Backup security considerations

Topic: Security basics

Summary

Backups contain the same sensitive data as production; protect them with access control, encryption, and integrity checks. Ensure backups are not writable by the same threat that could corrupt production. Use this when designing or auditing backup and restore.

Intent: How-to

Quick answer

  • Backups should be encrypted at rest and in transit. Use a key that is not stored only with the backup (e.g. KMS or separate vault) so a compromise of the backup store does not expose data.
  • Restrict who can read, delete, or restore backups. Use separate credentials and least privilege so the same account that runs the app cannot delete or alter backups. Audit backup and restore actions.
  • Verify backup integrity (checksums, test restores) so you know backups are usable and unchanged. Protect backup metadata and catalogs so an attacker cannot hide that a restore was run.

Prerequisites

Steps

  1. Encrypt backups

    Encrypt backup data at rest; use TLS in transit. Prefer a KMS or key separate from the backup storage so compromise of storage does not give the key. Document key management and recovery.

  2. Restrict access

    Only backup and restore roles should access backup storage. Do not grant the same credentials that run production to delete or overwrite backups. Use IAM or ACLs; audit who accessed backups.

  3. Verify integrity

    Use checksums or integrity checks; run periodic test restores so you know backups are valid. Protect backup catalogs and logs so an attacker cannot hide restore or delete activity.

  4. Plan for ransomware

    Keep offline or immutable copies so ransomware cannot encrypt backups. Have a restore runbook and test it; ensure backup credentials are not the same as production credentials, so that one compromise does not yield both.
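An added example, not from the original page, covering step 3 together with the key-separation point of step 1: a backup manifest with a SHA-256 digest per file and an HMAC over the whole catalog, keyed with a secret that is assumed to be fetched from a KMS or vault rather than stored beside the backups. Function names are hypothetical and the sample backup files are constructed in a temporary directory.

```python
import hashlib
import hmac
import json
import tempfile
from pathlib import Path

def sha256_file(path):
    """Streaming SHA-256 so large dumps are not read into memory at once."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()

def build_manifest(paths, catalog_key):
    """SHA-256 per file plus an HMAC keyed with a secret held outside backup storage."""
    entries = {Path(p).name: sha256_file(p) for p in paths}
    body = json.dumps(entries, sort_keys=True).encode()
    return {"files": entries, "hmac": hmac.new(catalog_key, body, "sha256").hexdigest()}

def verify_manifest(manifest, directory, catalog_key):
    """Return findings; an empty list means catalog and files are intact."""
    findings = []
    body = json.dumps(manifest["files"], sort_keys=True).encode()
    expected = hmac.new(catalog_key, body, "sha256").hexdigest()
    if not hmac.compare_digest(expected, manifest["hmac"]):
        findings.append("catalog: HMAC mismatch, manifest was altered or wrong key")
    for name, digest in manifest["files"].items():
        path = Path(directory, name)
        if not path.exists():
            findings.append(f"missing: {name}")
        elif sha256_file(path) != digest:
            findings.append(f"modified: {name}")
    return findings

def demo():
    """Constructed backup set: clean check, then a corrupted file, then an edited catalog."""
    key = b"constructed-demo-key"  # assumption: in practice fetched from a KMS/vault at run time
    with tempfile.TemporaryDirectory() as d:
        paths = [Path(d, "db.dump"), Path(d, "files.tar")]
        paths[0].write_bytes(b"constructed database dump")
        paths[1].write_bytes(b"constructed file archive")
        manifest = build_manifest(paths, key)
        clean = verify_manifest(manifest, d, key)
        paths[0].write_bytes(paths[0].read_bytes() + b"corruption")  # file changed after backup
        file_tampered = verify_manifest(manifest, d, key)
        manifest["files"]["db.dump"] = sha256_file(paths[0])  # catalog edited without the key
        catalog_tampered = verify_manifest(manifest, d, key)
    return clean, file_tampered, catalog_tampered
```

Because the HMAC key is not in backup storage, an attacker who can rewrite both the files and the catalog still cannot produce a manifest that verifies.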

Summary

Encrypt backups; restrict access to backup storage; verify integrity and test restores. Protect backups from the same threat that could hit production; use separate credentials and immutable or offline copies where appropriate.

Prerequisites

Steps

Step 1: Encrypt backups

Encrypt at rest and in transit. Use a key in a KMS or vault, not only with the backup store.

Step 2: Restrict access

Limit who can read, delete, or restore. Use separate roles from production; audit backup access.

Step 3: Verify integrity

Use checksums; run test restores. Protect catalogs and logs so tampering is visible.

Step 4: Plan for ransomware

Use immutable or offline copies; separate credentials; test restore and runbooks.

Verification

Backups are encrypted and access-controlled; integrity is checked and restores are tested; ransomware scenario is covered.

Troubleshooting

  • Backup key stored with the data: move the key to a KMS; rotate it and re-encrypt the backups.
  • Same credentials for production and backup: split roles and credentials so one compromise does not affect both.

Next steps

Continue to