Launched in 2016, the National Cyber Security Centre (NCSC) provides advice and support to the public and private sectors on how to address cybersecurity threats.
At the moment, NCSC provides information and practical guidance in various articles on its website rather than formal requirements or regulations. That said, NCSC security audits are currently underway to assess existing solutions and their level of alignment with NCSC guidelines. We have observed that NCSC’s guidance and audits are driving interest and activity from organisations, especially those in the UK, seeking to improve their cybersecurity posture.
In this blog, we hope to unpack some of the most relevant elements of NCSC’s guidance and how Rubrik Zero Trust Data Security can improve your cyber resilience. NCSC guidance is quoted below, followed by our commentary.
[A]ccess to data backups should be restricted so that they:
are not accessible by staff
are not permanently connected (either physically or over a local network) to the device holding the original copy
Rubrik Zero Trust architecture separates management and data planes; this ensures that data backups are not broadly accessible to staff. Furthermore, Rubrik’s logical air gap keeps backups separated from the original data.
Using cloud storage (where a service provider stores your data on their infrastructure) means your data is physically separate from your location. You'll also benefit from a high level of availability.
Rubrik Cloud Vault, announced in December 2021, was built for this use case. It is a fully managed service that enables you to have account-isolated, immutable copies of your data, archived off-site, to support quick recovery from natural disasters and cyber-attacks, like ransomware. Management simplicity and reduced cloud administrative complexities allow you to confidently store copies of your data in a separate cloud environment that is logically air-gapped from your core data center and cloud workloads, thus dramatically reducing the risk of a backup data breach, encryption, or theft. This SaaS offering is built on Microsoft Azure.
Rubrik also offers CloudOut, a customer-managed cloud archival solution that is compatible with all major public cloud providers.
Protecting Bulk Personal Data
NCSC’s number 1 measure for the protection of bulk data is: know your data
You have a well-defined catalogue of the data your service holds. You know why the data is held. You understand the impact of theft or loss of integrity.
Rubrik Sensitive Data Discovery is a SaaS application that discovers, classifies, and reports on sensitive data (e.g., PII, PHI, financial information), where it resides, and who has access. In ransomware preparation, it can be used to minimize sensitive data exposure and restrict open access to this data. In response to a ransomware event, it can provide visibility into what sensitive data was impacted, facilitate regulatory compliance, and help avoid penalties.
Offline Backups in an Online World
The offline rule: At any given time, are one or more backups offline?
The purpose of an 'offline backup' (sometimes called a 'cold backup') is to remain unaffected should any incident impact your live environment. You can do this by:
• Only connecting the backup to live systems when absolutely necessary
• Never having all backups connected (or 'hot') at the same time
With at least one backup offline at any given time, an incident cannot affect all of your backups simultaneously.
At the core of Rubrik Zero Trust is our purpose-built file system that does not expose backup data via open network protocols. Because Rubrik backup storage is neither exposed online nor accessible over the network, there’s a logical air gap that blocks data from being discoverable or accessible.
Rubrik’s logical air gap separates and protects a network-connected digital asset on a logical, versus physical basis. A logical air gap achieves separation through a Zero Trust architecture including encryption, which makes data useless to an attacker, and immutability, which prevents data from being changed. When coupled with role-based access controls and multi-factor authentication, the logical air gap can deliver the same or better risk mitigation as a physical air gap.
Using cloud storage to hold an offline backup is a good idea because it guarantees physical separation from your live environment. Crucially, when your offline backup isn't in use it also needs to be digitally disconnected. Unlike conventional backup storage, you cannot take your cloud storage offline by simply unplugging it.
Again, NCSC explicitly describes air gap and cloud archival capabilities, such as those offered by Rubrik, as a valid strategy.
The first step to protect cloud storage is secure account identity. For cloud services this almost always appears as username and password credentials. All users able to access cloud backups should be properly protected in line with NCSC guidance. Without a trusted identity, ransomware should not be able to request access to your cloud storage and encrypt it.
Rubrik Zero Trust architecture with multi-factor authentication (MFA) helps to protect cloud storage. With MFA, multiple forms of identification are required to successfully authenticate. Rubrik offers MFA natively, and it can be set up quickly.
Cloud backup clients should not have valid credentials while your cloud storage is not in use. The number of backup clients should also be kept to a minimum with standard user devices unable to modify cloud backups directly. Following this practice, a ransomware infection can only compromise your cloud backup if it occurs on an authorised client and while your cloud backup is being used.
Rubrik goes beyond this requirement with our immutable storage and Zero Trust architecture. In addition, Rubrik has mutual certificate-based authentication between clients and servers.
Some cloud storage services offer more advanced access controls for identity and connectivity. If these controls are available, they should be configured to only allow authorised clients to create new backups (or append to existing ones), and deny connection requests while the storage is not in use ('cold'). If a ransomware infection occurs while your cloud backup is offline (denying connection requests), it will not be able to reach the cloud storage, giving you the same level of confidence as unplugging an on-premises storage drive. In the event of a ransomware incident occurring whilst your cloud backup is connected, ransomware acting with privilege to only create new data cannot overwrite your existing backups. This is comparable to traditional write-once storage (but is cheaper and more scalable).
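The access model described above (authorised clients only, connections refused while the store is cold, and create/append privilege that can never overwrite an existing backup) is easiest to reason about as a small state machine. The following is an added reference model, not code from Rubrik or any cloud provider; the client names, object keys and the `BackupStore` class are constructed for illustration.

```python
from __future__ import annotations

from dataclasses import dataclass, field


class AccessDenied(Exception):
    """Raised when a request violates the store's access policy."""


@dataclass
class BackupStore:
    # Client IDs allowed to write; every other client is refused outright.
    authorised_clients: set[str]
    # A 'cold' store refuses every connection, like an unplugged drive.
    hot: bool = False
    # Object key -> list of versions. Versions are only ever added, never
    # replaced or deleted, which models write-once storage.
    versions: dict[str, list[bytes]] = field(default_factory=dict)
    # Audit trail of refused requests (client, key, reason): detection input.
    denied: list[tuple[str, str, str]] = field(default_factory=list)

    def _deny(self, client: str, key: str, reason: str) -> None:
        self.denied.append((client, key, reason))
        raise AccessDenied(f"{client} -> {key}: {reason}")

    def _check_connection(self, client: str) -> None:
        if not self.hot:
            self._deny(client, "-", "store is cold; connection refused")
        if client not in self.authorised_clients:
            self._deny(client, "-", "client not authorised")

    def create(self, client: str, key: str, data: bytes) -> None:
        """Create-only privilege: succeeds only for a key that does not exist."""
        self._check_connection(client)
        if key in self.versions:
            self._deny(client, key, "object exists; overwrite not permitted")
        self.versions[key] = [data]

    def append(self, client: str, key: str, data: bytes) -> None:
        """Append privilege: adds a new version, earlier versions stay intact."""
        self._check_connection(client)
        if key not in self.versions:
            self._deny(client, key, "no such object; use create")
        self.versions[key].append(data)

    def first_version(self, key: str) -> bytes:
        return self.versions[key][0]


def simulate() -> dict[str, object]:
    """Walk through the three situations the guidance describes and report
    what the policy allowed. All names and data are constructed."""
    store = BackupStore(authorised_clients={"backup-server"})
    key = "db/2024-01-01.bak"

    # Legitimate backup run: the store is only hot while it is in use.
    store.hot = True
    store.create("backup-server", key, b"clean-db-dump")
    store.hot = False

    outcomes: dict[str, object] = {}
    # 1. A compromised workstation while the store is cold never reaches it.
    try:
        store.create("workstation-17", key, b"ENCRYPTED")
    except AccessDenied as exc:
        outcomes["cold_window"] = str(exc)
    # 2. A compromised, unauthorised client during a hot window is refused.
    store.hot = True
    try:
        store.create("workstation-17", key, b"ENCRYPTED")
    except AccessDenied as exc:
        outcomes["unauthorised_client"] = str(exc)
    # 3. Even the authorised client, during a hot window, cannot overwrite:
    #    create-only privilege rejects an existing key...
    try:
        store.create("backup-server", key, b"ENCRYPTED")
    except AccessDenied as exc:
        outcomes["overwrite_attempt"] = str(exc)
    #    ...and an append adds a version but leaves the original recoverable.
    store.append("backup-server", key, b"ENCRYPTED")
    store.hot = False

    outcomes["original_intact"] = store.first_version(key) == b"clean-db-dump"
    outcomes["denied_requests"] = len(store.denied)
    return outcomes
```

The `denied` audit trail is the part a defender would wire into monitoring: a burst of refused connections during a cold window, or an overwrite attempt from the authorised backup server, is exactly the signal worth alerting on.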
Rubrik’s multi-tenancy and role-based access control (RBAC) model delivers this and more. RBAC is a common authorization mechanism that makes it easier to manage permissions using predefined or custom roles. Those roles are then applied to users and services instead of having to manually set permissions for each individual. Rubrik provides a set of prebuilt roles to make this easier, and organizations should ensure that all other infrastructure systems and applications use RBAC to make authorization manageable. Furthermore, Rubrik’s immutable storage prevents backups from being modified.
The 3-2-1 Rule: Is critical data saved in multiple backup locations?
It is vital to keep multiple backups and to logically separate them. Maintaining resilient backups means that if one is compromised, at least one other remains. The most common method for creating resilient data backups is to follow the ‘3-2-1’ rule: at least 3 copies, on 2 devices, and 1 offsite. This strategy is popular because it scales effectively (including the use of the cloud for an offsite backup) and can give you confidence that your critical data is safe from a localised incident. However, it does not require any backup location to be offline – hence the need for our first offline rule.
Rubrik provides a single platform to protect data on-premises, in the cloud, and in Microsoft 365. You can define policy-based SLAs to automate backup, replication, and archival to easily comply with the 3-2-1 rule.
The regular rule: Is critical data backed up regularly?
Finally, backups should be created on a regular basis. The more frequently backups are created, the less data is lost if you're forced to recover. Not only should your backups be created frequently, they should also be regularly tested to check they work as expected.
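The three NCSC rules quoted above (the offline rule, the 3-2-1 rule and the regular rule) can be checked mechanically against an inventory of backup copies. The following is an added example of such an audit, not code from Rubrik or NCSC; the inventory, dataset names, media and timestamps are constructed, and the one-day backup age limit and 30-day restore-test window are assumed thresholds that an organisation would set for itself.

```python
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, timedelta


@dataclass(frozen=True)
class BackupCopy:
    dataset: str
    location: str                      # site holding the copy
    medium: str                        # device or medium the copy sits on
    offsite: bool                      # away from the primary site
    online: bool                       # currently reachable from live systems
    taken_at: datetime
    last_restore_test: datetime | None  # None if never test-restored


# Constructed inventory: one dataset that satisfies every rule and one that
# fails all of them (two online copies, neither recent, never tested).
NOW = datetime(2024, 3, 1, 9, 0)
SAMPLE_COPIES = [
    BackupCopy("crm-db", "primary-dc", "nas-01", False, True,
               datetime(2024, 2, 29, 23, 0), datetime(2024, 2, 15)),
    BackupCopy("crm-db", "primary-dc", "tape-lib", False, False,
               datetime(2024, 2, 29, 22, 0), None),
    BackupCopy("crm-db", "cloud-vault", "object-storage", True, True,
               datetime(2024, 2, 29, 23, 30), datetime(2024, 2, 20)),
    BackupCopy("file-share", "primary-dc", "nas-01", False, True,
               datetime(2024, 2, 20), None),
    BackupCopy("file-share", "secondary-dc", "nas-02", True, True,
               datetime(2024, 2, 20), None),
]


def evaluate(copies: list[BackupCopy], now: datetime,
             max_age: timedelta, test_window: timedelta) -> dict[str, dict[str, bool]]:
    """Return, per dataset, whether each rule currently holds."""
    by_dataset: dict[str, list[BackupCopy]] = {}
    for copy in copies:
        by_dataset.setdefault(copy.dataset, []).append(copy)

    report: dict[str, dict[str, bool]] = {}
    for dataset, cs in by_dataset.items():
        newest = max(c.taken_at for c in cs)
        tests = [c.last_restore_test for c in cs if c.last_restore_test]
        report[dataset] = {
            # 3-2-1: at least 3 copies, on 2 distinct media, 1 offsite.
            "three_two_one": (len(cs) >= 3
                              and len({c.medium for c in cs}) >= 2
                              and any(c.offsite for c in cs)),
            # Offline rule: at least one copy is not reachable right now.
            "offline": any(not c.online for c in cs),
            # Regular rule: the newest copy is within the allowed age.
            "regular": now - newest <= max_age,
            # Regular rule, second half: a restore was tested recently.
            "tested": bool(tests) and now - max(tests) <= test_window,
        }
    return report


def findings(report: dict[str, dict[str, bool]]) -> dict[str, list[str]]:
    """Reduce the report to the sorted list of failing rules per dataset."""
    return {ds: sorted(rule for rule, ok in rules.items() if not ok)
            for ds, rules in report.items()}


def audit() -> dict[str, list[str]]:
    """Run the audit over the constructed inventory with assumed thresholds."""
    report = evaluate(SAMPLE_COPIES, NOW,
                      max_age=timedelta(days=1), test_window=timedelta(days=30))
    return findings(report)


if __name__ == "__main__":
    for dataset, failing in audit().items():
        status = "OK" if not failing else "FAIL: " + ", ".join(failing)
        print(f"{dataset}: {status}")
```

Note that the offline check is a point-in-time answer: it says whether a cold copy exists now, which is the form NCSC phrases the rule in. A real audit would run it continuously, since a copy that is only ever offline between backup windows can still satisfy it at every sample if the windows are short.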
Rubrik offers automatic testing and Continuous Data Protection, allowing you to restore systems to virtually any point in time. In addition, automatic testing enables you to verify that backups work as expected.
To summarize: Rubrik Zero Trust Data Security was built with capabilities – such as logical air gapping, immutability, cloud archival, and more – to address guidance from governing bodies including the UK’s NCSC.
More on NCSC
This isn’t an exhaustive breakdown of NCSC’s guidelines. We’ll continue our analysis of NCSC guidelines with further content down the line. Stay tuned for part two, where we will discuss mitigating malware and ransomware attacks.