The dynamics of tracing the security of your data within a public or hybrid cloud infrastructure can become frustrating considering the possible constraints of locality, shared responsibility and other modalities of access to your data.
This begs questions like: Do I have visibility and control over my data? How do I access my data? Who presently has access to my data? What is being accessed and why? And is my data safe? With increased cloud adoption, these kinds of questions are becoming increasingly crucial due to data/information governance concerns such as privacy, location and jurisdiction policies, ownership, security controls, custodianship, information management policies among others.
Backups are not an exception as some of these concerns may apply to them. Presently, the use of concepts such as the data security lifecycle have proven to be effective in helping with some of the data/information governance concerns as demonstrated in the next sections.
What is a Data Security Lifecycle?
A data security lifecycle is essentially a tool used to help understand security boundaries and controls around data. By looking at your backups from the lens of a data security lifecycle, you stand a chance of understanding the security boundaries and controls that are present and may be needed to secure your backups. The phases that constitute a data security lifecycle are creation, storage, use, sharing, archival and destruction. Your backups, or even your data, may not always pass through all these phases but the lifecycle gives you an opportunity to take care of your security needs in the event that your data backups go through all the phases of the life cycle.
Security Through the Phases
When making use of the data security lifecycle, you might consider evaluating the present and missing security boundaries and controls in place in each and every relevant phase. You may have to strike a balance between confidentiality, integrity and availability concerns in all the phases. Security controls like authentication, authorization, data validation, logging and encryption are what you have to actually implement through the phases to achieve the confidentiality, integrity and/or availability of your backups.
Backup Ninja’s Case
Backup Creation and Storage Phases
For creation and storage, such an example would be generating a database's dump onto a filesystem. In such a case, you may have a lot to think about in terms of securing the dump. That could SSH access to your server where the dump resides, file permissions, data integrity or file encryption. Also, with automated backup solutions, timing-attacks can be leveraged at this point to access your data before it is encrypted. Backup Ninja gives you visibility of your backups, at a glance, without having to always access them via methods like SSH. That gives you opportunities to limit access to your backups via such methods.
Backup Use (Restoration) Phase
At the point of restoration, you may have to consider data integrity/validation and the security controls around the data that is in use. It will be helpful to really think about how the data can be accessed at this phase and what control you can put around your restored data to prevent it from unauthorized access.
Backup Sharing/Transfer Phase
Sharing may involve moving data from one location to another in the form of encrypted/unencrypted backups, after creation or after restoration. Also, data integrity and encryption in-transit may be ideal to secure your backups at this phase.
Locations and Access Entitlement
The data security lifecycle addresses the phases your data backups may go through but doesn't address its location and access across different cloud environments. Having data in different locations or possibly moving between different environments may be as a result of location and jurisdiction policies, operational or privacy concerns. Considering that you may have your backups in different locations and operating environments, you will need to track the data security lifecycle phases of your data backups in their respective locations and operating environments.
Functions, Actors, and Controls
There are generally three actions that can be done to data. These are:
- Read - This occurs at the point that the data backup is needed, including creation of the backup and restoration.
- Process - Perform a transaction on the data; restore a data backup and use it e.t.c.
- Store - Hold the data backup in some storage.
These refer to the functions that can be performed on your data. The conceptual mappings below can help you to track the actions that can be done to your backups hence the security controls you may need to control the actions to your backups.
Controls restrict the possible actions that can be operated on your data backups down to the allowed actions. The conceptual mapping below can help you restrict the implementation track and implement controls with the considerations of the many locations that your data may reside in.
Tracing your Backups with Backup Ninja
With Backup Ninja, you gain visibility into the creation, restoration (use) and retention (destruction) of your backups. At the point when your backup is created, it’s easy for you to trace the subsequent creation of your backups by navigating to the Backups menu as shown below. You also have the opportunity to put your data back into use by supplying an encryption key and selecting the Restore option as highlighted on the diagram below.
Also, navigating through the activity log gives you visibility of the exact time that the backup is created as in the diagram below.
From the viewpoint of the destruction of your backup, you can define the retention policy when creating backup schedules as shown below.
Conclusion
Cloud adoption comes with its own set of security challenges. Making use of the data security lifecycle can help you think through what you need to prioritize to cater for your data/information governance concerns. Overall, it's prudent to understand where your backups live at the different stages of the life cycle. Backup Ninja gives you full control and visibility of your backups.