Testing cloud-based backups

psp1234

Involved In Discussions
Hi,
Not sure if I should post here in "13485", but I'll start here.
My auditor, for ISO 13485, was concerned that we don't have a plan to test cloud-based applications' backup.
Our cloud-based apps are hosted by AWS.
What is you recommendation to approach towards testing the backup?
It appears that the expectation is to call our contractor (the app owner) and ask for a file recovery from AWS - in a certain frequency.
Does it make sense? is it an overkill? or enough to say that AWS is ISO 27001 certified and this testing activity is "covered by the certification"?

happy to hear advice,
thx
Sue
 

Tagin

Trusted Information Resource
AWS may provide a reliable hosting platform, but the app owner is responsible for configuration of teh software and accounts that sit on top of that platform, including configuring backups. There have been endless stories of how misconfigured S3 buckets have allowed access to confidential data, and the example of the case linked below where backups were performed, but the backups were on the same AWS account as the main servers, so once a hacker got in, he was able to delete both the production servers and all the backups, putting the company out of business.

My point is that it is not merely testing the app owner's backup plan that is a potential risk; it is also all the risks associated with configuration, which depends on how competent and diligent are the app owners at securely configuring the app and the AWS accounts.

Leaky AWS S3 buckets are so common, they're being found by the thousands now – with lots of buried secrets
Hacker Puts Hosting Service Code Spaces Out of Business
 

psp1234

Involved In Discussions
Thank you,
:unsure: Any advice for how to check the app owner? If I asked them for an evidence of testing the backup and/or testing config, how do I really know? I am not an IT expert :-(
 

Ninja

Looking for Reality
Trusted Information Resource
If it were me (and it was) I would pretend that my site went offline totally.

You aren't testing AWS...you are testing the purpose for having backups at all...catastrophic accident requiring the backup.

AWS is part of your BCP...test the BCP as a whole.
Where will you access the backup from? Go there.
What terminal/computer will you use? Use that one.
How will you operate? Operate that way.

That's how you test the 'real world scenario' of "I need a backup".
Because of the cost, we tested it once... then tested the particular items of highest concern yearly.

Items of highest concern:
Computer data: develop a list of what you want most, download those items, check them.
Calling the remote rental site to review contract.

HTH
 

Tagin

Trusted Information Resource
Thank you,
:unsure: Any advice for how to check the app owner? If I asked them for an evidence of testing the backup and/or testing config, how do I really know? I am not an IT expert :-(

Unless they give you transparency to their procedures and security settings, you can't really tell. You can perhaps see if they can provide you some certifications for IT management and IT cybersecurity, or some kind of report they can provide you to which shows the controls and risk mgmt they are performing (and then, do you trust the report to be truthful?) Otherwise, aside from auditing them, your kind of stuck with a reputation-based assessment.
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
You will need to do what others have said and probably more for GDPR & the new California regs if you are larger company.
 

Ed Panek

QA RA Small Med Dev Company
Leader
Super Moderator
Is there a forum for GDPR? I have a few templates I can link there since we self-certified this year.
 

samalexander200002

Starting to get Involved
I recommend following a testing process similar to what you would use to test the backup of any other system. This process should include the following steps:
  1. Identify the critical data and systems that need to be backed up.
  2. Develop a backup strategy that includes how often the backups should be performed, where the backups will be stored, and how the backups will be validated.
  3. Implement the backup strategy.
  4. Regularly test the backup process to ensure it is working as expected. This can be done by restoring a small amount of data from the backup and verifying that it is complete and uncorrupted.
  5. Document the backup and testing process.
For cloud-based applications hosted by AWS, you may also want to consider using AWS's backup and disaster recovery services, such as AWS Backup and AWS Disaster Recovery. These services can help automate the backup and recovery process and provide additional safeguards for your data.
 
Top Bottom