Creating a Secure Backup and Recovery Strategy


Securing the data in your organization is critical, for obvious reasons, but many overlook the fact that almost all of your organization’s data is also stored on backup media. Access to the data on a backup device is usually not audited the way access to the Windows file system is monitored by event auditing. For this reason, you need a secure backup and restore strategy. In this section, you will learn the essentials of designing a secure backup strategy and you will be able to create a plan for secure backups and restores.

To build a secure strategy for backups, you must implement the following:

Secure offsite storage: To ensure that your system can be recovered, there must be a recent copy of your data at a location other than where it originated. The offsite location should be secure and not susceptible to its own disasters or theft.

Secure onsite storage: In addition to having backup media off site, you will also want to keep a copy of your data that is easier for you to access. It should not, however, be stored with the original data. For example, store your backup media in a different room or on a different floor so that, should a disaster affect only the original data, the onsite backup will not be compromised. If the backup contains sensitive data, which it usually does, keep it in a locked area such as a safe. For enhanced protection, store it in a fireproof, heat-resistant safe. A fireproof safe alone is not enough; most media will melt once it reaches a certain temperature.

Write protection: To make sure that backup media is not accidentally overwritten, write-protect the media. Many backup utilities can write an expiration date to the media header that, by default, prevents the backup media from being used again until after the expiration date.

Data classification: When a disaster occurs, you will want to bring the most critical services and data up first. This task is easier if the backups are classified by recovery priority. Your organization’s mission-critical data will have a shorter recovery time priority than other data, for example.

Appropriate backup centralization: Security is usually easier to maintain on backups if they are all handled centrally, but for business reasons this may not be possible. You will need to take both business needs and recoverability into account when determining where backups should occur.

Secure backup schedule: You will need to create a schedule that includes incremental, differential, and complete backups to provide for recovery in an appropriate amount of time. Most media can be used reliably 20 times before it begins to degrade, so your schedule should account for this. For example, in a round-robin scheme, a separate tape is used for each day of the week. After 20 weeks, a new tape is used and the original is archived. Other types of backup schedules include grandfathering and equal rotation.
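The weekday round-robin scheme and the header expiration date used as write protection, as an added example in Python (not code from the study guide); the tape labels, the 6-day retention window and the Monday drill are assumptions.

```python
# Added example (not from the study guide): weekday round-robin tape rotation
# that retires a tape after MAX_USES writes and honours the header expiry date.
from dataclasses import dataclass, field
from datetime import date, timedelta

MAX_USES = 20        # reliable uses per tape, per the guideline above
RETENTION_DAYS = 6   # assumed header expiry: a weekday tape is locked 6 days

@dataclass
class Tape:
    label: str
    uses: int = 0
    expires: date = date.min   # write-protect expiry read from the header

@dataclass
class Rotation:
    tapes: dict = field(default_factory=dict)    # weekday -> active tape
    archive: list = field(default_factory=list)  # retired tapes, kept on file

    def _tape_for(self, weekday: int) -> Tape:
        if weekday not in self.tapes:
            gen = 1 + sum(t.label.startswith(f"Day{weekday}-") for t in self.archive)
            self.tapes[weekday] = Tape(f"Day{weekday}-Gen{gen}")
        return self.tapes[weekday]

    def backup(self, day: date, classification: str) -> str:
        """Write one backup; returns the label written to the media header."""
        tape = self._tape_for(day.weekday())
        if day < tape.expires:   # write protection: expiry has not passed yet
            raise RuntimeError(f"{tape.label} is write-protected until {tape.expires}")
        tape.uses += 1
        tape.expires = day + timedelta(days=RETENTION_DAYS)
        if tape.uses >= MAX_USES:   # retire before it fails; archive, never reuse
            self.archive.append(self.tapes.pop(day.weekday()))
        return f"{classification} {day.isoformat()} {tape.label}"

def simulate(weeks: int, start: date = date(2004, 3, 29)) -> Rotation:
    """Constructed drill: one full backup every Monday for `weeks` weeks."""
    rot = Rotation()
    for w in range(weeks):
        rot.backup(start + timedelta(weeks=w), "Mission Critical")
    return rot

def rewrite_refused(day: date = date(2004, 3, 29)) -> bool:
    """True when a second write on the same day is blocked by the header expiry."""
    rot = Rotation()
    rot.backup(day, "Mission Critical")
    try:
        rot.backup(day, "Mission Critical")
        return False
    except RuntimeError:
        return True
```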

The following sections give guidelines for backing up and restoring your data.

Secure Backup Guidelines

Certain best practices will increase the security of the media you back up to. The following list includes some of the most common techniques for securing your backup media:

Use the best backup media that you can afford, taking into account a proper rotation. Backup media is not the place to save on your IT budget.

Physically secure the backup media so that only the appropriate persons can gain access to it. Every day the media used to back up data gets smaller and smaller, making it almost impossible to detect in someone’s bag or pocket. You can, in some cases, encrypt the data on the media to prevent unauthorized access to it. If it’s encrypted, make sure that you have the necessary means to decrypt it should it be required.

Keep the media labeled appropriately. Label the media based on the classification that represents the data on the media. For example, “Mission Critical 3/29/2004 3:17AM” would be an appropriate label.

Do not change the classification of backup media once it has been used to store a backup. Even data that has been erased or overwritten may still be retrievable.

Remove media from rotation prior to failure and destroy it completely to prevent theft from your company’s waste. Destroy media completely by crushing, incinerating, shredding, or even melting it. If you intend to reuse media, erase it first using a secure data erasure utility.

Keep track of all backup media. Make sure that all media is signed in and out so that at any given moment, you can find out the location of each and every piece of media.

Periodically verify the integrity of the media. Make sure the media is devoid of viruses, worms, and other security compromises. If you detect a virus on your system, you should verify that the data is not also infected.

Warning

In the event that the data cannot be restored, consider sending it to data recovery organizations that can usually recover data for a fee.

Centralize the backup strategy as much as possible. Be aware that some users may back up their own data on insecure media. Any sensitive data should be kept off of the workstations in your environment. Emergency repair disks contain the Security Account Manager (SAM) database for the local machine and can be used to crack the passwords in it using a utility like LC4.

Secure Restore Guidelines

There are some important steps you should take to restore data securely. The following list includes some of the most common techniques:

Test the restore process. The only way that you can be certain that the backup is effective and working is to restore from it. You should do periodic recovery drills, similar to a building’s fire drill, to evaluate the effectiveness of the restore process and the validity of the data. Regardless of what a backup log states, you don’t have a verifiably successful backup until it has been tested and proven to work.

Perform recovery drills in a secure location to prevent unauthorized access to the data that has been restored. Make sure that the machines that you are restoring your data to are properly secured. The restore servers will have the sensitive data on them at the conclusion of the restore and should be secured just as much as the production server.

Evaluate backup logs regularly. Many backup applications will report a “success” even when several files are skipped.

Once sensitive data has been restored to the secure test server, use a secure erasure utility to remove all traces of the data from its disks. In some cases, you may want to follow the Department of Defense standard (DoD 5200.28-STD) for how to completely remove traces of data.
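As an added example (not from the study guide), a small log review that parses constructed backup log lines and flags jobs whose reported "Success" conceals skipped files, or that never reported completion at all; the log line format is an assumption, not any product's real format.

```python
# Added example (not from the study guide): review constructed backup log
# lines and flag "Success" jobs that skipped files or never completed.
import re
from typing import Dict, List

# Constructed sample log; the line format is an assumption, not a product's.
SAMPLE_LOG = r"""Job "Nightly-Full" started 2004-03-29 03:17
Backed up: C:\Data\Finance\ledger.mdb
Skipped: C:\Data\Finance\open.xls (file in use)
Backed up: C:\Data\HR\payroll.mdb
Skipped: C:\Data\HR\review.doc (access denied)
Job "Nightly-Full" completed with status: Success
Job "Weekly-Ops" started 2004-03-29 04:00
Backed up: C:\Data\Ops\inventory.mdb
Job "Weekly-Ops" completed with status: Success
Job "Archive-Monthly" started 2004-03-29 05:00
Backed up: C:\Data\Archive\2004-02.zip
"""

START = re.compile(r'^Job "(?P<job>[^"]+)" started')
END = re.compile(r'^Job "(?P<job>[^"]+)" completed with status: (?P<status>\w+)')
SKIP = re.compile(r'^Skipped: (?P<path>.+?) \((?P<reason>[^)]*)\)$')
BACKED = re.compile(r'^Backed up: (?P<path>.+)$')

def summarize(log: str) -> Dict[str, dict]:
    """Per-job counts and skipped files; the reported status is kept verbatim."""
    jobs: Dict[str, dict] = {}
    current = None
    for line in log.splitlines():
        if m := START.match(line):
            current = m["job"]
            jobs[current] = {"status": None, "backed_up": 0, "skipped": []}
        elif m := END.match(line):
            jobs[m["job"]]["status"] = m["status"]
            current = None
        elif current and (m := SKIP.match(line)):
            jobs[current]["skipped"].append((m["path"], m["reason"]))
        elif current and BACKED.match(line):
            jobs[current]["backed_up"] += 1
    return jobs

def needs_attention(log: str) -> List[str]:
    """Jobs whose 'Success' hides skipped files, or that never reported completion."""
    return [name for name, info in summarize(log).items()
            if info["status"] != "Success" or info["skipped"]]
```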

MCSE. Windows Server 2003 Network Security Design Study Guide Exam 70-298
ISBN: 0782143296
Year: 2004
Pages: 168