Part of:How to safeguard data backups against ransomware
Encryption is a powerful tool to keep sensitive data out of the wrong hands. To ensure recoverability after a disruption, data backup encryption is vital.
The key to data integrity is reliability and trust at all times. Backups are a vital part of data and application recoverability and must always be secure.
Encryption is essential to data protection, and backups are no exception. Data backup encryption adds another layer of protection from major threats, including "unauthorized access, exfiltration and unauthorized data restores," said Christophe Bertrand, a practice director at TechTarget's Enterprise Strategy Group (ESG).
"Encrypting backups can aid in regulatory compliance and protect an organization from criminal activity. Many regulations discuss encryption in a broad sense, and the rule of thumb should really be that this applies to backups as well," Bertrand said. "As data is backed up from point A to point B, encrypting the data in flight is highly recommended so that it can't be intercepted."
Encryption in transit vs. encryption at rest
Encryption in transit involves encrypting data that is moving across the network, said Jack Poller, a senior analyst at ESG. Any web transaction using Secure Sockets Layer/Transport Layer Security, or SSL/TLS -- such as HTTPS -- is encrypted in transit. This protects the data from an attacker that can see data moving across the network, for example, via a Wi-Fi connection.
Encryption at rest involves encrypting data that is stored on disk or in the backup system. This protects the data if an attacker has access to the data storage system. While some backup applications create backup files in a proprietary format, additional protection is necessary to keep potential attackers from easily accessing and reading these files or repositories.
Protect backups from exfiltration and other attacks
If data backups are not encrypted, an attacker could gain access to the backup system and exfiltrate backup data, Poller said.
Exfiltrated backup data that is encrypted has no value to cybercriminals because malicious actors and the public can't read the data.
"This is a typical method of operation of ransomware actors who double dip by both preventing the organization from accessing their own data and holding exfiltrated data hostage. [It requires] a separate payment to prevent the public exposure of the data," he said.
If data is encrypted, only individuals who hold the keys can make sense of the data. Exfiltrated backup data that is encrypted has no value to cybercriminals because malicious actors and the public can't read the data, Poller said.
This is a last layer of defense, protecting the organization in the worst case, and is part of a defense-in-depth strategy.
Mind the data regulations
In general, most data security and data privacy regulations apply to backup data, just as they apply to any other data sets. Organizations must encrypt any sensitive or regulated information to ensure that data is protected in case of exfiltration or inadvertent public exposure.
Specific regulations that apply to backup data include the following:
Typical data privacy regulations, such as GDPR, CCPA and HIPAA, which seek to protect personally identifiable information and personal health information.
Financial regulations including SOC 2 and others that protect financial and payment information.
Cybersecurity and insurance regulations, such as the Cyber Incident Reporting for Critical Infrastructure Act, or CIRCIA.
When it comes to hardening your cyber-resilience overall, there are no downsides, Bertrand said. Still, there might be tradeoffs. Encryption is computationally expensive, and it affects the time and possibly the cost of the backup and recovery process, he noted.
"In some cases, backup encryption can incur performance penalties, but modern solutions handle security by design in general, including encryption, at scale," Bertrand said.
In addition, encryption alone is not enough to protect data, so organizations must manage multiple encryption keys.
"It's not sufficient to protect all data in the organization with one key -- if an attacker gets access to the key, they get access to all data," Bertrand said. "The same for backups: Get access to the key, get access to all data in the backup data set. Therefore, organizations need to have separate keys for divisible, distinct chunks of data -- including distinct chunks of backup data."
Next Steps
Protect against current and future threats with encryption
Dig Deeper on Data backup security
Cohesity adds confidential computing to FortKnoxBy: TimMcCarthy
Laminar security posture tech now part of Rubrik platformBy: TimMcCarthy
Veeam leads funding round for SaaS backup provider AlcionBy: PaulCrocetti
Veeam ransomware protection highlighted in Kasten, detectionBy: PaulCrocetti
Part of:How to safeguard data backups against ransomware
Article 3 of 3
Up Next
Can ransomware infect backups? 3 tips to protect dataBacking up data is one way to guard against threats such as ransomware, but attacks designed to infect backups can compromise data protection efforts.
Offline backups are a key part of a ransomware protection planRansomware resilience relies not on a single tool, but on several layered protections. Offline backups are a critical layer in a ransomware protection strategy.
Use backup encryption to protect data from would-be thievesEncryption is a powerful tool to keep sensitive data out of the wrong hands. To ensure recoverability after a disruption, data backup encryption is vital.
This protects the data from an attacker that can see data moving across the network, for example, via a Wi-Fi connection. Encryption at rest involves encrypting data that is stored on disk or in the backup system. This protects the data if an attacker has access to the data storage system.
Encryption is used to protect data from being stolen, changed, or compromised and works by scrambling data into a secret code that can only be unlocked with a unique digital key.
Encrypting backups gives you personal control over your personal information. It's a level of protection that goes way beyond an email password, for example. If your iPhone gets stolen or you leave your computer or iPad on an airplane, your information is locked securely with the password only you know.
In simple words, encryption protects sensitive data from prying eyes by scrambling ordinary text (plaintext) into a form (ciphertext) that is impossible to read without the proper decryption key. An example of basic encryption is swapping each letter with the one that holds its opposite position in the alphabet.
Encryption is the process of converting data into an unusable form and does not itself stop hacking or data theft. Instead, it prevents stolen content from being used, since the hacker or thief cannot see it in plaintext format.
No matter how highly-encrypted your data is, it is still susceptible to being transmitted to the wrong recipient via email, or otherwise shared via incorrect attachments or unsecured encryption keys.
Weaknesses in how encryption keys are generated can also create vulnerabilities. For example, keys generated by simple mathematical functions instead of secure random number generation make it possible for attackers to more easily guess the keys through cryptanalysis.
If users forget their password and lose their recovery key, the device will be inaccessible to them, and they will be locked out just like an intruder. Data in transit isn't protected, so data shared between devices and through email is still vulnerable to hacking.
There are three main key lengths that AES can work with – 256-bit, 192-bit, and 128-bit. AES-256 is widely considered to be the most secure encryption method out there, combining both resistance to cyberattacks and encryption/decryption speed.
AES. The Advanced Encryption Standard (AES) is the trusted standard algorithm used by the United States government, as well as other organizations. ...
Data encryption is a security method where information is encoded and can only be accessed or decrypted by a user with the correct encryption key. Encrypted data, also known as ciphertext, appears scrambled or unreadable to a person or entity accessing without permission.
Encryption safeguards much of the information that is transmitted over the internet, including financial transactions, personal information, and communications. It ensures the authenticity of information and sources, making sure that data have not been altered in transit and that the sender is correctly identified.
To encrypt during backup, you must specify an encryption algorithm, and an encryptor to secure the encryption key. The following are the supported encryption options: Encryption Algorithm: The supported encryption algorithms are: AES 128, AES 192, AES 256, and Triple DES. Encryptor: A certificate or asymmetric Key.
Encryption is the process of concealing data by using a code. After encryption, in order to read or use the concealed data, the code used during encryption must be known. This process is called decryption. Encryption and decryption are used to allow access to data only to those who have the code.
It is especially effective to protect data against unauthorised access if the device storing the encrypted data is lost or stolen. Depending on the circ*mstances, an effective and appropriate encryption solution can also be a means of demonstrating compliance with the security requirements of the UK GDPR.
Police may use several traditional investigative techniques to obtain plaintext from encrypted data, most commonly through surveillance, search and seizure, and questioning.
Data encryption protects your sensitive data by rendering it inaccessible, even if stolen. Decrypting well-encrypted data without the key is theoretically possible, but it would require all of the world's computing power and many years to succeed. Data that has been encrypted can be stolen, but only in encrypted form.
Introduction: My name is Clemencia Bogisich Ret, I am a super, outstanding, graceful, friendly, vast, comfortable, agreeable person who loves writing and wants to share my knowledge and understanding with you.
We notice you're using an ad blocker
Without advertising income, we can't keep making this site awesome for you.
