    Wednesday, May 12, 2010

    Online Backups: Evaluate the Risk

    The SANS reading room recently published an article entitled: Online Backup: Worth the Risk?

    Of course I wanted to know what folks at SANS had to say about online backups. The synopsis of this article is that there are many laws and regulatory bodies governing data security and if a business is to trust another organization with sensitive data, how can you ensure that the other organization (the online backup provider) is meeting all of these requirements?

    This is one of the big questions that businesses are dealing with as they evaluate whether to make the leap into "cloud computing". One problem is that cloud computing is such a nebulous term. If we can't define what it means, then how do we speak intelligently about it? For the purposes of this article, I will use the more specific term "cloud storage" and define it as "storing data on a medium owned by a provider and connecting to the provider over the Internet". That's really the essence of what online backup is.

    The article enumerates many of the regulations that data security may fall under and asks the question of how to ensure that your "cloud storage" provider meets these regulations. I'm going to take it one step further and ask "how do you ensure that your cloud storage provider has the same or better security controls in place that you do?" It is understandable to simply concern yourself with regulation, because that's what the auditors will nail you on. But when you get right down to it, you really want to make sure that your data is "safe" and that you won't be reading on the Internet one day how your provider got hacked and your data is now in the hands of the bad guys, because that means lawsuits and lost revenue.

    The clear answer to these valid questions is transparency. We have been trained to think of the cloud as some black box in the sky that no one is allowed visibility into. Where is Amazon keeping your data? What controls do they have around it? Are they monitoring their network for intruders? You don't know because it's just out there in the cloud. These are the questions that we at Data Knoxx tackled when we designed our service offering. How are businesses and consumers going to trust us with their data?

    Moving forward, let's address the questions brought up in the article specifically:

    Where does the online provider store the data?
    150ft underground in Lenexa, Kansas. Come tour the facility if you like.

    Which Jurisdiction Controls Stored Data at the CSP?
    The United States Government and the State of Kansas

    What security controls are in place at the online backup provider?
    Physical Access Control - Perimeter secured by 150ft of limestone, manually verified sign-in process with biometric suite-level access controls.
    Network Design - VLAN-based access controlled by Cisco hardware devices. Principle of least-privilege used when configuring network devices.
    Server Configuration - Servers using hardened Linux kernels, host-based intrusion detection on all servers configured to notify operators of unexpected system changes or network traffic, change management policies in force, principles of least-privilege.
    Monitoring - All systems monitored using local and remote monitors
    Vulnerability Scanning - Internal and External vulnerability scans executed on a determined schedule; findings addressed immediately
    Secure Protocols - only secure protocols and authentication in use for all systems

    What encryption is used?
    The user has a choice of encryption algorithms. We recommend using AES-256.

    Who has access to the Recovery Key?
    Only the user. Recovery key must be entered whether restoring from the web or the backup client. All restores are logged and auditable.

    Is everything needed for recovery available?
    This is dependent on how the user sets up the backup plans. Data Knoxx is available to assist with backup and recovery planning.

    Is there sufficient bandwidth?
    This is also dependent on the backup plan and the client should consider this when designing their plan. Again, Data Knoxx is available to assist.

    How is Recovery Access Controlled?
    Recovery is controlled by the user-defined key. This key must be stored in a secure location that is available in the event of disaster (i.e. don't store it on the server that's being backed up).

    Is CSP Compliant with Regulatory Frameworks?
    Data Knoxx is compliant with requirements outlined in HIPAA (the author spells this wrong) and SOX. If additional compliance is required, we will certainly work with clients to ensure that compliance is met and will work with the auditors to complete a successful audit.

    Does the Provider have a Liability Agreement?
    These agreements can be agreed upon at the time of signing (hence the term 'agreement').

    Does the Provider have a Service Level Agreement?
    Rather than having a boiler-plate SLA, Data Knoxx prefers to negotiate a mutually-agreeable SLA with any client that requires one. Our SLA to this point: we have never missed a backup because our servers were unavailable.

    Conclusion
    While many may read the article and come away thinking that it raises many questions about whether online backups are safe or not, it reassures us at Data Knoxx that our business plan was the correct one: be open and transparent about our systems and our security.

    I encourage all businesses to ask these hard questions of their online backup provider. After all, it's your data and without it, you're not in business.

    Wednesday, March 31, 2010

    Security Week

    Last week was a bit of a "security week" for me. I attended "SANS546 Detecting Hackers for System Administrators", listened in on the SANS webcast on the Advanced Persistent Threat (APT), and started work on my GSEC certification.

    A few notes to start out with: I highly recommend the SANS546 course for any Systems Administrator, Network Administrator, IT Manager, or anyone else that needs to know details on how to maintain security in a network. This course gets beyond the basics of setting up a firewall, making sure your systems are patched, and installing virus scanning. It demonstrates first hand why you have to go beyond these basic steps and gets into Defense in Depth, host-based and network-based IDS, network sniffing, baselining, and detecting malware. The best thing I took away from this course: You can't identify the bad stuff if you don't know what the good stuff looks like.

    Second, the webcast on the Advanced Persistent Threat scared the bejesus out of me. For those not familiar with the APT, it is essentially a well-coordinated, continuous effort by professional crackers located in China to break into government and corporate networks in the US. These people are VERY GOOD at what they do! My biggest take-away from this webcast: Treat your network like a garden instead of a fortress. You can't just put up the walls and assume the bad guys will stay out. You need to be continuously looking for the weeds in your garden and removing them promptly.

    The two take-aways above are so important because no matter how strong your fortress is, a persistent and knowledgeable "bad guy" will get in. Consider this scenario: through reconnaissance, I determine that your CFO likes to play Farmville on Facebook (cringe). So I send him an email "from Facebook" saying that he has qualified for 500 free points and all he has to do is watch a video. A link is included, which actually goes to my malicious site. When he clicks on the video, a popup comes up saying "You must install this codec to watch the video". He clicks it and my malicious program is installed.

    The malicious program is custom-built, so no AV signatures exist for it yet (i.e. Anti-Virus doesn't have a chance of recognizing it). My program now starts collecting the CFO's email messages and sending them off to my server. No firewall will block this because outbound traffic, especially web traffic, is generally allowed.

    The only way of catching this program is to "know the good stuff" so that your IDS or log reviews will catch the bad process, files, or network traffic. Even then, it's very hard. So you have to be diligent. Is one workstation connecting out to other workstations? That's not normal.
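
One way to turn "know the good stuff" into a log review, as an added example that is not part of the original post: it builds a baseline of flows from a known-clean period and reports today's flows that depart from it, including workstation-to-workstation traffic. The subnet, addresses, log format and function names are all constructed for illustration.

```python
import ipaddress

# Assumption: workstations sit in their own subnet (hypothetical addressing).
WORKSTATIONS = ipaddress.ip_network("10.20.0.0/24")

# Constructed flow records: timestamp, source, destination, destination port.
BASELINE_LOG = """\
2010-03-22T09:01 10.20.0.11 10.10.0.5 445
2010-03-22T09:02 10.20.0.15 10.10.0.5 445
2010-03-22T09:05 10.20.0.15 10.10.0.25 25
2010-03-22T09:09 10.20.0.15 198.51.100.7 443
"""
TODAY_LOG = """\
2010-03-29T09:03 10.20.0.11 10.10.0.5 445
2010-03-29T09:04 10.20.0.15 198.51.100.7 443
2010-03-29T09:30 10.20.0.15 203.0.113.50 80
2010-03-29T09:31 10.20.0.15 203.0.113.50 80
2010-03-29T10:12 10.20.0.15 10.20.0.11 445
"""

def parse_flows(text):
    """Parse whitespace-separated flow lines, skipping malformed ones."""
    flows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        ts, src, dst, port = parts
        flows.append((ts, ipaddress.ip_address(src),
                      ipaddress.ip_address(dst), int(port)))
    return flows

def build_baseline(flows):
    """The 'good stuff': every (src, dst, port) seen in a known-clean period."""
    return {(src, dst, port) for _, src, dst, port in flows}

def review(flows, baseline):
    """Return one finding per distinct flow that departs from the baseline."""
    findings, seen = [], set()
    for ts, src, dst, port in flows:
        key = (src, dst, port)
        if key in seen:
            continue
        seen.add(key)
        if src in WORKSTATIONS and dst in WORKSTATIONS:
            findings.append((ts, str(src), str(dst), port, "workstation-to-workstation"))
        elif key not in baseline:
            findings.append((ts, str(src), str(dst), port, "not in baseline"))
    return findings
```

Calling `review(parse_flows(TODAY_LOG), build_baseline(parse_flows(BASELINE_LOG)))` reports the new outbound web destination and the workstation-to-workstation connection; the baseline is only as good as the period it was captured in.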

    Now I know what you're thinking: Just train your users not to click on stupid stuff.

    Doesn't work. Yes, you should include security awareness training as part of your security plan, but it's not sufficient. People will click on stupid stuff.

    I will definitely be increasing the intrusion detection capabilities of Data Knoxx as a result of my Security Week.

    I would be very interested to hear people's response to these points and discuss them further. Feel free to comment or email me directly.