Securing Your Backup Environment

“Ransomware” has become the IT buzzword of the year, and rightfully so. The attacks have come quickly and often. As the adage indicates, “It’s not if your company will be hit, but when will the attack occur?” To further validate this adage, the biggest concern for IT leaders is making sure their company does not become a headline on the local news. So, companies have been working towards improving their security posture through a variety of ways, including endpoint protection, user training, zero trust, content filtering, network segmentation, etc. The challenge remains that to be fully protected against a security event, you must harden your entire technology stack. And that includes your backup environment.

There are a variety of areas that must be addressed, like certificate management, encryption, port security and others, but for now I will focus on account security. Account security is typically the “low hanging fruit” when it comes to improving your security elements, but it is also sometimes overlooked.  There are three types of account access used by most backup systems: Local Accounts, Domain or External Accounts, API Access. 

While reviewing security hardening guides of several leading backup vendors, I have built a list of some general best practice steps to secure each of these account types.

Local Accounts – Local to the system and maintained by the local administrator.

• Enable MFA – Multi-factor authentication is not always available, however it is critical to enable, when possible. This remains a straightforward improvement to protect against a corrupt local account.
• Store credentials in a secure vault – This is a life best practice applicable for any user credential.
• Separate primary and secondary credentials – I think we have all fallen victim to repurposing the same local credentials across production and secondary systems. It makes our life, as admins, easier.  Creating unique local accounts for each system provides an added layer of protection against a breach.
• Admin access should be the exception – Not the rule. Day-to-day administration should be done using users with the least privilege to get their jobs done.

Domain Accounts – Accounts in an external identity store, like Active Directory

• Only use for application / end user level actions – Try to keep destructive actions like SLA changes, backup deletion and removal of archival locations limited to local accounts.
• Align RBAC requirements – Identify the groups requiring access and limit their rights to a minimum set of privileges.
• MFA with SSO – Protect against a compromised domain account by enabling MFA along with SSO.
• Leave target replication system out of AD – Protect against a compromised domain credentials by utilizing local accounts on your target backup systems.

API Access – Provided via local or domain account

• Create a new account for each automation task.
• Assign a custom role with specific privileges.
• Limit access of destructive actions, such as SLA changes and the ability to delete.

I think most would agree these best practice steps would apply to most areas of security and general IT account management.  However, from my experience as a Solution Architect, many of these areas remain the exception, rather than the norm.  At ivision, we have a full team of Solution Architects and subject matter experts to help you continue improving the security posture of your backup environment.  Check out our security solutions, and please let us know how we can help!