Best Practices
for Secure Cloud Backup
5 measures you must put in place to secure your hybrid- and multi‑cloud strategy
Prevention
- Constantly apply patches against vulnerabilities and avoid misconfigurations to prevent exploitation
- Least privilege access, network isolation and segregation to minimize blast radius
- Monitor, log and alert on repeat access failures and unusual CPU spikes
Remediation
Bad actors have an infinite number of attempts on your accounts and only have to be right once. Successfully fending off each and every attack is almost impossible.
Secure backup and clean recovery are your last line of defense
So, what are the best practices for secure cloud backup and recovery
Your data, your responsibility. Don’t rely on the cloud provider to backup your data – they don’t – or snapshots alone. You need:
- 3 copies of your data: Production, snapshots and backups stored on
- 2 different media: Typically volumes and object storage with
- 1 offsite: Either a different region, different cloud, or on‑premises
Isolate your backups from production across security boundaries with dedicated backup accounts and resources. Security boundaries for each cloud include:
Limit granted permissions and access rights of users to only what is required to perform tasks using Identity and Access Management (IAM), role‑based access control (RBAC) and multi‑factor authentication). Routinely add, delete, and rotate credentials to prevent privilege creep.
Ensure the integrity of backups through a write once, read many (WORM) state of immutability e.g., Amazon S3 Object Lock and immutable storage for Azure Blob Storage. This will prevent encryption, editing or deletion of backups should the attacker be successful.
Utilize cloud provider encryption technologies like AWS KMS or Azure Key Vault to prevent attackers gaining additional leverage or double extortion. Exfiltration of sensitive data is now the third largest cloud security concern.
Ready to protect and secure your hybrid- and multi‑cloud environment?