Cloud computing has become ubiquitous and has reached the point where nearly half of all workloads run in the cloud. Currently, most organizations operate a combination of on-premise and cloud workloads, known as a hybrid cloud. Typically, they keep key services within their data centers and use the cloud for customer-facing services, software applications and flexible data storage. The hybrid cloud model is ideal because it is not always possible, or even wise, to move everything to the cloud for reasons like cost, performance and compliance.
A hybrid cloud is a combination of one or more types of public and private cloud architectures together with on-premise servers. A multi-cloud comprises two or more public cloud services. Predominant cloud architectures include Infrastructure as a Service (IaaS), Platform as a Service (PaaS) and Software as a Service (SaaS). Users appreciate the resiliency of the cloud and commonly adopt more flexible data retention practices than are the norm for on-premise data centers. According to Veeam’s 2023 Cloud Protection Trends report, nearly 50% don’t keep cloud data for longer than one year. Additionally, 34% believe that PaaS services like file shares do not need to be backed up, despite cloud-hosted data facing an equal volume and magnitude of cyber threats. We must do more to protect and secure our cloud data to ensure resilience.
These data retention policies offer little protection against inadvertent deletions or the growing threat of ransomware. In Veeam’s 2023 Ransomware Trends Report, 85% of surveyed organizations experienced at least one ransomware attack in the preceding year.
For most companies, it is only a matter of time before they experience a cyberattack. Their ability to resist will depend on the steps they take to harden and protect their networks. Equally important is the provision of secure backups as a last line of defense against ransomware attacks.
Our new infographic, “Best Practices for Secure Cloud Backup” highlights 5 measures you must put in place to secure your hybrid- and multi‑cloud strategy. Read on to learn more about the best hybrid and multi-cloud security practices.
Hybrid Cloud Security: The Importance of Prevention
Prevention is an essential part of any hybrid cloud security strategy that seeks to mitigate the risk of data loss because of security threats like ransomware. If you can prevent cybercriminals from breaching your cyber defenses, you can divert a ransomware attack. At the very least, you may detect an attack and respond before your data is encrypted or exfiltrated.
Cloud service providers are contractually obliged to protect their systems against intrusion and attack in accordance with their own shared responsibility models and SLAs. However, this liability does not extend to your data or to how you set up your network. It is the users’ responsibility to protect their data and systems in hybrid- and multi-clouds against cyber threats.
Important steps to harden your systems against attack include:
- Software patches. Keep all software and firmware up to date, and apply security patches as soon as they are released.
- System configuration. Avoid security gaps and vulnerabilities caused by configuration errors with your network, instances and virtual machines (VMs).
- Network segregation. Segregate your network into multiple partitions or domains using physical and virtual networks to prevent a single point of entry.
- Access control. Adopt least-privilege access controls, especially with sensitive networks and data.
- System monitoring.Continually monitor your networks for unusual CPU and network traffic, including detailed logging with built-in alerts.
Even with the best ransomware defenses, bad actors get through as their attack vectors evolve and become more sophisticated. Determined hackers often target specific organizations, seeking every possible opportunity to breach their defenses. Tactics include phishing attacks that appear to be genuine emails that trick unsuspecting employees into opening infected email attachments. Others include drive-by malware attacks from infected sites and scanning your systems for vulnerabilities, such as unpatched software and account compromise.
Hackers need to find just one vulnerability to infect your system, and fending off every attack is difficult. You need a second line of defense to fall back on, incorporating secure backup practices that ensure the integrity of data and the ability to make a clean recovery.
Best Practices for Secure Cloud Backup and Recovery
As with any disaster recovery strategy, you need a robust contingency plan on how to respond to a ransomware attack. This plan should be dynamic and constantly reviewed to reflect organizational changes and adapted to new and developing threats.
Remember that ransomware extortionists are continually improving their tactics. Their goal is to make it impossible for you to recover from an attack unless you pay the ransom. To this extent, 93% of ransomware attacks now target your backups. This means it is essential to ensure your backup strategy is robust and secure against attack.
Let’s take a deep dive into hybrid- and multi-cloud security best practices.
1. Follow the 3-2-1 Rule
The first and most important point to note is that your cloud provider is not responsible for backing up your data. While cloud providers synchronize data to mirror sites, this is to provide a fallback if the primary data center goes down. It is not a backup. If you are the victim of a ransomware attack, the constant synchronization means that both data sets will be encrypted.
Your backup strategy should, ideally, be based on the tried and tested 3-2-1 backup rule. This rule describes the minimum number of copies of data you should keep together with techniques to reduce the risk of loss due to common factors or events.
The digits in the rule explain how it works:
- The first digit of the 3-2-1 rule says you should always have three copies of your data.
- The second digit specifies that you should store your backups on two different types of media.
- The last digit implies that you should keep one copy offsite, whether that is on-premises to the cloud, intra cloud across regions or from one cloud to another.
2. Logically Air Gap Your Backups
The notion of a physical air gap for backups is long instantiated. However, in the cloud where data is constantly connected to the network, how do you achieve this air gap? We need look no further than the cloud providers well-architected frameworks or best practices that help us understand where security boundaries lie and how to keep backup resources separate from production. Note that there are subtly different security considerations between clouds; AWS it is accounts, Azure it is subscriptions and Google Cloud it is projects.
It is highly advised to utilize a dedicated account, subscription or project for your backups. Also, backup copies can be stored on on-premises storage like hardened Linux repositories, or immutable object storage, also possible on-premises or on another cloud altogether.
3. Priciple of Least Privilege (PoLP)
Limit privileges to those required for each user, system or application to perform their specific tasks or functions. This rule applies equally to backup and recovery operations as to other employee tasks. Leverage the following principles:
- Identity and access management (IAM): Use granular IAM roles to create fine-grain control over resource access and permissible actions. Continuously audit IAM roles and delete permissions no longer required, as well as rotating access keys for IAM users.
- Role-based access control (RBAC): RBAC is similar in principle to IAM, with some overlap. From a backup and recovery lens, RBAC can help entitle users specific access to backup and recovery functions. For example, recovery roles can be limited to restore only exercises to empower application owners to self-service recovery, without the ability to edit admin-level settings or backup policies.
- Multifactor authentication: MFA is a robust system of authenticating users when they log into corporate systems, helping to prevent brute force and man-in-the-middle (MITM) attacks. It works by requiring the person who is attempting to log in to supply at least one piece of additional information that’s unique to that user in addition to their login password. This could be a security question or a one-time password sent to the user’s mobile device. Alternatives include a digital signature or biometric identification, such as a fingerprint or facial recognition.
These approaches ensure attackers can’t access and attack data backups. They also help you maintain data compliance requirements in the cloud concerning data privacy and residency.
4. Immutability Ensures Integrity
The concept of an immutable backup is that the data can’t ever be changed. You can’t modify, delete or overwrite the data. Importantly, a hacker can’t encrypt an immutable file. So, immutable backups are secure backup files that you can rely on.
Most immutable solutions use write-once-read-many (WORM) technologies that lock the data. Examples include Amazon S3 Object Lock and immutable storage for Azure Blob. With immutability in the cloud, it is normal to specify a retention period, after which time, the data will be unlocked and can be subsequently deleted in line with data retention requirements or when controlling cloud storage spend. An alternative is to add a legal hold that overrides the retention period until specifically unlocked by an authorized user.
There is one provision regarding immutability, and that is that the data must be uncorrupted and free of malware or ransomware before being saved. If this is not the case, the data can be corrupted or encrypted when you attempt to use these files for backup recovery purposes.
5. Encryption to Prevent Theft
Even though cybercriminals can’t encrypt your immutable backups, if they access the backup data, they may be able to exfiltrate the backup data and hold you ransom in this regard.
Most cloud providers provide several mechanisms for encrypting your data. Examples include AWS Key Management Service (AWS KMS) and Microsoft Azure Key Vault. Implementation is very straightforward, especially when using default keys, however it is advisable to utilize self-managed keys for greater control.
Monitoring and Incident Response
In addition to the above procedures, it is crucial to continuously monitor your systems for signs of ransomware attacks. Also, you should have a detailed plan outlining the actions to take in the event of a ransomware attack. Essential steps include:
- Continuous monitoring. Implement threat-monitoring tools that allow you to continually monitor hybrid- and multi-cloud environments for unusual activity and abnormal network behavior that may indicate malicious activities.
- Threat detection. Install security software to detect and eliminate cybersecurity threats, including phishing, malware, ransomware and zero-day exploits. Protect against new and unknown threats using AI-enabled detection engines that block suspicious processes and activities.
- Incident response plan. Prepare a comprehensive ransomware response plan detailing specific personnel and actions to take in response to a ransomware attack, including isolation of infected systems, ransomware containment and eradication strategies.
- Automated remediation. Employ automated tools to detect and block malware and ransomware attacks by disabling and isolating infected endpoints, systems and software.
- Forensic analysis. Establish procedures for forensic analysis, such as recovering system logs and data stored in flash memories so that it is possible to determine the sequence of events and identify the type of ransomware.
An essential aspect of incident response and ransomware recovery is team training. You should thoroughly train team members on the principles and practices of effective ransomware and cybersecurity incident response.
The responsibility for data protection starts and ends with you. Although public and private clouds offer guarantees regarding data security, these relate to data loss and corruption due to a failure of part or all of their cloud data centers.
For example, AWS guarantees a certain level of data durability and availability related to their service level agreement. However, AWS is not responsible for data loss due to accidental deletions, malware and ransomware.
It is essential to determine appropriate backup policies and where and how to secure your backup data. You also need to determine the optimal network and security configurations related to your organizational needs. In this context, you should treat hybrid cloud security with the same rigor as you do for your on-premise data centers, unlike those mentioned earlier in this article.
Fortunately, you’re not alone. Veeam’s backup and recovery solutions can help you efficiently and securely manage, backup and recover your data from anywhere across the hybrid cloud.
Securing Hybrid and Multi-Cloud Backups
Robust cloud IaaS, PaaS and SaaS services across AWS, Azure, Google Cloud, Microsoft 365, Salesforce and more offer compelling alternatives to companies seeking to expand their IT services. While hybrid cloud strategies often solve many problems, they also come with challenges, with cybercriminals are becoming better at exploiting the resulting software and network vulnerabilities. Your company faces a real threat of data theft and ransomware.
The answer to this threat lies in a combination of effective ransomware prevention strategies and robust remediation policies. These include hybrid- and multi-cloud security measures, such as network segmentation, security software and robust multifactor authentication policies.
But given the almost inevitability of a successful ransomware attack, you also need a robust backup strategy. Utilizing practices like logical air-gaps, PoLP, immutability, encryption and more, an effective backup plan can help you recover from a ransomware incident with minimal downtime and reputational damage.
Learn more about secure cloud backup protection strategies and best practices in our Best Practices for Secure Cloud Backup infographic from Veeam.