Facts about backup security that should scare you to death

How to tighten the security of your backup system and prevent malicious activity by a lone wolf.


Least privilege—the idea that each person in your organization should have the least number of privileges they need in order to accomplish a given task—is an important security concept that needs to be implemented in your backup system.

The challenge here is that network, system, and backup admins all wield an incredible amount of power. If one of them makes a mistake, or worse, intentionally tries to do the company harm, limiting the amount of power they have reduces the amount of damage they can inflict.

For example, you might give one network administrator the ability to monitor networks, and another one the ability to create and/or reconfigure networks. Security admins might be responsible for creating and maintaining network-administration users without getting any of those privileges themselves.

System administrators do this by limiting who can log in as root or administrator and requiring tools such as “run as administrator” or sudo, both of which grant admins the privileges they need when they need them, while creating an audit log of what they did.

Like a lot of things in the security world, enacting least privilege is not easy. It may limit the number of products that you can use, as you can only use those that support the concept. It will also require much more configuration than simply giving everybody superpowers. But we have long since passed the time when you can have people with unrestricted superpowers in your environment.

Restrict backup privileges

The idea of least privilege is often ignored in the backup space, where a person with superpowers can actually do an incredible amount of damage with just a few keystrokes. If you do not purposefully enact least privilege in your backup system, your backup system admin essentially has all power. They can easily delete an incredible amount of data and delete all of the backups of that data.

However, backup systems are notorious for lagging behind the security practices of the rest of the industry. Many backup systems simply cannot support the concept of least privilege, which means there are thousands of companies that are unable to follow the practice.

This means the backup administrator must have the superuser password for the backup server. That superuser is root, administrator, or another user with equivalent rights, and the admin can log in directly as that superuser without any record of who was actually there. Such direct logins are often limited to the physical console, but backup admins live in the data center, so that really is not a limitation for them.

Even if they are required to use something like sudo to become the superuser, once they are running the backup interface as the superuser, they can literally do anything they want. For example, they can create a script on the backup system that does whatever they want it to do, back it up, and restore it to a system they want to exploit. Then they can run that script as the superuser via the backup software, using its functionality to run prescripts and postscripts for a given backup. They can make the script do anything they want it to do, run it with no accountability, then have it delete itself and any evidence that it ever ran.

The only protection against nefarious activities would be outside the backup system itself: for example, limiting who can log in as root or administrator, and requiring sudo. But each of these systems can be circumvented.

This is not how system administration should work, and this is definitely not how backup systems should work. But if you are ignoring the security aspects of your backup system, this could be how your backup system works today.

Role-based administration

From a security perspective, the most important property of a backup system is that you should not have to log in as the superuser in order to run it. The system should require backup administrators to log in as themselves, with their own usernames and passwords. If your backup system has only one all-powerful user that controls everything in the backup system, it is time to get a new backup system. I do not know of any major backup product that still works this way, but you might be running an older version.

Instead, your backup system should support role-based administration, where you assign various roles or powers. Very much like the network and system administration discussed above, one person might have the ability to run and monitor backups, while another might be able to configure new backups or delete old backup configurations.

Even more protected should be the ability to delete backups prior to their assigned retention period. The best-case scenario would be that any destructive activity requires two-person authentication. For example, if you wish to delete any backups prior to their assigned retention period, two people would need to log in to allow that action. I would actually like to see the concept of two-person authentication integrated into a lot of places where deletion is a part of the activities.
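The role-based model and the two-person rule described above, as an added example that is not part of the original article or any particular backup product. The role names (`backup_operator`, `backup_configurer`, `backup_admin`), the action names, the users and the backups are all constructed for the illustration; a real product would keep its audit log outside the reach of the people it records.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta

# Role -> actions it grants. Role and action names are constructed for this example.
ROLE_PERMISSIONS = {
    "backup_operator": {"run_backup", "monitor_backup"},
    "backup_configurer": {"create_config", "delete_config"},
    # Only this role may delete a backup before its retention date, and even
    # then only with a second authorised person's approval (see below).
    "backup_admin": {"run_backup", "monitor_backup", "create_config",
                     "delete_config", "expire_backup", "early_expire"},
}

# Destructive actions that no single person may perform alone.
TWO_PERSON_ACTIONS = {"early_expire"}


class AuthorizationError(Exception):
    """Raised when an action is refused; the refusal is also written to the audit log."""


@dataclass
class Backup:
    backup_id: str
    retention_until: datetime


@dataclass
class BackupSystem:
    users: dict                                  # username -> set of role names
    backups: dict                                # backup_id -> Backup
    audit_log: list = field(default_factory=list)

    def permitted_actions(self, user):
        """Union of the actions granted by every role the user holds (least privilege)."""
        actions = set()
        for role in self.users.get(user, set()):
            actions |= ROLE_PERMISSIONS.get(role, set())
        return actions

    def _audit(self, user, action, target, outcome, approver):
        # Every attempt is recorded under the real user's name, allowed or not.
        self.audit_log.append({"user": user, "action": action, "target": target,
                               "outcome": outcome, "approver": approver})

    def authorize(self, user, action, target, approver=None):
        """Enforce the role check, then the two-person rule for destructive actions."""
        if action not in self.permitted_actions(user):
            self._audit(user, action, target, "denied: role does not grant action", approver)
            raise AuthorizationError(f"{user} may not {action}")
        if action in TWO_PERSON_ACTIONS:
            if approver is None or approver == user:
                self._audit(user, action, target, "denied: second person required", approver)
                raise AuthorizationError(f"{action} needs approval from a different person")
            if action not in self.permitted_actions(approver):
                self._audit(user, action, target, "denied: approver lacks privilege", approver)
                raise AuthorizationError(f"{approver} is not allowed to approve {action}")
        self._audit(user, action, target, "allowed", approver)

    def expire_backup(self, user, backup_id, now, approver=None):
        """Delete a backup. Before its retention date this is 'early_expire' and
        needs a second person; after it, it is the routine 'expire_backup'."""
        backup = self.backups[backup_id]
        action = "early_expire" if now < backup.retention_until else "expire_backup"
        self.authorize(user, action, backup_id, approver)
        del self.backups[backup_id]
        return action


def build_demo_system(now):
    """Constructed sample data: three users and three backups."""
    return BackupSystem(
        users={"alice": {"backup_operator"}, "bob": {"backup_admin"}, "carol": {"backup_admin"}},
        backups={
            "db-2020-01-01": Backup("db-2020-01-01", now - timedelta(days=1)),    # retention over
            "db-2020-06-01": Backup("db-2020-06-01", now + timedelta(days=300)),  # still retained
            "files-2020-06-15": Backup("files-2020-06-15", now + timedelta(days=300)),
        },
    )


def _attempt(system, user, backup_id, now, approver=None):
    try:
        return system.expire_backup(user, backup_id, now, approver)
    except AuthorizationError:
        return "denied"


def run_scenarios(now=datetime(2020, 7, 1)):
    """Walk through the cases the article describes; returns each outcome."""
    system = build_demo_system(now)
    results = {}
    # An operator can run and monitor backups but delete nothing, not even an expired one.
    results["operator_expire"] = _attempt(system, "alice", "db-2020-01-01", now)
    # An admin may expire a backup whose retention period has ended, alone.
    results["admin_routine_expire"] = _attempt(system, "bob", "db-2020-01-01", now)
    # Deleting a retained backup alone is refused, and self-approval does not count.
    results["admin_early_alone"] = _attempt(system, "bob", "db-2020-06-01", now)
    results["admin_self_approve"] = _attempt(system, "bob", "db-2020-06-01", now, approver="bob")
    # With a second authorised person the deletion proceeds and both names are logged.
    results["admin_early_two_person"] = _attempt(system, "bob", "db-2020-06-01", now, approver="carol")
    results["remaining_backups"] = sorted(system.backups)
    results["audit_entries"] = len(system.audit_log)
    return results


if __name__ == "__main__":
    for name, outcome in run_scenarios().items():
        print(f"{name}: {outcome}")
```

The point of the design is that the check lives in one place (`authorize`) and is keyed on the individual's own identity, so every attempt, refused or not, lands in the audit log under a real name rather than under "root". The two-person rule is enforced by requiring that the approver is a different account that itself holds the privilege; an approver that merely exists, or that is the requester under another hat, does not satisfy it.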

If this article scared you to death, that was its purpose. Now that you understand how much power a backup administrator has, perhaps it is time to take a look at the security configuration of your system.

Now see:

How to make sure the data that should be backed up actually is

How to back up essential data but not the garbage

5 metrics you need to know about your backup and recovery system
