Data Protection Best Practice: Encrypting Backups

Today I want to talk about backups, and the importance of encrypting them, everywhere. When people think of encrypted backups, the usual first thoughts are around portable backups such as tape and USB or backups outside of your trust domain such as cloud storage.

This is a great starting point, and if you’re not currently encrypting these I urge you to do so as these are normally your highest risk backups. But here’s a an emerging scenario to consider.

Security is a constant battle of escalations, attempting to out-do the efforts of each other. Whilst we’re seeing an industry reacting to ransomware threats with immutability, these malicious actors have also moved on from just encrypting your data. Now these bad actors are attempting to steal your data and extort a ransom to prevent leaking the data.

Scary stuff right? It’s for this reason and more that backups are being targeted for data exfiltration. Consider the positives a good backup meets.

Storage and Bandwidth Efficiency

Now malicious actors are after copies of our data, wouldn’t it make their life so much easier if a copy of all the victim’s data was compressed and deduplicated to ensure they could retrieve the data as fast as possible… oh wait, that’s our backups!

To ensure we can retain more data, we actively attempt to make it consume the minimal required space, but this makes our backup data a better target for malicious actors as they are able to:

  • Send the backup over a lower throughput connection faster
  • More easily ingest a copy of the victim’s data
  • Have a higher chance of avoiding triggering any monitoring alerts

Application Aware Processing

Sometimes the victim’s data isn’t structured as traditional files on a share but stored within databases. If ransomware encrypted the production database and logs, can we be sure they’ll actually recover? If the criminals were competent in your database technology they could trigger a manual backup but that’s more likely to draw attention.

A properly configured backup job will have already interacted with the necessary applications to ensure the data is recoverable, bypassing all of the complications above. This means a backed up database with application aware processing enabled is more likely to give a good set of data to share during extortion, allowing the bad actors to interrogate the database and find sensitive information.

Server Configurations

Important during a reconnaissance phase of an attack is gaining as much information as possible about the environment. If a backup has been extracted and egressed to a remote location, it would be possible to run an isolated copy of every workload protected by the backup. This enables the exploration of attack vectors without triggering any security systems of the victim and potentially even allowing for partial or full automation of a cyber attack in the production environment, hitting all security weak points in rapid succession or in parallel to cripple the victim completely.

What if I use data encryption at rest on my backup repository?

Encrypting the data at rest in this manner will protect against the physical theft of the storage or if someone managed to compromise a system’s remote management platform such as iDRAC or iLO and booted a different platform via an ISO, as they wouldn’t necessarily have the key to read the data (though such a foothold would make this be easier to circumvent).

However whilst your repository is online during a “business as usual” scenario, the data needs to be readable by Veeam, which therefore means anyone else with the appropriate security permissions to access the repository can also by extension, access the data, without needing the decryption keys for the any data encrypted at rest.

Before you enable Backup Encryption on all of your backup jobs, read this.

If you’ve already got backup jobs configured without encryption enabled, you should know that by enabling encryption, your next backup will be a full backup and this could increase your storage requirements considerably, especially if you rely on reverse incremental to avoid storing multiple backup chains.

If you rely on ReFS/XFS based fast clone this still applies, as the blocks can’t be shared due to them not being identical anymore, due to one version of the block being encrypted and one version unencrypted. After your first encrypted backup you’ll be able to leverage this technology for subsequent backups however.

Lastly should you leverage data duplication storage repositories from Veeam’s partners or even Microsoft’s built in Data Duplication service within Windows Server, Veeam will encrypt the data before it is made visible to the storage appliance during the write operation, this will negatively impact deduplication. You can find an example of Veeam explicitly stating this here under the encryption subheading.

Instead encryption can still be achieved to protect against physical storage theft by enabling native encryption at rest on supported devices directly. Extra care should then be given to minimize allowed connectivity to these devices to prevent data theft due to the previously highlighted concerns around relying solely on encryption at rest.

Different vendors will have varying feature support within their deduplicating storage devices so be sure to validate that data encryption is a supported scenario for your device first.

Image by Mati Mango

By micoolpaul

Technical Consultant at Nexus Open Systems. Focusing on Veeam, VMware & Microsoft Productivity and Infrastructure stacks.

Leave a comment

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Google photo

You are commenting using your Google account. Log Out /  Change )

Twitter picture

You are commenting using your Twitter account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s