Bad actors have an infinite number of attempts on your accounts and only have to be right once. Successfully fending off each and every attack is almost impossible.
Your data, your responsibility. Don’t rely on the cloud provider to back up your data – they don’t – or on snapshots alone. You need:
Isolate your backups from production across security boundaries with dedicated backup accounts and resources. Security boundaries for each cloud include:
Limit the permissions and access rights granted to users to only what is required to perform their tasks, using Identity and Access Management (IAM), role‑based access control (RBAC) and multi‑factor authentication (MFA). Routinely add, delete, and rotate credentials to prevent privilege creep.
Ensure the integrity of backups through a write once, read many (WORM) state of immutability, e.g. Amazon S3 Object Lock or immutable storage for Azure Blob Storage. This prevents an attacker who does get in from encrypting, editing or deleting the backups.
Use cloud provider encryption services such as AWS KMS or Azure Key Vault to prevent attackers from gaining additional leverage through double extortion. Exfiltration of sensitive data is now the third largest cloud security concern.
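The three controls above (least-privilege access for the backup writer, WORM immutability, and KMS-backed encryption) can be audited offline from the configuration the provider returns. The following is an added example, not code from the original page or from any backup product: it takes the same shapes the AWS APIs GetObjectLockConfiguration, GetBucketVersioning and GetBucketEncryption return, plus an IAM policy document, and reports where a dedicated backup bucket falls short. The bucket name, account ID, key ARN, the 30-day retention floor and the two sample configurations are constructed for the example; the Azure equivalents are not covered here.

```python
import fnmatch
from typing import Dict, List

# Assumption for this example: backups must stay immutable for at least 30 days.
MIN_RETENTION_DAYS = 30

# Actions that would let a compromised backup-writer shorten, bypass or remove
# the WORM protection, the KMS key, or the backup objects themselves.
DESTRUCTIVE_ACTIONS = [
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
    "s3:PutObjectRetention", "s3:BypassGovernanceRetention",
    "s3:PutBucketObjectLockConfiguration", "s3:PutBucketVersioning",
    "s3:PutLifecycleConfiguration", "s3:PutEncryptionConfiguration",
    "kms:ScheduleKeyDeletion", "kms:DisableKey",
]


def _as_list(value):
    """IAM allows Action/Statement to be a single string or a list."""
    return value if isinstance(value, list) else [value]


def check_object_lock(resp: dict, min_days: int = MIN_RETENTION_DAYS) -> List[str]:
    """Evaluate a GetObjectLockConfiguration response against the WORM requirement."""
    cfg = resp.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled; objects can be overwritten or deleted"]
    findings = []
    rule = cfg.get("Rule", {}).get("DefaultRetention", {})
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"default retention mode is {rule.get('Mode')!r}; only "
                        "COMPLIANCE stops every principal, root included, from lifting retention")
    days = rule.get("Days", 0) + 365 * rule.get("Years", 0)
    if days < min_days:
        findings.append(f"default retention of {days} days is below the {min_days}-day floor")
    return findings


def check_versioning(resp: dict) -> List[str]:
    """Evaluate a GetBucketVersioning response; Object Lock depends on versioning."""
    return [] if resp.get("Status") == "Enabled" else ["bucket versioning is not enabled"]


def check_encryption(resp: dict) -> List[str]:
    """Evaluate a GetBucketEncryption response: require SSE-KMS with a named key."""
    for rule in resp.get("ServerSideEncryptionConfiguration", {}).get("Rules", []):
        default = rule.get("ApplyServerSideEncryptionByDefault", {})
        if default.get("SSEAlgorithm") == "aws:kms" and default.get("KMSMasterKeyID"):
            return []
    return ["default encryption is not SSE-KMS with a customer managed key"]


def check_writer_policy(policy: dict) -> List[str]:
    """Flag Allow statements whose action patterns cover a destructive action."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        for pattern in _as_list(stmt.get("Action", [])):
            for action in DESTRUCTIVE_ACTIONS:
                # IAM action names are case-insensitive and use * and ? wildcards.
                if fnmatch.fnmatchcase(action.lower(), pattern.lower()):
                    findings.append(f"policy pattern {pattern!r} allows {action}")
    return findings


def audit_backup_bucket(lock: dict, versioning: dict, encryption: dict,
                        policy: dict) -> Dict[str, List[str]]:
    """Return only the control areas that have findings; an empty dict means clean."""
    report = {
        "immutability": check_object_lock(lock) + check_versioning(versioning),
        "encryption": check_encryption(encryption),
        "least_privilege": check_writer_policy(policy),
    }
    return {area: items for area, items in report.items() if items}


# Constructed sample: a bucket set up with the defaults many teams start from.
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
WEAK_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {"SSEAlgorithm": "AES256"}}]}}
WEAK_POLICY = {"Version": "2012-10-17",
               "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}]}

# Constructed sample: the hardened configuration the controls above call for.
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
GOOD_ENCRYPTION = {"ServerSideEncryptionConfiguration": {"Rules": [
    {"ApplyServerSideEncryptionByDefault": {
        "SSEAlgorithm": "aws:kms",
        "KMSMasterKeyID": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}}]}}
GOOD_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket"],
     "Resource": ["arn:aws:s3:::example-backup-bucket", "arn:aws:s3:::example-backup-bucket/*"]},
    {"Effect": "Allow", "Action": ["kms:Encrypt", "kms:GenerateDataKey"],
     "Resource": "arn:aws:kms:us-east-1:111122223333:key/EXAMPLE-KEY-ID"}]}
VERSIONING_ON = {"Status": "Enabled"}

if __name__ == "__main__":
    for label, args in (("weak", (WEAK_LOCK, VERSIONING_ON, WEAK_ENCRYPTION, WEAK_POLICY)),
                        ("hardened", (GOOD_LOCK, VERSIONING_ON, GOOD_ENCRYPTION, GOOD_POLICY))):
        print(label, audit_backup_bucket(*args) or "no findings")
```

The writer policy is checked by pattern rather than by exact action name because a wildcard such as `s3:*` is the usual way destructive rights slip into a backup role unnoticed. In practice the response dicts would come from the provider's API in the dedicated backup account, and the audit would run from a separate identity than the one that writes the backups.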