BR-1: Ensure regular automated backups
Level: Parent
Category: Backup automation and coverage
Priority: Must have
Azure Policy:
- Azure Backup should be enabled for Virtual Machines
- Geo-redundant backup should be enabled for Azure Database for MariaDB
- Geo-redundant backup should be enabled for Azure Database for MySQL
- Geo-redundant backup should be enabled for Azure Database for PostgreSQL

Description: Implement automated backup for all business-critical resources ensuring consistent protection without manual intervention. Configure appropriate backup frequency and retention periods aligned with Recovery Point Objectives (RPO) and data retention requirements. Enforce backup policies through governance frameworks ensuring comprehensive coverage across resources.

Risk: Organizations operating without systematic automated backup face significant data loss risks from various threat scenarios and operational failures. Without regular automated backups:
- Ransomware data loss: Ransomware attacks encrypt production data with no recovery path when backup copies are absent, corrupted, or also encrypted.
- Accidental deletion impact: Human errors including accidental resource deletion, configuration changes, or data purges cause permanent data loss without backup protection.
- Infrastructure failure data loss: Hardware failures, storage corruption, or regional outages result in complete data loss when backup copies do not exist.
- Malicious insider threats: Intentional data deletion or corruption by malicious insiders creates irreversible damage without independent backup copies.
- Application error data corruption: Software bugs, failed updates, or database corruption propagate across production systems without point-in-time recovery capability.
- Compliance requirement failures: Regulatory frameworks mandate data retention and recovery capabilities with audit failures when backups are missing or incomplete.
Manual backup processes create coverage gaps, inconsistent protectio

MITRE ATT&CK mapping:
- Impact (TA0040): data destruction (T1485) permanently deleting business-critical data, and data encrypted for impact (T1486) deploying ransomware without recovery options.
- Defense Evasion (TA0005): impair defenses (T1562) disabling backup services and deleting backup copies to prevent recovery.
- Persistence (TA0003): maintaining undetected access to systematically delete backups over time before executing destructive attacks.

Compliance mapping:
- NIST SP 800-53: CP-9, CP-9(1), CP-9(3), CP-9(5), CP-10(2)
- PCI DSS: 12.10.1, 12.10.4
- CIS Controls: 11.1, 11.2, 11.3
- NIST CSF: PR.IP-4, RC.RP-1
- ISO/IEC 27001: A.8.13
- SOC 2: CC5.1, A1.2

Case study: A financial services organization faced regulatory requirements for data retention and business continuity while managing rapid cloud expansion with thousands of new resources deployed monthly. Manual backup processes created coverage gaps and compliance risks.
- Challenge: Trading systems required an aggressive 12-hour RPO, regulatory data needed 7-year retention, and rapid resource provisioning outpaced manual backup configuration, leaving new VMs unprotected.
- Solution approach:
  - Automated protection for supported services: Deployed Azure Backup for 2,000+ VMs with twice-daily backups meeting the 12-hour RPO. Configured Azure SQL Database with 35-day retention and Azure Cosmos DB continuous backup providing 5-minute granularity for trading data.
  - Native protection for storage: Enabled blob versioning and soft delete for Azure Storage accounts, leveraging native capabilities instead of separate backup infrastructure.
  - Policy-based enforcement: Implemented Azure Policy with automatic remediation ensuring production resources receive protection immediately upon creation. Established a "BackupTier" tagging strategy (Gold/Silver/Bronze) automating policy assignment by criticality.
  - Automated solutions for unsupported resources: Created Azure Automation runbooks for Azure Key Vault secrets and firewall configurations with 7-year retention.
- Outcome: The organization achieved complete production coverage with automated backup protection deployed immediately upon resource creation, eliminating manual configuration delays. Policy-based enforcement ensured consistent compliance while automated remediation addressed gaps without manual intervention.
BR-1.1: Enable automated backup for supported resources
Level: Child (parent: BR-1)
Category: Backup automation and coverage

Backup protection provides the ultimate recovery mechanism when all other security controls fail, enabling organizations to restore operations after ransomware attacks, data corruption, accidental deletion, or infrastructure failures that render primary data inaccessible. Automated backup configuration eliminates human error in protection deployment while ensuring consistent coverage as infrastructure scales dynamically in cloud environments. Recovery point objectives achieved through backup frequency directly determine maximum tolerable data loss, making backup configuration a critical business continuity decision rather than purely technical implementation.

Establish comprehensive automated protection through these backup capabilities: Enable Azure Backup for supported resources including Azure Virtual Machines, SQL Server, SAP HANA databases, Azure Database for PostgreSQL, Azure Files, Azure Disks, and Azure Blobs, configuring automated backup schedules aligned with business requirements.

Backup configuration best practices:
- Deploy Azure Backup across resources: Enable Azure Backup on all supported business-critical resources including VMs, databases, file shares, and storage accounts ensuring comprehensive protection without coverage gaps.
- Configure backup frequency: Define backup frequency based on data change rates and RPO requirements using hourly backups for high-transaction databases and daily backups for less frequently changing data.
- Define retention policies: Establish rete
BR-1.2: Implement backup for unsupported resources
Level: Child (parent: BR-1)
Category: Backup automation and coverage

Relying exclusively on Azure Backup's supported resource list creates protection gaps for critical infrastructure components including Key Vault secrets, container images, Cosmos DB data, and custom application configurations that lack native backup integration. Native protection features embedded in Azure services (blob versioning, soft delete, point-in-time restore) often provide superior recovery capabilities tailored to specific workload characteristics compared to generic backup approaches. Custom backup automation ensures organizations maintain comprehensive protection across their entire technology stack rather than accepting data loss risk for unsupported components.

Extend protection to all critical resources through these approaches: Implement native backup capabilities or custom backup solutions for resources not supported by Azure Backup ensuring comprehensive protection across all business-critical services.

Native backup implementation:
- Enable Azure Key Vault backup: Implement Azure Key Vault native backup for secrets, keys, and certificates establishing automated export and secure storage of cryptographic materials.
- Configure storage account features: Enable blob versioning, soft delete, and point-in-time restore for Azure Storage accounts providing native data protection without separate backup infrastructure.
- Implement container registry backup: Enable geo-replication for Azure Container Registry and implement automated image export to secondary storage ensuring contain
BR-1.3: Enforce backup policies through governance
Level: Child (parent: BR-1)
Category: Backup automation and coverage

Manual backup configuration creates persistent coverage gaps as new resources deploy continuously in dynamic cloud environments, with unprotected resources remaining vulnerable until human intervention occurs, often discovered only after data loss incidents. Policy-driven enforcement transforms backup from reactive configuration into proactive governance that automatically protects new resources at creation time while continuously monitoring and remediating existing resources that drift from compliance. Centralized policy management ensures consistent protection standards across distributed teams and subscriptions where manual processes inevitably produce configuration inconsistencies.

Automate backup protection through policy-driven governance: Implement Azure Policy to enforce automated backup on new and existing resources ensuring consistent protection across subscriptions without manual configuration.

Policy-based backup enforcement:
- Deploy built-in backup policies: Assign Azure Policy definitions including "Configure backup on virtual machines" and "Azure Backup should be enabled for Virtual Machines" ensuring automatic compliance.
- Configure automatic remediation: Enable automatic remediation on backup policies ensuring non-compliant resources are automatically configured with appropriate backup protection.
- Define policy assignment scope: Apply backup policies at management group or subscription level providing centralized governance across multiple subscriptions and resource grou
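A local coverage audit that applies the "BackupTier" (Gold/Silver/Bronze) tagging strategy from the BR-1 case study and the coverage checks BR-1.3 asks Azure Policy to enforce, written as an added example that is not part of the baseline and not Azure tooling. Only the Gold tier's 12-hour RPO and 7-year retention come from the case study; the Silver and Bronze values, the untagged-resource default, the inventory and its fields are assumptions.

```python
"""Tier-based backup coverage audit (added example, not from the baseline).

Evaluates a constructed resource inventory against the "BackupTier" tagging
strategy (Gold/Silver/Bronze). Only the Gold tier's 12-hour RPO and 7-year
retention come from the case study; Silver, Bronze and the untagged default
are assumptions for illustration.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple

# Per-tier requirement: maximum RPO in hours and minimum retention in days.
TIER_REQUIREMENTS = {
    "Gold":   {"rpo_hours": 12,  "retention_days": 7 * 365},  # case-study values
    "Silver": {"rpo_hours": 24,  "retention_days": 90},       # assumed
    "Bronze": {"rpo_hours": 168, "retention_days": 35},       # assumed
}
# Assumption: an untagged production resource is judged against the strictest
# tier, so a missing tag becomes a finding rather than an exemption.
DEFAULT_TIER = "Gold"


@dataclass
class Resource:
    name: str
    kind: str                                  # "vm", "sqldb", ...
    tags: Dict[str, str] = field(default_factory=dict)
    protected: bool = False                    # any backup configured?
    retention_days: int = 0                    # configured retention
    last_recovery_point: Optional[datetime] = None


@dataclass
class Finding:
    resource: str
    check: str
    detail: str


def required_tier(resource: Resource) -> Tuple[str, bool]:
    """Return (tier, tag_missing); unknown or absent tags fall back to DEFAULT_TIER."""
    tier = resource.tags.get("BackupTier")
    if tier in TIER_REQUIREMENTS:
        return tier, False
    return DEFAULT_TIER, True


def audit_resource(resource: Resource, now: datetime) -> List[Finding]:
    """Apply the coverage, retention and RPO checks to one resource."""
    findings: List[Finding] = []
    tier, tag_missing = required_tier(resource)
    req = TIER_REQUIREMENTS[tier]
    if tag_missing:
        findings.append(Finding(resource.name, "missing-tag",
                                f"no valid BackupTier tag, evaluated as {tier}"))
    if not resource.protected:
        findings.append(Finding(resource.name, "unprotected",
                                f"{tier} tier requires backup, none configured"))
        return findings  # nothing further to inspect without a backup
    if resource.retention_days < req["retention_days"]:
        findings.append(Finding(resource.name, "retention-too-short",
                                f"{resource.retention_days}d configured, "
                                f"{req['retention_days']}d required"))
    if resource.last_recovery_point is None:
        findings.append(Finding(resource.name, "no-recovery-point",
                                "protected but no successful recovery point yet"))
    else:
        age_hours = (now - resource.last_recovery_point) / timedelta(hours=1)
        if age_hours > req["rpo_hours"]:
            findings.append(Finding(resource.name, "rpo-breach",
                                    f"latest recovery point is {age_hours:.1f}h old, "
                                    f"RPO is {req['rpo_hours']}h"))
    return findings


def audit_inventory(resources: List[Resource], now: datetime) -> Tuple[List[Finding], float]:
    """Audit every resource; return all findings and the protected-resource percentage."""
    findings = [f for r in resources for f in audit_resource(r, now)]
    unprotected = {f.resource for f in findings if f.check == "unprotected"}
    coverage = 100.0 * (len(resources) - len(unprotected)) / len(resources) if resources else 100.0
    return findings, coverage


# Constructed sample inventory (not real resources).
NOW = datetime(2024, 1, 15, 12, 0, tzinfo=timezone.utc)
SAMPLE_INVENTORY = [
    Resource("trade-vm-01", "vm", {"BackupTier": "Gold"}, True, 7 * 365, NOW - timedelta(hours=6)),
    Resource("trade-vm-02", "vm", {"BackupTier": "Gold"}, True, 7 * 365, NOW - timedelta(hours=30)),
    Resource("hr-sqldb", "sqldb", {"BackupTier": "Silver"}, True, 35, NOW - timedelta(hours=5)),
    Resource("new-vm-07", "vm", {}, False, 0, None),  # provisioned without tag or backup
    Resource("archive-vm", "vm", {"BackupTier": "Bronze"}, True, 35, NOW - timedelta(days=3)),
]

if __name__ == "__main__":
    all_findings, pct = audit_inventory(SAMPLE_INVENTORY, NOW)
    print(f"protected resources: {pct:.0f}%")
    for f in all_findings:
        print(f"{f.resource:<12} {f.check:<20} {f.detail}")
```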
BR-2: Protect backup and recovery data
Level: Parent
Category: Backup data protection
Priority: Must have
Azure Policy:
- Azure Backup should be enabled for Virtual Machines
- Geo-redundant backup should be enabled for Azure Database for MariaDB
- Geo-redundant backup should be enabled for Azure Database for MySQL
- Geo-redundant backup should be enabled for Azure Database for PostgreSQL
- [Preview]: Immutability must be enabled for Recovery Services vaults
- [Preview]: Immutability must be enabled for backup vaults
- [Preview]: Soft delete should be enabled for Backup Vaults

Description: Protect backup data and operations through multi-layered security controls including access restrictions, encryption, immutability, and geographic redundancy. Implement defense-in-depth protecting backup infrastructure from ransomware, malicious deletion, unauthorized access, and regional disasters ensuring recovery capability when needed.

Risk: Organizations failing to protect backup data face threats from ransomware, malicious insiders, accidental deletion, and unauthorized access compromising recovery capability. Without backup protection:
- Ransomware backup encryption: Advanced ransomware targets backup systems encrypting or deleting backup copies eliminating recovery options forcing ransom payment or permanent data loss.
- Malicious backup deletion: Attackers with compromised credentials delete backup copies before executing destructive attacks preventing incident recovery and maximizing damage.
- Insider threat data exfiltration: Malicious insiders with backup access exfiltrate sensitive data through backup systems bypassing production data access controls and monitoring.
- Accidental backup corruption: Unauthorized configuration changes, accidental deletion, or improper backup management corrupt backup data rendering recovery impossible during emergencies.
- Unauthorized backup access: Inadequate access controls allow unauthorized users to restore, modify, or delete backup data creating security and compliance violations.
- Regional disaster vulnerability: Backup data stored only in primary region becomes unavailable during regional disa

MITRE ATT&CK mapping:
- Impact (TA0040): inhibit system recovery (T1490) deleting backup copies preventing restoration after ransomware attacks.
- Defense Evasion (TA0005): indicator removal (T1070) and impair defenses (T1562) disabling backup monitoring and deleting backup logs.
- Credential Access (TA0006): steal application access token (T1528) compromising backup service accounts to access and corrupt backup data.
- Collection (TA0009): data from cloud storage (T1530) exfiltrating sensitive data through backup systems bypassing production access controls.

Compliance mapping:
- NIST SP 800-53: CP-9(8), SC-12(1), SC-13, SC-28, SC-28(1)
- PCI DSS: 3.5.1, 10.5.1, 12.3.4
- CIS Controls: 11.3, 11.5, 3.11
- NIST CSF: PR.DS-1, PR.DS-5, PR.IP-4
- ISO/IEC 27001: A.8.13, A.8.24, A.5.14
- SOC 2: CC6.1, CC6.7, A1.2

Case study: A healthcare organization experienced ransomware attacks targeting backup systems and faced HIPAA compliance requirements for protecting electronic health records across geographically distributed medical facilities.
- Challenge: Ransomware attackers were deleting backups before encryption, HIPAA required specific encryption controls, and regional disaster scenarios threatened data availability for critical patient care systems.
- Solution approach:
  - Access control and authentication: Implemented Azure RBAC segregating operations between Backup Operators (daily tasks) and Contributors (policy changes). Enabled MFA and security PIN for deletion operations preventing automated malicious actions.
  - Encryption and compliance: Configured customer-managed keys in Azure Key Vault meeting HIPAA requirements for organizational cryptographic control.
  - Immutability and ransomware defense: Enabled immutable vaults with 365-day retention lock preventing deletion even by administrators. Configured 90-day soft delete providing extended recovery window.
  - Network isolation: Implemented Azure Private Link eliminating public internet exposure for backup traffic.
  - Configured alerts detecting unauthorized restore attempts providing early ransomware attack indicators.
- Outcome: The organization successfully defended against ransomware attempts where backups remained intact and recoverable despite compromised administrative credentials. Customer-managed encryption keys and multi-factor authentication prevented unauthorized access to backup data during security incidents.
BR-2.1: Secure backup access and operations
Level: Child (parent: BR-2)
Category: Backup data protection

Backup infrastructure becomes a prime target for sophisticated adversaries who understand that destroyed backups eliminate recovery options following ransomware attacks or destructive malware deployment. Privileged access controls, multi-factor authentication, and soft delete capabilities transform backup systems from passive data storage into actively defended critical infrastructure that maintains availability even during compromise attempts. Audit logging and alerting enable security teams to detect backup tampering patterns before adversaries execute destructive attacks, providing critical early warning of advanced persistent threats.

Defend backup infrastructure through these security controls: Implement access controls, authentication, and audit logging for backup operations protecting against unauthorized access and malicious activity.

Access control configuration:
- Implement Azure RBAC for backup: Assign Azure role-based access control roles including Backup Contributor, Backup Reader, and Backup Operator segregating duties and enforcing least privilege access to backup operations.
- Require multi-factor authentication: Enforce multi-factor authentication for critical backup operations including restore, retention changes, backup deletion, and Recovery Services vault configuration preventing unauthorized access.
- Enable Azure Private Link: Configure private endpoints for Recovery Services vaults restricting backup traffic to private networks preventing backup data exfiltration over pub
BR-2.2: Encrypt backup data
Level: Child (parent: BR-2)
Category: Backup data protection

Unencrypted backups expose sensitive organizational data to unauthorized access through compromised storage, lost backup media, or malicious insiders with infrastructure permissions who lack legitimate business access to production data. Encryption transforms backup data from readable information into cryptographically protected ciphertext, ensuring confidentiality even when storage controls fail. Customer-managed encryption keys provide additional protection against cloud provider compromise scenarios while meeting regulatory requirements for cryptographic control, though they introduce key management complexity requiring documented recovery procedures.

Protect backup data confidentiality through encryption: Implement encryption for backup data at rest and in transit protecting confidentiality and meeting regulatory requirements.

Encryption configuration:
- Enable platform-managed encryption: Azure Backup automatically encrypts backup data using AES-256 encryption with platform-managed keys requiring no additional configuration for baseline protection.
- Implement customer-managed keys: Configure customer-managed keys in Azure Key Vault for backup encryption providing organizational control over encryption keys and meeting specific compliance requirements.
- Protect encryption keys: Enable soft delete and purge protection for Azure Key Vault storing backup encryption keys preventing key deletion and ensuring backup recoverability.
- Encrypt on-premises backups: Configure passphrase-based encrypti
BR-2.3: Implement backup immutability and redundancy
Level: Child (parent: BR-2)
Category: Backup data protection

Mutable backups that adversaries can delete or corrupt provide false confidence in recovery capabilities, with ransomware attackers specifically targeting backup systems before executing encryption to eliminate recovery options and force ransom payment. Immutability transforms backups from modifiable data stores into write-once storage that maintains recovery points regardless of administrative access or credential compromise. Geographic redundancy protects against regional disasters, datacenter failures, and localized security incidents that could destroy both production systems and co-located backups simultaneously.

Ensure backup data integrity and availability through immutability: Configure immutable backup storage and geographic redundancy protecting against ransomware, corruption, and regional disasters.

Immutability configuration:
- Enable immutable vault: Configure immutable vaults for Recovery Services vaults preventing backup deletion, retention reduction, and soft delete disablement for specified lock periods protecting against ransomware.
- Configure vault lock periods: Define minimum retention lock periods based on regulatory requirements, typically 180 days or longer, ensuring backup data cannot be prematurely deleted.
- Implement multi-user authorization: Require multi-user authorization for immutability configuration changes preventing a single administrator from weakening backup protection.
- Monitor immutability status: Track immutability configuration across Recovery Services
BR-3: Monitor backups
Level: Parent
Category: Backup automation and coverage
Priority: Should have
Azure Policy: No Azure Policy available

Description: Implement continuous monitoring of backup operations, coverage, and compliance ensuring all business-critical resources maintain protection meeting defined standards. Monitor backup health, detect failures, and alert on anomalies enabling rapid response to backup issues before they impact recovery capability.

Risk: Organizations failing to monitor backup operations and compliance lack visibility into backup failures, coverage gaps, and policy violations creating false security assumptions. Without backup monitoring:
- Silent backup failures: Backup jobs fail without detection leaving resources unprotected with outdated or missing backup copies discovered only during recovery attempts.
- Coverage gaps: New resources deployed without backup protection remain vulnerable to data loss while appearing in asset inventories suggesting comprehensive protection.
- Configuration drift: Backup policies and retention settings change through unauthorized modifications weakening protection without visibility or alerting.
- Compliance violations: Resources missing required backup protection create regulatory audit failures and penalties discovered only during compliance assessments.
- Capacity issues: Backup storage capacity exhaustion prevents new backups from succeeding causing silent protection degradation across resources.
- Security incidents: Unauthorized backup access, deletion, or configuration changes occur without detection indicating potential security compromises.
Lack of backup monitoring transforms backup systems int

MITRE ATT&CK mapping:
- Defense Evasion (TA0005): impair defenses (T1562) disabling backup monitoring to hide malicious activity targeting backup systems.
- Impact (TA0040): inhibit system recovery (T1490) silently corrupting or deleting backups over time before executing destructive attacks.

Compliance mapping:
- NIST SP 800-53: CP-9(1), SI-4, AU-6, AU-7
- PCI DSS: 10.4.1, 10.6.2, 12.10.5
- CIS Controls: 8.2, 8.11, 11.2
- ISO/IEC 27001: A.8.13, A.8.16
- SOC 2: CC7.2, A1.2

Case study: A retail organization operating a global e-commerce platform discovered 50 unprotected production VMs during an audit and experienced silent backup failures causing 3-day data loss before detection.
- Challenge: Rapid cloud expansion with thousands of protected items across multiple Azure regions created visibility challenges. Silent backup failures went undetected, and the audit revealed significant coverage gaps threatening business continuity and compliance.
- Solution approach:
  - Centralized visibility: Deployed Azure Backup Center with a unified view across numerous vaults in multiple regions. Implemented Azure Backup Reports tracking job success rates and storage trends.
  - Proactive alerting: Configured Azure Monitor alerts routing failures to the on-call team and flagging jobs exceeding 6-hour duration as early warning signals.
  - Compliance monitoring: Leveraged Azure Policy dashboards and automated weekly reports showing coverage by business unit.
  - Configuration protection: Implemented alerts requiring approval for retention reductions or protection disablement on critical resources.
- Outcome: The organization dramatically reduced backup failure detection time through proactive alerting and centralized monitoring. Comprehensive compliance monitoring eliminated audit findings related to unprotected business-critical resources while enabling storage optimization through identification of obsolete backups.
BR-3.1: Monitor backup health and operations
Level: Child (parent: BR-3)
Category: Backup automation and coverage

Backup systems failing silently create false confidence in recovery capabilities until disaster scenarios reveal months of unsuccessful backup attempts, making continuous health monitoring essential to validate protection effectiveness. Centralized backup monitoring aggregates status across distributed infrastructure enabling proactive failure remediation before data loss windows exceed recovery point objectives. Performance tracking identifies backup infrastructure scaling requirements and degradation patterns that indicate system stress or malicious interference before complete backup failures occur.

Monitor backup system reliability through centralized observability: Implement centralized monitoring of backup operations tracking job status, failures, and performance ensuring backup reliability.

Backup health monitoring:
- Enable Azure Backup reports: Configure Azure Backup Reports using a Log Analytics workspace providing centralized visibility into backup jobs, storage consumption, and protected items across subscriptions.
- Implement Backup Center: Use Azure Backup Center for unified backup management and monitoring providing a single interface for backup estate governance across Recovery Services vaults.
- Configure job monitoring: Track backup job completion status, duration, and failure rates identifying performance degradation and reliability issues requiring investigation.
- Monitor storage consumption: Track backup storage growth and capacity utilization forecasting storage requirements and
BR-3.2: Monitor backup compliance and coverage
Level: Child (parent: BR-3)
Category: Backup automation and coverage

Health monitoring detects backup system failures, but validating protection compliance requires tracking which resources maintain required backup coverage versus organizational policies and regulatory requirements. Compliance monitoring identifies resources that bypass or lose backup protection creating data loss risks that escalate until discovered through audit findings or disaster scenarios. Automated compliance reporting transforms manual auditing into continuous validation that catches coverage gaps immediately rather than discovering missing backups when recovery becomes necessary.

Validate protection compliance through continuous monitoring: Implement compliance monitoring ensuring all business-critical resources maintain required backup protection meeting organizational policies.

Compliance monitoring:
- Leverage Azure Policy compliance: Monitor Azure Policy compliance dashboards tracking resources with missing or misconfigured backup protection identifying coverage gaps.
- Implement backup coverage reports: Generate regular reports showing backup protection status across resource types, subscriptions, and resource groups quantifying coverage percentages.
- Track policy exemptions: Monitor backup policy exemptions ensuring documented business justification and regular review preventing exemption abuse weakening protection.
- Audit configuration changes: Track backup configuration changes including retention policy modifications, backup schedule adjustments, and protection disablement i
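The alerting rules from the BR-3 case study (failed jobs routed to on-call, jobs over the 6-hour threshold, and retention reductions or protection disablement routed for approval, which is also what BR-3.2's configuration-change audit watches for) replayed over constructed records, as an added example that is not from the baseline and does not use the real Azure Backup Reports schema; the key=value record format, operation names, item names and actor names are assumptions.

```python
"""Backup job health and configuration-change alerting (added example, not
from the baseline). Replays constructed job and activity records through the
BR-3 rules: failed jobs, jobs running longer than 6 hours (the case study's
early-warning threshold), and retention reductions or protection disablement
that must be routed for approval. The record format, operation names and
actors are assumptions, not the Azure Backup Reports schema.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Any, Dict, List

LONG_JOB_HOURS = 6  # case-study threshold for flagging slow jobs
WEAKENING_OPS = {"ProtectionStopped", "BackupDeleted"}  # assumed operation names


@dataclass
class Alert:
    kind: str
    item: str
    detail: str
    route: str  # "on-call" for job problems, "change-approval" for weakening changes


def parse_record(line: str) -> Dict[str, Any]:
    """Parse one constructed 'key=value ...' record; timestamps become aware datetimes."""
    rec: Dict[str, Any] = dict(part.split("=", 1) for part in line.split())
    for key in ("start", "end", "time"):
        if key in rec:
            rec[key] = datetime.fromisoformat(rec[key].replace("Z", "+00:00"))
    for key in ("old", "new"):
        if key in rec:
            rec[key] = int(rec[key])
    return rec


def evaluate_jobs(jobs: List[Dict[str, Any]], now: datetime) -> List[Alert]:
    """Flag failed jobs and jobs, finished or still running, longer than LONG_JOB_HOURS."""
    alerts: List[Alert] = []
    for job in jobs:
        if job["status"] == "Failed":
            alerts.append(Alert("job-failed", job["item"],
                                job.get("error", "unknown error"), "on-call"))
        end = job.get("end") or now  # an in-progress job has no end time yet
        hours = (end - job["start"]) / timedelta(hours=1)
        if hours > LONG_JOB_HOURS:
            suffix = " and still running" if "end" not in job else ""
            alerts.append(Alert("job-long-running", job["item"], f"{hours:.1f}h{suffix}", "on-call"))
    return alerts


def evaluate_changes(changes: List[Dict[str, Any]]) -> List[Alert]:
    """Changes that weaken protection (retention reduced, protection stopped) need approval."""
    alerts: List[Alert] = []
    for c in changes:
        if c["op"] == "RetentionChanged" and c["new"] < c["old"]:
            alerts.append(Alert("retention-reduced", c["item"],
                                f"{c['old']}d -> {c['new']}d by {c['actor']}", "change-approval"))
        elif c["op"] in WEAKENING_OPS:
            alerts.append(Alert("protection-weakened", c["item"],
                                f"{c['op']} by {c['actor']}", "change-approval"))
    return alerts


# Constructed sample records (not real Azure output). One job is still in progress.
NOW = datetime(2024, 3, 10, 18, 0, tzinfo=timezone.utc)
JOB_LOG = """\
item=trade-vm-01 status=Completed start=2024-03-10T06:00:00Z end=2024-03-10T06:40:00Z
item=trade-vm-02 status=Failed start=2024-03-10T06:00:00Z end=2024-03-10T06:05:00Z error=SnapshotFailed
item=hr-sqldb status=InProgress start=2024-03-10T09:00:00Z
item=archive-vm status=Completed start=2024-03-10T01:00:00Z end=2024-03-10T08:30:00Z
"""
CHANGE_LOG = """\
time=2024-03-10T11:00:00Z op=RetentionChanged item=trade-vm-01 old=2555 new=30 actor=svc-backup-ops
time=2024-03-10T11:05:00Z op=RetentionChanged item=archive-vm old=35 new=90 actor=alice
time=2024-03-10T11:10:00Z op=ProtectionStopped item=hr-sqldb actor=svc-backup-ops
"""


def run_sample() -> List[Alert]:
    """Evaluate both constructed logs and return every alert in order."""
    jobs = [parse_record(line) for line in JOB_LOG.splitlines()]
    changes = [parse_record(line) for line in CHANGE_LOG.splitlines()]
    return evaluate_jobs(jobs, NOW) + evaluate_changes(changes)


if __name__ == "__main__":
    for a in run_sample():
        print(f"[{a.route:<15}] {a.kind:<20} {a.item:<12} {a.detail}")
```

The retention increase on archive-vm produces no alert: only changes that shorten retention or stop protection are escalated.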
| BR-4 |
nan |
Regularly test backup |
Parent |
Recovery readiness |
No Azure Policy available |
Periodically validate backup configurations and recovery procedures through structured testing ensuring backup data integrity and recovery capability meet defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Test recovery procedures at appropriate frequency balancing operational impact with recovery confidence. |
Organizations neglecting regular backup testing discover backup inadequacies only during actual disasters when recovery fails. |
Impact (TA0040): data destruction (T1485) and inhibit system recovery (T1490) causing maximum damage when untested backup configurations fail during recovery. |
A financial services organization assumed their Azure backup strategy was adequate until a ransomware incident affecting their Azure SQL databases and Azure App Services revealed critical gaps in recovery procedures and significantly longer restoration times than expected. |
Should have |
CP-4, CP-4(1), CP-9(7), CP-10 |
12.10.6 |
11.4, 11.5 |
PR.IP-9, RC.RP-1 |
A.5.30, A.8.13 |
A1.3, CC9.1 |
Without backup testing: Incomplete backup configurations: Backup jobs complete successfully but capture incomplete data sets missing critical components discovered only during recovery attempts causing extended downtime. Recovery procedure failures: Documented recovery procedures contain errors, missing steps, or incorrect commands failing during high-pressure disaster scenarios when mistakes are costly. RTO/RPO violations: Actual recovery time significantly exceeds defined objectives due to unexpected complications, infrastructure limitations, or procedural inefficiencies discovered during testing. Corrupted backup data: Backup data contains corruption, inconsistencies, or errors rendering recovery impossible despite successful backup job completion and monitoring. Skills and knowledge gaps: Staff lack practical recovery experience leading to errors, delays, and poor decisions during actual disaster recovery when expertise is critical. Dependency identification failures: Application dependencies and configuration requirements unknown until recovery attempt causing ca |
Challenge: Untested backup configurations, undocumented recovery procedures, and an unfamiliar operations team resulted in extended downtime during a security incident. Business continuity plans proved unrealistic when actual recovery capabilities were tested under pressure. |
Solution approach: Structured testing program: Established quarterly Azure SQL Database and Azure App Service recovery tests validating complete restoration. Documented actual recovery time revealing gaps preventing target RTO achievement. Incremental recovery validation: Performed monthly Azure Files share-level restore tests confirming rapid recovery capability. Validated Azure Cosmos DB point-in-time restore granularity for transaction data. Disaster recovery scenarios: Executed Azure Site Recovery failover tests and full infrastructure restoration to isolated environments validating backup completeness and application dependencies. Team readiness: Trained operations team through quarterly hands-on recovery drills using Azure Backup and Azure Site Recovery, substantially reducing average recovery time through improved familiarity with Azure recovery tools. Continuous improvement: Documented numerous improvements from testing including Azure Automation runbook opportunities and documentation gaps. Updated runbooks with automated database refresh and application redeployment scripts. |
Outcome: The organization significantly reduced Azure workload recovery time through automation developed during testing exercises. Regular testing revealed unrealistic recovery objectives which were adjusted to achievable targets, ensuring business continuity plans reflected operational reality. |
| BR-4 |
BR-4.1 |
Implement backup recovery testing |
Child |
Recovery readiness |
No Azure Policy available |
Periodically validate backup configurations and recovery procedures through structured testing ensuring backup data integrity and recovery capability meet defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Test recovery procedures at appropriate frequency balancing operational impact with recovery confidence. |
Backup systems validating data capture but never testing recovery create unverified assumptions about restoration capabilities that fail catastrophically during actual disasters when backup corruption, configuration errors, or procedure gaps prevent successful recovery. Regular recovery testing transforms theoretical backup protection into validated capability by identifying integrity issues, procedure deficiencies, and infrastructure limitations before critical business incidents. Measuring actual recovery time against business requirements ensures recovery objectives remain achievable as systems evolve rather than discovering missed targets during production outages. Validate backup effectiveness through structured recovery testing: Establish structured backup recovery testing program validating data integrity, recovery procedures, and time objectives. Recovery testing strategy: Define testing scope: Establish recovery testing scope including full system recovery for Tier 1 applications, database recovery for Tier 2 applications, and file-level recovery for Tier 3 resources balancing thoroughness with operational impact. Schedule regular tests: Conduct recovery tests quarterly for critical systems, semi-annually for standard systems, and annually for less critical systems ensuring regular validation without excessive operational burden. Test different recovery scenarios: Validate multiple recovery scenarios including point-in-time restore, cross-region failover, individual file |
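The strategy above asks for a test record that can be held against the objectives set for each tier. The following is an added example, not code from the baseline: it scores a recovery test on three counts (the data-loss window between the restored recovery point and the simulated incident against RPO, the time from incident declaration to a passing smoke test against RTO, and a digest comparison of a reference data set against what the restore returned) and computes the next due date from the quarterly, semi-annual or annual cadence the text assigns to each tier. The RTO and RPO values per tier, the system names and the test records are constructed, and the small byte strings stand in for whatever checksum a team would take of real restored content.

```python
"""Score backup recovery tests against tiered RTO/RPO objectives and an integrity check.

Added example, not part of the baseline document. The per-tier scope and test
cadence follow the baseline text (full system quarterly, database semi-annually,
file-level annually); the RTO/RPO values, system names, timestamps and reference
data sets are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
import hashlib

# Assumed objectives per tier; cadence_days drives the "next test due" date.
TIER_OBJECTIVES = {
    1: {"scope": "full system", "rto": timedelta(hours=4), "rpo": timedelta(minutes=15), "cadence_days": 91},
    2: {"scope": "database", "rto": timedelta(hours=8), "rpo": timedelta(hours=1), "cadence_days": 182},
    3: {"scope": "file-level", "rto": timedelta(hours=24), "rpo": timedelta(hours=24), "cadence_days": 365},
}


def sha256_hex(data: bytes) -> str:
    """Digest used to compare a reference data set with the restored copy."""
    return hashlib.sha256(data).hexdigest()


@dataclass(frozen=True)
class RecoveryTest:
    system: str
    tier: int
    recovery_point: datetime     # timestamp of the backup that was restored
    incident_declared: datetime  # start of the simulated outage
    service_restored: datetime   # when the restored system passed its smoke test
    source_digest: str           # digest of a reference data set captured at recovery_point
    restored_digest: str         # digest of the same data set read back from the restore


def evaluate(test: RecoveryTest) -> dict:
    """Measure actual RTO and RPO, check integrity, and schedule the next test for the tier."""
    objective = TIER_OBJECTIVES[test.tier]
    actual_rto = test.service_restored - test.incident_declared
    actual_rpo = test.incident_declared - test.recovery_point  # data that would have been lost
    rto_met = actual_rto <= objective["rto"]
    rpo_met = actual_rpo <= objective["rpo"]
    integrity_ok = test.source_digest == test.restored_digest
    return {
        "system": test.system,
        "tier": test.tier,
        "scope": objective["scope"],
        "actual_rto_minutes": int(actual_rto.total_seconds() // 60),
        "actual_rpo_minutes": int(actual_rpo.total_seconds() // 60),
        "rto_met": rto_met,
        "rpo_met": rpo_met,
        "integrity_ok": integrity_ok,
        "passed": rto_met and rpo_met and integrity_ok,
        "next_test_due": (test.service_restored + timedelta(days=objective["cadence_days"])).date(),
    }


def failed_systems(tests):
    """Names of systems whose most recent test missed an objective or failed integrity."""
    return sorted(r["system"] for r in map(evaluate, tests) if not r["passed"])


# Constructed reference data sets (stand-ins for a checksum over real rows or files).
ORDERS_ROWS = b"order_id,total\n1001,49.90\n1002,12.00\n"
HR_ROWS = b"emp_id,name\n7,Example Person\n"
FILES_MANIFEST = b"reports/q1.pdf\nreports/q2.pdf\n"

SAMPLE_TESTS = [
    # Tier 1: restore finished, data intact, but 5h20m against a 4h RTO.
    RecoveryTest("orders-sql", 1, datetime(2025, 3, 10, 1, 0), datetime(2025, 3, 10, 1, 10),
                 datetime(2025, 3, 10, 6, 30), sha256_hex(ORDERS_ROWS), sha256_hex(ORDERS_ROWS)),
    # Tier 2: within both objectives and intact.
    RecoveryTest("hr-db", 2, datetime(2025, 3, 10, 2, 0), datetime(2025, 3, 10, 2, 30),
                 datetime(2025, 3, 10, 7, 15), sha256_hex(HR_ROWS), sha256_hex(HR_ROWS)),
    # Tier 3: fast restore, but the share came back missing a file (the "successful job,
    # incomplete data set" case the baseline warns about).
    RecoveryTest("reports-files", 3, datetime(2025, 3, 10, 0, 0), datetime(2025, 3, 10, 9, 0),
                 datetime(2025, 3, 10, 11, 0), sha256_hex(FILES_MANIFEST), sha256_hex(b"reports/q1.pdf\n")),
]


if __name__ == "__main__":
    for result in map(evaluate, SAMPLE_TESTS):
        print(result)
    print("failed:", failed_systems(SAMPLE_TESTS))
```

The digest check is deliberately on a fixed reference set rather than the whole restored volume: it is cheap enough to run at every test and still distinguishes a restore that returned different data from one that merely finished.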
| BR-4 |
BR-4.2 |
Validate disaster recovery capabilities |
Child |
Recovery readiness |
No Azure Policy available |
Periodically validate backup configurations and recovery procedures through structured testing ensuring backup data integrity and recovery capability meet defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO). Test recovery procedures at appropriate frequency balancing operational impact with recovery confidence. |
Individual backup recovery tests validate technical capability but disaster scenarios require coordinated recovery of multiple interdependent systems with complex dependencies that single-system testing cannot validate. End-to-end disaster recovery testing reveals organizational readiness gaps including team coordination failures, communication breakdowns, and undocumented dependencies that prevent successful recovery despite technically sound backups. Tabletop exercises, failover drills, and business continuity validation ensure teams can execute coordinated recovery under stress rather than discovering procedural gaps during actual disasters when time pressures amplify errors. Validate organizational disaster preparedness through comprehensive exercises: Test end-to-end disaster recovery scenarios validating organizational readiness for major incidents requiring complete system recovery. Disaster recovery testing: Conduct tabletop exercises: Perform tabletop disaster recovery exercises simulating various disaster scenarios validating team coordination, decision-making processes, and communication procedures. Execute failover drills: Test cross-region failover capabilities activating backup infrastructure in secondary regions validating geo-redundancy effectiveness and recovery procedures. Validate business continuity: Ensure recovered systems support business operations testing application functionality, user access, integration points, and performance requirements. Test recovery |
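Coordinated recovery starts from knowing which systems must come back before which others. The following is an added example, not code from the baseline: given a plan listing each system's restore duration and dependencies, it flags dependencies on systems the plan never documents and circular dependencies, groups systems into waves that can be restored in parallel, and reports the critical path that bounds end-to-end recovery time against an assumed business RTO. The plan, its durations and system names, and the four-hour RTO are all constructed.

```python
"""Recovery ordering and critical-path timing for a multi-system disaster recovery plan.

Added example, not part of the baseline document. The plan below is constructed:
system names, dependencies and per-system restore durations are illustrative,
and the four-hour business RTO is an assumed target.
"""
from collections import deque

# Constructed plan: system -> (restore duration in minutes, systems it depends on).
# A system's restore can start only once every dependency has been restored.
SAMPLE_PLAN = {
    "directory":     (60,  []),
    "network":       (30,  []),
    "sql-orders":    (120, ["network"]),
    "storage-files": (45,  ["network"]),
    "app-orders":    (40,  ["sql-orders", "directory", "storage-files"]),
    "web-portal":    (20,  ["app-orders"]),
}

# Same plan with a "reporting" system that depends on a warehouse nobody put in the
# plan: the kind of undocumented dependency an end-to-end drill is meant to surface.
PLAN_WITH_GAP = dict(SAMPLE_PLAN, reporting=(30, ["sql-orders", "warehouse"]))

BUSINESS_RTO_MINUTES = 4 * 60  # assumed target for the whole service


def plan_findings(plan):
    """Return readable problems: dependencies on undocumented systems and circular dependencies."""
    findings = []
    for system, (_, deps) in plan.items():
        for dep in deps:
            if dep not in plan:
                findings.append(f"{system} depends on undocumented system '{dep}'")
    # Kahn's algorithm over the documented systems; anything never reached sits in a cycle.
    indegree = {s: sum(1 for d in deps if d in plan) for s, (_, deps) in plan.items()}
    ready = deque(sorted(s for s, n in indegree.items() if n == 0))
    seen = 0
    while ready:
        current = ready.popleft()
        seen += 1
        for system, (_, deps) in plan.items():
            if current in deps:
                indegree[system] -= 1
                if indegree[system] == 0:
                    ready.append(system)
    if seen < len(plan):
        stuck = sorted(s for s, n in indegree.items() if n > 0)
        findings.append("circular dependency among: " + ", ".join(stuck))
    return findings


def recovery_waves(plan):
    """Group systems into waves that can be restored in parallel.

    Wave k holds the systems whose dependencies all sit in earlier waves.
    Assumes plan_findings(plan) returned no findings."""
    wave = {}

    def wave_of(system):
        if system not in wave:
            _, deps = plan[system]
            wave[system] = 1 + max((wave_of(d) for d in deps), default=0)
        return wave[system]

    for system in plan:
        wave_of(system)
    grouped = {}
    for system, k in wave.items():
        grouped.setdefault(k, []).append(system)
    return [sorted(grouped[k]) for k in sorted(grouped)]


def critical_path(plan):
    """Return (total minutes, path) for the longest dependency chain, assuming every
    system is restored as soon as its dependencies are up. Assumes a valid plan."""
    finish, via = {}, {}

    def finish_of(system):
        if system not in finish:
            duration, deps = plan[system]
            slowest = max(deps, key=finish_of, default=None)
            finish[system] = duration + (finish[slowest] if slowest else 0)
            via[system] = slowest
        return finish[system]

    last = max(plan, key=finish_of)
    path = []
    while last is not None:
        path.append(last)
        last = via[last]
    return finish[path[0]], list(reversed(path))


def rto_met(plan, rto_minutes=BUSINESS_RTO_MINUTES):
    """True when the critical path fits inside the business RTO."""
    return critical_path(plan)[0] <= rto_minutes


if __name__ == "__main__":
    print("findings:", plan_findings(PLAN_WITH_GAP))
    print("waves:", recovery_waves(SAMPLE_PLAN))
    print("critical path:", critical_path(SAMPLE_PLAN), "RTO met:", rto_met(SAMPLE_PLAN))
```

The durations are where a drill feeds back into the plan: replacing the estimates with the times measured during a failover exercise shows whether the critical path, not just each system in isolation, still fits the RTO.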