Imagine the horror of trying to open your retirement savings account, only to find that it was deleted. For you, and all of your colleagues.
This nightmare scenario became real in May 2024 when UniSuper, an Australian retirement fund manager, suffered an incident that caused an outage for its 647,000 customers and their over AUD $135 billion (approx. USD $83 billion) in funds.
According to a joint statement from UniSuper and Google Cloud, a “misconfiguration during provisioning of UniSuper’s Private Cloud services resulted in the deletion of UniSuper’s Private Cloud subscription.”
It wasn’t just one of UniSuper’s instances; it was their entire account and all of the data on it, which is especially important for backup-related reasons we’ll come back to shortly.
Fortunately they had a backup with another cloud provider. But it wasn’t up to date, so the data that was restored was incomplete. While their data restoration wasn’t complete, UniSuper avoided complete disaster by following the Backup Rule of Three.
Rule of Three
The Three Little Pigs, Goldilocks and her Three Bears, and the Three Musketeers. Always follow the Rule of Three. What’s true in storytelling is also true in backups. The Backup Rule of Three is this: Always have three copies of your important data. One in the place you’re using it, the second somewhere else, and the third somewhere physically separate from the first two.
In practice, a simple example for an individual with a laptop might be this:
1. Data in-place on the laptop.
2. The laptop’s internal drive is backed up locally to a physical external drive.
3. The data is also backed up externally to the cloud.
This provides sufficient protection from data loss for almost all scenarios.
If the laptop is damaged or stolen, the external drive is on-hand. If a physical threat, like a fire, destroys both the laptop and external drive, the data is safely stored in the cloud.
Business environments are more complex, but the Backup Rule of Three can be simply applied to them too. Say you have a SaaS application that runs in the cloud. You should back up your company’s data in three places:
1. The place it’s running in production.
2. A backup in your primary cloud system, such as AWS or Azure, but on a separate regional server. (If production is us-east, your backup should be us-west.)
3. A backup in a separate cloud provider, to make sure the data is secure in the event of a catastrophic failure with your primary vendor.
UniSuper did have a backup within Google Cloud, but the incident wiped out their whole Google Cloud account! They only avoided complete catastrophe by following point three of the Backup Rule of Three.
Three crucial features for a good Cloud Backup Service
Self-Managed Keys
Self-managed keys are an important security tool for cloud backup services. They give your organization control over, and knowledge of, how the keys are generated and used. Your organization can distribute keys to employees as needed. Plus, self-managed keys prevent the vendor itself from seeing your data. Neither malicious actors nor foreign governments can access your data, even with a subpoena. This setup reduces the chance your backup data could be compromised, even if your vendor is the victim of a cyberattack. Self-managed keys provide powerful protection against supply chain attacks. However, self-managed keys are a double-edged sword! If your organization loses all of its keys, nobody will be able to access the backup data, not even you.
They require careful tracking to keep safe, but are definitely worth the extra effort.
Data Access Authentication
The cloud backup vendor has to both supply a range of authentication mechanisms and consistently enforce them so that they remain mandatory. Some organizations may have a preferred or strict policy when it comes to accessing their sensitive data or proprietary information. A strong and diverse set of tools, including one-time passwords, single sign-on (SSO) or multi-factor authentication (MFA), is desirable.
It is not unusual for organizations to use multiple different services on multiple different platforms. For example, an organization may use Google Workspace as their primary email provider while using AWS for storing client data.
Multi-platform support is critical in your cloud backup selection process. This is your third data storage place, and you don’t want to have to pay for a fourth just because one of your vendors is not supported! Also, it is far easier for an organization to use a centralized backup management system than to use a different backup vendor for each cloud service.
If you use a backup service, you should know where your data is persisted. If you use Google Cloud, you do not want your backup vendor persisting your data in Google Cloud.
That is NOT following the Backup Rule of Three!
How Frequently Do You Back Up?
While UniSuper did have an off-site backup, it was out of date. Some data was lost forever.
To absolutely minimize data loss, you would have to back up to both locations on a daily basis. Daily backups range from cumbersome to impossible on the convenience scale, depending on how much data you have.
As with all things in cybersecurity, the answer is “it depends.”
In particular, it depends on…
How Frequently Do You Have Major Data Changes?
Ask yourself: how much important data would be lost if you didn’t have backups from the last hour? The last day? Week?
You likely have a good idea of how much important data changes regularly, and can use that to guide backup frequency timing.
What Are the Automation Capabilities and Cost of Your Selected Vendor?
Most vendors will offer daily backups. Some offer up to hourly automated backups.
This is great for minimizing data loss, but it also tends to increase the costs. If you don’t need hourly backups, you probably shouldn’t commit to them.
Sample Backup Rule of Three Approaches
You may choose to back up to one location more regularly than the other. For example, you might automate daily cloud backups within your primary cloud environment, but only back up outside of it on a once-weekly basis.
A couple of real Fractional CISO examples:
We do most of our work in Google Workspace. Google does its own persistence of Workspace files, covering point two. Then, we back up our Workspace instance once weekly to a private, encrypted AWS S3 bucket, covering point three.
Our website is hosted on a Virtual Private Server (VPS). Our host provides automatic daily backups, but it’s hosted by our same provider! We create a manual backup once per week and store it with a different cloud provider.
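The checks described above (a second copy in a separate region, a third copy persisted with a different provider, and backups fresh enough for the interval you chose) can be run against a backup inventory. This is an added example, not Fractional CISO's own tooling; the Copy fields, the audit function and the provider and region names are hypothetical, and the inventory is constructed.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

@dataclass(frozen=True)
class Copy:
    name: str
    provider: str          # where the bytes are actually persisted, not the vendor's brand
    region: str
    last_backup: datetime  # when this copy was last refreshed
    max_age: timedelta     # how stale this copy may get (your chosen backup interval)
    production: bool = False

def audit(copies, now):
    """Return findings; an empty list means the Backup Rule of Three holds."""
    prod = [c for c in copies if c.production]
    if len(prod) != 1:
        return ["exactly one copy must be marked as production"]
    prod, backups = prod[0], [c for c in copies if not c.production]
    findings = []
    if len(copies) < 3:
        findings.append(f"only {len(copies)} copies, need 3")
    # Point two: same provider as production, different region.
    if not any(b.provider == prod.provider and b.region != prod.region for b in backups):
        findings.append("no backup in a separate region of the primary provider")
    # Point three: persisted with a different provider, so it survives loss of the primary.
    if not any(b.provider != prod.provider for b in backups):
        findings.append("no backup with a separate provider")
    # Freshness: an out-of-date backup restores incomplete data.
    for b in backups:
        if now - b.last_backup > b.max_age:
            days = (now - b.last_backup).days
            findings.append(f"{b.name} is stale: {days} days old, limit {b.max_age.days}")
    return findings

# Constructed inventory (hypothetical names): daily in-provider backup, weekly off-provider backup.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
DAY = timedelta(days=1)
INVENTORY = [
    Copy("prod-db", "cloud-a", "east", NOW, DAY, production=True),
    Copy("regional-backup", "cloud-a", "west", NOW - timedelta(hours=6), DAY),
    Copy("offsite-backup", "cloud-b", "east", NOW - 10 * DAY, 7 * DAY),
]

if __name__ == "__main__":
    for finding in audit(INVENTORY, NOW) or ["Rule of Three satisfied"]:
        print(finding)
```

Set provider to the cloud where the backup vendor persists your data; a third-party backup service that stores its copies in your primary cloud fails the point-three check.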
Conclusion
Google Cloud emphasized that the type of outage that affected UniSuper was one-of-a-kind and very rare. I’m inclined to believe them. There hasn’t been any news about a similar outage since, and all the major cloud service providers take information security very seriously.
Similarly, a fire that destroys your laptop and your external backup drive is thankfully very unlikely.
It’s tempting to think “if these incidents are so rare, why worry about it happening?”
Simple: because the damage that would be caused by them is so severe, the risk cannot be ignored.
So follow the Backup Rule of Three!
So follow the Backup Rule of Three!
So follow the Backup Rule of Three!