Guess who else likes your backups in the Cloud?

Having just finished the excellent Dickinson series on Apple TV+, I keep getting one of Emily Dickinson’s most famous refrains rolling around in my head:

Because I could not stop for Death –
He kindly stopped for me –
The Carriage held but just Ourselves –
And Immortality.

Because I could not stop for Death, Emily Dickinson.

Now, I’m not suggesting that Emily Dickinson was thinking about the public cloud when she wrote arguably her most famous poem [1], but like “don’t run with scissors”, I think her poem also at least partly reflects on running too fast to an objective – so much so that you don’t notice the risks. [2]

Cloud Security Is Your Responsibility

If you’re operating in the public cloud, you should be very much aware of the shared responsibility model:

[Figure: AWS Shared Responsibility Model]

I’ve said for a while that your backup environment has to be secured to the same level of paranoia as your most mission-critical systems: it represents a terrifying potential attack vector for your entire organisation if unsecured, and also represents an easy target for data breach situations. I.e., why would attackers scour your network for dozens or more systems if they can get access to everything by compromising the backup server?

And we’re now at the point where backup servers running in the public cloud are becoming very attractive to attackers.

Backups are one of the most, if not the most, important defense against ransomware, but if not configured properly, attackers will use it against you.

Recently the DoppelPaymer Ransomware operators published on their leak site the Admin user name and password for a non-paying victim’s Veeam backup software.

Ransomware Attackers Use Your Cloud Backups Against You, Lawrence Abrams, March 3, 2020. (Bleeping Computer.)

Lawrence Abrams from the above article quoted someone behind the Maze ransomware software as follows:

“Yes, we download them. It is very useful. No need to search for sensitive information, it is definitely contained in backups. If backups in the cloud it is even easier, you just login to cloud and download it from your server, full invisibility to “data breach detection software”. Clouds is about security, right?”

Ibid.

Backups are very useful. Not just to your business, but to people who might attack your business. People who might be looking to hold your business to ransom or exfiltrate your data. Backups in the cloud are “even easier” to get to.

If you don’t secure them properly. Regardless of whether you have backup services in public cloud, on-premises, or both, you have to secure them of course. But in the public cloud, you might have a broader spread of groups involved in the setup and run. Last year, I wrote about how backup servers, poorly secured, represent a significant security threat. I also wrote about how Data Domain is one of the most important pieces of infrastructure that you can deploy to help secure your backup environment, and much of that holds true even in a virtualized or cloud-based environment – so long as the underpinning infrastructure has been suitably secured.

When I was starting in IT, infrastructure was the castle, and security was a moat surrounding it. You had firewalls and DMZs, but everything inside the network was trusted. Over time we’ve matured, but backup servers were often perversely left out of the security model. So we moved away from relying exclusively on the moat to having every door in the castle locked. However, your backup server is the skeleton key that opens any door. If that’s not protected … well, ransomware developers and hackers will love you.

There’s a lot more I have to say about data protection security in the public cloud in Protecting Information Assets and IT Infrastructure in the Cloud, but I think it’s worth ending with a simple statement:

Backups are the keys to your kingdom.

Footnotes

  1. If she were, that would indeed make her an even more remarkable person.
  2. And let’s face it, unless the author writes a definitive “This is what I meant…” statement next to a piece of work, all interpretations are inherently subjective.
