Security Control v3: Backup and recovery
Backup and Recovery covers controls to ensure that data and configuration backups at the different service tiers are performed, validated, and protected.
BR-1: Ensure regular automated backups
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
11.2 | CP-2, CP-4, CP-9 | N/A |
Security Principle: Ensure backup of business-critical resources, either during resource creation or enforced through policy for existing resources.
Azure Guidance: For Azure Backup supported resources, enable Azure Backup and configure the backup source (such as Azure VMs, SQL Server, HANA databases, or File Shares) on the desired frequency and retention period. For Azure VM, you can use Azure Policy to have backup automatically enabled using Azure Policy.
For resources not supported by Azure Backup, enable the backup as part of its resource creation. Where applicable, use built-in policies (Azure Policy) to ensure that your Azure resources are configured for backup.
Implementation and additional context:
Customer Security Stakeholders (Learn more):
- Policy and standards
- Security architecture
- Infrastructure and endpoint security
- Incident preparation
BR-2: Protect backup and recovery data
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
11.3 | CP-6, CP-9 | 3.4 |
Security Principle: Ensure backup data and operations are protected from data exfiltration, data compromise, ransomware/malware and malicious insiders. The security controls that should be applied include user and network access control, data encryption at-rest and in-transit.
Azure Guidance: Use Azure RBAC and multi-factor-authentication to secure the critical Azure Backup operations (such as delete, change retention, updates to backup config). For Azure Backup supported resources, use Azure RBAC to segregate duties and enable fine grained access, and create private endpoints within your Azure Virtual Network to securely backup and restore data from your Recovery Services vaults.
For Azure Backup supported resources, backup data is automatically encrypted using Azure platform-managed keys with 256-bit AES encryption. You can also choose to encrypt the backups using customer managed key. In this case, ensure this customer-managed key in the Azure Key Vault is also in the backup scope. If you use customer-managed key options, use soft delete and purge protection in Azure Key Vault to protect keys from accidental or malicious deletion. For on-premises backups using Azure Backup, encryption-at-rest is provided using the passphrase you provide.
Safeguard backup data from accidental or malicious deletion (such as ransomware attacks/attempts to encrypt or tamper backup data. For Azure Backup supported resources, enable soft delete to ensure recovery of items with no data loss for up to 14 days after an unauthorized deletion, and enable multifactor authentication using a PIN generated in the Azure portal. Also enable cross-region restore to ensure backup data is restorable when there is a disaster in primary region.
Note: If you use resource's native backup feature or backup services other than Azure Backup, refer to the Azure Security Benchmark (and service baselines) to implement the above controls.
Implementation and additional context:
- Overview of security features in Azure Backup
- Encryption of backup data using customer-managed keys
- Security features to help protect hybrid backups from attacks
- Azure Backup - set cross region restore
Customer Security Stakeholders (Learn more):
BR-3: Monitor backups
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
11.3 | CP-9 | N/A |
Security Principle: Ensure all business-critical protectable resources are compliant with the defined backup policy and standard.
Azure Guidance: Monitor your Azure environment to ensure that all your critical resources are compliant from a backup perspective. Use Azure Policies for backup to audit and enforce such control. For Azure Backup supported resources: Backup Center helps you centrally govern your backup estate.
Ensure critical Backup operations (delete, change retention, updates to backup config) are monitored, audited and have alerts in place. For Azure Backup supported resources, monitor overall backup health, get alerted to critical backup incidents, audit user triggered actions on vaults.
Implementation and additional context:
- Govern your backup estate using Backup Center
- Monitor and operate backups using Backup center
- Monitoring and reporting solutions for Azure Backup
Customer Security Stakeholders (Learn more):
BR-4: Regularly test backup
CIS Controls v8 ID(s) | NIST SP 800-53 r4 ID(s) | PCI-DSS ID(s) v3.2.1 |
---|---|---|
11.5 | CP-4, CP-9 | N/A |
Security Principle: Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meets the recovery needs as per defined in the RTO (Recovery Time Objective) and RPO (Recovery Point Objective).
Azure Guidance: Periodically perform data recovery tests of your backup to verify that the backup configurations and availability of the backup data meets the recovery needs as per defined in the RTO and RPO.
You may need to define your backup recovery test strategy, including the test scope, frequency and method as performing the full recovery test each time can be difficult.
Implementation and additional context:
Customer Security Stakeholders (Learn more):