1. The offline rule
At any given time, are one or more backups offline?
The purpose of an 'offline backup' (sometimes called a 'cold backup') is to remain unaffected should any incident impact your live environment. You can do this by:
- only connecting the backup to live systems when absolutely necessary
- never having all backups connected (or 'hot') at the same time
With at least one backup offline at any given time, an incident cannot affect all of your backups simultaneously.
Using cloud storage to hold an offline backup is a good idea because it guarantees physical separation from your live environment. Crucially, when your offline backup isn't in use it also needs to be digitally disconnected. Unlike conventional backup storage, you cannot take your cloud storage offline by simply unplugging it. However, there are a few steps that can be taken to apply the same level of protection.
The first step to protect cloud storage is secure account identity. For cloud services this almost always takes the form of username and password credentials. All user accounts able to access cloud backups should be protected in line with NCSC guidance. Without a trusted identity, ransomware should not be able to request access to your cloud storage and encrypt it. For more information on secure identity management, please refer to the NCSC's password guidance and multi-factor authentication guidance.
A backup client is a device with credentials to access your cloud storage. Cloud backup clients should not have valid credentials while your cloud storage is not in use. The number of backup clients should also be kept to a minimum with standard user devices unable to modify cloud backups directly. Following this practice, a ransomware infection can only compromise your cloud backup if it occurs on an authorised client and while your cloud backup is being used.
Some cloud storage services offer more advanced access controls for identity and connectivity. If these controls are available, they should be configured to only allow authorised clients to create new backups (or append to existing ones), and deny connection requests while the storage is not in use ('cold'). If a ransomware infection occurs while your cloud backup is offline (denying connection requests), it will not be able to reach the cloud storage, giving you the same level of confidence as unplugging an on-premises storage drive. In the event of a ransomware incident occurring whilst your cloud backup is connected, ransomware acting with privilege to only create new data cannot overwrite your existing backups. This is comparable to traditional write-once storage (but is cheaper and more scalable).
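The following is an added illustration, not code from the NCSC or from any cloud provider, of the access rules described in the last two paragraphs: a cloud backup store that is 'cold' unless a backup window is open, a short allow-list of backup clients, credentials that are only valid during the window, and append-only (write-once) objects. The store, the client names, the timestamps and the backup file names are all constructed for the example; a real deployment would express the same rules in the provider's identity and bucket policy controls.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class AccessDenied(Exception):
    """Raised when a request violates one of the backup store's rules."""


@dataclass
class ColdCapableStore:
    """Model of a cloud backup bucket with 'cold' and 'hot' states, an
    allow-list of backup clients, short-lived credentials and append-only
    (write-once) objects. Hypothetical model, not a provider API."""
    authorised_clients: frozenset
    objects: dict = field(default_factory=dict)       # object name -> bytes
    credentials: dict = field(default_factory=dict)   # client -> expiry time
    hot: bool = False
    audit: list = field(default_factory=list)

    def open_backup_window(self, client, now, ttl=timedelta(minutes=30)):
        """Go 'hot' and issue a time-limited credential to one authorised client."""
        if client not in self.authorised_clients:
            raise AccessDenied(f"{client} is not an authorised backup client")
        self.hot = True
        self.credentials[client] = now + ttl
        self.audit.append(("window-open", client))

    def close_backup_window(self):
        """Revoke every credential and return the store to 'cold'."""
        self.credentials.clear()
        self.hot = False
        self.audit.append(("window-close", None))

    def _check(self, client, now):
        # Cold storage refuses every connection, authorised or not.
        if not self.hot:
            raise AccessDenied("storage is cold: connection refused")
        if client not in self.authorised_clients:
            raise AccessDenied(f"{client} is not an authorised backup client")
        expiry = self.credentials.get(client)
        if expiry is None or now >= expiry:
            raise AccessDenied(f"{client} has no valid credential")

    def put_object(self, client, name, data, now):
        """Create a new backup object; an existing name can never be replaced."""
        self._check(client, now)
        if name in self.objects:
            raise AccessDenied(f"{name} already exists: append-only store")
        self.objects[name] = bytes(data)
        self.audit.append(("put", name))


def attempt(store, action, *args):
    """Run one request and report whether the store allowed it."""
    try:
        action(*args)
        return "allowed"
    except AccessDenied as exc:
        store.audit.append(("denied", str(exc)))
        return f"denied: {exc}"


def simulate():
    """Walk through the situations the guidance describes; return the outcomes."""
    t0 = datetime(2024, 1, 1, 2, 0, tzinfo=timezone.utc)  # constructed timestamp
    store = ColdCapableStore(authorised_clients=frozenset({"backup-server"}))
    results = {}
    # 1. Storage is cold: even the authorised client cannot connect.
    results["cold"] = attempt(store, store.put_object, "backup-server",
                              "db-2024-01-01.bak", b"clean data", t0)
    # 2. Scheduled backup: open the window and write a new object.
    store.open_backup_window("backup-server", t0)
    results["backup"] = attempt(store, store.put_object, "backup-server",
                                "db-2024-01-01.bak", b"clean data", t0)
    # 3. Ransomware on the backup server during the window: it may create new
    #    objects but cannot overwrite the backup that already exists.
    results["overwrite"] = attempt(store, store.put_object, "backup-server",
                                   "db-2024-01-01.bak", b"encrypted",
                                   t0 + timedelta(minutes=5))
    # 4. A standard user device is not on the allow-list.
    results["laptop"] = attempt(store, store.put_object, "user-laptop",
                                "x.bak", b"", t0)
    # 5. The credential has expired even though the store was left hot.
    results["expired"] = attempt(store, store.put_object, "backup-server",
                                 "late.bak", b"", t0 + timedelta(hours=2))
    # 6. Window closed: the store is cold again.
    store.close_backup_window()
    results["after_close"] = attempt(store, store.put_object, "backup-server",
                                     "db-2024-01-02.bak", b"",
                                     t0 + timedelta(minutes=10))
    results["intact"] = store.objects["db-2024-01-01.bak"] == b"clean data"
    return results


if __name__ == "__main__":
    for name, outcome in simulate().items():
        print(f"{name:12} {outcome}")
```

The audit list is the part a defender would feed to monitoring: a denied write against an existing object name, or any connection attempt while the store is cold, is a strong signal that something on a client is trying to reach the backups outside the expected window.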