BCR-08 Backup
Summary
Periodically backing up data stored in the cloud is critical to ensure business continuity and operational resilience. Backups must be implemented in a way that protects the confidentiality, integrity and availability of the data. Regular testing is required to verify that data can be successfully restored from backups when needed.
Where did this come from?
This control comes from the CSA Cloud Controls Matrix v4.0.10 released on 2023-09-26. The CCM provides a controls framework for cloud computing and is considered a de facto standard for cloud security and privacy. The full CCM can be downloaded from https://cloudsecurityalliance.org/artifacts/cloud-controls-matrix-v4
Additional reference material on data backup in the cloud includes:
Who should care?
This control is relevant to:
- Cloud architects designing resilient systems
- Cloud operations teams responsible for ensuring data durability
- Compliance managers needing to meet data retention obligations
- Business continuity managers planning for disaster recovery
- Application owners with critical data stored in the cloud
What is the risk?
Without proper backups, data loss events could have severe consequences:
- Accidental deletion, corruption or overwrite of critical data
- Malicious destruction of data by threat actors (ransomware)
- Loss of data access due to misconfiguration or account issues
- Physical loss of data centers due to disaster or infrastructure failure
The extent and impact depend on factors such as the amount and sensitivity of the data, backup frequency, retention periods and the immutability of the backups. In a worst-case scenario, a lack of usable backups could put a company out of business.
What's the care factor?
For most cloud use cases, backup is a fundamental control that enables recovery from data loss incidents. The effort required to implement appropriate backups is generally a worthwhile investment compared to the alternative.
However, the priority and required level of rigor depends on the criticality and sensitivity of the data. Compliance requirements may also dictate certain standards. A careful risk assessment should be done to determine the right balance.
When is it relevant?
Backups are relevant for any data stored in the cloud that has value to the business and needs to be preserved. This includes:
- Databases
- File stores
- Application configuration data
- Machine images
- Audit logs
Ephemeral data like message queues or streaming data may not require long-term backups. Read-only/immutable data stores are inherently more resilient. Backup may also be less important in dev/test environments.
What are the trade-offs?
Backup comes with some costs and considerations:
- Storage costs for backup data which can become significant at scale
- Compute costs for running backup processes
- Network bandwidth costs for transferring backup data
- Increased attack surface from backup systems and credentials
- Complexity in backup architecture to cover all required data sources
- Increased recovery time if backups are stored in "cold" storage tiers
How to make it happen?
- Discovery - Identify and classify all data assets requiring backup
- Requirements - Determine RPO, RTO, retention periods, immutability needs
- Design - Select appropriate backup destinations, topologies, schedule
- Access Control - Configure RBAC permissions for least-privilege backup access
- Implement - Deploy backup agents/processes and configure jobs
- Monitor - Track backup metrics and alert on failures or anomalies
- Test - Regularly perform test restores to verify backup integrity
- Secure - Ensure encryption of data in-transit and at-rest, monitor for exposure
- Lifecycle - Set up appropriate retention policies and deletion workflows
- Document - Record backup procedures, schedules, escalation paths
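The Requirements, Implement, Monitor, Test and Lifecycle steps above can be exercised against a backup catalog. The following is an added example, not code from the CCM or any cloud vendor: the catalog, the blob store and the clock are constructed in memory so it runs offline, and the digest and lock fields stand in for what an object-lock capable store would record.

```python
"""Added example: backup catalog checks covering RPO monitoring, restore
integrity testing and retention with immutability locks. Not from the CCM or
any vendor; the catalog, blob store and clock are constructed in memory so it
runs offline."""
import hashlib
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed "current time"


@dataclass
class BackupRecord:
    backup_id: str
    taken_at: datetime    # snapshot time (UTC)
    sha256: str           # digest recorded when the backup was written
    lock_until: datetime  # immutability lock expiry (object-lock style)


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def write_backup(store: dict, backup_id: str, payload: bytes,
                 taken_at: datetime, lock_days: int) -> BackupRecord:
    """Implement step: store the blob, record its digest and set the lock."""
    store[backup_id] = payload
    return BackupRecord(backup_id, taken_at, sha256_hex(payload),
                        taken_at + timedelta(days=lock_days))


def verify_restore(record: BackupRecord, restored: bytes) -> bool:
    """Test step: a restore is trusted only if the bytes hash to the recorded digest."""
    return sha256_hex(restored) == record.sha256


def rpo_breached(records, now: datetime, rpo: timedelta) -> bool:
    """Monitor step: breached when no backup exists or the newest is older than the RPO."""
    if not records:
        return True
    return now - max(r.taken_at for r in records) > rpo


def prune(records, now: datetime, retention: timedelta):
    """Lifecycle step: delete backups past retention, but never while the lock
    still holds, so a stolen backup credential cannot purge locked copies."""
    kept, deleted = [], []
    for r in records:
        if now - r.taken_at > retention and r.lock_until <= now:
            deleted.append(r.backup_id)
        else:
            kept.append(r)
    return kept, deleted


def run_checks(now: datetime = NOW) -> dict:
    """Constructed catalog: four database dumps of different ages, one of which
    is silently corrupted in storage after it was written."""
    store = {}
    records = [
        write_backup(store, "db-20240531T23", b"dump v4", now - timedelta(hours=1), 7),
        write_backup(store, "db-20240522", b"dump v3", now - timedelta(days=10), 7),
        write_backup(store, "db-20240422", b"dump v2", now - timedelta(days=40), 45),  # long lock (legal hold)
        write_backup(store, "db-20240402", b"dump v1", now - timedelta(days=60), 7),
    ]
    store["db-20240522"] = b"dump v3 corrupted"  # simulated bit rot or tampering
    integrity = {r.backup_id: verify_restore(r, store[r.backup_id]) for r in records}
    kept, deleted = prune(records, now, retention=timedelta(days=30))
    return {
        "rpo_24h_breached": rpo_breached(records, now, timedelta(hours=24)),
        "rpo_30m_breached": rpo_breached(records, now, timedelta(minutes=30)),
        "integrity": integrity,
        "deleted": deleted,
        "kept": [r.backup_id for r in kept],
    }


if __name__ == "__main__":
    for key, value in run_checks().items():
        print(f"{key}: {value}")
```

Two design points worth noting: the integrity check recomputes the digest over the restored bytes rather than trusting the catalog entry, which is how the corrupted 2024-05-22 dump is caught; and `prune` keeps the 40-day-old dump despite the 30-day retention because its lock has not expired, which is the property that protects backups from deletion by a compromised backup credential.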
What are some gotchas?
- Backup requires specific IAM permissions like s3:PutObject, ec2:CreateSnapshot etc.
- Backup credentials are high value targets, ensure careful handling
- Large volumes of data may require significant time to backup, consider incremental approaches
- Not all cloud services have native backup capabilities, third-party tooling may be required
- Cross-region and cross-account backups add complexity but improve resilience
- RTO is impacted by restore procedures, test and optimize
- Compliance regulations may require specific handling of regulated data in backups
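The first two gotchas (the IAM permissions a backup identity needs, and the value of its credentials to an attacker) meet in policy review: a backup-writer identity should be able to create copies but not delete, unlock or expire them. The following is an added example, not from the CCM or AWS, of a small check for that property. The two policies are constructed; the action names are real IAM actions, but the matching is a simplification that ignores explicit Deny statements and condition keys.

```python
"""Added example: a review check for a backup-writer IAM policy. Not from the
CCM or AWS; the two policies below are constructed. Action names are real IAM
actions; the matching is a simplification (explicit Deny statements and
condition keys are ignored)."""
import fnmatch

# Actions a backup *writer* identity should never hold: with any of these a
# stolen backup credential can delete, unlock or expire the copies it writes.
DESTRUCTIVE_ACTIONS = {
    "s3:DeleteObject", "s3:DeleteObjectVersion", "s3:DeleteBucket",
    "s3:PutBucketVersioning", "s3:PutLifecycleConfiguration",
    "s3:PutObjectRetention", "s3:BypassGovernanceRetention",
    "ec2:DeleteSnapshot",
}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(policy: dict):
    """Yield (action_pattern, resource) for every Allow statement."""
    for statement in _as_list(policy["Statement"]):
        if statement.get("Effect") != "Allow":
            continue
        for action in _as_list(statement.get("Action", [])):
            for resource in _as_list(statement.get("Resource", [])):
                yield action, resource


def review_writer_policy(policy: dict) -> list:
    """Return one finding per over-broad or destructive grant (empty = pass)."""
    findings = []
    for pattern, resource in allowed_actions(policy):
        if "*" in pattern:
            findings.append(f"wildcard action {pattern!r} on {resource!r}")
        # IAM matches action names case-insensitively, so compare lower-cased.
        hits = sorted(a for a in DESTRUCTIVE_ACTIONS
                      if fnmatch.fnmatchcase(a.lower(), pattern.lower()))
        if hits:
            findings.append(
                f"{pattern!r} on {resource!r} grants destructive actions: {', '.join(hits)}")
    return findings


# Constructed: the writer may create objects and snapshots, nothing else.
LEAST_PRIVILEGE_WRITER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": ["s3:PutObject"],
         "Resource": "arn:aws:s3:::example-backups/*"},
        {"Effect": "Allow", "Action": ["ec2:CreateSnapshot", "ec2:DescribeSnapshots"],
         "Resource": "*"},
    ],
}

# Constructed: the "just give it S3" policy, under which a compromised backup
# agent can also remove the backups it produced.
OVERBROAD_WRITER = {
    "Version": "2012-10-17",
    "Statement": [
        {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
        {"Effect": "Allow", "Action": ["ec2:CreateSnapshot", "ec2:DeleteSnapshot"],
         "Resource": "*"},
    ],
}

if __name__ == "__main__":
    for name, policy in (("least-privilege", LEAST_PRIVILEGE_WRITER),
                         ("over-broad", OVERBROAD_WRITER)):
        print(name, review_writer_policy(policy) or "OK")
```

Deletion and lifecycle changes belong to a separate, more tightly controlled identity (or to the store's own retention rules), so that compromising the agent that writes backups does not also compromise the ability to remove them.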
What are the alternatives?
- Synchronous replication to multiple AZs/regions for hot standby
- Storage services with built-in redundancy and versioning (e.g. S3)
- Chaos engineering to build resilient, self-healing architecture
- Reliance on SaaS vendor's backups (potentially high risk)
Explore further