Securing Your SaaS Backup - The What, Where, How, and Who

INTRODUCTION

Why Does SaaS Need Backup?

The statistics are alarming. 80.3% of organizations experience more than 12 compromised account threats in the cloud per month[1]. Yet, the misconception that data in the cloud is safe, beyond the need for a backup, is prevalent. At the outset, let’s debunk that myth at all levels.

Myth #1: “My SaaS solution is extremely secure”

Enterprise-grade solutions such as Office 365, G Suite and Salesforce no doubt have best-in-class security. They have highly advanced disaster recovery capabilities to protect your data from infrastructure threats, such as hardware or software failure, power outages, or natural disasters. However, they cannot protect you from attacks on your end, including some of the most common causes of data loss such as:

  • Human error: Mistaken deletions have been the leading cause of data loss on the cloud for 10 years and counting[2]. If you combine that with the fact that 90% of breaches are caused by employees inadvertently falling victim to a phishing scam[3], one would have to conclude that the weakest link is unfortunately within the organization.
  • Illegitimate deletion requests: SaaS providers will honor your deletion request without question. They have no way of knowing if it’s a hasty (or malicious) request and they are not responsible for any unexpected results.
  • Programmatic or sync errors: Third-party tools designed to streamline business processes can ruin valuable data in a flash — with no possibility of undoing them.
  • Malicious insiders: Employee action was found to be involved in one-third of attacks and the cost of a breach triggered by malicious insiders was $1.6 million per organization, on average[4].
  • Malware, Hackers, Viruses, Ransomware et al: For example, ransomware can lead to industrial-scale extortion, fileless malware can bypass antivirus software, and spear phishing will use social engineering to infiltrate the most secure organizations.

Myth #2: “My SaaS provider is responsible for my data”

Data protection laws worldwide are increasingly insisting that customer data protection is a “shared responsibility”. Regulations such as the GDPR and HIPAA put the onus of accountability for data protection as shared between the controller (your organization) and the processor (third-party service providers like SaaS companies)[5]. Apart from the risk and cost of non-compliance, an accurate backup of your data with the ability to quickly restore it ensures rapid disaster recovery and seamless business continuity. This can be vital to reducing and containing the damage of a breach or data loss.

“Moreover, even the SLA of SaaS solutions factors in a 0.1% downtime.”

Myth #3: “My SaaS provider has built-in backup”

SaaS providers have built-in solutions such as Recycle Bins and Vaults to store deleted data. However, deleted data is only held for a limited period of a few weeks, the backup is not comprehensive or up-to-date, and restoring the data can be cumbersome. This is because these solutions were not built for backup and recovery but as temporary archival solutions. To underscore that, most SaaS providers themselves recommend using a third-party backup solution[6].

“Well, then if I use SaaS backup, is my data safe and secure with it?”

Good question! A third-party backup and recovery solution is an integral part of data protection, but choosing the wrong solution can result in the creation of new security vulnerabilities and put you at a greater risk of data loss. This white paper analyzes the four main questions you need to ask to ensure your backup and recovery solution is safe and secure:

  • What format is your data transferred and stored in?
  • Where is your data stored?
  • How does your backup provider connect to your SaaS solution?
  • Who has been in your backup system and what have they done there?

WHAT FORMAT IS YOUR DATA TRANSFERRED AND STORED IN?

Data is vulnerable to attack even while it is transferred or stored by your backup service provider. Hence it is essential to understand how securely the data is maintained both in-transit and while at rest.

Data being transferred

The in-transit requirements for data protection may differ based on your industry. For example, healthcare has extremely stringent conditions, so check your specific organizational, legal, and compliance requirements. However, the best practice would be to ensure that your SaaS solution encrypts and authenticates all traffic. The points of communication are another weak link. Your provider should use protocols such as Transport Layer Security (TLS) to authenticate network communications and reduce the risk of data being tampered with in transit.

Data at rest

Encryption at rest is a must-have protection against a data breach. Data at rest should ideally be protected with 256-bit AES encryption at the object level. This technique assigns a unique, randomly generated encryption key to every single object and protects those per-object keys with a rotating master key. Some top-tier solutions also give customers the option to manage their own keys, as recommended by the Cloud Security Alliance (CSA)[7] and the Criminal Justice Information Services (CJIS) Security Policy[8].
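The per-object key plus rotating master key arrangement described above is what is usually called envelope encryption. The Go program below is an added illustration written for this page, not Spanning's or any other vendor's code; the vault structure, function names and sample object id are assumptions. It shows why rotation is cheap (only the small wrapped keys are re-encrypted, never the object data) and why a tampered object or a missing key still fails closed on the decrypt path.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// Hypothetical object store: every object is encrypted under its own random
// 256-bit data key (DEK) and each DEK is wrapped under a master key (KEK).
// Rotating the master key re-wraps the DEKs only; object ciphertext is untouched.

type StoredObject struct {
	WrappedDEK []byte // nonce||AES-256-GCM ciphertext of the DEK under the KEK
	Sealed     []byte // nonce||AES-256-GCM ciphertext of the object under the DEK
}

type Vault struct {
	masterKey []byte // current 256-bit KEK; the previous one is discarded on rotation
	Objects   map[string]*StoredObject
}

func mustRandom(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // the OS CSPRNG failing means no key material can be produced at all
	}
	return b
}

// mustGCM builds AES-256-GCM; a wrong key length is a programming error here.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}

// seal returns nonce||ciphertext; aad binds the blob to its object id so a
// ciphertext cannot be silently moved onto another object.
func seal(key, plaintext, aad []byte) []byte {
	gcm := mustGCM(key)
	nonce := mustRandom(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, aad)
}

// open reverses seal; any change to the blob or the aad fails authentication.
func open(key, sealed, aad []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if n := gcm.NonceSize(); len(sealed) >= n {
		return gcm.Open(nil, sealed[:n], sealed[n:], aad)
	}
	return nil, errors.New("sealed blob too short")
}

func NewVault() *Vault {
	return &Vault{masterKey: mustRandom(32), Objects: map[string]*StoredObject{}}
}

// Put encrypts one object under a fresh DEK and wraps that DEK under the KEK.
func (v *Vault) Put(id string, plaintext []byte) {
	dek := mustRandom(32)
	v.Objects[id] = &StoredObject{
		WrappedDEK: seal(v.masterKey, dek, []byte(id)),
		Sealed:     seal(dek, plaintext, []byte(id)),
	}
}

// Get unwraps the object's DEK with the KEK and then decrypts the object.
func (v *Vault) Get(id string) ([]byte, error) {
	obj, ok := v.Objects[id]
	if !ok {
		return nil, errors.New("no such object")
	}
	dek, err := open(v.masterKey, obj.WrappedDEK, []byte(id))
	if err != nil {
		return nil, err
	}
	return open(dek, obj.Sealed, []byte(id))
}

// RotateMasterKey re-wraps every DEK under a new KEK and only then commits: one
// small AES-GCM operation per object, never a re-encryption of the stored data,
// and a failure part-way leaves the vault exactly as it was.
func (v *Vault) RotateMasterKey() error {
	newKEK := mustRandom(32)
	rewrapped := make(map[string][]byte, len(v.Objects))
	for id, obj := range v.Objects {
		dek, err := open(v.masterKey, obj.WrappedDEK, []byte(id))
		if err != nil {
			return fmt.Errorf("object %s: %w", id, err)
		}
		rewrapped[id] = seal(newKEK, dek, []byte(id))
	}
	for id, w := range rewrapped {
		v.Objects[id].WrappedDEK = w
	}
	v.masterKey = newKEK
	return nil
}

func main() {
	v := NewVault()
	v.Put("mailbox/alice/msg-1", []byte("constructed sample message"))
	_ = v.RotateMasterKey()
	fmt.Println(v.Get("mailbox/alice/msg-1"))
}
```

Customer-managed keys, mentioned in the paragraph above, fit this layout naturally: the KEK would live in the customer's key management service and `seal`/`open` on the wrapped DEKs would be calls to that service, while the object-level encryption stays exactly as shown.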

“256-bit AES object-level encryption is one of the strongest block ciphers available. Spanning not only secures your data with it, but also allows you to generate and supply your own encryption keys. Additionally, Spanning protects all data in transit with Transport Layer Security (TLS) encryption.” Matthew McDermott — Director, Product Management, Spanning Backup

WHERE IS YOUR DATA STORED BY YOUR SAAS BACKUP PROVIDER?

GDPR, in particular, has raised the importance of the location of data centers as a compliance requirement. Transfers and storage of data to third-party tools and countries can be done only if “adequate levels of protection” and “appropriate legal safeguards” are ensured, as deemed by GDPR[9].

Consequently, data centers of your backup solution are required to meet the regulatory standards for data transfer and storage as set by GDPR, HIPAA, Sarbanes-Oxley, and others. The backup provider should have the appropriate access controls and data lifecycle management capabilities to support the various regulatory requirements. Certifications such as the ones below will guarantee that your backup provider meets the highest compliance standards for data storage:

SOC 2 Compliance: Developed by the American Institute of CPAs (AICPA), SOC 2 defines five ‘trust services criteria’ for processing and storing customer data - security, availability, processing integrity, confidentiality and privacy. SOC 2 was designed to be the leading auditing standard to address the protection and privacy of data particularly in the cloud.

To be SOC 2 compliant, an organization has to undergo rigorous SOC 2 audits. SOC 2 audit reports are of two types:

  • Type I audit: Attests to the suitability of the service organization’s system and design of controls to meet the five trust services criteria.
  • Type II audit: Attests to the Type II criteria with the additional validation of the operating effectiveness of the controls over a period of time, typically six months.

SOC 2 - Type II is the gold standard for tech companies that process or store their customers’ data in the cloud and establishes their commitment to the security and protection of your data. Check that your backup solution complies with it.

Third-Party Certifications: Backup solution providers typically use a managed cloud computing platform to store your data. Verify that the platform they use features the latest security certifications in place such as ISO 27001, SAS-70 Type II compliance and SOC 2 compliance.

“Spanning understands that top-tier organizations require that all their SaaS products meet the most rigorous compliance standards. Spanning Backup is both SOC I and SOC II - Type II compliant, and is certified under the US-EU, BBB EU and Swiss-US Privacy Shield. Moreover, it operates within the Amazon Web Services cloud, which holds the latest and most rigorous certifications.” Shyam Oza — Director, Product Management, Spanning Backup

HOW DOES YOUR BACKUP PROVIDER CONNECT TO YOUR SAAS SOLUTION?

A vital contact point is the connection between your backup provider and your email and collaboration platform - Office 365, G Suite, Salesforce, etc. There are two main ways to interface: application-level OAuth 2.0 and service accounts.

OAuth 2.0 is an open-standard protocol for authorizing applications. What makes it exceptionally secure is that it designates access to applications without sharing credentials. This is because OAuth doesn’t share password data but instead uses authorization tokens to validate access. When combined with Multi-Factor Authentication (MFA) it makes for a formidable gatekeeper. MFA does not rest the security of your entire application on one password, which can invariably be hacked. It combines what the user knows (password), with what the user has (security token) and what the user is (biometric verification).

Service accounts are “dummy” user accounts that an application or service uses for authentication with your system. The level of access that the service account holds can vary based on the app requirement. However, in the case of service accounts by backup providers, they have full access, sweeping powers over your SaaS platform and data.

We can thus conclude that the security of most or all business assets in the modern organization depends on the integrity of the privileged accounts that administer and manage IT systems. For cloud services, prevention and response are the shared responsibilities of the cloud service provider and the customer. With the prevalence of privileged credentials as a top attack vector for malware attacks, securing them should be a top security priority for cloud solution providers and their customers alike.

Why is the authorization protocol so important for a backup solution?

Misuse of privileged credentials is possible (and prevalent). Backup solutions have to maintain a complete and accurate snapshot of the accounts, email, documents, sites, etc. of your SaaS platform. Hence, they need to have superuser access to the SaaS and require high-level administrative credentials. If shared accounts are the way your backup solution interfaces with your SaaS platform, then by necessity, they have privileged access.

What is worrisome about such privileged access is that credentials are top data breach targets. More so for administrator credentials, as their widespread access makes the attack more lucrative for the hacker and more damaging for the organization. Technology analyst firm Forrester[10] estimates that 80% of corporate security breaches result from privileged identity compromises. This number is consistent with another survey, by Centrify[11], which found that 65% of IT professionals are sharing root or privileged access to systems and data.

OAuth 2 and MFA are the answers, but very few solutions support it

So how does one prevent privileged credential abuse? By using OAuth 2 and MFA. Register your backup application, and take advantage of OAuth to grant consent so that the app can go about its business as usual, but without using a password to sign in. Employ MFA to further eliminate the dependence on a password and the risk of it being broken into, which happens even to the “strongest” of passwords. Enable MFA at the very minimum for privileged and administrator accounts.

But there remains a problem - very few third-party SaaS applications, backup solutions included, support app registration, OAuth consent or MFA authentication. Instead they connect to Office 365 services directly with service accounts that are extremely vulnerable to being hacked into. If your backup solution’s service account is compromised, or if your backup solution’s organization is breached, the attack would percolate into your organization. This is especially true for backup accounts, which often have full access to read all data in a tenant and hold global administrator rights.
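As an added example (not part of the original paper, and not Microsoft's or Spanning's code), the Go program below plays both sides of the app-only exchange that this section and the earlier OAuth 2.0 passage describe: a token endpoint for the OAuth 2.0 client-credentials grant that accepts a registered client id and secret rather than any user's password and grants only the scopes an administrator consented to, and a backup client that pins TLS 1.2 as the minimum protocol version (the in-transit requirement from the "Data being transferred" section) and refuses any token scoped wider than it asked for. The client id, secret and scope names are this example's own.

```go
package main

import (
	"crypto/subtle"
	"crypto/tls"
	"encoding/json"
	"fmt"
	"net/http"
	"net/http/httptest"
	"net/url"
	"strings"
)

// Constructed token endpoint and client for the OAuth 2.0 client-credentials
// grant (RFC 6749, section 4.4), i.e. the app-only model discussed above. The
// backup app authenticates with its own registered client id and secret and is
// granted no more than the admin consented to. Ids and scopes are hypothetical.

type TokenResponse struct {
	AccessToken string `json:"access_token"`
	TokenType   string `json:"token_type"`
	ExpiresIn   int    `json:"expires_in"`
	Scope       string `json:"scope"`
}

type registration struct {
	secret    string
	consented []string // scopes an administrator granted when registering the app
}

// registeredApps is the authorization server's app registry (hypothetical).
var registeredApps = map[string]registration{
	"backup-app-demo": {secret: "demo-client-secret", consented: []string{"mail.read", "files.read"}},
}

func contains(list []string, s string) bool {
	for _, x := range list {
		if x == s {
			return true
		}
	}
	return false
}

// TokenHandler is the authorization server side of the exchange.
func TokenHandler(w http.ResponseWriter, r *http.Request) {
	if r.Method != http.MethodPost || r.ParseForm() != nil || r.FormValue("grant_type") != "client_credentials" {
		http.Error(w, `{"error":"unsupported_grant_type"}`, http.StatusBadRequest)
		return
	}
	app, ok := registeredApps[r.FormValue("client_id")]
	if !ok || subtle.ConstantTimeCompare([]byte(app.secret), []byte(r.FormValue("client_secret"))) != 1 {
		http.Error(w, `{"error":"invalid_client"}`, http.StatusUnauthorized)
		return
	}
	var granted []string // intersection of requested and consented scopes, never more
	for _, s := range strings.Fields(r.FormValue("scope")) {
		if contains(app.consented, s) {
			granted = append(granted, s)
		}
	}
	if len(granted) == 0 {
		http.Error(w, `{"error":"invalid_scope"}`, http.StatusBadRequest)
		return
	}
	w.Header().Set("Content-Type", "application/json")
	json.NewEncoder(w).Encode(TokenResponse{AccessToken: "opaque-demo-token", TokenType: "Bearer", ExpiresIn: 3600, Scope: strings.Join(granted, " ")})
}

// RequestAppToken is the backup app side: it posts the form over TLS and
// refuses a token that carries any scope it did not ask for.
func RequestAppToken(client *http.Client, endpoint, clientID, secret string, want []string) (*TokenResponse, error) {
	form := url.Values{"grant_type": {"client_credentials"}, "client_id": {clientID}, "client_secret": {secret}, "scope": {strings.Join(want, " ")}}
	resp, err := client.PostForm(endpoint, form)
	if err != nil {
		return nil, err
	}
	defer resp.Body.Close()
	if resp.StatusCode != http.StatusOK {
		return nil, fmt.Errorf("token endpoint returned %s", resp.Status)
	}
	var tok TokenResponse
	if err := json.NewDecoder(resp.Body).Decode(&tok); err != nil {
		return nil, err
	}
	for _, s := range strings.Fields(tok.Scope) {
		if !contains(want, s) {
			return nil, fmt.Errorf("token carries unexpected scope %q; refusing to use it", s)
		}
	}
	return &tok, nil
}

// NewTLS12Client takes the test server's certificate-trusting client and pins TLS 1.2 as the floor.
func NewTLS12Client(srv *httptest.Server) *http.Client {
	c := srv.Client()
	c.Transport.(*http.Transport).TLSClientConfig.MinVersion = tls.VersionTLS12
	return c
}

func main() {
	srv := httptest.NewTLSServer(http.HandlerFunc(TokenHandler))
	defer srv.Close()
	tok, err := RequestAppToken(NewTLS12Client(srv), srv.URL+"/token", "backup-app-demo", "demo-client-secret", []string{"mail.read"})
	fmt.Printf("token=%+v err=%v\n", tok, err)
}
```

The point to take from the client side is the last loop in `RequestAppToken`: a backup app that only needs to read should treat a token carrying write or directory-admin scopes as a misconfiguration to surface, not a convenience to accept. On the server side, the constant-time secret comparison and the scope intersection are the two checks that make "consent" mean something.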

SaaS companies now mandate the use of MFA

All the major SaaS platforms - Office 365, G Suite, and Salesforce amongst others - now insist on MFA. Microsoft announced last year that MFA is a must for Privileged Accounts or Office 365 global administrator accounts. It then extended that requirement to Cloud Solution Provider (CSP) program partners. Studies indicate that MFA blocks 99.9% of malicious attacks – and this applies not just to Microsoft accounts but to any user profile on a digital application. As Alex Weinert, Microsoft’s Group Program Manager for Identity Security and Protection says, “Your password (rules) don’t matter, but MFA does. Go turn on MFA if you haven’t.”

The US Department of Homeland Security’s CISA also alerted organizations to enable MFA or risk being breached - “MFA is the best mitigation technique to use to protect against credential theft for O365 users.”

SaaS platforms lay foundational emphasis on trust and security and offer a wealth of security controls and capabilities to help you protect your data and applications. However, they can be best applied if organizations own their data and security controls.

The emphasis on MFA by platforms like Office 365 and G Suite is not a bloated requirement, but an essential one that will protect your organization’s security from being breached. Today’s IT setup, where companies are consumers of multiple CSPs, is even more vulnerable to a “proxy-breach”. Service partners have full access to your organization’s email, files, accounts and sites stored in the cloud. If one of your partners or a partner’s solution is compromised, it would, in turn, mean that you are compromised. For example, PCM, the world’s sixth largest CSP, caused a breach at one of their client’s firms when “the attackers stole administrative credentials that PCM uses to manage client accounts within Office 365”[12].

“Spanning Backup was one of the first backup solutions that implemented OAuth 2.0, which can function independently of any administrator credentials. What’s more, we worked closely with Microsoft to ensure that having an app-only security model using OAuth 2.0 was supported.” Dave Wallen — Director of Product Marketing, Spanning Backup

Who Has Been in Your Backup System?

Our final question has to do with access management to your backup instance by your backup provider. As your backup holds a faithful instance of your most critical data, malicious or erroneous intrusion can ruin the best security constructs. How can you keep a check on who exactly is in your backup system?

Intrusion detection

Monitor your network with an intrusion detection system (IDS). This refers to an application that scans a network or systems for malicious activity or policy violations. Any malicious activity or violation is typically reported either to an administrator or collected centrally. Optimally, your backup solution itself should guard against intrusion with log analysis, file integrity checking, policy monitoring, rootkit detection, real-time alerting, and active responses.

Compartmentalized Access

Compartmentalization means limiting access to information and infrastructure to persons who need it to perform certain tasks. Access to the backup provider’s production servers should be strictly restricted to only those employees who have specific operational requirements and who have been adequately trained in security best practices. Changes to the production environment access control list should be tracked and auditable.

Audit and activity logs

Apart from audit and activity logs being necessary compliance requirements, they are invaluable in tracing the cause of a breach, diagnostic performance assessment and error correction. Your backup admins should have clear and comprehensive insight into the state of all backup and restore activities, directly from within the application. Besides that, opt-in email notifications of the status of backups should be provided.
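The three controls above (intrusion detection, compartmentalized access, and audit logs) only pay off if the log is actually evaluated against a policy. The Go program below is an added example written for this page, not the paper's or any vendor's tooling; its log format, identities, IP addresses and policy thresholds are constructed for illustration. It parses a small audit log, flags production logins by anyone outside the access list, flags every ACL change for verification against a change record, and raises one alert when a single actor deletes more objects than the threshold allows inside a sliding time window.

```go
package main

import (
	"fmt"
	"sort"
	"strings"
	"time"
)

// Constructed audit-log review for a backup service: an allowlist check on
// production logins (compartmentalized access), mandatory review of ACL changes
// (tracked and auditable) and a sliding-window bulk-deletion rule (intrusion
// detection). The log format, identities and addresses are this example's own.

type Event struct {
	When                       time.Time
	Actor, Action, Src, Target string
}

// ParseLine reads one "RFC3339 key=value ..." line of the constructed format.
func ParseLine(line string) (Event, error) {
	fields := strings.Fields(line)
	if len(fields) < 2 {
		return Event{}, fmt.Errorf("malformed line %q", line)
	}
	ts, err := time.Parse(time.RFC3339, fields[0])
	if err != nil {
		return Event{}, err
	}
	kv := map[string]string{}
	for _, f := range fields[1:] {
		parts := strings.SplitN(f, "=", 2)
		if len(parts) != 2 {
			return Event{}, fmt.Errorf("malformed field %q in %q", f, line)
		}
		kv[parts[0]] = parts[1]
	}
	return Event{When: ts, Actor: kv["actor"], Action: kv["action"], Src: kv["src"], Target: kv["target"]}, nil
}

type Policy struct {
	ProdAllowlist map[string]bool // identities with a specific operational need for production access
	BulkThreshold int             // this many deletions by one actor ...
	BulkWindow    time.Duration   // ... within this window raise an alert
}

// Analyse parses and time-orders the log, then returns one string per alert.
func Analyse(lines []string, p Policy) ([]string, error) {
	events := make([]Event, 0, len(lines))
	for _, l := range lines {
		ev, err := ParseLine(l)
		if err != nil {
			return nil, err
		}
		events = append(events, ev)
	}
	sort.SliceStable(events, func(i, j int) bool { return events[i].When.Before(events[j].When) })
	var alerts []string
	recent := map[string][]time.Time{} // actor -> deletion timestamps still inside the window
	for _, ev := range events {
		stamp := ev.When.Format(time.RFC3339)
		switch ev.Action {
		case "prod.login":
			if !p.ProdAllowlist[ev.Actor] {
				alerts = append(alerts, fmt.Sprintf("%s production login by %s from %s: not on the access list", stamp, ev.Actor, ev.Src))
			}
		case "acl.change":
			alerts = append(alerts, fmt.Sprintf("%s ACL change on %s by %s: confirm a tracked change request exists", stamp, ev.Target, ev.Actor))
		case "object.delete":
			ts := append(recent[ev.Actor], ev.When)
			for ev.When.Sub(ts[0]) > p.BulkWindow {
				ts = ts[1:] // slide the window forward
			}
			recent[ev.Actor] = ts
			if len(ts) == p.BulkThreshold { // fires once, when the threshold is first reached
				alerts = append(alerts, fmt.Sprintf("%s bulk deletion by %s: %d objects within %s", stamp, ev.Actor, len(ts), p.BulkWindow))
			}
		}
	}
	return alerts, nil
}

// SampleLog is constructed data: ops-jane is on the access list, ops-eve is not.
var SampleLog = []string{
	"2019-09-12T03:15:00Z actor=ops-jane action=prod.login src=10.0.0.7 target=backup-node-1",
	"2019-09-12T03:16:30Z actor=ops-eve action=prod.login src=198.51.100.23 target=backup-node-2",
	"2019-09-12T03:17:00Z actor=ops-eve action=acl.change src=198.51.100.23 target=prod-acl",
	"2019-09-12T03:18:00Z actor=ops-eve action=object.delete src=198.51.100.23 target=snapshot/2019-09-01",
	"2019-09-12T03:18:20Z actor=ops-eve action=object.delete src=198.51.100.23 target=snapshot/2019-09-02",
	"2019-09-12T03:18:40Z actor=ops-eve action=object.delete src=198.51.100.23 target=snapshot/2019-09-03",
	"2019-09-12T09:00:00Z actor=ops-jane action=object.delete src=10.0.0.7 target=snapshot/2019-08-01",
}

func DefaultPolicy() Policy {
	return Policy{ProdAllowlist: map[string]bool{"ops-jane": true}, BulkThreshold: 3, BulkWindow: 10 * time.Minute}
}

func main() {
	alerts, err := Analyse(SampleLog, DefaultPolicy())
	fmt.Println(strings.Join(alerts, "\n"), err)
}
```

Run against the sample log, the analysis produces three alerts (the non-allowlisted login, the ACL change, and the third deletion inside ten minutes) and stays silent on the allowlisted login and on a single routine deletion hours later. The sort before evaluation matters: audit records from several nodes rarely arrive in order, and a window rule evaluated on unordered input would both miss bursts and fire spuriously.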

Dark web monitoring of compromised credentials

Data breaches are increasingly targeting customer records - 4.1 billion personal records were leaked due to data breaches in the first six months of 2019 alone[13]. A big reason for that is the profitable and viable marketplace that personal records find on the dark web. For an organization reeling under the massive cost of a breach, the damage of having their data sold on the dark web could be devastating in terms of brand reputation, customer loss, and further financial/legal costs. A backup solution with dark web monitoring can limit and contain the damage in the unfortunate occurrence of a breach.

“Trust and transparency are non-negotiable with respect to cloud application backup. We’re committed to exceeding security related requirements with intrusion detection, compartmentalized access, virtual private cloud, immutable and accessible audit logs and dark web monitoring. Everything we do - from product design to customer support - is focused on earning customer trust and instilling confidence and peace of mind.” Joseph Noonan — Vice President of Product Management, Unitrends and Spanning Backup

Conclusion

A quality backup and recovery solution, like Spanning, will drive better business continuity and improved productivity but the primary reason why businesses choose to invest in backup is to mitigate the potential impacts of a major data loss incident. A comprehensive copy of your SaaS data that meets RPO and RTO requirements is an integral component of a comprehensive data security strategy, but many solutions fail to properly address their own data security flaws. Because of the strategic importance of backup and recovery, it is vital that organizations considering solutions incorporate the questions outlined in this white paper into their evaluation process.

Sources:

  1. McAfee Cloud Adoption & Risk Report
  2. Information Age: Cloud risk, cloud outages and cloud security — human error is the cause
  3. Kaspersky: Understanding Security of the Cloud
  4. Accenture: Cost of Cybercrime 2019
  5. What is the GDPR Impact on SaaS Providers?
  6. Forrester: Back Up Your SaaS Data — Because Most SaaS Providers Don’t
  7. CSA: Security Guidance for Critical Areas of Focus In Cloud Computing V3.0
  8. CJIS: Security Policy
  9. GDPR: Article 45
  10. Forrester: Privileged Identity Management
  11. Forbes: Privileged Credential Abuse
  12. PCM: A CSP’s cascading breach
  13. Forbes: Data Breaches Expose 4.1 Billion Records