Something that I think is often over looked when it comes to backups is security. I’m not referring to physical security (e.g. locking the media up in a vault), but rather making sure that the backups aren’t being abused. There are plenty of horror stories kicking around about folks who have their backups wiped out. This might be due to a malicious admin, bad hardware, or (more and more common) something like Cryptolocker.
Those are all very serious, but the good news (if you can call it that) is that in those cases you know how your backups have been abused. What if your backups were being abused but the data was never destroyed? What if someone was reading your backups and you had no idea?
What I am getting at is securing your backups against folks who could use your backups to get data that they are after. Let’s use payroll as an example as it tends to be something that every company has to deal with. Suppose our malicious admin (let’s call him Damian) wants to find out how much his boss makes. What’s to stop him from grabbing a backup and perusing the data? Well in a lot of cases you need to log why you are doing a restore in the software, so there is at least some sort of audit trail. Maybe if the backups are kept offsite, there might be some sort of audit log that can be, and should be, reviewed (e.g. signing in at a facility).
Let’s assume there is no physical signs to look for. What do we do if Damian decides to import the backup on another machine (say his laptop) and peruse the data that way. Would the company ever know? Unless the backup software actually alters the media, and only if someone checks the media, then no, nobody would ever know.
So how do you protect against this? Good question … One way that comes to mind is some sort of division of responsibility. Say the backup software allows for encryption. Maybe have some protocol in place where someone (Andrew) knows the passphrase to decrypt the media, but Damian handles the media. In this scenario neither Andrew or Damian could actually abuse the backups. The downside to this approach is that you require two folks in the event of a recovery. This may not be a big deal for day to day operations, but if you ever find yourself in a DR situation then you’ll be hurting.
I don’t really have a good answer on how to prevent this. Some software ties encryption keys to the server, but if our malicious admin handles those backups as well, well then they can circumvent the problem. Ultimately the organization needs to have faith in their employees. Something like this could easily go undetected, and the more you try to prevent it, the more likely you are to interfere with someone’s job. Yes, you can delegate, but at the end of the day, somebody holds the keys to the kingdom – you need to trust them.
Just some food for thought for today’s post.