Make sure your backups are encrypted and can’t be changed after they’re saved, especially when they’re being moved or copied.
When you adopt this approach, if you ever need to recover data, you can trust that the backup wasn’t tampered with, either by accident or on purpose.
Contoso’s challenge
- Contoso generates the Environmental Protection Agency emissions report every month, but they only need to submit it three times a year.
- They store the report in an Azure Storage account as a backup, just in case something goes wrong with the main system.
- The backup report itself isn’t encrypted; it is only protected in transit, by HTTPS, on its way to the storage account.
Applying the approach and outcomes
- After doing a security gap analysis, the team realizes that the unencrypted backup is a risk.
- They now encrypt the report and store it in Azure Blob Storage by using the write-once, read-many (WORM) setting, which keeps the file from being changed.
- They also add a data integrity check. The system now compares a Secure Hash Algorithm (SHA) hash of the report against the backup to make sure nothing has been altered.
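
The integrity check from the last step, as an added example that is not code from the original page: it records a digest when the report is backed up and recomputes it from the backup copy before a restore. The function names, the JSON manifest, the file names and the choice of SHA-256 are assumptions, and both digests must be taken over the same form of the data (here, the bytes as stored).

```python
import hashlib
import hmac
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path, chunk_size=1024 * 1024):
    """Stream the file so a large report does not have to fit in memory."""
    digest = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(chunk_size), b""):
            digest.update(chunk)
    return digest.hexdigest()


def record_digest(report_path, manifest_path):
    """At backup time: write the report's digest to a separate manifest."""
    entry = {"file": Path(report_path).name, "sha256": sha256_file(report_path)}
    Path(manifest_path).write_text(json.dumps(entry))
    return entry


def verify_backup(backup_path, manifest_path):
    """Before restore: recompute the backup's digest and compare it."""
    expected = json.loads(Path(manifest_path).read_text())["sha256"]
    actual = sha256_file(backup_path)
    # compare_digest does a constant-time comparison of the two hex strings.
    return hmac.compare_digest(expected, actual)


if __name__ == "__main__":
    workdir = Path(tempfile.mkdtemp())
    report = workdir / "emissions-report.csv"      # constructed sample data
    report.write_bytes(b"site,month,co2_tonnes\nA,01,12.4\n")
    manifest = workdir / "manifest.json"
    backup = workdir / "emissions-report.bak"

    record_digest(report, manifest)
    shutil.copyfile(report, backup)
    print("untouched backup verifies:", verify_backup(backup, manifest))

    backup.write_bytes(b"site,month,co2_tonnes\nA,01,2.4\n")  # simulated change
    print("altered backup verifies:", verify_backup(backup, manifest))
```

A plain hash only detects changes if the manifest is kept somewhere that a party able to alter the backup cannot also alter.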