The following threats have been taken into account during the system design and development. As other threats are identified they will be added here along with an analysis of them.

The required operational mitigation is generally an action that should be taken by one or more of the people involved in operating the backup system. Normally that action is included in a document with instructions to that person. In any case the administrator of the system should read through these mitigations and ensure that they are taking place. The relevant documents are:
- instructions_for_key_holders.md
- manual_restoration_processes.md
- administrator-guide.md
| threat | system mitigation | required operational mitigation |
|---|---|---|
| an authorised user may use the backup data to steal confidential information | backup data access is split from decryption rights | key holders should not have access to backup disks<br>operations users should not have access to private keys<br>backup disks and private keys should be stored securely and separately |
| system could be used by operators to access historical information that should have been destroyed | only session keys are provided to operators for decryption | key holders must register and follow up on decryption requests |
| an outside attacker could come and steal the backups, stopping restoration | provide the possibility of having multiple backups so that if one is stolen the others can be used | keep backups in more than one location, kept secret from outsiders<br>more than one person should be separately responsible for backup storage |
| an outside attacker could come and steal the backups, using them to access PII | backups are encrypted<br>the encryption key is designed to be kept away from those that have access to the backups | backups should be stored securely<br>the people with access to the backups are different from those that have the keys |
| a software vulnerability in one of the underlying platforms could allow access to key areas of the system and negate other protections | automated builds are used to allow rapid integration of software updates<br>AWS protections such as security groups are used to isolate components from outside access<br>data is stored public-key encrypted and private key material is designed to be well separated from the data<br>the largely serverless design avoids active patch management (beware of EC2-based subsystems) | verification of rapid application of software patches<br>general monitoring and specific intrusion detection monitoring should be applied to all system elements |
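The first, second and fourth rows of the table rely on one mechanism: backups are encrypted under a per-backup session key, that session key is wrapped to a public key, and the private-key holder releases a single session key per registered request rather than the private key itself. The following Go program is an added illustration of that split written for this page; it is not backup-cloud's own code, and the `Backup` layout, the `KeyHolder` type and the sample backup IDs are this example's assumptions. It shows that the party holding the backup (ciphertext plus wrapped key) cannot read it, that an operator given one released session key can restore that backup, and that the same session key fails on an older backup, which is what keeps historical data out of reach.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
	"log"
)

// Backup holds one encrypted backup. The layout is this example's assumption,
// not backup-cloud's storage format.
type Backup struct {
	ID         string
	Nonce      []byte
	Ciphertext []byte
	WrappedKey []byte // per-backup session key, wrapped to the key holder's public key
}

// EncryptBackup runs on the operations side and needs only the public key.
// A fresh AES-256 session key encrypts the data; the session key is then
// wrapped with RSA-OAEP so whoever holds the backup disk cannot unwrap it.
func EncryptBackup(pub *rsa.PublicKey, id string, plaintext []byte) (*Backup, error) {
	sessionKey := make([]byte, 32)
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	// The backup ID is bound as associated data (and as the OAEP label) so a
	// wrapped key cannot be quietly re-pointed at a different backup.
	ct := gcm.Seal(nil, nonce, plaintext, []byte(id))
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, []byte(id))
	if err != nil {
		return nil, err
	}
	return &Backup{ID: id, Nonce: nonce, Ciphertext: ct, WrappedKey: wrapped}, nil
}

// KeyHolder models the person holding the private key. Every release is
// recorded, which is the "register and follow up on decryption requests"
// obligation from the table above.
type KeyHolder struct {
	priv *rsa.PrivateKey
	Log  []string
}

// ReleaseSessionKey unwraps exactly one backup's session key on request.
// The private key itself never leaves the key holder.
func (k *KeyHolder) ReleaseSessionKey(b *Backup, requester, reason string) ([]byte, error) {
	k.Log = append(k.Log, fmt.Sprintf("backup=%s requester=%s reason=%q", b.ID, requester, reason))
	return rsa.DecryptOAEP(sha256.New(), nil, k.priv, b.WrappedKey, []byte(b.ID))
}

// DecryptWithSessionKey runs on the operator side with only the released key.
// Using it on any other backup fails GCM authentication.
func DecryptWithSessionKey(sessionKey []byte, b *Backup) ([]byte, error) {
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.ID))
}

func main() {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		log.Fatal(err)
	}
	holder := &KeyHolder{priv: priv}
	// Constructed sample data: a current backup and an older one that should have been purged.
	current, _ := EncryptBackup(&priv.PublicKey, "2024-06-01", []byte("customer table, current"))
	old, _ := EncryptBackup(&priv.PublicKey, "2023-01-15", []byte("customer table, historical"))

	key, err := holder.ReleaseSessionKey(current, "ops-alice", "restore test")
	if err != nil {
		log.Fatal(err)
	}
	pt, err := DecryptWithSessionKey(key, current)
	fmt.Printf("current backup: %q err=%v\n", pt, err)
	_, err = DecryptWithSessionKey(key, old)
	fmt.Printf("old backup with the same session key: err=%v\n", err)
	fmt.Println("key holder log:", holder.Log)
}
```

The design point is that the operator's access is scoped by the key holder per backup: a compromised or curious operator holding one released session key learns nothing about other backups, and the key holder's log is the audit trail that the operational mitigation asks them to follow up on.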
The following threats were ignored in the design of this system but are explicitly registered to help future analysis and in order to explain why we believe we don't have to take them into account at present. If these threats matter in your system then backup-cloud as currently designed may not be for you. Alternatively you may want to add improvements to backup-cloud to protect against them, either in your install or by contributing to the project.
| threat | reasons to disregard |
|---|---|
operators may use backup system to access current data | operators can already access live data and must be able to in order to verify system operation |
attackers may have capabilities to decrypt public key encryption used | such capability would, through attacks on TLS etc. give the attackers the capability to access the live system in any case |
| attackers may attack underlying cloud platforms and use control of them to access data | (attacks on the specific cloud systems used should obviously still be taken into account) since the original data is already stored in the cloud, a person with access to the cloud system could access that data directly |