Backup Encryption: What It Is and Why It’s Important for Data Security

It’s hard to ignore all the high-profile security incidents splashed all across the news, reinforcing how dangerous today’s business landscape has become. The harsh reality is anyone can fall victim to a cyberattack or data loss incident, meaning no business or individual is safe. To put this into perspective, a new study by Positive Technologies found that cybercriminals can penetrate 93% of company networks and gain access to resources.

Your data is extremely valuable to your business. Unfortunately, cybercriminals understand how valuable it is as well. Your company’s data is an attractive target for threat actors looking to make a quick buck through cybercrimes and other fraudulent practices. Having a backup is critical for quick recovery in the event of a cybersecurity incident. However, with cybercriminals now increasingly targeting backups — attempting to disable them from occurring, rendering them useless or deleting them completely — backups alone are inadequate. That is why encrypting your backups is crucial for the survival of your organization. Read on to learn more about what backup encryption means, its benefits and why it is more important than ever.

Backup encryption graphic.

What is backup encryption?

TechTarget defines encryption as “the method by which information is converted into secret code that hides the information’s true meaning.” Backup encryption conceals the original meaning of the data, thereby preventing it from being known to or used by unauthorized personnel. Backup encryption helps maintain confidentiality and integrity of data by converting unencrypted data, also known as plaintext, to encrypted data or ciphertext. Backup encryption is a two-way function: first, it converts plain text into ciphertext or a secret code and then uses a key to interpret the secret code into plaintext. Once a backup is encrypted, anyone without the decryption key will not be able to read it.

What is the difference between encrypted and unencrypted backup?

An encrypted backup is a backup that is protected by encryption algorithms to maintain the authenticity, confidentiality and integrity of information as well as prevent unauthorized access. An unencrypted backup simply means data or information stored is not encoded by any algorithm. Encrypted backups are secured by complex algorithms and are readable to only those users with a key. An unencrypted backup is vulnerable to online breaches and cyberattacks, and since it is in an unsecured form or plaintext, the information can be easily viewed or accessed.

Why is it important to encrypt backups?

Cybercrimes are growing both in frequency and sophistication. Despite organizations implementing several security controls, threat actors still manage to penetrate defense systems and wreak havoc. According to The Global Risks Report 2022 by the World Economic Forum, cybersecurity infrastructure and/or measures taken by businesses, governments and individuals are being outstripped or rendered obsolete by increasingly sophisticated and frequent cybercrimes.

Backups are quickly becoming a hot target for cybercriminals because they want to get rid of your ability to recover and gain full control of the attack. Therefore, backup encryption is important not only for business continuity and disaster recovery but also to improve your organization’s overall security posture. Backup encryption is a security best practice that helps protect your organization’s confidential information and prevents unauthorized access. Most organizations today use encryption technology for securing their sensitive data. Encrypting backups adds an additional layer of security by converting sensitive information into an unreadable format. Even if threat actors manage to intercept the data while in transit, they will not be able to access or read it without the decryption key. Due to its high reliability, encryption is used for both commercial and military purposes.

What are the benefits of backup encryption?

It is important to back up your data for quick recovery from a data loss or cybersecurity incident. However, you must also ensure that your backups are protected by encrypting them. Backup encryption has several benefits, including:

Privacy: Encryption encodes your information, rendering it inaccessible to malicious third parties or untrusted users. It also gives you and your customers peace of mind knowing that sensitive information will not end up in the wrong hands.

Security: Encryption protects against identity theft and blackmail since hackers cannot access the information without a key. Backup encryption also makes data more resistant to tampering and corruption.

Data integrity: Encryption prevents misuse of information even if your laptop, hard drive or smartphone is hacked, lost or stolen. This ensures the content of your backups is reliable, accurate, valid and has not been altered.

Authentication: Encryption ensures only intended parties have access to the data.

Regulations: Encryption helps your business comply with regulatory requirements and standards like the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA) and the Payment Card Industry Data Security Standard (PCI DSS) that require businesses to encrypt customer personal information when it is stored at rest and when transmitted across public networks.

How are backups encrypted?

Encryption converts data (messages or files) from plaintext or normal text into ciphertext using complex mathematical algorithms and encryption keys to improve data security. This ensures only intended parties can read or access the data. Once the encoded data is transmitted to the recipient, a decryption key is used to translate the data back to its readable state.

A simple example of transforming readable text into ciphertext is by swapping each letter with the one that is next to the ordinary text in the alphabet. It simply means “a” is replaced with “b,” “b” with “c” and so on. Here is how the encryption would appear: the word “confidential” would be converted to “dpogjefoujbm.” When data is encrypted, intruders can see that information is exchanged or transmitted; however, they cannot unlock the data without the correct key. This ensures data security both while in transit and at rest. Only authorized personnel with the secret key can decode and read the information.

The efficacy of encryption depends on the encryption algorithm used, the length or number of bits in the decryption key (longer keys are often much harder to crack) and the encryption method employed.

What is the difference between encryption at rest and encryption in transit?

There are several factors that need to be considered to effectively encrypt your data, including the state in which your data is in. This will ensure your valuable data is encrypted and protected at all times.

Encryption in transit: This means encrypting data while it is in motion between devices and networks or is being transferred to the cloud. Encryption in transit occurs between the backup source (a machine, server, Salesforce, Microsoft 365, Google Workspace, etc.) and the backup destination (Unitrends Cloud, Spanning-managed storage in S3, customer-managed storage, to name a few). It is like putting your data in an armored vehicle before being transported.

At Spanning, we use the respective app model and best practices for each SaaS provider in combination with OAuth2.0. This means all backups are transmitted securely, making it impossible for intruders to steal the data while its being backed up.

Encryption at rest: This means encryption of data once it resides on a storage “at rest” or the backup destination. In simple terms, encryption at rest is like keeping your valuable information in a vault and securing it with a PIN, password or key. In data encryption, a key is used to encrypt and decrypt data to prevent hackers from gaining access to data even if they have physical access to the device. This can be done with a Spanning-managed key hosted in Amazon Web Services (AWS) or a customer-provided key hosted in AWS. This also means that even if hackers manage to steal data from a backup solution provider, they still will not be able to do anything with it since they do not have the key.

What is key management service in encryption?

Key management services like AWS Key Management Service (AWS KMS), Azure Key Vault, Google Cloud Key Management and others, allow easy management of cryptographic keys. Key management ensures the security of your keys and also provides an easy way to control and access your data.

With AWS KMS, you can easily create cryptographic keys to encrypt your data stored in the cloud and control the use of the keys across a wide range of AWS services. AWS KMS uses hardware security modules (HSM), and the keys are validated under the FIPS 140-2 Cryptographic Module Validation Program, making the service highly secure and resilient. The centralized key management system allows you to import, rotate, delete, manage permissions and define policies on keys.

Azure Key Vault allows you to securely store and access secrets — API keys, passwords, certificates, cryptographic keys and so on. The cloud service enhances security and control over your cryptographic keys and other secrets using FIPS 140-2 Level 2 and Level 3-validated HSMs. Azure Key Vault allows you to easily create, import and define access policies to control access to your secrets.

A centralized key management system provides multiple benefits to businesses, including:

  • It makes accessing or reading your data extremely difficult for intruders.
  • At minimum, hackers must compromise the key stored AND the data destination.
  • Threat actors must compromise the solution provider (Spanning), cloud service provider (Amazon, Microsoft) AND the customer to steal information, which is much harder.
  • Keys can be rotated, which means attackers must hit all locations AND within a limited amount of time.
  • It helps you pass compliance audits by providing tamper-evident records.

What is the most popular encryption method?

The Advanced Encryption Standard (AES), also known as Rijndael, is the most widely adopted and trusted symmetric encryption algorithm. In fact, AES encryption is the U.S. Government standard for encryption. AES is a cryptographic algorithm used to protect digital assets. AES was developed to replace the Data Encryption Standard (DES) algorithm after the National Institute of Standards and Technology (NIST) recognized that the DES was growing vulnerable with advancements in cryptanalysis.

AES supports three keys with 128-bit, 192-bit and 256-bit key lengths. AES 256-bit encryption is considered to provide the highest level of security. Due to its speed, resistance to attacks and compatibility, the U.S. Government and countless non-governmental organizations worldwide use AES encryption to protect their confidential data.

What is Bring Your Own Key encryption?

Bring Your Own Key (BYOK) is an encryption model that allows customers to use their own encryption software and keys to encrypt and decrypt data stored in the cloud. This gives you more control over your data and management of your keys. BYOK adds an additional layer of security to your confidential data. You can use the encryption software to encrypt data before sending it to your cloud service provider and decrypt is using your key upon retrieval.

Encrypt your backups for enhanced security with Spanning

Did you know that as of 2022, more than 60% of all corporate data is stored in the cloud?

Cloud offers multiple benefits, such as increased agility, scalability, productivity, reduced costs and so on. However, there are some critical security issues that you must be aware of, like data privacy and control, lack of visibility, programmatic errors and unauthorized access, to name a few. Your cloud service provider actually controls your backups stored in the cloud. It’s no surprise data loss and leakage (69%) were the top cloud security concerns in 2021, followed by data privacy/confidentiality (64%). To address these issues, businesses like yours can leverage BYOK encryption, which allows you to encrypt data before transmitting it to the cloud, and the best part is, the key to your backups lies with you.

Spanning Backup for Google Workspace, Microsoft 365 and Salesforce offers Customer-Managed Encryption Keys or Bring Your Own Key, which gives you increased control over your company’s data. Additionally, it allows you to control cloud service providers’ level of access to your data and enables you to suspend or shut off access at any time, thereby mitigating risks related to data security. Our encryption key self-management also provides data access transparency into how keys are used, as well as greater control via best practices in limiting key access.

Spanning protects your SaaS data with 256-bit AES object-level encryption, with unique, randomly generated encryption keys for every single object and a rotating master key protecting the unique keys. Additionally, Transport Layer Security (TLS) encryption is used to protect all data in transit.

Discover how Spanning provides end-to-end protection for your SaaS data.

Request a Demo Today

Want to get started?
Start backing up Microsoft 365, Google Workspace and Saleforce.

Request a Demo