InfoSec / Cyber

A digital city with a dome around it showing protection, a white padlock at the top. Cyber resilience in white text. Data Protection Education DPO badge

Resistant Cloud Backups

The NCSC has recently published an article about creating resistant cloud backups as a way to be more resistant to the effects of destructive ransomware.

We all know that backups are an essential part of an organisation's cyber strategy and making regular backups is the most effective way to recover from a destructive ransomware attack, where an attacker's aim is to destroy or erase a victim's data. 

The guidance advises there are two main ways to backup:
  1. by saving copies to physically disconnected backup storage that you are entirely responsible for managing
  2. by saving copies to a cloud-based backup service that handles some of this responsibility for you
Analysis of incidents shows that in the early stages of a destructive ransomware attack, actors often target backups and infrastructure, deleting or destroying the data stored there to make it harder for the victim to recover their data, and more likely to pay the ransom. This puts data in cloud-based backup services at particular risk from ransomware actors, unless additional measures are taken to protect it.

As cloud-based backup services won’t necessarily be resistant to ransomware attacks by default, these principles set out the functions a service should offer, so that it can be considered resistant to destruction by ransomware.


Principle 1. Backups should be resilient to destructive actions

Principle 2. A backup system should be configured so that it isn’t possible to deny all customer access

Principle 3. The service allows a customer to restore from a backup version, even if later versions become corrupted

Principle 4. Robust key management for data-at-rest protection is in use

Principle 5. Alerts are triggered if significant changes are made, or privileged actions are attempted

The full guidance can be read here: Principles for ransomware resistant cloud backups.

DPE have published further backup guidance here:

The Data Protection Education Knowledge Bank has an Information and Cyber Security Checklist available which covers backups (viewable with a valid DPE subscription):


Search