Security Control V2: Backup and Recovery

Note

The most up-to-date Azure Security Benchmark is available here.

Backup and Recovery covers controls to ensure that data and configuration backups at the different service tiers are performed, validated, and protected.

To see the applicable built-in Azure Policy, see Details of the Azure Security Benchmark Regulatory Compliance built-in initiative: Backup and Recovery

BR-1: Ensure regular automated backups

Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s)
BR-1     | 10.1                    | CP-2, CP-4, CP-6, CP-9

Ensure you are backing up systems and data to maintain business continuity after an unexpected event. Backup frequency and retention should be driven by your Recovery Point Objective (RPO) and Recovery Time Objective (RTO).

Enable Azure Backup and configure the backup source (such as Azure VMs, SQL Server, HANA databases, or File Shares), as well as the desired frequency and retention period.

For a higher level of protection, you can enable the geo-redundant storage option to replicate backup data to a secondary region and recover using cross region restore.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

BR-2: Encrypt backup data

Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s)
BR-2     | 10.2                    | CP-9

Ensure that your backups are protected against attacks. This should include encryption of the backups to protect against loss of confidentiality.

For on-premises backups using Azure Backup, encryption at rest is provided using the passphrase you supply. For regular Azure service backups, backup data is automatically encrypted using Azure platform-managed keys. You can choose instead to encrypt the backups using a customer-managed key; in that case, ensure the customer-managed key in the key vault is itself within the backup scope.

Use Azure role-based access control in Azure Backup, Azure Key Vault, and other resources to protect backups and customer-managed keys. Additionally, you can enable advanced security features to require MFA before backups can be altered or deleted.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

BR-3: Validate all backups including customer-managed keys

Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s)
BR-3     | 10.3                    | CP-4, CP-9

Periodically perform test restores from your backups. Ensure that you can also restore backed-up customer-managed keys.

Responsibility: Customer

Customer Security Stakeholders (Learn more):

BR-4: Mitigate risk of lost keys

Azure ID | CIS Controls v7.1 ID(s) | NIST SP 800-53 r4 ID(s)
BR-4     | 10.4                    | CP-9

Ensure that you have measures in place to prevent and recover from loss of keys. Enable soft delete and purge protection in Azure Key Vault to protect keys against accidental or malicious deletion.
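The following is an added example, not part of the benchmark text, showing how the BR-1, BR-2 and BR-4 settings above can be audited from the JSON that `az keyvault show` and `az backup vault backup-properties show` return. The two JSON documents are constructed samples in the shape of that output; the property names (enableSoftDelete, enablePurgeProtection, enableRbacAuthorization, storageModelType, crossRegionRestoreFlag) are the ARM resource properties those commands expose.

```python
import json

# Constructed sample in the shape of `az keyvault show -o json`, trimmed to
# the properties the BR-2/BR-4 guidance depends on (real output has more).
SAMPLE_KEY_VAULT = json.loads("""
{
  "name": "kv-backup-keys",
  "properties": {
    "enableSoftDelete": true,
    "enablePurgeProtection": null,
    "enableRbacAuthorization": false
  }
}
""")

# Constructed sample in the shape of `az backup vault backup-properties show`
# for a Recovery Services vault (BR-1 geo-redundancy and cross-region restore).
SAMPLE_VAULT_STORAGE = json.loads("""
{
  "properties": {
    "storageModelType": "LocallyRedundant",
    "crossRegionRestoreFlag": false
  }
}
""")


def audit_key_vault(kv: dict) -> list:
    """Return BR-2/BR-4 findings for a Key Vault holding backup encryption keys."""
    p = kv.get("properties") or {}
    findings = []
    if not p.get("enableSoftDelete"):          # null/false both mean "off"
        findings.append("BR-4: soft delete is disabled; deleted keys cannot be recovered")
    if not p.get("enablePurgeProtection"):
        findings.append("BR-4: purge protection is disabled; a soft-deleted key can still be purged")
    if not p.get("enableRbacAuthorization"):
        findings.append("BR-2: vault uses access policies rather than Azure RBAC for key access")
    return findings


def audit_backup_storage(cfg: dict) -> list:
    """Return BR-1 findings for a Recovery Services vault's storage redundancy."""
    p = cfg.get("properties") or {}
    findings = []
    if p.get("storageModelType") != "GeoRedundant":
        findings.append("BR-1: backup storage is not geo-redundant")
    if not p.get("crossRegionRestoreFlag"):
        findings.append("BR-1: cross-region restore is not enabled")
    return findings
```

In practice, pipe the real CLI output into `json.load` and fail the deployment or alert when either function returns a non-empty list.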

Responsibility: Customer

Customer Security Stakeholders (Learn more):