Best Practices
for Secure Cloud Backup

5 measures you must put in place to secure your hybrid- and multi‑cloud strategy

of organizations are moderately to extremely concerned about cloud security2
of organizations suffered at least one ransomware attack in the past 12 months1
1 in 4
organizations paid the ransom and never got their data back1
Here are 5 best practices you must be following to lock down your cloud architecture, prevent and overcome threats, and keep your business running.


  • Constantly apply patches against vulnerabilities and avoid misconfigurations to prevent exploitation
  • Least privilege access, network isolation and segregation to minimize blast radius
  • Monitor, log and alert on repeat access failures and unusual CPU spikes


Bad actors have an infinite number of attempts on your accounts and only have to be right once. Successfully fending off each and every attack is almost impossible.

Secure backup and clean recovery are your last line of defense


So, what are the best practices for  secure cloud backup and  recovery

when targeting backups has become standard operating procedure with over 93% of ransomware attacks explicitly targeting backups?1
Follow the 3-2-1 rule

Your data, your responsibility. Don’t rely on the cloud provider to backup your data – they don’t – or snapshots alone. You need:

  • 3 copies of your data: Production, snapshots and backups stored on
  • 2 different media: Typically volumes and object storage with
  • 1 offsite: Either a different region, different cloud, or on‑premises
Logically separate

Isolate your backups from production across security boundaries with dedicated backup accounts and resources. Security boundaries for each cloud include:

  • AWS: Accounts
  • Azure: Subscriptions
  • Google Cloud: Projects
  • 3
    Least privilege access

    Limit granted permissions and access rights of users to only what is required to perform tasks using Identity and Access Management (IAM), role‑based access control (RBAC) and multi‑factor authentication). Routinely add, delete, and rotate credentials to prevent privilege creep.


    Ensure the integrity of backups through a write once, read many (WORM) state of immutability e.g., Amazon S3 Object Lock and immutable storage for Azure Blob Storage. This will prevent encryption, editing or deletion of backups should the attacker be successful.

    Encrypt to prevent theft

    Utilize cloud provider encryption technologies like AWS KMS or Azure Key Vault to prevent attackers gaining additional leverage or double extortion. Exfiltration of sensitive data is now the third largest cloud security concern.

    Ready to protect and secure your hybrid- and multi‑cloud environment?