Backup, Disaster Recovery & Data Lifecycle
The January 2025 Codefinger ransomware attack demonstrated a critical lesson: without proper backups and recovery capabilities, encrypted cloud data means game over. Ransomware groups specifically target organizations with weak backup strategies.
Backup Strategies
The 3-2-1 Rule for Cloud
- 3 copies of data
- 2 different storage types/locations
- 1 copy offsite (different region/account)
Modern cloud adaptation: 3-2-1-1-0
- 3 copies
- 2 different media types
- 1 offsite
- 1 immutable/air-gapped
- 0 errors (verified backups)
AWS Backup
Centralized backup service across AWS:
```bash
# Create backup vault with encryption
aws backup create-backup-vault \
  --backup-vault-name my-vault \
  --encryption-key-arn arn:aws:kms:us-east-1:123456789012:key/12345678-1234-1234-1234-123456789012

# Create backup plan
aws backup create-backup-plan --backup-plan '{
  "BackupPlanName": "DailyBackup",
  "Rules": [{
    "RuleName": "DailyRule",
    "TargetBackupVaultName": "my-vault",
    "ScheduleExpression": "cron(0 5 ? * * *)",
    "StartWindowMinutes": 60,
    "CompletionWindowMinutes": 180,
    "Lifecycle": {
      "MoveToColdStorageAfterDays": 30,
      "DeleteAfterDays": 365
    },
    "CopyActions": [{
      "DestinationBackupVaultArn": "arn:aws:backup:us-west-2:123456789012:backup-vault:dr-vault",
      "Lifecycle": {
        "DeleteAfterDays": 365
      }
    }]
  }]
}'
```
S3 Object Versioning
Protection against accidental deletion and ransomware:
```bash
# Enable versioning
aws s3api put-bucket-versioning \
  --bucket my-bucket \
  --versioning-configuration Status=Enabled

# Enable MFA Delete for critical buckets
# (must be run with the root account's credentials; --mfa takes "<device-arn> <current code>")
aws s3api put-bucket-versioning \
  --bucket my-bucket \
  --versioning-configuration Status=Enabled,MFADelete=Enabled \
  --mfa "arn:aws:iam::123456789012:mfa/root-account 123456"
```
S3 Object Lock (Immutable Storage)
Ransomware-proof storage:
```bash
# Create bucket with Object Lock
aws s3api create-bucket \
  --bucket immutable-backup \
  --object-lock-enabled-for-bucket

# Set default retention
aws s3api put-object-lock-configuration \
  --bucket immutable-backup \
  --object-lock-configuration '{
    "ObjectLockEnabled": "Enabled",
    "Rule": {
      "DefaultRetention": {
        "Mode": "GOVERNANCE",
        "Days": 365
      }
    }
  }'
```
Retention modes:
- Governance: Can be overridden with special permissions
- Compliance: Cannot be overridden by anyone, including root
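
The difference between the two retention modes is what an audit of the "immutable" copy has to check. The following is an added example, not code from the original page or from AWS: it evaluates constructed sample responses shaped like the output of `aws s3api get-bucket-versioning` and `aws s3api get-object-lock-configuration`. The function names and the 365-day minimum are assumptions.

```python
import json

# Constructed sample responses, shaped like the output of
# `aws s3api get-bucket-versioning` and `aws s3api get-object-lock-configuration`.
SAMPLE_VERSIONING = json.loads('{"Status": "Enabled", "MFADelete": "Disabled"}')
SAMPLE_LOCK = json.loads("""{
  "ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 365}}
  }
}""")


def retention_days(default_retention):
    """Default retention is expressed in either Days or Years."""
    if "Days" in default_retention:
        return default_retention["Days"]
    return default_retention.get("Years", 0) * 365


def audit_bucket(versioning, lock, min_days=365):
    """Return findings; an empty list means the bucket meets the policy
    assumed here (versioned, MFA Delete, COMPLIANCE mode, >= min_days)."""
    findings = []
    if versioning.get("Status") != "Enabled":
        findings.append("versioning is not enabled")
    if versioning.get("MFADelete") != "Enabled":
        findings.append("MFA Delete is not enabled")
    # Pass lock=None when the bucket has no Object Lock configuration at all.
    cfg = (lock or {}).get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled")
        return findings
    default = cfg.get("Rule", {}).get("DefaultRetention")
    if not default:
        findings.append("no default retention: new objects are not locked")
        return findings
    if default.get("Mode") != "COMPLIANCE":
        findings.append("retention mode is GOVERNANCE: can be overridden")
    if retention_days(default) < min_days:
        findings.append(f"default retention below {min_days} days")
    return findings


if __name__ == "__main__":
    for finding in audit_bucket(SAMPLE_VERSIONING, SAMPLE_LOCK):
        print("FINDING:", finding)
```
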
Azure Backup & Recovery
Azure Backup
```bash
# Create Recovery Services vault
az backup vault create \
  --name myVault \
  --resource-group myRG \
  --location eastus

# Enable soft delete (default: 14 days retention)
az backup vault backup-properties set \
  --name myVault \
  --resource-group myRG \
  --soft-delete-feature-state Enable

# Make soft delete always-on (irreversible: it can no longer be disabled)
az backup vault backup-properties set \
  --name myVault \
  --resource-group myRG \
  --soft-delete-feature-state AlwaysOn
```
Blob Soft Delete & Versioning
```bash
# Enable soft delete
az storage blob service-properties delete-policy update \
  --account-name mystorageaccount \
  --enable true \
  --days-retained 30

# Enable versioning
az storage account blob-service-properties update \
  --account-name mystorageaccount \
  --resource-group myRG \
  --enable-versioning true
```
Immutable Storage
```bash
# Set time-based retention policy
az storage container immutability-policy create \
  --container-name mycontainer \
  --account-name mystorageaccount \
  --period 365
```
GCP Backup & Recovery
Cloud Storage Versioning
```bash
# Enable versioning
gcloud storage buckets update gs://my-bucket --versioning

# Apply lifecycle rules (lifecycle.json below deletes noncurrent versions once they are 365 days old)
gcloud storage buckets update gs://my-bucket --lifecycle-file=lifecycle.json
```
lifecycle.json:
```json
{
  "rule": [
    {
      "action": {"type": "Delete"},
      "condition": {
        "age": 365,
        "isLive": false
      }
    }
  ]
}
```
Retention Policies
```bash
# Set bucket retention policy (immutable for retention period)
gcloud storage buckets update gs://my-bucket --retention-period=365d

# Lock retention policy (permanent - cannot be shortened)
gcloud storage buckets update gs://my-bucket --lock-retention-period
```
Data Lifecycle Management
AWS S3 Lifecycle Policies
```json
{
  "Rules": [
    {
      "ID": "MoveToIA",
      "Status": "Enabled",
      "Filter": {"Prefix": "logs/"},
      "Transitions": [
        {
          "Days": 30,
          "StorageClass": "STANDARD_IA"
        },
        {
          "Days": 90,
          "StorageClass": "GLACIER"
        },
        {
          "Days": 365,
          "StorageClass": "DEEP_ARCHIVE"
        }
      ],
      "NoncurrentVersionTransitions": [
        {
          "NoncurrentDays": 30,
          "StorageClass": "GLACIER"
        }
      ],
      "NoncurrentVersionExpiration": {
        "NoncurrentDays": 730
      }
    }
  ]
}
```
Cost vs Protection Trade-offs
| Tier | AWS | Azure | GCP | Use Case |
|---|---|---|---|---|
| Hot | S3 Standard | Hot | Standard | Frequent access |
| Warm | S3-IA | Cool | Nearline | Infrequent (30+ days) |
| Cold | Glacier | Cold | Coldline | Archival (90+ days) |
| Archive | Deep Archive | Archive | Archive | Long-term (365+ days) |
Disaster Recovery Testing
Recovery Point Objective (RPO) & Recovery Time Objective (RTO)
| DR Tier | RPO | RTO | Cost | Strategy |
|---|---|---|---|---|
| Backup/Restore | Hours-Days | Hours-Days | $ | Periodic backups |
| Pilot Light | Minutes-Hours | Hours | $$ | Core systems running |
| Warm Standby | Seconds-Minutes | Minutes | $$$ | Scaled-down replica |
| Hot Standby | Near-zero | Minutes | $$$$ | Full active-active |
DR Testing Checklist
- [ ] Backup restoration tested monthly
- [ ] Cross-region recovery validated quarterly
- [ ] Immutable backups verified (cannot be deleted)
- [ ] RTO/RPO metrics measured and documented
- [ ] Runbooks updated and accessible
- [ ] Team trained on recovery procedures
- [ ] Third-party backups (if used) tested
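
One way to turn the "RTO/RPO metrics measured" item into numbers is sketched below. This is an added example, not code from the original page or from AWS: the sample data is constructed, shaped like the `RecoveryPoints` list from `aws backup list-recovery-points-by-backup-vault` and a job from `aws backup describe-restore-job`. It assumes the restore job duration is a lower bound on RTO (application validation time is not included), and the function names and targets are hypothetical.

```python
from datetime import datetime, timedelta, timezone

# Constructed sample data (not real output).
RECOVERY_POINTS = [
    {"Status": "COMPLETED", "CreationDate": "2025-01-10T05:00:00+00:00"},
    {"Status": "COMPLETED", "CreationDate": "2025-01-11T05:00:00+00:00"},
    {"Status": "PARTIAL",   "CreationDate": "2025-01-12T05:00:00+00:00"},
    {"Status": "COMPLETED", "CreationDate": "2025-01-13T05:00:00+00:00"},
]
RESTORE_JOB = {"Status": "COMPLETED",
               "CreationDate": "2025-01-13T09:00:00+00:00",
               "CompletionDate": "2025-01-13T11:30:00+00:00"}


def ts(value):
    """Parse an ISO 8601 timestamp with a UTC offset."""
    return datetime.fromisoformat(value)


def measure_rpo(points, now):
    """Worst-case data-loss window: the largest gap between consecutive usable
    (COMPLETED) recovery points, including the gap from the newest one to now."""
    good = sorted(ts(p["CreationDate"]) for p in points if p["Status"] == "COMPLETED")
    failed = [p for p in points if p["Status"] != "COMPLETED"]
    if not good:
        return None, failed
    marks = good + [now]
    return max(b - a for a, b in zip(marks, marks[1:])), failed


def measure_rto(job):
    """Elapsed restore time, or None if the test restore did not complete."""
    if job.get("Status") != "COMPLETED":
        return None
    return ts(job["CompletionDate"]) - ts(job["CreationDate"])


def dr_report(points, job, now, rpo_target, rto_target):
    rpo, failed = measure_rpo(points, now)
    rto = measure_rto(job)
    return {
        "rpo": rpo, "rpo_met": rpo is not None and rpo <= rpo_target,
        "rto": rto, "rto_met": rto is not None and rto <= rto_target,
        "unusable_points": len(failed),  # the "0 errors" in 3-2-1-1-0
    }


if __name__ == "__main__":
    now = datetime(2025, 1, 13, 12, 0, tzinfo=timezone.utc)
    print(dr_report(RECOVERY_POINTS, RESTORE_JOB, now,
                    timedelta(hours=24), timedelta(hours=4)))
```

In the sample, the single `PARTIAL` backup stretches the measured RPO to 48 hours, so a daily schedule alone does not show that a 24-hour target is met.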