Separation of Duties and ransomware

Cybercrime is a legitimate threat, and for most businesses, the likelihood of experiencing a cyberattack is actually higher than the threat of bankruptcy, traditional burglary or fraud. The best defense is a backup that is kept completely separate from your production data.   

In a new report, the World Economic Forum calls cybercrime “the second most concerning risk” for global commerce over the next decade. (The Global Risk Report 2020). Some of the biggest and costliest ransomware attacks ever registered have hit Danish companies.  

According to the same report, cybercrime is on its way to becoming the world’s third-largest economy, and on top of that, these criminals are using more and more effective methods. This why in some sectors, like finance and health, taking a systematic approach to backup has become a compliance requirement.  

Strong IT safety, good processes and high vigilance are all crucial. However, it is in the backup that the most important protection against the high costs that result from a ransomware attack should be implemented: the separation of duties, especially at user/admin level. But first, let’s take a closer look ransomware.

Read more about Separation of Duties and Backup-as-a-Service below.

Get in touch

What You Need to Know About Ransomware  

Ransomware is currently the most widespread cybercrime business model. Basically, ransomware occurs when a criminal gains access to a company’s IT systems or servers and then encrypts the data to paralyze the company. The “data hijackers” then demand a ransom (hence the name ransomware) in exchange for removing the encryption and allowing the company to resume operations.  

The size of the ransom varies, and some companies simply choose to pay it. However, security experts do not recommend giving in to cybercriminals, because there is no guarantee that they will actually live up to their end of the agreement or that the data will be undamaged once the encryption is removed.  

How does ransomware work?  

There are many types of ransomware, and new forms are appearing all the time. However, certain fundamental strategies have been observed time and again:  

A) Ransomware that takes over writing permission and compromises data 
Most ransomware uses concrete/existing rights and credentials to install or activate itself. This is why writing permissions and access rights to folders and drives should generally be kept to a minimum for the individual users within the organization, including the admins. This is the best way to minimize the risk of spreading ransomware. 

B) Ransomware as Dormant intruder
A cybercriminal or ransomware breaks into the IT environment and hides in the operating system for weeks or months without detection. This approach can cause tremendous damage because it makes it possible to:  

  • Harvest rights and access files, databases and user data based on the backup  
  • Encrypt the backup without allowing mirroring or restore because an uninfected backup no longer exists  
  • Perform functions to hamper the recovery of data by encrypting the shadow copies used for system restore points, or possibly even deleting them entirely. 

Separation of Duties (SoD) 

Separation of Duties is a vital tool for managing risk.  

As protection from cybercrime and ransomware attacks, safeguarding backup integrity is crucial for the ability to reestablish operations. The backup is the backbone of data protection. However, a backup alone is not enough to ensure business continuity.  

B4Restore’s solution is therefore subject to strict processes regarding Separation of Duties, or SoD.  

Separation of Duties

The fundamental principle of SoD is that no single person or group can execute all actions in connection with a business-critical activity, such as data transactions.  

In practice, SoD prevents from deleting live data (primary data) and backup data simultaneously in B4Restore’s Backup-as-a-Service solution.  

This provides a crucial layer of protection against malicious ransomware/ CryptoLocker attacks while at the same time preventing human error and sabotage.   

Logical Separation of Duties   

Similar to the physical separation of data – where backup servers are at a different location accessibly only by B4Restore’s authorized backup staff – B4Restore uses logical separation of duties to prevent “double hatting” in the allocation of rights and permissions.   

Our Backup-as-a-Service solution is designed so that the same user and admin, either at your organization or at B4Restore, can never have access to both your production data and your backup data.  

This effectively dismantles the worst damage caused by ransomware attacks and may event prevent an attack entirely. 

We have seen a number of examples of how standard online backup solutions can be vulnerable to ransomware attacks. This is because they are unable to prevent the backup from being overwritten by the encrypted data, thus enabling the ransomware to encrypt the backup as well as the primary data. And this is possible because there is no logical separation of duties.  

Separation of Duties prevents the most common ransomware strategies and eliminates the serious IT risks your organization faces:

  • Takeover of user rights through phishing attacks, malware, hacking, fraud or similar IT-crime strategies   
  • Blackmail, sabotage or conflict of interest for the individual user  
  • Human error   

Get in touch

Backup-as-a-Service SKI 02.22 framework agreement

With a Backup-as-a-Service solution, you get full separation of duties. First, your data is stored in our data center, keeping it physically separate from your own production environment, with all that this entails. Second, the solution offers logical Separation of Duties:   

  • It’s impossible for the backup admin to access both the backup and the production environment – so there is no double hatting.  
  • Third, the backup job is initiated by the production server, so there is no virtual job located in the backup environment.  
  • And finally, your backup data is NOT stored in a Windows environment, and so far, there have been no examples of ransomware that can mutate and cross over from one operating system to another. This means that because ransomware is often Windows-based, there is a design advantage in storing the backup in a non-Windows-based system. 

B4Restore is an approved SKI 02.22 sub-supplier, and can therefore be selected as a supplier through our partner network. 

Get in Touch
Want to learn more about Separation of Duties and how it is a vital tool for managing risk? Fill out the form, and we'll get in touch within a short time. Or you can contact CCO Jesper Juul at


Contact us