12
January 2021
Protecting backups with PAM
Andy Harris
Backups need protection
Backups are a good thing. Obviously! But they're important for much more than restoring a file deleted accidentally.
When ransomware attacks, it sets out to cause as much disruption as possible. Often, the only escape (other than paying the ransom) is to restore all systems back to some clean state before the attack occurred.
That's never going to be a trivial task, but it depends on those backups being available and being safe. If an attacker gets access to your backup management system, the backups cannot be trusted. The backups could be exfiltrated or damaged, so they re-infect systems (or worse) when the backup is restored.
It's no wonder, then, that the National Centre for Cybersecurity (NCSC), has highlighted the risk and made specific recommendations on protecting backups and backup systems.
A key recommendation they make concerns management of the privileged access to the backup systems. As I said above, if you can't protect those systems, you can't trust the backups.
Ideally, backup accounts and solutions should be protected using Privileged Access Workstations (PAW) and hardware firewalls to enforce IP allow listing. Multi-factor Authentication (MFA) should be enabled, and the MFA method should not be installed on the same device that is used for the administration of backups. Privileged Access Management (PAM) solutions remove the need for administrators to directly access high-value backup systems.
Many organizations have invested in enterprise-class backup systems such as Commvault, Veeam, Veritas and others. That's obviously a good thing, but it doesn't matter how good the backup system is, they should all be accessed via a PAM system. Osirium PAM, the leading Privileged Access Management solution, already has integrations with these systems . You can see an example of it in action with Veeam in this demo (although it could have been any backup system) using both the management console and via a web browser.
Using PAM with a backup system
In the demo you can see the key aspects of PAM being used with the backup system::
- The admin can only access the devices or systems (in this case, Veeam) they're supposed to
- That admin never knows (or, really, cares) what user name is being used. More importantly, they don't know the password being used so the credentials can never be deliberately or accidentally leaked.
- Veeam (or any other backup system) can be accessed via the dedicated management console or through its web interface
- The whole session can be recorded - not just that someone accessed Veeam, but the actual keyboard and screen interactions which can be critical for investigations if a breach should occur
If you'd like to know more about Osirium PAM and how to protect your critical backups, please get in touch.