
Solved: What are the cybersecurity requirements for disaster recovery on private cloud?

Question

My organization is in the process of setting up disaster recovery on a private cloud with a local cloud service provider. From a cybersecurity point of view, what are the criteria that need to be considered for the disaster recovery implementation?

  • How to assess the cloud service provider?
  • How to ensure no data will be leaked?
  • How to secure the data replication to local cloud service provider site?
  • How to ensure no data loss while replication?

Answer

Data leakage and disaster recovery are two separate topics. Disaster recovery will not help in any way against data leakage.

In order to prevent data leakage, you’ll need to implement rights management and encryption at all levels including in transfer and in execution.

Disaster recovery will help to ensure availability and integrity against data destruction, unauthorized change and so on. Keep in mind that availability in terms of synchronization is completely different from backup and restore.

Faulty data, encrypted or ransomwared data will be synced… killing the system.

What needs to be considered includes:

  • Availability, SLAs of the operational data
  • Backup and restore functionality
  • Multi-level backups
    • Operational data on multiple locations
    • Online backup (for fast restore of operational data)
    • Offline backup (disconnected from live data, to repair in case live data and online backup are corrupt)

You will need to check with the local cloud service provider regarding:

  • Which certifications it has in place, ISO27001, ISO22301, …
  • Number and location of data centers
  • Replication technology
  • Virtualization layers
  • Technical redundancy of hardware (power, CPU, storage, network, …)

How to assess the cloud service provider:

  • Audits
  • Inspections
  • Penetration testing
  • DR testing
  • Sync and unavailability testing evidence
  • Backup and disaster recovery evidence
  • Data center certification

Check for the data center tier certification. For example: https://uptimeinstitute.com/tiers
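The answer's warning that a sync will replicate faulty or ransomware-encrypted data, and the question's concern about data loss and tampering during replication, both come down to verifying the DR copy against something the sync path itself cannot alter. The following is an added example, not code from the original question or answer: the source site hashes every file into a manifest, signs it with an HMAC key that is kept off the replication channel (a KMS or the backup server), and the DR site verifies its replica against that signed manifest. File names, contents and the key are constructed for the illustration; the "ransomware" is just a replaced byte string.

```python
"""Integrity manifest for a replicated DR copy.

Added example (not part of the original Q&A). A plain sync copies whatever is on
the source, including ransomware-encrypted or half-transferred files. A manifest
produced before the incident and signed with a key the sync path never carries
lets the DR site tell a good replica from a poisoned one, and rejects a manifest
that has been edited to match the corrupted data.
"""
import hashlib
import hmac
import json


def sha256_hex(data: bytes) -> str:
    return hashlib.sha256(data).hexdigest()


def build_manifest(files: dict[str, bytes]) -> dict[str, str]:
    """Map each path to the SHA-256 of its contents, in sorted (canonical) order."""
    return {path: sha256_hex(content) for path, content in sorted(files.items())}


def canonical(manifest: dict[str, str]) -> bytes:
    """Deterministic JSON so the same manifest always signs to the same value."""
    return json.dumps(manifest, sort_keys=True, separators=(",", ":")).encode()


def sign_manifest(manifest: dict[str, str], key: bytes) -> str:
    """HMAC-SHA256 over the canonical manifest. The key stays at the source or in a
    KMS; it is never written to the replication target."""
    return hmac.new(key, canonical(manifest), hashlib.sha256).hexdigest()


def verify_replica(replica: dict[str, bytes], manifest: dict[str, str],
                   signature: str, key: bytes) -> dict:
    """Check a replica against a signed manifest and return findings, not a bare bool."""
    report = {
        "signature_ok": hmac.compare_digest(sign_manifest(manifest, key), signature),
        "missing": [],   # in manifest, absent from replica: incomplete replication
        "modified": [],  # present but hash differs: corruption or encryption synced over
        "extra": [],     # in replica, not in manifest: e.g. a ransom note
    }
    if not report["signature_ok"]:
        return report  # untrusted manifest: per-file results would be meaningless
    for path, expected in manifest.items():
        if path not in replica:
            report["missing"].append(path)
        elif sha256_hex(replica[path]) != expected:
            report["modified"].append(path)
    report["extra"] = sorted(set(replica) - set(manifest))
    return report


# Constructed sample data (hypothetical paths, contents and key).
MANIFEST_KEY = b"example-manifest-key-kept-off-the-sync-path"
SOURCE_BEFORE_INCIDENT = {
    "db/orders.sql": b"INSERT INTO orders VALUES (1, 'widget', 3);\n",
    "config/app.yaml": b"db_host: db.internal\nreplicas: 2\n",
    "logs/app.log": b"2024-01-01T00:00:00Z service started\n",
}
# What the DR site holds after a sync that ran mid-incident: one file overwritten
# in place by ransomware, one file not yet transferred, one stray ransom note.
REPLICA_AFTER_SYNC = {
    "db/orders.sql": b"\x8f\x1b\xd4...ENCRYPTED...",
    "config/app.yaml": SOURCE_BEFORE_INCIDENT["config/app.yaml"],
    "README_DECRYPT.txt": b"pay to recover your files",
}


def demo() -> dict:
    """Manifest taken before the incident, replica checked after the sync."""
    manifest = build_manifest(SOURCE_BEFORE_INCIDENT)
    sig = sign_manifest(manifest, MANIFEST_KEY)
    return verify_replica(REPLICA_AFTER_SYNC, manifest, sig, MANIFEST_KEY)


def demo_tampered_manifest() -> dict:
    """Someone at the DR site rewrites the manifest entry to match the encrypted
    file. Without the key they cannot re-sign it, so the check fails closed."""
    manifest = build_manifest(SOURCE_BEFORE_INCIDENT)
    sig = sign_manifest(manifest, MANIFEST_KEY)
    forged = dict(manifest)
    forged["db/orders.sql"] = sha256_hex(REPLICA_AFTER_SYNC["db/orders.sql"])
    return verify_replica(REPLICA_AFTER_SYNC, forged, sig, MANIFEST_KEY)


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
    print(json.dumps(demo_tampered_manifest(), indent=2))
```

Running `demo()` reports `db/orders.sql` as modified, `logs/app.log` as missing and `README_DECRYPT.txt` as extra; a restore should then come from the offline copy the answer recommends, not from this replica. `demo_tampered_manifest()` shows why the manifest must be signed with a key the provider's site does not hold: with the forged entry the signature check fails and the replica is rejected outright.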