![Compliance Ready Backups Policy](https://static.wixstatic.com/media/981170_beb6836b7bf54e5087ac764dbb2fffeb~mv2.png/v1/fill/w_980,h_552,al_c,q_90,usm_0.66_1.00_0.01,enc_avif,quality_auto/981170_beb6836b7bf54e5087ac764dbb2fffeb~mv2.png)
In one of my past projects, the official website of the company got severely compromised by a sophisticated JavaScript injection that went all the way into the code. This was a simple public PHP website that served as the company's frontend to the world. The hack was so severe that Google kept giving unsafe-website alerts for weeks. No matter what we did, from reinstalling the website on new hosts to even changing the datacenter, the injection kept resurfacing. At last one thing came to our rescue: a backup copy on one of the team's machines.
That incident taught me a very important lesson for a lifetime. Backups are not just copies; they are the backbone of disaster recovery.
Every global compliance regime, be it PCI, PII or PHI, requires on-line and scheduled backups or off-site backups for critical systems and data. Weekly full backups, daily differentials and two-hourly transaction backups, or better, must be in place.
Backups must be encrypted where necessary, and support for low-cost encrypted archives must be considered where available. If required, the backup policy must include specific provisions for transactional databases and authentication systems, ensuring consistency at restore. These backups must be tested by restoring them regularly to prove they work.
5 compliance-ready backup policy practices to meet RTO/RPO numbers:
1. Regular and Scheduled Backups:
One of the compulsory requirements for any disaster recovery (DR) plan is to have regular and scheduled backups. These backups act as the safety net, ensuring that in the event of data loss, corruption, or a cyber-attack, the organisation can swiftly restore critical systems and data to a functional state. Compliance regulations often mandate specific backup frequencies and types to ensure minimal data loss and quick recovery times.
Weekly Full Backups: A full backup captures the entire dataset, providing a comprehensive snapshot of all data at a particular point in time. Performing weekly full backups ensures that there is always a recent complete copy of the data, which serves as a reliable restoration point.
Daily Differential Backups: Differential backups capture all changes made since the last full backup. These backups are smaller and quicker than full backups, making them practical for daily use. They bridge the gap between full backups, ensuring that the most recent data changes are preserved without the need for extensive storage space.
Two-Hourly Transaction Backups: For critical systems and data, particularly in environments with high transaction volumes such as financial institutions, more frequent backups are necessary. Two-hourly transaction backups ensure that even the most recent data is protected. These frequent backups minimise the risk of significant data loss in the event of a system failure.
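The three tiers above only pay off if you can work out, for any point in time, which backups must be applied and in what order, and how much data the chain still loses (the RPO actually achieved). The following added example, not code from the original article, models the weekly full / daily differential / two-hourly transaction schedule and resolves the restore chain for a target time; the calendar dates, backup names and the `demo` helper are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Constructed cadence matching the policy: weekly full, daily differential,
# transaction-log backups every two hours.
FULL_DAY = 6                       # Sunday (datetime.weekday(): Monday == 0)
TXN_INTERVAL = timedelta(hours=2)


@dataclass(frozen=True)
class Backup:
    kind: str                      # "full", "diff" or "txn"
    taken_at: datetime
    name: str


def generate_schedule(week_start: datetime, days: int = 7) -> list[Backup]:
    """Emit the backups the policy produces over `days` days.

    `week_start` must be a Sunday at 00:00 so a full backup leads every week.
    """
    if week_start.weekday() != FULL_DAY or week_start.time() != datetime.min.time():
        raise ValueError("week_start must be a Sunday at 00:00")
    backups = []
    for d in range(days):
        day = week_start + timedelta(days=d)
        kind = "full" if d % 7 == 0 else "diff"
        backups.append(Backup(kind, day, f"{kind}-{day:%Y%m%d}"))
        # transaction-log backups every two hours after the daily backup
        for slot in range(1, 12):
            ts = day + TXN_INTERVAL * slot
            backups.append(Backup("txn", ts, f"txn-{ts:%Y%m%d-%H%M}"))
    return backups


def restore_chain(backups: list[Backup], target: datetime) -> list[Backup]:
    """Return, in apply order, the backups needed to restore to `target`.

    Rule: latest full backup at or before the target, then the latest
    differential after that full (a differential already contains every
    change since the full, so only one is needed), then every transaction
    backup after that base and at or before the target.
    """
    fulls = [b for b in backups if b.kind == "full" and b.taken_at <= target]
    if not fulls:
        raise ValueError(f"no full backup exists at or before {target}")
    base = max(fulls, key=lambda b: b.taken_at)
    chain = [base]
    diffs = [b for b in backups
             if b.kind == "diff" and base.taken_at < b.taken_at <= target]
    if diffs:
        base = max(diffs, key=lambda b: b.taken_at)
        chain.append(base)
    txns = [b for b in backups
            if b.kind == "txn" and base.taken_at < b.taken_at <= target]
    chain.extend(sorted(txns, key=lambda b: b.taken_at))
    return chain


def achieved_rpo(chain: list[Backup], target: datetime) -> timedelta:
    """Everything written after the last backup in the chain is lost; that gap is the RPO achieved."""
    return target - chain[-1].taken_at


def meets_rpo(chain: list[Backup], target: datetime, rpo_limit: timedelta) -> bool:
    return achieved_rpo(chain, target) <= rpo_limit


def demo(target: datetime = datetime(2024, 1, 10, 13, 30)) -> dict:
    """Constructed scenario: a week starting Sunday 7 Jan 2024, restore to Wednesday 13:30."""
    week = generate_schedule(datetime(2024, 1, 7))
    chain = restore_chain(week, target)
    return {
        "chain": [b.name for b in chain],
        "rpo_minutes": achieved_rpo(chain, target).total_seconds() / 60,
        "meets_2h_rpo": meets_rpo(chain, target, timedelta(hours=2)),
    }


if __name__ == "__main__":
    result = demo()
    for name in result["chain"]:
        print(name)
    print("achieved RPO (minutes):", result["rpo_minutes"],
          "meets 2h target:", result["meets_2h_rpo"])
```

For a Wednesday 13:30 target the chain is the Sunday full, the Wednesday 00:00 differential and the six transaction backups from 02:00 to 12:00, and the achieved RPO is 90 minutes, inside the two-hour target. Running the same check for a target one minute before the 02:00 transaction backup shows the worst case the policy permits, which is how you confirm the cadence actually satisfies the RPO written in the DR plan rather than assuming it does.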
2. Off-Site Backups: Enhancing Data Security:
Storing backups off-site is a crucial strategy for safeguarding data against physical disasters such as fires, floods, or theft. Off-site backups ensure that even if the primary data center is compromised, a secure copy of the data remains intact in a separate location. This geographical diversification is a critical component of a robust disaster recovery plan.
3. Encryption: Protecting Data Integrity and Confidentiality:
Data security is a top priority, especially when dealing with sensitive information. Encrypting backups is essential to protect data from unauthorised access. Compliance regulations often mandate encryption to ensure that even if backup data is intercepted or stolen, it remains unreadable without the appropriate decryption keys.
Low-Cost Encrypted Archives: Organisations should consider the availability of low-cost encrypted archives. These solutions provide a cost-effective means of securing backup data without compromising on encryption standards. Utilising such archives can significantly reduce storage costs while maintaining compliance with data protection regulations.
4. Specific Provisions for Transactional Databases and Authentication Systems:
Transactional databases and authentication systems require special attention in backup policies. Ensuring data consistency during backup and restoration processes is critical to maintain the integrity of these systems.
Transactional Databases: For databases handling continuous transactions, it is imperative to use backup solutions that support point-in-time recovery. This ensures that the database can be restored to a specific state, preserving the consistency of transactions and preventing data corruption.
Authentication Systems: Authentication systems often store sensitive information such as user credentials and access controls. Backing up these systems requires stringent measures to ensure that the backup and restoration processes do not compromise security. It is essential to maintain the confidentiality and integrity of authentication data throughout the backup lifecycle.
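Point-in-time recovery for a transactional store means a consistent full snapshot plus a log of every committed transaction after it, replayed up to the chosen instant. The following added example (not the article's code) shows that mechanism end to end on SQLite using only the standard library: the snapshot is taken with SQLite's online backup API rather than a file copy, so it is consistent, and the transaction log is replayed in commit order to rebuild the database as it stood before an erroneous write. The ledger schema, timestamps and the "incident" are constructed; a production DBMS would use its own WAL or archive logs instead of this hand-rolled log.

```python
import sqlite3
from datetime import datetime, timedelta


class PitrStore:
    """A transactional database with one full backup plus a transaction log,
    which together allow restoring to any point in time after the full backup.
    Constructed for illustration only."""

    def __init__(self):
        self.db = sqlite3.connect(":memory:")
        self.db.execute(
            "CREATE TABLE accounts (id INTEGER PRIMARY KEY, owner TEXT UNIQUE, balance INTEGER)")
        self.db.commit()
        self.log = []      # (timestamp, sql, params) in commit order
        self.full = None   # (timestamp, connection holding the full backup)

    def commit_logged(self, ts: datetime, statements: list) -> None:
        """Apply one transaction atomically; record it only if the commit succeeds."""
        with self.db:      # connection as context manager: commit, or roll back on error
            for sql, params in statements:
                self.db.execute(sql, params)
        self.log.extend((ts, sql, tuple(params)) for sql, params in statements)

    def take_full_backup(self, ts: datetime) -> None:
        """Consistent snapshot via SQLite's online backup API."""
        snapshot = sqlite3.connect(":memory:")
        self.db.backup(snapshot)
        self.full = (ts, snapshot)

    def restore_to(self, target: datetime) -> sqlite3.Connection:
        """Rebuild the database as it was at `target`: full backup, then replay the log."""
        if self.full is None:
            raise RuntimeError("no full backup available")
        full_ts, snapshot = self.full
        if target < full_ts:
            raise ValueError("target predates the full backup")
        restored = sqlite3.connect(":memory:")
        snapshot.backup(restored)          # never touch the snapshot itself
        with restored:
            for ts, sql, params in self.log:
                if full_ts < ts <= target:
                    restored.execute(sql, params)
        return restored


def balances(conn: sqlite3.Connection) -> dict:
    return dict(conn.execute("SELECT owner, balance FROM accounts ORDER BY owner"))


def run_incident() -> dict:
    """Constructed timeline: seed, full backup, two good transactions, then a bad write."""
    t0 = datetime(2024, 1, 1, 9, 0)
    store = PitrStore()
    store.commit_logged(t0, [
        ("INSERT INTO accounts (owner, balance) VALUES (?, ?)", ("alice", 100)),
        ("INSERT INTO accounts (owner, balance) VALUES (?, ?)", ("bob", 50)),
    ])
    store.take_full_backup(t0 + timedelta(minutes=1))
    t1 = t0 + timedelta(hours=1)           # transfer 30 from alice to bob, atomically
    store.commit_logged(t1, [
        ("UPDATE accounts SET balance = balance - 30 WHERE owner = ?", ("alice",)),
        ("UPDATE accounts SET balance = balance + 30 WHERE owner = ?", ("bob",)),
    ])
    t2 = t0 + timedelta(hours=2)           # deposit 20 to bob
    store.commit_logged(t2, [
        ("UPDATE accounts SET balance = balance + 20 WHERE owner = ?", ("bob",)),
    ])
    t3 = t0 + timedelta(hours=3)           # the incident: an erroneous write zeroes every balance
    store.commit_logged(t3, [("UPDATE accounts SET balance = 0", ())])
    return {
        "live": balances(store.db),
        "at_t1": balances(store.restore_to(t1)),
        "at_t2": balances(store.restore_to(t2)),
        "full_only": balances(store.restore_to(t0 + timedelta(minutes=1))),
    }


if __name__ == "__main__":
    for label, state in run_incident().items():
        print(f"{label:10} {state}")
```

The restore to `t2` yields alice 70 / bob 100, the state just before the bad write, while the live database shows both balances at zero. Two points carry over to authentication systems: the log and the snapshot contain exactly the same sensitive values as the live store (credential hashes, role assignments), so they need the same encryption and access control as the database itself, and replay must stop at a committed-transaction boundary, never mid-transaction, or the restored system is inconsistent.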
5. Regular Testing: Proving the Reliability of Backups:
Creating backups is only part of the solution; ensuring their reliability through regular testing is equally important. Organisations must routinely test their backups by performing restoration drills. These tests validate that the backups are complete, uncorrupted, and can be restored within acceptable timeframes.
Testing Scenarios: Testing should cover a range of scenarios, including partial restorations, full restorations, and restoration of specific critical systems. This comprehensive approach ensures that all potential recovery needs are addressed.
Documentation and Review: Every backup test should be thoroughly documented, including the procedures followed, the time taken for restoration, and any issues encountered. Regular reviews of these tests help identify areas for improvement and ensure ongoing compliance with DR regulations.
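A restore drill is only evidence if it checks the restored data against something recorded at backup time and records how long the restore took. The following added example (not the article's code) implements that: it archives a constructed dataset together with a SHA-256 manifest, restores the archive into a scratch directory, verifies every file against the manifest, times the restore against an RTO and returns the record the policy asks for; it then corrupts one restored file to show the verification catching it. The file names, contents and the 60-second RTO are assumptions.

```python
import hashlib
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(1 << 16), b""):
            digest.update(chunk)
    return digest.hexdigest()


def create_backup(source_dir: Path, archive: Path) -> dict:
    """Archive every file under source_dir and return a manifest {relative path: sha256}.
    Keep the manifest apart from the archive so a damaged archive cannot vouch for itself."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for path in sorted(p for p in source_dir.rglob("*") if p.is_file()):
            rel = path.relative_to(source_dir).as_posix()
            manifest[rel] = sha256_file(path)
            tar.add(path, arcname=rel)
    return manifest


def verify_restore(restore_dir: Path, manifest: dict) -> list:
    """Return the manifest entries that are missing or whose content differs."""
    return [rel for rel, expected in manifest.items()
            if not (restore_dir / rel).is_file() or sha256_file(restore_dir / rel) != expected]


def restore_drill(archive: Path, manifest: dict, restore_dir: Path, rto_seconds: float) -> dict:
    """Restore into restore_dir, verify against the manifest, and produce the drill record."""
    started = time.monotonic()
    with tarfile.open(archive, "r:gz") as tar:
        try:
            # the "data" filter rejects members that would escape restore_dir (Python 3.12+)
            tar.extractall(restore_dir, filter="data")
        except TypeError:                      # older interpreters lack the filter argument
            tar.extractall(restore_dir)
    mismatches = verify_restore(restore_dir, manifest)
    elapsed = time.monotonic() - started
    return {
        "archive": archive.name,
        "files_checked": len(manifest),
        "mismatches": mismatches,
        "elapsed_seconds": round(elapsed, 3),
        "within_rto": elapsed <= rto_seconds,
        "result": "PASS" if not mismatches and elapsed <= rto_seconds else "FAIL",
    }


def demo() -> tuple:
    """Constructed dataset: back it up, drill a restore, then corrupt one restored file."""
    with tempfile.TemporaryDirectory() as tmp:
        tmp = Path(tmp)
        source = tmp / "source"
        (source / "db").mkdir(parents=True)
        (source / "db" / "ledger.csv").write_text("id,owner,balance\n1,alice,100\n2,bob,50\n")
        (source / "config.ini").write_text("[app]\nmode = production\n")
        archive = tmp / "weekly-full.tar.gz"
        manifest = create_backup(source, archive)

        restore_dir = tmp / "restore"
        report = restore_drill(archive, manifest, restore_dir, rto_seconds=60)

        # silent corruption of the restored copy: the failure a drill exists to expose
        (restore_dir / "db" / "ledger.csv").write_text("id,owner,balance\n1,alice,0\n2,bob,0\n")
        after_corruption = verify_restore(restore_dir, manifest)
    return report, after_corruption


if __name__ == "__main__":
    report, after = demo()
    print(report)
    print("mismatches after corruption:", after)
```

The returned record (archive name, files checked, mismatches, elapsed time, RTO verdict) is the documentation the section above calls for; appending one such record per drill gives the review trail that shows restore times trending against the RTO. Verifying against a manifest captured at backup time, rather than just checking that extraction succeeded, is what turns the drill into proof that the backup is complete and uncorrupted.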
Summary:
Incorporating these best practices not only meets compliance requirements but also fortifies an organisation's ability to recover swiftly and efficiently from any data-related catastrophe, ensuring business continuity and data integrity.
However, some additional considerations come into play based on where the backups are stored, as below:
Cloud: Cloud backup solutions offer automated, frequent backups with minimal disruption to operations. Data is often stored in multiple locations, providing redundancy and reducing the risk of data loss. Additionally, cloud backups are scalable, allowing businesses to adjust storage capacity as needed without investing in additional hardware.
However, organisations with data localisation and confidentiality compliance obligations must consider where these backups are being stored by the cloud provider. It might break compliance regulations like OJK or ISAE 3000 if the backups are stored outside the country or shared with cloud partners. That's where a mandatory NDA comes into play.
On-Premise: On-premise backups require significant investment in hardware and software. They also necessitate rigorous processes to ensure data is backed up regularly and stored securely. Physical backups can be vulnerable to local disasters, such as fires or floods, unless they are regularly moved to an off-site location. The management and maintenance of these backups can be resource-intensive.
As described in the beginning, backups cover the very first requirement in any compliance certification. By implementing a structured backup policy, organisations can ensure the resilience of their critical systems and data.
Thanks & Regards
Kamalika Majumder