Enhanced Data Security within Backup Systems
Publication Date: 2017-Jul-13
The IP.com Prior Art Database
Title Enhanced Data Security within Backup Systems
Abstract Disclosed is a system for enhanced data security within backup systems. The core idea is to insert a device providing a backup protect layer between the backup interface for accessing the backup and the actual backup.
Description Data stored in the cloud and data stored on mobile devices are closely coupled by data replication. This form of replication must not be confused with a backup. Moreover, an accidental or malicious deletion of data in the cloud may also wipe out the primary copy on the end user’s device. In addition, cloud backup solutions do not solve this problem because under traditional cloud offerings, any cloud backup that can be created by a user can also be deleted by a malicious attacker.
Traditional tape backups have many drawbacks. Tape backups have low performance (compared to disk), are labor-intensive, and are prone to mechanical failure. Further, the tapes require physical transport to an offsite location. Disk-based backup and offsite replication is a popular alternative to tape backup; however, the perceived inconvenience of tape backups also provides a valuable layer of data isolation and protection.
As a remedy, the data isolation factor observed in offsite tape vaulting can be applied to cloud backups. A device is inserted between the backup access point and the backup media. This device can be implemented as an appliance or running on a computer that is properly isolated from access in a secure way. In any case, administrator access from the network must be disabled to ensure that it is impossible to alter the backup time delay settings in any different manner. Administrator access will be given only by a console login. Normally, the user can directly access backups. (Figure 1)
Figure 1: Backup access by the user
By deleting backups, setting the backup retention to an arbitrarily short time interval, or setting the number of versions kept to one, an attacking entity (human hacker or machine) could delete backup data after having deleted also the primary data. In this scenario, the data is irrecoverably deleted.
Figure 2 illustrates the novel contribution of a system for enhanced data security within backup systems. The core novel idea is to insert a device providing a backup protect layer between the backup interface 120 for accessing the backup and the actual backup 130.
Figure 2: Components of the cloud backup including a time delayed backup deletion
The system 100 encompasses various user devices 101-103, which are used to access the primary storage 110 of the cloud service provider. Data is replicated between the user devices 101-103 and the primary storage 110.
With the backup interface 120, the backup of the primary data sets 111-113 can be configured. The time delay settings 201-203 for each backup set can also be configured, but only in a restricted way as explained below (see use case 2).
Each backup set 131-133 is locked down by a time lock wit...