The UK National Cyber Security Centre and the UK Department for Education (DfE) both require compliance with certain standards, including the 3-2-1 rule for backups. This rule means keeping a minimum of three copies of all data (including the primary copy), on at least two separate devices, with at least one of those copies held offsite. This article outlines how Redstor helps you meet this requirement.
Three copies
The DfE requires keeping at least three copies of all data, with the original (primary) data counting as the first copy. Redstor then keeps two independent copies of the data in two geographically separated locations in the UK, and both copies are immutable. This is not optional: it happens automatically whenever customers run any kind of backup with our solution (Microsoft 365, Google Workspace, servers, VMs, Azure and so on).
Two devices
The DfE emphasises the importance of holding backup data on two separate devices. Redstor keeps two copies of the data in two geographically separated locations in the UK, which satisfies this guidance.
Our software can also be configured to store an optional third copy of the data on local or network-attached storage.
Whether or not the local copy option is used, we store two copies of the data in separate locations in our cloud, which meets the two-device requirement.
One offsite backup
The DfE requires keeping at least one backup copy offsite. For compliance purposes, Redstor's cloud storage counts as an offsite location and meets this criterion.
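To make the three tests above concrete, here is an added example (not Redstor's own code) that audits an inventory of data copies against the 3-2-1 rule. The inventories are constructed for illustration: one mirrors the arrangement described in this article (primary data plus two immutable cloud copies in separate UK locations), and two show common ways a school's backup setup falls short. Device names and the inventories are assumptions, not real sites.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class BackupCopy:
    """One copy of a data set and where it physically lives."""
    label: str
    device: str        # storage device or location identifier (constructed)
    offsite: bool      # held away from the site that holds the primary data
    immutable: bool    # cannot be altered or deleted before retention expires
    primary: bool = False


def check_3_2_1(copies):
    """Evaluate a list of BackupCopy against the 3-2-1 rule.

    Returns named findings so an auditor can see *which* part failed,
    not just a single pass/fail. Immutability is reported separately:
    it is not part of 3-2-1 itself, but the article relies on it for
    the two cloud copies.
    """
    backups = [c for c in copies if not c.primary]
    devices = {c.device for c in copies}
    offsite = [c for c in copies if c.offsite]
    findings = {
        "three_copies": len(copies) >= 3,
        "two_devices": len(devices) >= 2,
        "one_offsite": len(offsite) >= 1,
        "offsite_copy_immutable": any(c.immutable for c in backups if c.offsite),
    }
    findings["compliant"] = (
        findings["three_copies"] and findings["two_devices"] and findings["one_offsite"]
    )
    return findings


# Constructed inventories (assumed layouts, not real estates).
INVENTORIES = {
    # Primary on the school server, two immutable copies in separate UK cloud sites.
    "cloud_two_sites": [
        BackupCopy("primary", "school-server", offsite=False, immutable=False, primary=True),
        BackupCopy("cloud-copy-1", "uk-cloud-site-a", offsite=True, immutable=True),
        BackupCopy("cloud-copy-2", "uk-cloud-site-b", offsite=True, immutable=True),
    ],
    # Three copies and two devices, but everything is still in the building.
    "same_building_nas": [
        BackupCopy("primary", "school-server", offsite=False, immutable=False, primary=True),
        BackupCopy("nas-copy-1", "school-nas", offsite=False, immutable=False),
        BackupCopy("nas-copy-2", "school-nas", offsite=False, immutable=False),
    ],
    # Only one backup at all: offsite, but not three copies.
    "single_cloud_copy": [
        BackupCopy("primary", "school-server", offsite=False, immutable=False, primary=True),
        BackupCopy("cloud-copy-1", "uk-cloud-site-a", offsite=True, immutable=True),
    ],
}


def audit_all(inventories=INVENTORIES):
    """Run the 3-2-1 check over every inventory and return the findings by name."""
    return {name: check_3_2_1(copies) for name, copies in inventories.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        failed = [k for k, v in findings.items() if k != "compliant" and not v]
        status = "PASS" if findings["compliant"] else "FAIL"
        print(f"{name}: {status}" + (f" (missing: {', '.join(failed)})" if failed else ""))
```

The separate findings matter more than the overall verdict: the "same_building_nas" case passes the three-copies and two-devices tests and fails only on offsite, which is exactly the gap a fire, flood or ransomware event on the school network exposes.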
Other security considerations
What access controls are in place for Redstor backups?
Our web-based application, the RedApp, is the central point of control for our software. Service providers and administrators use this interface to manage our service: checking the success or failure of backups, and carrying out management tasks such as onboarding new sites and setting retention policies.
Access to the RedApp is always controlled with multi-factor authentication (MFA), with most customers using Microsoft or Google as their identity provider. In addition, our app requires re-authentication whenever a logged-in user performs a destructive action, such as a deletion or a retention change. This ensures that, even if an identity were compromised, only authorised users can perform such actions.
The RedApp also provides role-based access, so that users only see the areas of the app that are relevant to them. For example, an MSP may see multiple schools' estates, but an individual school administrator can only see their own estate. Granular permissions can be set within the app to restrict access as required.
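The two controls described above (tenant-scoped role-based access, and a fresh re-authentication before any destructive action) combine into one authorisation decision. The following is an added illustration of that decision logic, not the RedApp's code: the role names, the action list, the five-minute re-authentication window and the sample sessions are all assumptions made for the example.

```python
from dataclasses import dataclass, replace
from datetime import datetime, timedelta, timezone

# Assumed classification: actions that remove or shorten the life of backup data.
DESTRUCTIVE_ACTIONS = frozenset({"delete_backup", "change_retention"})

# Assumed role model: which actions each role may perform at all.
ROLE_PERMISSIONS = {
    "msp_admin": frozenset({"view_backups", "onboard_site", "delete_backup", "change_retention"}),
    "school_admin": frozenset({"view_backups", "delete_backup", "change_retention"}),
}

# Assumed freshness window for the step-up MFA check on destructive actions.
REAUTH_WINDOW = timedelta(minutes=5)


@dataclass(frozen=True)
class Session:
    user: str
    role: str
    tenants: frozenset            # estates this identity is allowed to manage
    mfa_verified_at: datetime     # time of the most recent MFA challenge


def authorise(session, tenant, action, now):
    """Decide whether `session` may perform `action` on `tenant` at time `now`.

    Checks run from broadest to narrowest: tenant scope first, so that a
    stolen school-admin identity learns nothing about other estates; then
    the role's permissions; then, for destructive actions only, whether the
    last MFA challenge is recent enough. Returns (allowed, reason).
    """
    if tenant not in session.tenants:
        return False, "tenant out of scope"
    if action not in ROLE_PERMISSIONS.get(session.role, frozenset()):
        return False, "action not permitted for role"
    if action in DESTRUCTIVE_ACTIONS and now - session.mfa_verified_at > REAUTH_WINDOW:
        return False, "re-authentication required"
    return True, "allowed"


def reauthenticate(session, now):
    """Return a copy of the session after a successful fresh MFA challenge."""
    return replace(session, mfa_verified_at=now)


# Constructed sessions and timeline for the walkthrough.
LOGIN = datetime(2024, 1, 15, 9, 0, tzinfo=timezone.utc)
LATER = LOGIN + timedelta(hours=2)

SCHOOL_ADMIN = Session("head.it@school-a.example", "school_admin",
                       frozenset({"school-a"}), mfa_verified_at=LOGIN)
MSP_ADMIN = Session("ops@msp.example", "msp_admin",
                    frozenset({"school-a", "school-b"}), mfa_verified_at=LOGIN)


def walkthrough():
    """Exercise the decision function and return the outcomes by case name."""
    return {
        "school_views_own": authorise(SCHOOL_ADMIN, "school-a", "view_backups", LATER),
        "school_views_other": authorise(SCHOOL_ADMIN, "school-b", "view_backups", LATER),
        "school_onboards_site": authorise(SCHOOL_ADMIN, "school-a", "onboard_site", LATER),
        "school_deletes_stale_mfa": authorise(SCHOOL_ADMIN, "school-a", "delete_backup", LATER),
        "school_deletes_after_reauth": authorise(
            reauthenticate(SCHOOL_ADMIN, LATER), "school-a", "delete_backup", LATER),
        "msp_changes_retention_stale_mfa": authorise(MSP_ADMIN, "school-b", "change_retention", LATER),
        "msp_views_both": (authorise(MSP_ADMIN, "school-a", "view_backups", LATER)[0]
                           and authorise(MSP_ADMIN, "school-b", "view_backups", LATER)[0]),
    }


if __name__ == "__main__":
    for case, outcome in walkthrough().items():
        print(f"{case}: {outcome}")
```

Note that the re-authentication check applies regardless of role: the MSP administrator with a two-hour-old MFA challenge is refused the retention change just as the school administrator is. Only a fresh challenge, not the existing logged-in session, unlocks the destructive path.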
How do you ensure backups are not compromised in the event of data loss or a cybersecurity incident?
Our cloud platform is completely isolated from our line-of-business systems, and individual sites in our cloud are isolated from each other with independent access control and management as well as network separation, so that a cybersecurity incident in one part of the network cannot propagate to other parts and cause service interruptions. We can also fail over an entire site to an alternative location in the event of a catastrophic incident at that site.
We regularly review our security posture against frameworks such as NIST to highlight and prioritise areas for improvement. We have various security tools and policies in place, including extensive training for our employees, to support this. We also obtain external validation of our security posture through regular penetration testing and vulnerability scanning. We go through the following certifications annually to ensure we are maintaining our security and operational standards:
- ISO 27001 (information security management)
- ISO 9001 (quality management)
- ISO 22301 (business continuity)
- SOC 2 Type 2 (system and organisation controls)