CON.3 Data Backup Concept

Description

Introduction

Institutions store ever increasing amounts of data and are simultaneously ever more dependent on it. If data is lost — for example due to defective hardware, malware or accidental deletion — serious damage can result. This can affect classic IT systems such as servers or clients, but also routers, switches or IoT devices that store sensitive information such as configurations. For this reason, the term IT system in this building block encompasses all forms of IT components that store sensitive information.

Regular data backups can minimise the impact of data loss. A data backup is intended to ensure that, through a redundant data store, IT operations can be resumed at short notice if parts of the actively used data inventory are lost. The data backup concept therefore also plays a central role in contingency planning. The key requirements of contingency planning, such as the maximum permissible data loss (Recovery Point Objective, RPO), should be taken into account in the data backup concept.

A complete data backup concept covers not only how data backups are created preventively (backup) but also how backups that have been made are restored to the original system (restore). A wide variety of solutions can be used for data backup, such as:

  • storage systems,
  • tape drives,
  • mobile removable media (USB sticks or external hard disks),
  • optical media, and
  • online solutions.

These solutions are collectively referred to below as storage media for data backup. In contrast, data mirroring via RAID systems is not considered data backup, since the mirrored data is modified simultaneously. This means that data mirroring via a RAID system can protect against failures caused by hardware defects in individual storage media, but it cannot protect against unintentional overwriting or infection with malware.

Objective

The objective of this building block is to show how institutions can create a data backup concept and use it to protect their data appropriately against data loss.

Scope and Modeling

The building block CON.3 Data Backup Concept is to be applied once to the entire information network.

The building block describes fundamental requirements that contribute to an appropriate data backup concept. Requirements for the retention and preservation of electronic documents for long-term storage are not covered. These are found in the building block OPS.1.2.2 Archiving.

This building block also does not address system-specific and application-specific characteristics of data backups. System-specific and application-specific requirements for the data backup concept are supplemented in the corresponding building blocks of the layers NET Networks and Communications, SYS IT Systems and APP Applications.

For the deletion and destruction of data backups, the building block CON.6 Deletion and Destruction must be taken into account.

Threat Landscape

Since IT-Grundschutz building blocks cannot address individual information networks, typical scenarios are used to illustrate the threat landscape. The following specific threats and vulnerabilities are of particular relevance for the building block CON.3 Data Backup Concept.

Absent Data Backup

If data is lost and has not been previously backed up, this can have existentially threatening consequences for an institution. Data can be lost through malware, technical malfunctions or fire, but also when employees delete data deliberately or unintentionally.

Absent Restoration Tests

Regular data backups do not automatically guarantee that the data can be restored without problems. If it is not regularly tested whether data can be restored, it may turn out that the backed-up data cannot be restored.

Inappropriate Storage of Backup Storage Media

The storage media for data backups contain a large amount of the institution’s sensitive information, regardless of whether they are classic tapes or modern storage systems. If backup storage media are stored in an insecure location, an attack could allow access to them and sensitive information could be stolen or manipulated. Backup storage media can also become unusable due to unfavourable storage conditions or climatic room conditions, meaning that the information stored on them is no longer available.

Absent or Inadequate Documentation

If data backup measures, and in particular restoration measures, are not or only poorly documented, this can significantly delay restoration. This in turn can delay important processes, for example in production. It is also possible that a data backup can no longer be restored at all, meaning the data is permanently lost.

If the restoration information is only available digitally, there is a risk that it too will be lost in the event of major damage (such as ransomware), thereby jeopardising restoration.

Disregard of Statutory Requirements

If statutory requirements such as data protection laws are not observed in data backup, fines may be imposed on the institution or claims for damages may be asserted.

Insecure Providers for Online Data Backups

If an institution outsources its data backup to an external online provider, attacks on that provider can also affect the outsourcing institution’s own data. This can result in sensitive data being exfiltrated.

Furthermore, there is a risk that unfavourable contractual terms result in data backups not being available at short notice, meaning they cannot be restored within a defined time frame in an emergency.

Insufficient Storage Capacity

If backup storage media do not have sufficient free capacity, more recent data may no longer be backed up. The backup software used may also automatically overwrite old backups that may still be needed. If those responsible are not notified — for example because monitoring is inadequate — data may be permanently lost. It is also possible that only outdated versions are available in an emergency.

Inadequate Data Backup Concept

If no appropriate concept is created for data backup measures, the professional requirements of the affected business processes may be left unconsidered. If, for example, restoration times or backup intervals are not taken into account, this could mean that the backups are not suitable for restoring lost data in an adequate manner in the event of data loss.

In addition, a backup storage medium can itself become a preferred attack target when valuable data from all of an institution’s business processes is concentrated on it.

Furthermore, organisational deficiencies can render a data backup unusable. If, for example, the backup is encrypted and the key needed to decrypt it is lost in the same event that caused the data loss, the data cannot be restored. This can happen if the key was not stored separately from the backup.

Insufficient Data Backup Speed

As the volume of data grows, not only the storage space required for data backup but also the time needed to perform a backup increases. In the worst case, this can mean that a backup has not yet finished when the next backup begins. This in turn can lead to various problems. Under some circumstances, the backup not yet completed may be terminated, meaning that complete backups are no longer created going forward. Alternatively, the backup solution could attempt to perform the new backup in parallel with the old one. This could ultimately result in the backup system failing under the increasing load.
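The two threat scenarios "Insufficient Storage Capacity" and "Insufficient Data Backup Speed" are both cases where nobody is notified until data is already lost. The following script is an added illustration, not part of the IT-Grundschutz text, of the monitoring checks that would catch them: it parses a constructed backup job log (the log format, job names and sizes are assumptions), flags runs that were still in progress when their next scheduled start arrived, and estimates whether the backup target has enough free space for one more run of every job before older backups would have to be overwritten.

```python
"""Checks for two threat scenarios: a backup run that has not finished when
its next scheduled start arrives, and a backup target without enough free
capacity for the next cycle. Added illustration with a constructed log
format; not from the IT-Grundschutz text."""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class BackupRun:
    job: str
    start: datetime
    end: Optional[datetime]   # None while the run is still in progress
    status: str               # "running", "ok" or "aborted"
    size_gb: int


# Constructed sample log (hypothetical format: "<timestamp> job=<name> start|end ...").
# The fileserver run of 2024-03-02 is still writing when the next run begins on
# 2024-03-03 and is then aborted; the mailserver run of 2024-03-04 never finishes.
SAMPLE_LOG = """\
2024-03-01T22:00:00 job=fileserver start
2024-03-02T03:10:00 job=fileserver end status=ok size_gb=800
2024-03-02T22:00:00 job=fileserver start
2024-03-03T22:00:00 job=fileserver start
2024-03-03T22:05:00 job=fileserver end status=aborted size_gb=0
2024-03-04T03:00:00 job=fileserver end status=ok size_gb=850
2024-03-04T01:00:00 job=mailserver start
""".splitlines()


def parse_log(lines):
    """Group log events into BackupRun objects per job. An 'end' event is
    matched to the oldest run of that job that is still open, which is the
    run a backup tool terminates when a newer one starts."""
    runs_by_job = {}
    for line in lines:
        stamp_text, *fields = line.split()
        stamp = datetime.fromisoformat(stamp_text)
        kv = dict(f.split("=", 1) for f in fields if "=" in f)
        event = next(f for f in fields if "=" not in f)
        runs = runs_by_job.setdefault(kv["job"], [])
        if event == "start":
            runs.append(BackupRun(kv["job"], stamp, None, "running", 0))
        elif event == "end":
            run = next(r for r in runs if r.end is None)
            run.end, run.status = stamp, kv.get("status", "ok")
            run.size_gb = int(kv.get("size_gb", 0))
    return runs_by_job


def overrunning_runs(runs_by_job, interval_hours, now_iso):
    """Runs that were (or still are) in progress at their next scheduled
    start. Returns (job, start as ISO string, final status) tuples."""
    interval = timedelta(hours=interval_hours)
    now = datetime.fromisoformat(now_iso)
    findings = []
    for job, runs in runs_by_job.items():
        for run in runs:
            finished = run.end if run.end is not None else now
            if finished > run.start + interval:
                findings.append((job, run.start.isoformat(), run.status))
    return findings


def capacity_shortfall_gb(runs_by_job, free_gb):
    """Gigabytes missing on the backup target for one more run of every job,
    sized by each job's largest completed backup. A positive value means the
    software would have to overwrite an older backup or stop backing up."""
    needed = 0
    for runs in runs_by_job.values():
        completed = [r.size_gb for r in runs if r.status == "ok"]
        if completed:
            needed += max(completed)
    return max(0, needed - free_gb)


def report(lines, interval_hours, free_gb, now_iso):
    """Findings as plain messages for the people who must be notified."""
    runs_by_job = parse_log(lines)
    messages = []
    for job, start, status in overrunning_runs(runs_by_job, interval_hours, now_iso):
        messages.append(f"{job}: run started {start} overran the "
                        f"{interval_hours}h interval (status {status})")
    short = capacity_shortfall_gb(runs_by_job, free_gb)
    if short:
        messages.append(f"backup target short by {short} GB for the next cycle")
    return messages


if __name__ == "__main__":
    # Constructed "current time" and free space for the demonstration.
    for msg in report(SAMPLE_LOG, 24, 500, "2024-03-05T02:00:00"):
        print(msg)
```

Matching an `end` event to the oldest open run reflects the first failure mode in the text (the older, unfinished backup is terminated when the next one starts); a run that is still open at the check time is reported with status `running`, which covers the parallel-execution case where the system is being pushed into overload.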

Ransomware

A special form of malware is ransomware, in which data on infected IT systems is encrypted. After encryption, a ransom is demanded so that the victim can decrypt the data again. Without data backups, the encrypted data is in many cases permanently lost or can only be recovered by paying the demanded ransom. However, even after paying a ransom, there is no guarantee that the data can be restored.

Many forms of ransomware search for network drives with write access, on which all data is likewise encrypted. This means that all encrypted information since the last data backup may be lost, even if a ransom is paid. Not only the originally infected IT system would be affected, but also centrally stored information accessible to many IT systems.

If the storage media for data backup are not sufficiently secured, there is the additional risk that they themselves are affected by a ransomware attack and the information (data backups) stored on them is encrypted.

Requirements

The following are the specific requirements of the building block CON.3 Data Backup Concept. The Information Security Officer (ISO) is responsible for ensuring that all requirements are met and reviewed in accordance with the established security concept. The ISO must always be involved in strategic decisions.

Additional roles are defined in the IT-Grundschutz Compendium. These should be filled to the extent that it is sensible and appropriate.

Responsibilities and Roles

Primary responsibility: Information Security Officer (ISO)
Additional responsibilities: Subject Matter Experts, IT Operations, Employees

Exactly one role should bear Primary responsibility. There may also be Additional responsibilities. If one of these additional roles has primary responsibility for fulfilling a specific requirement, that role is listed in square brackets after the heading of the requirement. The use of singular or plural says nothing about how many persons should fill these roles.

Basic Requirements

The following requirements MUST be met as a priority for this building block.

CON.3.A1 Survey of Influencing Factors for Data Backups (B) [Subject Matter Experts, IT Operations]

IT Operations MUST identify the framework conditions for data backup for each IT system and the applications running on it. To this end, Subject Matter Experts for applications MUST define their requirements for data backup. IT Operations MUST agree on at least the following framework conditions with Subject Matter Experts:

  • data to be backed up,
  • storage volume,
  • volume of changes,
  • times of change,
  • availability requirements,
  • confidentiality requirements,
  • integrity requirements,
  • legal requirements,
  • requirements for the deletion and destruction of data, and
  • responsibilities for data backup.

The influencing factors MUST be recorded in a comprehensible and appropriate manner. New requirements MUST be taken into account promptly.

CON.3.A2 Defining Procedures for Data Backup (B) [Subject Matter Experts, IT Operations]

IT Operations MUST define procedures for how data is backed up.

For data backup procedures, the type, frequency and timing of data backups MUST be determined. This MUST in turn be done on the basis of the identified influencing factors and in agreement with the respective Subject Matter Experts. It MUST also be defined which storage media are used and how transport and storage arrangements must be structured. Data backups MUST always be saved on separate storage media for data backup. Particularly sensitive storage media for data backup SHOULD only be connected to the institution’s network or the original system during backup and data restoration.

In virtual environments and for storage systems, it SHOULD be examined whether the IT system can additionally be backed up using snapshot mechanisms, in order to create several quickly restorable intermediate versions between complete data backups.

CON.3.A3 DISCONTINUED (B)

This requirement has been discontinued.

CON.3.A4 Creation of Data Backup Plans (B) [IT Operations]

IT Operations MUST create data backup plans for each IT system or group of IT systems based on the defined data backup procedure. These MUST specify which requirements for data backup must at minimum be met. The data backup plans MUST contain at least a brief description of:

  • which IT systems and which data on them are backed up by which backup,
  • the order in which IT systems and applications are to be restored,
  • how data backups can be created and restored,
  • how long data backups are retained,
  • how data backups are protected against unauthorised access and overwriting,
  • which parameters are to be selected, and
  • which hardware and software is used.

CON.3.A5 Regular Data Backup (B) [IT Operations, Employees]

Regular data backups MUST be created in accordance with the data backup plans. All employees MUST be informed of the data backup rules. They MUST also be informed of which tasks they have in the creation of data backups.

CON.3.A12 Secure Storage of Backup Storage Media (B) [IT Operations]

Storage media for data backup MUST be stored physically separate from the backed-up IT systems. They SHOULD be stored in a different fire compartment. The storage location SHOULD be climate-controlled in such a way that the storage media can be stored for the time periods specified in the data backup concept.

CON.3.A14 Protection of Data Backups (B) [IT Operations]

Data backups that have been created MUST be protected against unauthorised access in an appropriate manner. In particular, it MUST be ensured that data backups cannot be overwritten, whether intentionally or unintentionally. IT systems used for data backup SHOULD only permit write access to backup storage media for authorised backups or authorised administrative activities. Alternatively, backup storage media SHOULD only be connected to the corresponding IT systems for authorised backups or authorised administrative activities.

CON.3.A15 Regular Testing of Data Backups (B) [IT Operations]

It MUST be regularly tested whether data backups function as intended, in particular whether backed-up data can be correctly restored within a reasonable time.
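A restoration test has three parts: restore into a scratch location, verify every file against the checksums recorded at backup time, and compare the elapsed time with the permitted window. The following example is added here to show that procedure end to end; it is not code from the IT-Grundschutz text, and the tar-plus-JSON-manifest layout, file names and the 60-second window are assumptions. The `tamper` helper simulates a damaged backup so the check's failure path is exercised as well.

```python
"""Restore test for CON.3.A15: restore a backup into a scratch directory,
verify every file against the checksum manifest written at backup time, and
check that the restore finished inside the permitted window. Added example;
the tar archive with a JSON manifest beside it is an assumed layout."""
import hashlib
import io
import json
import tarfile
import tempfile
import time
from pathlib import Path


def sha256_file(path):
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def manifest_path(archive):
    return archive.with_name(archive.name + ".manifest.json")


def create_backup(source, archive):
    """Write a gzip tar of `source` and store a {relative path: sha256}
    manifest next to it. Returns the manifest."""
    manifest = {}
    with tarfile.open(archive, "w:gz") as tar:
        for file in sorted(p for p in source.rglob("*") if p.is_file()):
            rel = file.relative_to(source).as_posix()
            manifest[rel] = sha256_file(file)
            tar.add(file, arcname=rel)
    manifest_path(archive).write_text(json.dumps(manifest))
    return manifest


def restore_test(archive, max_seconds):
    """Restore into a fresh scratch directory and compare with the manifest.
    'ok' is True only if every file is present and unmodified and the
    restore finished within max_seconds."""
    manifest = json.loads(manifest_path(archive).read_text())
    with tempfile.TemporaryDirectory() as scratch:
        target = Path(scratch)
        started = time.monotonic()
        with tarfile.open(archive, "r:gz") as tar:
            try:
                tar.extractall(target, filter="data")  # refuses unsafe members (Python 3.12+)
            except TypeError:
                tar.extractall(target)                  # older interpreters without filters
        seconds = time.monotonic() - started
        missing = [rel for rel in manifest if not (target / rel).is_file()]
        corrupted = [rel for rel in manifest
                     if rel not in missing and sha256_file(target / rel) != manifest[rel]]
    within_window = seconds <= max_seconds
    return {"ok": not missing and not corrupted and within_window,
            "missing": missing, "corrupted": corrupted,
            "seconds": seconds, "within_window": within_window}


def tamper(archive, rel):
    """Simulate a damaged backup: rewrite the archive with one byte of the
    named member flipped, leaving the manifest untouched."""
    tmp = archive.with_name(archive.name + ".tmp")
    with tarfile.open(archive, "r:gz") as src, tarfile.open(tmp, "w:gz") as dst:
        for member in src.getmembers():
            data = src.extractfile(member).read() if member.isfile() else None
            if member.name == rel:
                data = data[:-1] + bytes([data[-1] ^ 0xFF])
            dst.addfile(member, io.BytesIO(data) if data is not None else None)
    tmp.replace(archive)


def demo():
    """Constructed source tree: a clean restore, then a damaged one."""
    with tempfile.TemporaryDirectory() as work:
        work = Path(work)
        source = work / "data"
        (source / "docs").mkdir(parents=True)
        (source / "docs" / "restore-order.txt").write_text("1 directory service\n2 file server\n3 mail\n")
        (source / "config.ini").write_bytes(b"[backup]\ninterval=24h\n")
        archive = work / "backup-2024-03-01.tar.gz"
        create_backup(source, archive)
        good = restore_test(archive, max_seconds=60)
        tamper(archive, "config.ini")
        bad = restore_test(archive, max_seconds=60)
    return {"good": good, "bad": bad}


if __name__ == "__main__":
    for name, result in demo().items():
        print(name, result)
```

The manifest is what makes the test meaningful: a restore that completes without errors says nothing about whether the content matches what was backed up, which is exactly the gap the threat "Absent Restoration Tests" describes. In practice the restore time and the missing/corrupted lists are what get recorded for each test run against the RPO/RTO figures in the data backup concept.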

Standard Requirements

Together with the basic requirements, the following requirements represent the state of the art for this building block. They SHOULD generally be met.

CON.3.A6 Development of a Data Backup Concept (S) [Subject Matter Experts, IT Operations]

The institution SHOULD create a data backup concept that covers at minimum the following points:

  • definitions of key aspects of data backup (e.g. different backup procedures),
  • threat landscape,
  • influencing factors per IT system or group of IT systems,
  • data backup plans per IT system or group of IT systems, and
  • relevant results of emergency management/BCM, in particular the Recovery Point Objective (RPO) per IT system or group of IT systems.

IT Operations SHOULD coordinate the data backup concept with the respective Subject Matter Experts for the applications concerned. If a central backup system is used for backing up data, it SHOULD be noted that a higher protection need may arise due to the concentration of data. Data backups SHOULD be regularly carried out in accordance with the data backup concept.

The data backup concept itself SHOULD also be included in a data backup. The technical information contained in the data backup concept for restoring systems and data backups (data backup plans) SHOULD be backed up in such a way that it is also available if the backup systems themselves fail.

Employees SHOULD be informed about the parts of the data backup concept that affect them. It SHOULD be regularly checked whether the data backup concept is being correctly implemented.

CON.3.A7 Procurement of an Appropriate Data Backup System (S) [IT Operations]

Before a data backup system is procured, IT Operations SHOULD create a list of requirements against which commercially available products are evaluated. The data backup systems procured SHOULD meet the requirements of the institution’s data backup concept.

CON.3.A8 DISCONTINUED (S)

This requirement has been discontinued.

CON.3.A9 Requirements for Online Data Backup (S) [IT Operations]

If an online storage service is to be used for data backup, at least the following points SHOULD be contractually agreed:

  • structure of the contract,
  • location of data storage,
  • service level agreements (SLA), in particular with regard to availability,
  • appropriate authentication methods for access,
  • encryption of data on the online storage, and
  • encryption of data in transit.

Furthermore, the backup system and network connection SHOULD be designed such that permissible backup and restoration times are not exceeded.

CON.3.A10 DISCONTINUED (S)

This requirement has been discontinued.

CON.3.A11 DISCONTINUED (S)

This requirement has been discontinued.

Requirements for High Protection Needs

The following are examples of proposed requirements for this building block that go beyond the level of protection corresponding to the state of the art. These proposals SHOULD be considered for high protection needs. The specific determination is made within the framework of an individual risk analysis.

CON.3.A13 Use of Cryptographic Methods for Data Backup (H) [IT Operations]

In order to ensure the confidentiality of the backed-up data, IT Operations SHOULD encrypt all data backups. It SHOULD be ensured that the encrypted data can still be restored after extended periods of time. Cryptographic keys used SHOULD be protected with a separate data backup.

Additional Information

Good to Know

The International Organization for Standardization (ISO) lists requirements for a data backup concept in the standard ISO/IEC 27002:2013 under “12.3 Backup”.

The Federal Association for Information Technology, Telecommunications and New Media (Bitkom) has created a guide to performing data backups in its publication “Guidelines for Backup / Recovery / Disaster Recovery”.

The Information Security Forum (ISF) provides specifications for data backups in its standard “The Standard of Good Practice for Information Security” in chapter “SY2.3 Backup”.

The National Institute of Standards and Technology provides requirements for backups in “CP-9 Information System Backup” of the publication “NIST Special Publication 800-53”.