video surveillance being monitored?
  • Are background checks being done on employees with management or physical access to the infrastructure? What kind of checks are made, and how frequently?
  • Are there intrusion warnings and written response strategies in place if the data centers’ physical security is compromised?

Storage Architecture and Network Security

Organizations need to understand the broad security design controls in place in the cloud provider’s environment. These controls are essential components of any well-developed security program. Consider the following questions:

  • What methods of authentication are required for users to access storage components and areas? Strong authentication should be required of storage administrators.
  • Are there secure default settings that force default passwords to be changed during installation? Secure defaults should disable all services, features, and functions unless explicitly enabled, with a default-deny posture for all configuration controls.
  • What kinds of security event monitoring and logging are employed? All platforms and applications must be capable of detecting and logging security events, and it should be possible to route security alerts to management consoles, element managers, pagers, email, and other destinations. Even though this data is often available only to cloud provider personnel, customers should know which technologies and processes are in place.
  • How is multi-tenancy implemented, and what technologies are employed to segment and isolate the data of different tenants? Virtual firewalls, hypervisors, isolation tools and strategies for storage area networks (SANs), and network segmentation are all possible solutions. Cloud providers need to be willing to discuss the methods they use to secure data on shared platforms.
  • How frequently are network device user permissions and passwords audited? Cloud providers should review user permissions and passwords regularly to ensure they are still valid and current.
  • Are systems serving each client physically and logically separated from other network zones? Internet access, production databases, development and staging areas, and internal applications and components should all have their own firewalled zones.

Storage Access and Management Security

Managing access restrictions and session security for storage environment access needs to be a top priority for both enterprise users and cloud provider administrators. To protect against security risks, including ransomware, cloud storage needs to be evaluated using the following criteria:

  • Are users’ credentials encrypted in the management tools and other administrative applications? If so, which algorithm is used, and how frequently is the encryption tested? Additionally, can password length, composition, and maximum age be configured and enforced in the storage management application?
  • What types of secure connectivity to the cloud storage system are permitted? Can more secure communication protocols, such as Secure Sockets Layer/Transport Layer Security or Secure Shell, be used?
  • Is there a timeout for active user sessions?
  • Do the management tools support multiple administrator profiles with granular security levels? Administrative applications for accessing and configuring cloud storage should be able to restrict administrator access by time, day, function, and other factors. All administrator actions should be recorded for auditing and alerting, and the logs should be accessible to the company’s security team.
  • Can granular roles and privileges be defined in the cloud storage management application? This capability is essential for preserving separation of duties and enforcing least privilege.

Security Processes

A cloud storage provider’s security processes should centre on secure software development and testing, patching, and vulnerability management. The following are some questions to ask:

  • Does the cloud storage provider test its hardware and software in fully secured and patched configurations to assess the vulnerability of its servers, networks, and applications?
  • Does the provider have processes to track and report security vulnerabilities found in its cloud storage products? As part of its incident response operations, the provider should distinguish between general notifications and dedicated contact options for specific clients.
  • What notification and escalation procedures are in place in the event of a security breach or other potentially serious security incident?
  • Are there established, documented mechanisms for distributing critical software patches and noncritical security updates internally?
  • Are there standard procedures for security testing during development and quality assurance cycles? These should include checking source code for high-priority vulnerabilities, including the Open Web Application Security Project’s Top 10, buffer overflows, and improper authentication and session handling.

Cloud storage extends the data backup solutions that mature companies already use. The available options include conventional on-premises backups to tape or disk, large-scale replication of virtual data contents with SAN/network-attached storage integration, and secondary backups to tape or disk sent to off-premises backup providers. For newer concerns such as ransomware, segregated short-term backups of end-user content and/or the data center’s most important assets can be added to this mix.

With ransomware groups targeting companies’ cloud backups, it’s important for companies to stay aware of the current threat landscape and keep off-site backups of their data to limit the impact of a ransomware attack. At SpearTip, we offer a layered security system designed to protect our clients’ critical assets, including those of our clients’ own customers. With real-time monitoring and alerting capabilities, our service helps safeguard against cyberattacks and data theft. Companies can enhance their security maturity with cloud application protection supported by our team of experienced professionals in our 24/7/365 Security Operations Center. In the event of a critical alert, the team in our 24/7/365 SOC will leverage ShadowSpear to respond to and remediate threats within monitored environments. The protection covers a range of applications, including Microsoft 365, Google Workspace, Salesforce, email tenants, and more, minimizing disruption so companies can focus on running their business and supporting their clients’ operations.

If your company is experiencing a breach, call our Security Operations Center at 833.997.7327 to speak directly with an engineer.
