December 2020

What is Separation of Duties (SoD)?

Separation of Duties is a vital tool for managing risk.

As protection from cybercrime and ransomware attacks, safeguarding backup integrity is crucial for the ability to reestablish operations. The backup is the backbone of data protection. However, a backup alone is not enough to ensure business continuity.

The fundamental principle of SoD is that no single person or group can execute all actions in connection with a business-critical activity, such as data transactions.

In practice, SoD prevents from deleting live data (primary data) and backup data simultaneously. This provides a crucial layer of protection against malicious ransomware/ CryptoLocker attacks while at the same time preventing human error and sabotage.

Logical Separation of Duties

Similar to the physical separation of data – where backup servers are at a different location accessibly only by B4Restore’s authorized backup staff – B4Restore uses logical separation of duties to prevent “double hatting” in the allocation of rights and permissions.

Our Backup-as-a-Service solution is designed so that the same user and admin, either at your organization or at B4Restore, can never have access to both your production data and your backup data.

This effectively dismantles the worst damage caused by ransomware attacks and may event prevent an attack entirely.

Prevents the Most Common Ransomware

We have seen a number of examples of how standard online backup solutions can be vulnerable to ransomware attacks. This is because they are unable to prevent the backup from being overwritten by the encrypted data, thus enabling the ransomware to encrypt the backup as well as the primary data. And this is possible because there is no logical separation of duties.

Separation of Duties prevents the most common ransomware strategies and eliminates the serious IT risks your organization faces:

Takeover of user rights through phishing attacks, malware, hacking, fraud or similar IT-crime strategies
Blackmail, sabotage or conflict of interest for the individual user
Human error

Backup-as-a-Service

With a Backup-as-a-Service solution, you get full separation of duties. First, your data is stored in our data center, keeping it physically separate from your own production environment, with all that this entails. Second, the solution offers logical Separation of Duties:

It’s impossible for the backup admin to access both the backup and the production environment – so there is no double hatting.

Third, the backup job is initiated by the production server, so there is no virtual job located in the backup environment.

And finally, your backup data is NOT stored in a Windows environment, and so far, there have been no examples of ransomware that can mutate and cross over from one operating system to another. This means that because ransomware is often Windows-based, there is a design advantage in storing the backup in a non-Windows-based system.