The COVID-19 pandemic has had its fair share of influence on world media but of interest is the sheer amount of cyber attacks that have escalated since it began. Interestingly enough, is the news of a 667 percentage rise in Coronavirus-Related attacks since the beginning of March 2020. Downplaying the possibility of being attacked is far from the wisdom gained from corporations who have spent millions in setting up security controls, yet they still succumb to data breaches. This goes right down to medium and small businesses who have had their databases wiped off by ransomware. Point to note is that having an 'Assume Breach' mentality is ideal in all situations as you are devising your security strategies. At the point that your data gets stolen, you need to have been ready.
Backing up your database stands out as one of the most fundamental steps you need to get ready. On top of that is the question of whether your backup can stand the test of time and security. In that case, the exception rather than the norm is to ensure that you backup regularly, that your backups are secure and available. In this blog, we talk about Backup Ninja's approach to backup security.
Striking a Balance Between Confidentiality, Integrity and Availability
Of most importance to consider for backup security is if you are using proper encryption schemes to protect your backups. With backups, as it is with your general security, it's always a matter of striking a balance between confidentiality, integrity and availability. Not forgetting, other security considerations like identification, authentication, authorization and auditing.
If you have confidential information which can be personal identifiable information (PII) or intellectual property, you may be drawn to considering encryption schemes that provide confidentiality and integrity and probably less availability. If not, you may be drawn to the aspects of integrity and availability much more than confidentiality. Below we discuss briefly how Backup Ninja works.
How Backup Ninja Works
The creation of the backups will normally take place on your database host. You will install the “bartender agent” on your preferred servers and in the process you get to choose where to store the backup, locally or in the cloud. To top it all, you get to choose if they want the backup compressed/encrypted or not before it's stored while setting up your backup schedule.
Database Dump Process
The “bartender agent” will normally access your database with a set of credentials (database username and password). These are created and stored in a configuration file (/etc/bartender.yaml), in your database server, during the installation process. It is important to consider hardening your database server at the operating system level to ensure that only authorized parties have access to the credentials or other sensitive files in your host. Hardening can be achieved using benchmarks and hardening tools like CIS or OpenSCAP that are free and readily available.
Backup Encryption Process
A backup schedule is created via the Backup Ninja Web portal, and the backup job is passed to the agent. The agent will then use an encryption key that is provisioned at source. The key is stored on the backup jobs directory (/var/lib/backup-agents/jobs/) in a configuration file, on your database server, with a filename denoting the name of the backup schedule that was specified on the Backup Ninja Web App. The key is used to encrypt the database dump before it is stored. It is necessary for you to consider giving the proper permissions to this path. Without the proper permission to this path, it may lead to disclosure of the encryption keys.
Encryption-at-Rest (Backup Encryption)
Backup Ninja makes use of the Advanced Encryption Standard (AES) which is basically a symmetric encryption key cipher and subset of a block cipher with a key-length of 256 bits. The key that is used for encryption is the same key that will be used for decryption. The mode used for encryption is the Output Feedback Mode (OFB) which is a mode of operation applicable to block ciphers that generates key-stream blocks, which are then XORed with the plain-text blocks to get the cipher text. This mode is normally used when there is no tolerance for error propagation; that ensures the sanctity of your backups. AES encryption caters for confidentiality of your backups in-transit and at-rest.
Below is an illustration of the encryption process by the Bartender Agent.
Backup Ninja leverages TLS communication. The agent makes use of TLS for all network transmissions. TLS caters for confidentiality of your data in-transit. The TLS version used is 1.2 with a cipher suite as described in the string ECDHE-RSA-AES256-GCM-SHA384 which describes a set of algorithms used in the suite as follows:-
ECDHE (Elliptic Curve Diffie-Hellman Ephemeral) as the key exchange algorithm which dictates the manner by which symmetric keys will be exchanged.
RSA (Rivest-Shamir-Adleman) as the authentication algorithm which dictates how server authentication and client authentication will be carried out).
AES256 (Advanced Encryption Standard with key-length of 256-bits) as the bulk encryption algorithm which dictates which symmetric key algorithm will be used to encrypt the actual data being transmitted i.e. tokens and other sensitive data.
GCM (Galois/Counter Mode) as the mode of operation that is used with the AES256 symmetric block-cipher described above.
SHA384 (Secure Hash Algorithm which produces a 384-bit hash value) as the message authentication code (MAC) algorithm that dictates the method that the connection will use to carry out data integrity checks.
For maximum security, you shouldn’t keep the backup in the same datacenter as your database server. If there is a fire or theft, both copies of the data could be lost if they are kept together.
Backup Ninja supports a number of cloud storage providers, and takes care of uploading the encrypted backup files in the location of your choice. It is possible to upload the backups in more than one cloud storage vendor, or a combination of on-premises and cloud storage targets.
Leveraging the use of Backup Ninja for your database backups gives you assurance of regular and secure backups. By getting Backup Ninja you reduce the possibility of succumbing to data breaches and potentially heavy fines that may be imposed on you due to data privacy regulations