Security Control: Data Recovery

Note: The most up-to-date Azure Security Benchmark is available here.

Ensure that all system data, configurations, and secrets are automatically backed up on a regular basis.

9.1: Ensure regular automated backups

Azure ID: 9.1 | CIS IDs: 10.1 | Responsibility: Customer

Enable Azure Backup and configure the backup source (Azure VMs, SQL Server, or File Shares), as well as the desired frequency and retention period.

9.2: Perform complete system backups and backup any customer managed keys

Azure ID: 9.2 | CIS IDs: 10.2 | Responsibility: Customer

Enable Azure Backup and select the target VM(s), as well as the desired frequency and retention periods. Back up customer-managed keys held in Azure Key Vault.
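The following Azure PowerShell script is an added example, not part of the Azure Security Benchmark page or Microsoft's own sample code. It carries out 9.1 and 9.2 together: it creates a Recovery Services vault, defines a daily schedule with a 30-day retention policy, places a VM under protection, triggers the first backup, and exports a customer-managed key from Key Vault with Backup-AzKeyVaultKey. The resource group, region, vault, VM, Key Vault and key names are assumptions for illustration; the script assumes the Az.RecoveryServices and Az.KeyVault modules are installed and that Connect-AzAccount has already been run.

```powershell
# Added example (not from the benchmark page): Recovery Services vault, backup policy,
# VM protection and a customer-managed key export. All names below are assumptions.
$rg        = 'rg-backup-demo'        # assumed resource group containing the VM and Key Vault
$location  = 'westeurope'            # assumed region
$rsvName   = 'rsv-backup-demo'       # assumed Recovery Services vault name
$vmName    = 'vm-app01'              # assumed VM that already exists in $rg
$kvName    = 'kv-cmk-demo'           # assumed Key Vault holding the customer-managed key
$keyName   = 'disk-encryption-key'   # assumed customer-managed key name

# 9.1: create (or reuse) the vault and make it the context for the backup cmdlets
$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $rsvName -ErrorAction SilentlyContinue
if (-not $vault) {
    $vault = New-AzRecoveryServicesVault -ResourceGroupName $rg -Name $rsvName -Location $location
}
Set-AzRecoveryServicesVaultContext -Vault $vault

# 9.1: frequency. Start from the default AzureVM schedule object and set a daily run at 02:00 UTC.
$schedule = Get-AzRecoveryServicesBackupSchedulePolicyObject -WorkloadType AzureVM
$runTime  = (Get-Date -Date '2024-01-01 02:00:00Z').ToUniversalTime()   # only the time of day matters
$schedule.ScheduleRunFrequency = 'Daily'
$schedule.ScheduleRunTimes[0]  = $runTime

# 9.1: retention. Keep 30 daily recovery points; switch the longer-term tiers off for this policy.
$retention = Get-AzRecoveryServicesBackupRetentionPolicyObject -WorkloadType AzureVM
$retention.IsDailyScheduleEnabled           = $true
$retention.DailySchedule.DurationCountInDays = 30
$retention.IsWeeklyScheduleEnabled          = $false
$retention.IsMonthlyScheduleEnabled         = $false
$retention.IsYearlyScheduleEnabled          = $false

$policy = New-AzRecoveryServicesBackupProtectionPolicy -Name 'vm-daily-30d' -WorkloadType AzureVM `
            -SchedulePolicy $schedule -RetentionPolicy $retention

# 9.2: put the VM under protection with that policy and take an initial backup now,
# so the first scheduled run is not the first time the backup path is exercised.
Enable-AzRecoveryServicesBackupProtection -Policy $policy -Name $vmName -ResourceGroupName $rg
$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -Status Registered -FriendlyName $vmName
$item      = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM
$job       = Backup-AzRecoveryServicesBackupItem -Item $item
Write-Output "Initial backup job for $vmName : $($job.JobId) ($($job.Status))"

# 9.2: export the customer-managed key. The output is an encrypted blob that includes
# every version of the key; it can only be restored into a Key Vault in the same
# Azure subscription and geography, so store it with the same care as the backups.
$keyBackupFile = Join-Path $env:TEMP "$keyName.keybackup"
Backup-AzKeyVaultKey -VaultName $kvName -Name $keyName -OutputFile $keyBackupFile
Write-Output "Key backup written to $keyBackupFile"
```

The key backup file is the piece most often forgotten: a VM backup encrypted with a customer-managed key is unusable if the key is lost, so the key export belongs in the same backup schedule and the same protected storage as the data.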

9.3: Validate all backups including customer managed keys

Azure ID: 9.3 | CIS IDs: 10.3 | Responsibility: Customer

Periodically perform a test restoration of content from Azure Backup, and test restoration of the backed-up customer-managed keys.
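As an added example of 9.3, not part of the benchmark page or any Microsoft sample, the following Azure PowerShell restore drill locates the newest recovery point for a protected VM, restores its disks into a staging storage account and resource group (without touching the running VM), waits for the job, and then restores the exported customer-managed key into a separate test Key Vault and compares the key versions with the production vault. The vault, VM, storage account and Key Vault names are assumptions; the key backup file is assumed to have been produced earlier with Backup-AzKeyVaultKey, and the test vault is assumed to be empty and in the same subscription and geography as the production vault.

```powershell
# Added example (not from the benchmark page): restore drill for a VM and a Key Vault key.
# All resource names are assumptions.
$rg            = 'rg-backup-demo'          # assumed resource group of the Recovery Services vault
$rsvName       = 'rsv-backup-demo'         # assumed Recovery Services vault
$vmName        = 'vm-app01'                # assumed protected VM
$stagingSa     = 'stbackupstaging'         # assumed storage account that receives the restored disks
$stagingRg     = 'rg-restore-drill'        # assumed resource group for restored managed disks
$prodKv        = 'kv-cmk-demo'             # assumed production Key Vault
$testKv        = 'kv-cmk-restore-test'     # assumed empty test Key Vault (same subscription/geography)
$keyName       = 'disk-encryption-key'     # assumed customer-managed key name
$keyBackupFile = Join-Path $env:TEMP "$keyName.keybackup"   # assumed output of Backup-AzKeyVaultKey

$vault = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $rsvName
Set-AzRecoveryServicesVaultContext -Vault $vault

$container = Get-AzRecoveryServicesBackupContainer -ContainerType AzureVM -Status Registered -FriendlyName $vmName
$item      = Get-AzRecoveryServicesBackupItem -Container $container -WorkloadType AzureVM

# Newest recovery point in the last 30 days. No recovery point at all means the
# schedule is not actually producing backups, which is exactly what a drill should catch.
$now = (Get-Date).ToUniversalTime()
$rp  = Get-AzRecoveryServicesBackupRecoveryPoint -Item $item -StartDate $now.AddDays(-30) -EndDate $now |
       Sort-Object -Property RecoveryPointTime -Descending | Select-Object -First 1
if (-not $rp) { throw "No recovery point for $vmName in the last 30 days; backups are not running" }

# Restore disks only: the original VM keeps running, and the restored disks land in
# $stagingRg where they can be inspected (or attached to a scratch VM) and then deleted.
$job = Restore-AzRecoveryServicesBackupItem -RecoveryPoint $rp `
         -StorageAccountName $stagingSa -StorageAccountResourceGroupName $rg `
         -TargetResourceGroupName $stagingRg
$job = Wait-AzRecoveryServicesBackupJob -Job $job -Timeout 7200   # seconds
if ($job.Status -ne 'Completed') { throw "VM restore drill failed with status '$($job.Status)'" }
Write-Output "VM restore drill OK: recovery point from $($rp.RecoveryPointTime) restored for $vmName"

# Key restore drill. Restore-AzKeyVaultKey refuses to overwrite an existing key with the
# same name, so the test vault must not already contain it; the restored key keeps the
# same versions as the original, which is what we compare.
Restore-AzKeyVaultKey -VaultName $testKv -InputFile $keyBackupFile | Out-Null
$prodVersions = Get-AzKeyVaultKey -VaultName $prodKv -Name $keyName -IncludeVersions | Select-Object -ExpandProperty Version
$testVersions = Get-AzKeyVaultKey -VaultName $testKv -Name $keyName -IncludeVersions | Select-Object -ExpandProperty Version
$missing = Compare-Object -ReferenceObject $prodVersions -DifferenceObject $testVersions |
           Where-Object SideIndicator -eq '<='
if ($missing) { throw "Key restore drill failed: versions $($missing.InputObject -join ', ') are not in the restored key" }
Write-Output "Key restore drill OK: $($testVersions.Count) version(s) of $keyName restored into $testKv"
```

Run the drill on a schedule and treat its two throw statements as alerts: a missing recovery point or a failed restore job is the signal that a backup exists only on paper. Clean up the restored disks and the test vault's key after each run so the drill does not itself become an unprotected copy of production data.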

9.4: Ensure protection of backups and customer managed keys

Azure ID: 9.4 | CIS IDs: 10.4 | Responsibility: Customer

For on-premises backup, encryption at rest is provided using the passphrase you supply when backing up to Azure. For Azure VMs, data is encrypted at rest using Storage Service Encryption (SSE). Use Azure role-based access control (Azure RBAC) to restrict who can read, restore, or delete backups and customer-managed keys.

Enable soft delete and purge protection in Key Vault to protect keys against accidental or malicious deletion. If Azure Storage is used to store backups, enable blob soft delete so that deleted blobs or blob snapshots can be recovered within the retention period.
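The following Azure PowerShell script is an added example for 9.4, not part of the benchmark page or any Microsoft sample. It assigns least-privilege built-in roles on the Recovery Services vault and the Key Vault, enables purge protection on the Key Vault (soft delete is on by default for vaults created since 2020 and cannot be switched off; the script stops on a legacy vault where it is absent), enables blob soft delete on the storage account that holds backups, and finally reports any setting that is still missing. It goes one step beyond the page by also turning on soft delete for the Recovery Services vault itself, which protects the backup data in the same way Key Vault soft delete protects the keys. The resource names and the operators' group object ID are assumptions; the Key Vault is assumed to use the RBAC permission model (with the older access-policy model, a role assignment does not grant data-plane access to keys).

```powershell
# Added example (not from the benchmark page): protect backups and customer-managed keys.
# Resource names and object IDs are assumptions.
$rg          = 'rg-backup-demo'      # assumed resource group
$rsvName     = 'rsv-backup-demo'     # assumed Recovery Services vault
$kvName      = 'kv-cmk-demo'         # assumed Key Vault holding customer-managed keys
$saName      = 'stbackupdemo'        # assumed storage account used to hold backup files
$operatorOid = '00000000-0000-0000-0000-000000000000'   # placeholder: Entra ID group of backup operators

$rsv = Get-AzRecoveryServicesVault -ResourceGroupName $rg -Name $rsvName
$kv  = Get-AzKeyVault -ResourceGroupName $rg -VaultName $kvName

# RBAC. 'Backup Operator' can run backups and restores but cannot delete the vault or
# change policy; 'Key Vault Crypto User' can use keys but not delete or export them.
# Nobody needs Owner/Contributor on these two resources for day-to-day operations.
New-AzRoleAssignment -ObjectId $operatorOid -RoleDefinitionName 'Backup Operator' `
    -Scope $rsv.ID -ErrorAction SilentlyContinue | Out-Null
New-AzRoleAssignment -ObjectId $operatorOid -RoleDefinitionName 'Key Vault Crypto User' `
    -Scope $kv.ResourceId -ErrorAction SilentlyContinue | Out-Null

# Key Vault: soft delete keeps deleted keys recoverable for the retention period;
# purge protection stops anyone, including administrators, from purging them early.
# Purge protection is irreversible, which is the point.
if (-not $kv.EnableSoftDelete) {
    throw "$kvName is a legacy vault without soft delete; migrate it before storing customer-managed keys"
}
if (-not $kv.EnablePurgeProtection) {
    Update-AzKeyVault -ResourceGroupName $rg -VaultName $kvName -EnablePurgeProtection | Out-Null
}

# Recovery Services vault: soft delete keeps deleted backup items for 14 days so a
# compromised or mistaken operator cannot destroy the recovery path in one step.
$rsvProps = Get-AzRecoveryServicesVaultProperty -VaultId $rsv.ID
if ($rsvProps.SoftDeleteFeatureState -ne 'Enabled') {
    Set-AzRecoveryServicesVaultProperty -VaultId $rsv.ID -SoftDeleteFeatureState Enable | Out-Null
}

# Azure Storage: blob soft delete so deleted blobs and snapshots can be undeleted.
Enable-AzStorageBlobDeleteRetentionPolicy -ResourceGroupName $rg -StorageAccountName $saName -RetentionDays 14 | Out-Null

# Re-read everything and report what is still wrong; this part is what you would run
# from a scheduled compliance check rather than only once at setup time.
$kv       = Get-AzKeyVault -ResourceGroupName $rg -VaultName $kvName
$rsvProps = Get-AzRecoveryServicesVaultProperty -VaultId $rsv.ID
$blobSvc  = Get-AzStorageBlobServiceProperty -ResourceGroupName $rg -StorageAccountName $saName

$findings = @()
if (-not $kv.EnableSoftDelete)                          { $findings += "Key Vault $kvName : soft delete off" }
if (-not $kv.EnablePurgeProtection)                     { $findings += "Key Vault $kvName : purge protection off" }
if ($rsvProps.SoftDeleteFeatureState -ne 'Enabled')     { $findings += "Vault $rsvName : soft delete not enabled" }
if (-not $blobSvc.DeleteRetentionPolicy.Enabled)        { $findings += "Storage $saName : blob soft delete off" }

if ($findings) { $findings | ForEach-Object { Write-Warning $_ } } else { Write-Output 'Backup protection checks passed' }
```

Run the final block alone on a schedule and alert on any warning it emits: all four settings can be changed by anyone with write access to the resource, so verifying them periodically matters as much as setting them once.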
