Disk based backups are gaining a lot of momentum in backup and disaster recovery market, due to the fact that they are more secure than their tape based counterparts. In general, backup tapes are vulnerable to data spill when lost, stolen or fall off a truck. Whereas, their counterparts i.e. disk backups offer more security because they never leave the data center.
As a general rule, most enterprise data centers encrypt disks that store backups and some even invest on self-encrypting drives. But there is also more to disk-based backup protection than storage encryption.
Currently available security mechanisms protect disk-based backups depending on the storage architecture in use. In this practice, they are two main points of potential vulnerability-
- The interconnect between the backup client and backup server
- And the interconnect between the backup server and storage
Once the disk based backup appliance is encrypted, the user need not have to worry about someone stealing a disk out of the backup appliance, as it is totally encrypted and physical access to the disk is presumably controlled.
But what will happen, when a hacker intercepts the data en route to the storage or gains access to the storage array.
Therefore, all those IT admins who are concerned about data security from data breaches need to examine the communication link between the resources that are being backed-up and the backup server.
All modern day backup appliances offer encryption services to backed-up traffic. But in order to improve security for data in flight, more steps like ones specified below need to be taken
To organizations which have heavily virtualized environments, it is a good idea to create a dedicated virtual network that exists solely for the purpose of carrying backup traffic. This will improve security through isolation because backup traffic will never traverse the same virtual network segment as general user traffic.
The user or the IT admin also needs to protect their backup server with the help of Firewall. By doing so, one can ensure that only specific devices communicate with the backup server.
Also, storage connectivity can also prove as a potential vulnerability, although the risks vary widely depending on the types of storage connectivity used. For example, if the backup server uses a NAS or a FC/Ethernet SAN, the user might consider using an isolated Ethernet segment to connect the backup server to the backup target. Also, the storage admin needs to review the permissions that have been assigned to the storage target, to ensure only authorized users are allowed reading and writing data. If the environment involves more than one backup admin, then the overall focus should stay on the fact that no single person has excessive data access permissions.
If a backup server uses a SAN as a backup target, then the SAN’s architectural design may also present security vulnerabilities. To see why this is the case, think about how an IP network is constructed.
Traditionally, an IP network is often divided into several different security domains. There is typically a demilitarized zone, a private network and perhaps a security domain used for a back-end database server. Each of these domains is logically isolated from one another.
The problem with this isolation is that any or all of the security domains on your IP network could potentially tie into a SAN. This may not initially be considered to be a risk if the SAN is based on Fibre Channel storage. However, if a hacker thinks to launch an attack against your IP network and take control of a server connected to the SAN, that compromised server could be used to launch an attack against the SAN. Thus, a safe way to overcome this trouble is to physically isolate the backup storage and to use a dedicated array and dedicated connectivity to the backup server.
Finally, disk based backups are not subjected to the same security risks as their tape based backup counterparts. In most cases of disk based backup environments, it is often the storage architecture and the corresponding permissions that present a risk, as opposed to the media/tactics itself
StoneFly, a wholly owned subsidiary of Dynamic Network Factory offers backup and Disaster recovery appliances free from all these security vulnerabilities and concerns.
All its backup products are being offered with SSL-encrypted data transmissions over the network and are also enabled with 256-bit AES encryption for backed up data.
So, the user data is safe and secure in StoneFly disk based backup appliances.
To know more technicalities call 510.265.1616 or click on StoneFly disk based backup appliance web page.