Because data security can be a very confusing topic, I’ll approach this discussion in three pragmatic ways:
- How secure are cloud backups against various forms of attack?
- How does this level of security compare with other popular forms of on-premise backups – swapping USB or RDX disks, and on-premise NAS backups.
- How should a typical SMB choose between the different options?
- BackupAssist provides in-built security mechanisms (known as authenticated encryption) that preserve the privacy and integrity of cloud backup data, and cloud providers will provide multi-factor authentication to secure access to the storage account. Read more about the security of cloud backups.
- The authenticated encryption used in BackupAssist addresses requirements laid out by data handling regulations such as GDPR and HIPAA.
- We rate cloud offsite backups as secure as or better than swapping USB or RDX disks in a typical SMB setting. Both systems have pros and cons. Our comparison between cloud and hard disk backup security.
- Choosing whether to use the cloud, or swapping hard disks, can be a simple decision based on 2 questions – volume of data and reliability of Internet connection. See our recommendations.
We also stress that no security mechanism is infallible – just look at state sponsored or military level hacking attacks against classified government systems.
Your goal as an SMB is to be secure enough so that you can withstand and be resilient to all risks that you’re likely to face – including ransomware and hacking. In this article, we talk about security in this practical sense – not the extreme cases of hundreds of hackers attacking your business over months or years.
How secure is my backup data in the cloud?
In a practical sense, the benefit of having a cloud backup far outweighs the very slim chance of the data being compromised and misused. There are several layers of security provided by BackupAssist backup products and the cloud provider that make the overall security of cloud backups as good as traditional on-premise backups.
Let’s delve into it.
What is data security?
Security is a broad term that can be debated and analyzed in many ways. For the average SMB, we can define it as:
|Is my data going to be there when I need it?||Availability|
|Will my data be private from everyone else?||Confidentiality|
|Can my data be sabotaged?||Integrity|
The BackupAssist backup system comprises two parts – the backup software, and the cloud storage provider.
Security provided by BackupAssist
BackupAssist uses encryption, integrity checking and cryptographic hashes to protect your backup data. This mitigates against attacks even if your cloud storage account is breached.
|Mitigated Event||Is it secure?||As long as…|
|Data theft & leakage||Yes, even if your cloud storage is breached. It is impractical for the cloud provider or an attacker to read your data.||… you keep your encryption password private.|
|Malware injection into backups||Yes. Impractical for attacker to inject malware into your system images.||… you keep your encryption password private.|
|Data tampering||Yes. Impractical for an attacker to alter data without detection.||… you keep your encryption password private.|
If you keep your encryption password private and strong, it will be impractical (i.e. impossible in every practical sense) for a cloud provider or an attacker to breach your data. Even if an attacker had every computer in the world trying to brute force the encryption, it would take thousands or millions of years.
Therefore, it is vitally important to keep your encryption password private; a breached password will make the entire security system ineffective.
Encryption is also a key method of satisfying regulations that govern data handling and security. For example, GDPR Article 32 states that “Personal data must be secured to a level appropriate to the risk, by technical and organisational measures including pseudonymisation and encryption…”
Similarly, HIPAA regulations call for encryption of protected health information (PHI). The security mechanisms implemented in BackupAssist products enable you to comply with these laws.
Security provided by your cloud provider
|Aspect||Is it secure?||As long as…|
|Account hijack||Yes. Authentication systems have improved dramatically to prevent unauthorized parties accessing your account.||… you keep your cloud credentials private and use multi-factor authentication, and use a separate account just for backup.|
|Accidental loss of data||Yes. The cloud provider will use redundant hardware and perform backups to achieve its durability SLAs.||… the cloud provider meets its SLA, and you pay your bills on time so the cloud provider doesn’t delete your account.|
If possible, for better security of your cloud backup, we recommend that your backup data is stored in a separate storage account to your normal operational accounts.
For example, if you host a website in the AWS cloud, and you wish to store your backup data in AWS S3, you’ll get better security by signing up for two separate accounts instead of using just one. Your web developers or devops engineers (often outsourced) will generally have administrative “root level” access to your AWS account, and can make catastrophic mistakes in configuration. By having two completely separate accounts, any mistakes made by your web developers in your operational account won’t affect the security of your cloud backup, because it’s in a completely separate account.
Cloud backup security compared to traditional on-premise backup security
In our opinion, cloud backups are:
- as secure as swapping out hard disks, and
- more secure than on-premise NAS backups.
How do we reach this conclusion?
In a practical sense, overall security is a matter of effectiveness, combining how secure a mechanism is, together with how likely it is to be used properly.
Let’s consider the top 3 options that SMBs have when setting up backups of their systems.
- Cloud backups – either with BackupAssist ER (full system) or BackupAssist Classic (files)
- USB or RDX Hard Drive backups – swapping out disks based on a rotation schedule, to give calendar based history: daily / weekly / monthly, etc.
- NAS backups – where the NAS is usually on the LAN and used to store backups via a network share.
|Type of backup||Strengths||Weaknesses||Comments|
|=1st||Cloud offsite backups||
||Cyber takeover is unlikely if best practices are followed.|
|=1st||Swapping hard disks||
||Offers the only 100% guarantee against online cyber threats.|
|3rd||On-premise NAS backups||
||Can be strengthened by NAS to NAS replication.|
Let’s break down how each option performs in three major risk scenarios.
Risk of cyber takeover – a hacker overtakes your network and gains privileged (administrator) access.
- Cloud offsite – good protection, as the cloud backup is accessed via a different protocol to your local backups, and therefore not vulnerable to conventional SMB-based attacks. Ransomware won’t be able to attack the cloud backup as it doesn’t speak the “same language”. There is a possibility that the attacker can tamper with the backup software, and we are currently improving our mitigations against this.
- Swapping hard disks – excellent protection, as a hard disk that is offline and disconnected from any computer is the only way to guarantee it cannot be hacked. Note: you should never reconnect a backup hard drive to a machine that may have ransomware on it.
- On-premise NAS backups – mediocre to fair protection, depending on the version and security configuration of the network share or NAS device. Older versions of the SMB protocol suffered from eavesdropping attacks on SMB traffic and NTLM authentication, enabling brute force attacks to eventually unlock access to the backups on NAS devices.
Risk of human error
- Cloud offsite – excellent protection, as human action is not required for the system to work.
- Swapping hard disks – mediocre protection, as human errors compromise the backup scheme, meaning recovery points and offsite protection will be less than ideal. This can occur if:
- the disk is not swapped out
- the wrong disk is connected
- the disk is not taken offsite
- the disk is misplaced or lost.
- On-premise NAS backups – excellent protection, as human action is not required. However, the administrator must configure the security of the NAS well.
Risk of destruction of premises
- Cloud offsite – excellent protection – there is no geographical limit to where you can store your backups, so it’s easy to choose a location in a different city or region.
- Swapping hard disks – very good protection, as an offsite hard disk will protect against the hard drive being destroyed by fire or natural disaster. However, large scale natural disasters such as earthquakes and tsunamis may also destroy the backup disks, so the protection is not infallible.
- On-premise NAS backups – poor protection, as the NAS is likely to be destroyed along with your server.
As you can see in this summary table, each storage location has its strengths and weaknesses.
|Cloud backup||USB/RDX disk backup||On-premise NAS backup|
|Cyber takeover||Very good||Excellent||Mediocre to fair|
|Physical destruction||Excellent||Very good||Poor|
From the table, you can draw your own conclusions. Our own view is that cloud backups are as secure as USB/RDX disk backups, and we perform a combination of both in our data backup strategy.
How do you choose?
For the majority of SMBs, the decision doesn’t have to be hard. Here are two questions we recommend considering:
- How much data do you have?
- What’s more reliable – your Internet connection, or human process?
|I have less than 2TB of data||I have more than 2TB of data|
|Internet connection is more reliable||Cloud offsite backups – practical and reliable.||Cloud backups are a great supplement to on-premise backups.|
|Human process is more reliable||Swapping hard disks because it’s more reliable.||Swapping hard disks is more practical for large volumes of data.|
When it comes to backups, as long as you can maintain the privacy of the data (which can be achieved with the security mechanisms mentioned above), the more backups you have, the better.
We believe the choice shouldn’t be between “A” or “B”, but instead, how can I have “A and B”. That’s why:
- BackupAssist ER allows you to perform disk-to-disk-to-cloud backups, so you have system backups on-premise and in the cloud.
- BackupAssist Classic with the Cloud Offsite add-on allows you to have on-premise system backups, and file backups in the cloud.
Achieving excellent data security is a moving target, as technologies evolve and cyber threats emerge.
We’re continually researching and working on enhancements to data security. Stay tuned for news about this topic!
If you have any questions, feel free to contact our Client Success team, and we’ll be happy to chat.