2.1.4 The Backups Should be Properly Secured

Information

The backup files will contain all data in the databases. Filesystem permissions and/or encryption should be used to prevent unauthorized users from gaining access to the backups.

Rationale:

Backups should be considered sensitive information. If an unauthorized user can access backups, then they have access to all data in the database. This is true for unencrypted backups and for encrypted backups if the encryption key is stored along with the backup.

NOTE: Nessus has not performed this check. Please review the benchmark to ensure target compliance.

Solution

Implement encryption, properly restrict filesystem permissions, protect and backup encryption keys.

For example, if you run MySQL Enterprise Backup include --encrypt-password

$ mysqlbackup --defaults-file=/home/dbadmin/my.cnf --backup-image=/home/admin/backups/my.mbi \
--backup-dir=/home/admin/backup-tmp --encrypt-password backup-to-image

Mysqlbackup includes not just the database data, but also provides for secure backup of keys, and support for secured archival storage.

See Also

https://workbench.cisecurity.org/files/3848

Item Details

Category: CONTINGENCY PLANNING, SYSTEM AND COMMUNICATIONS PROTECTION

References: 800-53|CP-9, 800-53|SC-28, CSCv7|10.4

Plugin: Windows

Control ID: ffbd50871232be6ed09b5bd0169cc2dbe6da752e5b648fdcde1dec3cd5d226c6