Is Azure Backup as good as offline backup?

Back to Blog
02Nov2017

Is Azure Backup as good as offline backup?

I am posing this question, not just for Azure Backup, but any cloud-based backup. Here’s the question:

Is Azure Backup (or any cloud-based backup for that matter) as good as having an offline backup?

The Benefits of Azure / Cloud Backup

Certainly one of the biggest benefits of a cloud-based backup is that it is offsite. Usually encryption is available with the cloud providers (like Azure), so the backup is secured with a private key, before it ever leaves your network. Last, the solution is automated, meaning there is no human intervention required, and notification capability is usually built-in (again, as it is with Azure). These are all markers of a solid backup solution over all–I would even say they are mandatory.

But, what about offline? Isn’t offline backup a critical consideration these days, especially with the evolution of modern malware–worms and the like? The best solutions are actually comprised of more than one backup, and usually one of those backups is either offsite, offline, or both.

Offline means air-gapped, in other words, no wires connecting the media back to the fabric of your network (or any other). Most backups used to be this way by default (tapes that could be taken offsite and so forth). Most modern backups are now on done on disk (like a NAS for example), or written to the cloud.

Azure Backup, and other clouds like it, are online. They are always online, and accessible, by their very design and nature. So definitely not air-gapped. But the question is whether they are “as good.”  Why do we pose this question?

How Azure Backup credentials work

Before you configure Azure Backup, or many other cloud backups, you typically have to provision some kind of storage container up in the cloud, to which your backup data will be written. You probably have a set of admin credentials to sign into a cloud portal, such as the Azure Portal, and create a vault, such as Microsoft’s Azure Recovery Services vault.

However, when you go to configure your backup on the server(s) themselves, you will find that you need to download a separate set of “credentials” in the form of a small file. This file is your “key” to associate the server with that vault. And that “key” is not the same as your administrative credentials for signing into the Azure Portal.

In fact, the key does not grant your server the capability of deleting backups!! The easiest way to demonstrate this, is to see how one would go about turning off the Azure Backup functionality.

How to remove Azure Backup

Let’s say I was an advanced piece of malware on your network, or an actual human attacker. If I wanted to do damage or put you in a tight spot, and hold your data for ransom, I would probably start by attacking your backups.

If you were smart and setup notifications in the Azure Portal, then you will be notified when this happens:

Oh no! My backup was deleted. Reading further, I see that I have 14 days to re-enable protection, and keep the data:

Okay, so I have a chance to recover from this, assuming the attacker does not also intercept or remove this message from my mailbox (and he or she might).  But wait, how did we even get to this point in the first place?!

In order to delete data from the Azure Portal I cannot simply effect this change from my Azure backup-enabled on-premises systems. Let’s see what happens when I attempt this from an on-premise server that is under protection:

From the Azure Backup console, click Schedule Backup, and find the option to Stop using this backup schedule and delete all of the stored backups.

If I click Next and attempt to Finish the wizard, I am prompted for… you guessed it, a security PIN that can only be generated by an admin in the Azure Portal.

Remember, the software only has that vault credential for writing backup data in, and it does NOT have permission to delete or destroy data, without further human administrative intervention.

Considerations for optimal protection

Most security gurus will sneer at this: “So what?” They might say.  All the attacker needs is your admin credentials to Azure portal. Done. This was a stupid question, and you just posted it to get clicks.

All true enough. But pressing on, here is what I would do to hedge my bets, so to speak:

  1. I would have my Azure portal account be a cloud-only user (i.e. not synchronized from the local Active Directory) with a completely different password than any on-premises administrative account
  2. I would enable multifactor authentication for this account so the attacker would need: access to the server, access to my Azure password, and access to my mobile device, for example
  3. I would have notifications turned ON so that I am alerted when there are strange things happening with the backup

None of these on their own are perfect, but together, I would wager a guess that they severely increase your likelihood of surviving an attack.

Summary

So is Azure cloud-based backup as good as offline backup? Well, is anything?

But seriously, offline has it’s drawbacks, too. Usually offline means you are relying on a human being to remember to do something every day, or every week, or whatever your acceptable RPO is–they have to change out tapes, swap a NAS to bring offsite, rotate drives, or whatever the case may be. And there is still plenty of risk in that as well.

How is backup media stored/transported? Is it encrypted? How reliable is the media? How reliable is the human? And so on.

Don’t get me wrong: if I could have both offsite to the cloud, and offline, I would. But in the absence of both, I’d have to settle for just one. Which would you pick?

Opinion, Technical , , , 0 Comments
Share:

Leave a Reply

Back to Blog

Related Posts

15Jul

How to create an Anonymous relay connector in Exchange 2016

Hey, somebody moved my cheese again... If you configured an anonymous relay connector in Exchange 2013, for example to allow scan-to-email from an MFP device or other on-premise application, you probably remember that you needed to choose "Frontend Transport" and "Custom." If you left it on Hub Transport, it... read more
11Oct

Understanding the Anti-Spoofing technology in Exchange Online

In the Spring of 2018, Microsoft released some new anti-spoofing features into their Advanced Threat Protection product, which is also bundled into Microsoft & Office 365 E5 plans, as well as Microsoft 365 Business. Anti-spoofing leverages machine learning and other intelligent software to determine whether... read more
01Mar

Limiting privilege in Microsoft 365 Business

One of the most important things you can do for boosting your security posture on any technology platform (Microsoft or otherwise), is limiting administrative privilege. We have long known that any given user should really only have enough access to do their jobs, and nothing... read more
24Mar

What is Advanced Threat Analytics?

Advanced Threat Analytics (ATA) is a security product from Microsoft that is included with the Enterprise Mobility Suite (EMS) subscription.  Unlike most of the other EMS components that tend to be a bit more cloud-centric, ATA is an on-premises-based security solution that helps identify Advanced Persistent Threats (APT's) and insider... read more
02Mar

It’s all about your downtime tolerance

Before you go picking the cheapest possible IT solution that meets your business requirements, or on the other side of the equation, adding unnecessary complexity to your network, you first need to consider: What is your downtime tolerance? If you don't answer this critical question,... read more
Adopting the Traffic Light Protocol with Sensitivity Labels
07Sep

Adopting the Traffic Light Protocol (TLP) with Microsoft 365’s Sensitivity Labels

I have previously written about Sensitivity labels, along with a template of the core labels that I like to use when introducing Small Businesses to the concept of data classification. Recently, I decided to update this standard to align more closely with the Traffic Light... read more
29Dec

Resourcefulness, Initiative and Grit

When faced with some problem, most of us (let's be honest) are habituated toward shopping for and purchasing some product that "solves" our problem. But the marketplace is not lacking in products. What is lacking, I believe, is spirit. When I was just a young boy,... read more
11Feb

Boost your security with Hybrid Azure AD Join: From Zero to Conditional Access in one afternoon

"Alex, I work at a non-profit and I would love to take advantage of the better security in Microsoft 365 Business (we have Business Premium now), but it sounds like it is for "cloud-only" customers? Is that right?? We are using Office 365 for Exchange,... read more
09May

Three ways to disable basic authentication and legacy protocols in Exchange Online

One of the most common (and often successful) attacks we see in the wild is a simple brute force / password spray against weak accounts. Especially against shared mailboxes. From that foothold, the most common next step attackers will take is to send out spam/phishing... read more
21Oct

No more excuses: 5 Tips & tricks to make Office 365 MFA easier on people

As I'm sure you are aware by now, Multi-factor Authentication reduces your risk of identity compromise by 99.9%. Requiring so called "strong passwords," by contrast, doesn't make that much difference at the end of the day. And yet, we're still beneath 10% of even just... read more

Helping IT Consultants Succeed in the Microsoft Cloud

Have a Question? Contact me today.

Contact Me