New principles to help make cloud backups more resilient

Introducing a new set of NCSC principles to strengthen the resilience of organisations’ cloud backups against ransomware attackers.

Every month there are press reports of a global organisation experiencing a ransomware attack. In the NCSC we see the real-world effects of ransomware when we support UK organisations going through an incident. While there is a lot that organisations can do to minimise the chance of becoming a victim in the first place, everyone agrees that a backup capability is absolutely key to resilience. Not having this in place hampers your ability to get back on your feet and worsens the consequences to you, your business and, in many cases, your customers or service users.

Every organisation should have a solid response plan in place which should include making regular backups. And testing your backup regime is equally important to make sure you can restore your data as planned. We’re aware of cases where organisations believe they have a backup regime in place but aren’t sure what it looks like in practice.

That’s why we’ve come up with a new set of principles which lay out the best practice to make sure cloud backups are more resistant to ransomware. It’s important to say that while these principles provide a solid foundation to help prevent an actor deleting your cloud backups, they won’t protect your organisation from all the effects of ransomware. We’re thinking particularly here of the extortion threat, where an actor threatens to release your stolen data unless you pay a ransom.

Principle 1. Backups should be resilient to destructive actions

Suggested implementations:

Blocking any deletion or alteration requests for a backup once it is created.
Offering soft-delete by default.
Delaying implementation of any deletion or alteration requests.
Forbidding destructive requests from customer accounts.

Principle 2. A backup system should be configured so that it isn’t possible to deny all customer access

Suggested implementations:

Allowing customer access to the backup service, even if all existing corporate IT systems and assets are unavailable, by agreeing a separate out-of-band mechanism.
Forbidding any IAM policy that restricts access to a single account within an attacker’s control, as this forces an attacker to undermine multiple accounts to achieve full control of the backup system.

Principle 3. The service allows a customer to restore from a backup version, even if later versions become corrupted

Suggested implementations:

Providing mechanisms so that system owners can test whether they can restore from the current backup state.
Storing backup data according to a fixed time period.
Creating and retaining a version history.
Offering flexible storage policies so that a system owner can decide how many backups to keep for different periods of time.

Principle 4. Robust key management for data-at-rest protection is in use

Suggested implementations:

Following the NCSC’s cloud key management guidance.
Offering an out-of-band key backup option, such as the option to commit a master key to paper in human-friendly text encoding or QR code form, so that it can be stored in a secure location, such as a safe.

Principle 5. Alerts are triggered if significant changes are made, or privileged actions are attempted

Suggested implementations:

The service offers a wide range of customisable alerts, which a system owner can ingest and monitor, for activity that affects the backup system.
Significant changes to how the backup system behaves or is accessed require extra authorisation and should automatically initiate extra protective monitoring.
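Principles 1, 3 and 5 describe behaviours a backup service should exhibit. The following added example (not NCSC’s or any vendor’s code) models them in a hypothetical in-memory vault: append-only versions, deletion requests that are soft and take effect only after a delay, restoring an earlier version while a later one is corrupt, and an alert on every deletion request. The vault class, its method names and the seven-day delay are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Dict, List, Optional

# Hypothetical in-memory backup vault, constructed for this example (not any real
# product's API): append-only versions, soft delayed deletes, alerts on privileged actions.
RETENTION_DELAY = timedelta(days=7)

@dataclass
class Version:
    data: bytes
    delete_after: Optional[datetime] = None  # None: not scheduled for deletion

@dataclass
class BackupVault:
    versions: Dict[int, Version] = field(default_factory=dict)
    alerts: List[str] = field(default_factory=list)
    last_number: int = 0

    def put(self, data: bytes) -> int:
        """Principles 1 and 3: every write creates a new version; nothing is overwritten."""
        self.last_number += 1
        self.versions[self.last_number] = Version(data)
        return self.last_number
    def request_delete(self, number: int, now: datetime) -> datetime:
        """Principle 1: deletion is soft and delayed. Principle 5: it raises an alert."""
        v = self.versions[number]  # KeyError if the version is not retained
        v.delete_after = now + RETENTION_DELAY
        self.alerts.append(f"DELETE_REQUESTED version={number} effective={v.delete_after.isoformat()}")
        return v.delete_after
    def purge(self, now: datetime) -> int:
        """Physically remove only versions whose delay has elapsed; returns how many."""
        kept = {n: v for n, v in self.versions.items()
                if v.delete_after is None or v.delete_after > now}
        self.versions, removed = kept, len(self.versions) - len(kept)
        return removed
    def restore(self, number: int) -> bytes:
        """Principle 3: any retained version can be restored, even if later ones are corrupted."""
        return self.versions[number].data

def demo() -> dict:
    t0, vault = datetime(2024, 1, 1), BackupVault()
    vault.put(b"good backup")
    vault.put(b"corrupted backup")        # a later, bad version must not block restoring v1
    vault.request_delete(1, t0)           # a destructive request against the good backup
    return {
        "purged_early": vault.purge(t0 + timedelta(days=1)),  # 0: delay not yet elapsed
        "restored": vault.restore(1),                          # b"good backup", still restorable
        "alerts": len(vault.alerts),                           # 1: the delete request was alerted
        "purged_late": vault.purge(t0 + timedelta(days=8)),    # 1: delay elapsed, v1 now gone
    }
```

The delay window is what gives a system owner time to act on the alert before the deletion becomes irreversible.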