A robust backup strategy is essential for cyber resilience. Google Cloud Backup and DR Service is a managed solution for protecting and restoring workloads. This document outlines architectural recommendations and configuration best practices to help you construct a defense against cyber threats like unauthorized data exfiltration and ransomware.
This guide details the recommended best practices for designing a secure and resilient backup strategy using Google Cloud Backup and DR.
Before you begin
- Enable the Google Cloud Backup and DR API.
- Ensure you have the necessary Identity and Access Management (IAM) permissions to create and manage Backup and DR resources.
Implement a centralized backup architecture
A well-architected backup environment is the first step to limit the extent of a security breach. Use a centralized model to isolate backups from production systems. This model limits the impact of cyber attacks and simplifies data protection management.
- Create a hub project: Create a dedicated, restricted Google Cloud project for your backup vaults. This project serves as the central management hub for your backups.
- Use spoke projects: Contain your production and development workloads in separate projects. This isolation ensures that a compromised spoke project does not grant inherent access to the hub project where recovery data is stored.
For more information, see backup vault architecture.
Configure IAM permissions
Protect backup administrative credentials and restrict access to prevent unauthorized deletion of your backups. Apply the principle of least privilege to your backup projects.
- Separate roles: Ensure the user who triggers a backup is not the same user who can delete a backup or modify retention policies.
- Restrict admin roles: Limit the number of users with Backup and DR Admin permissions. Assign most users Viewer or Operator roles sufficient for their duties.
- Manage Service Agent permissions: Ensure the Backup and DR Service Agent has the minimum required permissions in spoke projects to capture and recover data.
- Audit permissions: Periodically audit the Service Agent's permissions to prevent privilege creep.
For more details, see Control access with IAM.
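A way to audit the separate-roles and restrict-admin-roles points above against a project's IAM policy. This is an added example, not Google's code: the policy document is constructed inline in the shape that `gcloud projects get-iam-policy --format=json` returns, and the Backup and DR role names used for the trigger and destructive sets are assumptions to confirm against your own role set.

```python
"""Audit an IAM policy for Backup and DR separation of duties and admin sprawl."""
import json
from collections import defaultdict

# Assumed role names: roles that only trigger backups vs. roles that can
# delete backups or change retention. Adjust to your organization's roles.
BACKUP_TRIGGER_ROLES = {"roles/backupdr.user"}
DESTRUCTIVE_ROLES = {"roles/backupdr.admin", "roles/owner", "roles/editor"}
ADMIN_ROLE = "roles/backupdr.admin"

# Constructed sample policy (not from a real project).
SAMPLE_POLICY = json.dumps({
    "bindings": [
        {"role": "roles/backupdr.admin",
         "members": ["user:alice@example.com", "user:bob@example.com"]},
        {"role": "roles/backupdr.user",
         "members": ["user:carol@example.com",
                     "serviceAccount:backup-job@example.iam.gserviceaccount.com"]},
        {"role": "roles/owner", "members": ["user:carol@example.com"]},
        {"role": "roles/backupdr.viewer", "members": ["group:auditors@example.com"]},
    ]
})


def roles_by_member(policy_json):
    """Invert the bindings list into member -> set of roles."""
    policy = json.loads(policy_json)
    out = defaultdict(set)
    for binding in policy.get("bindings", []):
        for member in binding.get("members", []):
            out[member].add(binding["role"])
    return out


def find_violations(policy_json, max_admins=1):
    """Return findings as tuples: (kind, subject, detail).

    separation_of_duties: a principal that can both trigger and delete backups.
    too_many_admins: more principals hold the admin role than max_admins.
    """
    members = roles_by_member(policy_json)
    findings = []
    for member, roles in sorted(members.items()):
        if roles & BACKUP_TRIGGER_ROLES and roles & DESTRUCTIVE_ROLES:
            findings.append(("separation_of_duties", member, sorted(roles)))
    admins = sorted(m for m, r in members.items() if ADMIN_ROLE in r)
    if len(admins) > max_admins:
        findings.append(("too_many_admins", admins, len(admins)))
    return findings


if __name__ == "__main__":
    for finding in find_violations(SAMPLE_POLICY):
        print(finding)
```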
Configure backup vault security features
Backup and DR provides built-in features to help ensure that your backup data cannot be deleted or altered.
- Enable immutability: Configure your backup vaults to specify and lock a minimum retention period. This setting prevents any user, including administrators, from deleting backup data before the retention period expires.
- Enforce immutability with Organization Policies: Use Google Cloud Organization Policies to enforce the use of immutable vaults across all projects.
- Enable CMEK: Use customer-managed encryption keys (CMEK) to protect backup data with a cryptographic key that you manage through Cloud Key Management Service. You can only configure CMEK when you create a backup vault.
- Use multi-region vaults: Store data across several geographic areas with multi-region vaults. This provides enhanced security and ensures backup availability during regional disruptions.
- Set access restrictions: Restrict vault access to and from its organization or project to minimize the chance of unauthorized access. You can only configure this setting during vault creation.
Integrate with Security Command Center
Integrate Backup and DR with Security Command Center and Google Security Operations. This integration provides visibility into high-risk activities through alerts.
Integrating these services lets you perform the following actions:
- Get immediate notifications for critical actions, such as when workload protection is disabled.
- Conduct threat investigations and pinpoint specific backup resources that might be impacted.
- Consolidate backup-related threats into cases to facilitate efficient and structured mitigation.
To learn more, see View alerts in Security Command Center.
Apply platform security guardrails
Use Google Cloud security features to add layers of protection to your backup infrastructure.
- Use Project Liens: Place a Project Lien on your central backup hub project. A lien prevents the accidental or malicious deletion of the entire project. For more information, see Configure multi-party approval for project liens with Privileged Access Manager.
- Use VPC Service Controls: Define a service perimeter around your backup projects to prevent data exfiltration. See Configure VPC Service Controls.
- Restrict external IPs: Ensure that your backup/recovery appliances don't have public IP addresses.
What's next
- Learn more about custom constraints for Backup and DR.
- Learn more about customer-managed encryption keys (CMEK).
- Learn more about multi-region support for backup vaults.