Data is a precious, unique asset, yes? And while we might understand that backing up our data is a non-negotiable requirement, how we operationalize cloud backup processes for platforms such as Amazon Web Services (AWS) can get a bit tricky. This AWS backup guide offers guidance on how to avoid problems protecting your critical AWS workloads.

AWS is the leader in cloud computing, with 32% market share. So you likely rely on AWS for infrastructure, storage, and data management in your business. But AWS, like all cloud providers, works on a shared responsibility model for security. That means AWS is responsible for securing its cloud infrastructure, including its hardware and networks. But you, the AWS customer, are responsible for whatever you put on the AWS cloud.

This includes data security and backup. How do you make sure you have it all covered? 

AWS Backups Best Practices

IT professionals have developed an evolving set of best practices for backing up AWS data. Many of them have to do with security. After all, backup is a countermeasure to mitigate cyberthreats such as ransomware. The backed-up data itself, however, is also a target for malicious actors.

Native vs. Third-Party Backup

First, let’s answer a common question: “Doesn’t AWS have AWS Backup?” Yes, it does. However, it’s useful to grasp the nature of AWS Backup and understand its limitations.

On the plus side, AWS Backup offers a breadth of workload coverage. You can back up a wide range of AWS resources. And it’s considered relatively easy to get started if you’re already on AWS. You get the further advantage of a single vendor relationship for backup and restore.

But it’s still worth considering a third-party backup solution for AWS. Third-party alternatives have additional features you want from a backup and recovery solution, including:

  • Advanced security features like sensitive data discovery and ransomware detection

  • Backup and restore processes for multi-cloud and hybrid cloud architectures, which AWS Backup does not do on its own 

  • Lower cost backup storage tiers

  • Better visibility and more granular governance, along with simplified backup administration of multiple AWS accounts and regions

  • Functional advantages for dealing with data backup and restore across the full range of AWS workloads, such as EC2, S3, Amazon Elastic Block Store (Amazon EBS), and Amazon Relational Database Service (RDS).

These third-party backup advantages contribute to lower total cost of ownership (TCO) for AWS backup.

Shared Responsibility for Security

Given the realities of the shared security responsibility model, it is a best practice to pay close attention to the security aspects of backup and restore on AWS. In terms of cloud data protection, backed-up files present an inviting target for hackers. It’s on you to protect them. It’s wise to apply the same level of security rigor that you bring to other critical IT systems.

Ransomware is arguably the most potent threat to backed-up data. To determine the best countermeasures, it helps to review Amazon’s own research into ransomware risk exposure on their platform. AWS’s Customer Incident Response Team (CIRT) reviewed ransomware attacks and determined that the most common event leading up to a ransomware attack is the “unintended disclosure of Identity and Access Management (IAM) access keys.” Hackers with stolen credentials can easily get inside AWS backup instances. This is one of many types of vulnerabilities that can affect data on AWS.

Other security best practices include:

  • Credentials management: Integrating backup functions with an IAM solution that manages and protects user credentials across multiple clouds and on-premises environments.

  • Multi-Factor Authentication (MFA): Enforcing MFA to prevent malicious users from exploiting stolen credentials to gain access to backed-up data on unauthorized devices.

  • Role-Based Access Controls (RBAC): Simplifying and organizing access privileges by role, wherever possible, to reduce the likelihood of over-provisioning access or neglecting to deprovision access from former employees.

  • Data encryption: Encrypting data at rest while it’s stored on AWS to reduce the impact of data breaches.

  • AWS Key Management Service (KMS) for encryption: Using KMS to reduce the risk of misuse of keys by malicious actors and their gaining unauthorized access to data.

  • Zero Trust design: Denying access to the backup systems by default, and only permitting access after careful validation of user identities and devices.

  • Logically air-gapped backup: Using logical methods to create an “air gap” that isolates the backup, making it impossible for attackers to access the backed-up data.
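
The MFA and deny-by-default items above can be checked mechanically against the disclosed-access-key scenario the CIRT describes. The following is an added example, not code from this article or from AWS: it audits an IAM policy document for destructive AWS Backup actions that are allowed without an MFA condition. The choice of which actions count as destructive, the policy contents, and the Sid names are assumptions constructed for illustration.

```python
import fnmatch

# Destructive AWS Backup actions to gate behind MFA (the selection is this example's).
DESTRUCTIVE = [
    "backup:DeleteRecoveryPoint", "backup:DeleteBackupVault",
    "backup:UpdateRecoveryPointLifecycle", "backup:PutBackupVaultAccessPolicy",
    "backup:DeleteBackupVaultLockConfiguration",
]

def as_list(value):
    return value if isinstance(value, list) else [value]

def requires_mfa(stmt):
    # Only "Bool" counts: on an Allow, "BoolIfExists" is satisfied when the key is
    # absent, which is the case for requests signed with long-term access keys.
    value = stmt.get("Condition", {}).get("Bool", {}).get("aws:MultiFactorAuthPresent")
    return [str(v).lower() for v in as_list(value)] == ["true"]

def matched(stmt):
    """Destructive actions covered by the statement's Action patterns (* and ?)."""
    patterns = [p.lower() for p in as_list(stmt.get("Action", []))]
    return [a for a in DESTRUCTIVE
            if any(fnmatch.fnmatchcase(a.lower(), p) for p in patterns)]

def audit(policy):
    """Map each destructive action allowed without MFA to the Sid granting it.
    Simplified: Deny statements, Resource and NotAction are not evaluated."""
    findings = {}
    for s in as_list(policy["Statement"]):
        if s["Effect"] == "Allow" and not requires_mfa(s):
            for a in matched(s):
                findings.setdefault(a, s.get("Sid", "<no Sid>"))
    return findings

MFA = {"Bool": {"aws:MultiFactorAuthPresent": "true"}}
# Constructed policies for illustration only.
WEAK = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupOperator", "Effect": "Allow", "Resource": "*",
     "Action": ["backup:StartBackupJob", "backup:Delete*"]},
    {"Sid": "VaultAdmin", "Effect": "Allow", "Resource": "*",
     "Action": "backup:PutBackupVaultAccessPolicy", "Condition": MFA}]}
HARDENED = {"Version": "2012-10-17", "Statement": [
    {"Sid": "BackupOperator", "Effect": "Allow", "Resource": "*",
     "Action": "backup:StartBackupJob"},
    {"Sid": "DestructiveNeedsMfa", "Effect": "Allow", "Resource": "*",
     "Action": ["backup:Delete*", "backup:Update*", "backup:Put*"], "Condition": MFA}]}

if __name__ == "__main__":
    print("weak:", audit(WEAK), "| hardened:", audit(HARDENED))
```

In the weak policy the `backup:Delete*` wildcard is what exposes recovery points, the vault, and its lock configuration to anyone holding the operator's access keys; the hardened version keeps routine backup jobs key-accessible while destructive calls need an MFA-authenticated session.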

 

What to look for in an AWS backup vendor?

An effective AWS backup vendor is one that supports your backup and business continuity goals. This might mean having low-cost cloud storage options or the ability to work with platforms beyond AWS. The solution should be simple to manage, ideally with a high degree of automation available. 

You will likely want an AWS backup solution that manages and secures your data across multiple clouds and on-premises storage environments—with near-zero RTOs and RPOs.

Low-cost cloud storage options

AWS Backup does not permit customers to store backup data in lower-cost storage. As a result, you may find yourself spending a lot just to hold onto your backups. IT departments are increasingly looking for solutions to this cost problem in 2024. The solution is right in front of us: AWS has storage tiers at different prices, with some acceptable tradeoffs in performance. A good third-party backup vendor will allow you to store your backups in these lower-cost tiers, as well as on other cloud storage services.

Management simplicity via policy-driven automation

An AWS backup vendor should ideally provide simple, streamlined management of backup and restore functions for all workloads. This includes having the ability to discover all workloads automatically and then establishing a baseline backup with unified data protection policies. 

Policies should drive automated processes. For example, if your policy is to have a certain retention period based on the data type, then the AWS backup vendor’s solution should be able to enforce that policy automatically for all your AWS data.

Fast recovery for near-zero RTOs and RPOs

Rapid recovery is an essential capability for an AWS backup vendor. One proven approach is the “surgical” recovery of the most-needed apps, files, and objects, but at scale. Putting a priority on critical data helps speed up operational recovery.

The goal should be to have as fast a Recovery Time Objective (RTO) as possible, along with the smallest possible Recovery Point Objective (RPO). RTO refers to the amount of time that elapses between the start of an outage and the recovery of the affected system. RPO is the point in time at which data becomes lost due to an action, e.g., the most recent transaction that can be recovered after an outage. The surgical data restore process helps realize near-zero RTOs and RPOs.

Data threat analytics

Defending backed-up data requires constant vigilance. An AWS backup vendor should support this process through countermeasures like integration with IAM and Data Loss Prevention (DLP) solutions, along with security tools like Security Orchestration Automation and Response (SOAR). It should also enable data threat analytics, constantly monitoring data posture and identifying sensitive data exposure.

For example, an employee might accidentally store a file on AWS that contains malware. That file then gets backed up to an S3 bucket, where it sits waiting to activate. The first step in mitigating the impact of this malware is to know it’s there. That means scanning backed-up data and searching for threat signatures—and then alerting the right people who can remediate the risk.

Support for compliance

Backups factor into compliance, especially if the datasets contain personally identifiable information (PII), healthcare data, or any other type of data that is covered under privacy regulations. Compliance audits will want to look at cloud storage and backups. For these reasons, an AWS backup vendor should support the compliance process, including auditability.

FAQ