The key to data integrity is reliability and trust at all times. Backups are a vital part of data and application recoverability and must always be secure.
Encryption is essential to data protection, and backups are no exception. Data backup encryption adds another layer of protection from major threats, including “unauthorized access, exfiltration and unauthorized data restores,” said Christophe Bertrand, a practice director at TechTarget’s Enterprise Strategy Group (ESG).
“Encrypting backups can aid in regulatory compliance and protect an organization from criminal activity. Many regulations discuss encryption in a broad sense, and the rule of thumb should really be that this applies to backups as well,” Bertrand said. “As data is backed up from point A to point B, encrypting the data in flight is highly recommended so that it can’t be intercepted.”
Encryption in transit vs. encryption at rest
Encryption in transit involves encrypting data that is moving across the network, said Jack Poller, a senior analyst at ESG. Any web transaction using Secure Sockets Layer/Transport Layer Security, or SSL/TLS — such as HTTPS — is encrypted in transit. This protects the data from an attacker who can see data moving across the network, for example, via a Wi-Fi connection.
Encryption at rest involves encrypting data that is stored on disk or in the backup system. This protects the data if an attacker has access to the data storage system. While some backup applications create backup files in a proprietary format, additional protection is necessary to keep potential attackers from easily accessing and reading these files or repositories.
Protect backups from exfiltration and other attacks
If data backups are not encrypted, an attacker could gain access to the backup system and exfiltrate backup data, Poller said.
“This is a typical method of operation of ransomware actors who double dip by both preventing the organization from accessing their own data and holding exfiltrated data hostage. [It requires] a separate payment to prevent the public exposure of the data,” he said.
If data is encrypted, only individuals who hold the keys can make sense of the data. Exfiltrated backup data that is encrypted has no value to cybercriminals because malicious actors and the public can’t read the data, Poller said.
This is a last layer of defense, protecting the organization in the worst case, and is part of a defense-in-depth strategy.
Mind the data regulations
In general, most data security and data privacy regulations apply to backup data, just as they apply to any other data sets. Organizations must encrypt any sensitive or regulated information to ensure that data is protected in case of exfiltration or inadvertent public exposure.
Specific regulations that apply to backup data include the following:
- Typical data privacy regulations, such as GDPR, CCPA and HIPAA, which seek to protect personally identifiable information and personal health information.
- Financial regulations including SOC 2 and others that protect financial and payment information.
- Cybersecurity and insurance regulations, such as the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA.
When it comes to hardening your cyber-resilience overall, there are no downsides, Bertrand said. Still, there might be tradeoffs. Encryption is computationally expensive, and it affects the time and possibly the cost of the backup and recovery process, he noted.
“In some cases, backup encryption can incur performance penalties, but modern solutions handle security by design in general, including encryption, at scale,” Bertrand said.
In addition, encryption alone is not enough to protect data: the keys themselves must be managed, and organizations must manage multiple encryption keys rather than relying on a single one.
“It’s not sufficient to protect all data in the organization with one key — if an attacker gets access to the key, they get access to all data,” Bertrand said. “The same for backups: Get access to the key, get access to all data in the backup data set. Therefore, organizations need to have separate keys for divisible, distinct chunks of data — including distinct chunks of backup data.”