Backup and encryption while protecting confidential information in the Russian Federation
The purpose of this article is to show how to properly back up encrypted folders so that the files in them remain encrypted.
Imagine that we have a typical enterprise (Fig. 1). As in many similar organizations, our organization uses the well-known 1C: Enterprise, the database of which is stored on the server shown in the illustration.
Fig. 1. Scheme of a fictional enterprise
')
Since the 1C: Enterprise database contains the confidential information being processed, it is necessary to protect it from unauthorized access. For this, we decided to encrypt the 1C database.
After encryption, the 1C database files on the server will be stored in an encrypted state. Encryption will be implemented by means of the CyberSafe Top Secret program. It is clear that once there is data, you need to back them up. That's just the data we will have is not simple, but encrypted.
Further in this article will be told:
The bundle of software we use (CyberSafe Top Secret and Acronis Backup & Recovery programs) was chosen for a reason. We implement the requirements of the legislation on the protection of confidential information (which includes personal data). If you have ever been interested in the protection of personal data, then you are probably familiar with two main regulations:
We complied with the requirements of the legislation regarding the periodic backup of processed data, as well as their protection from unauthorized access.
Backups are performed using Acronis Backup & Recovery 11 Advanced Server software, which has FSTEC certificate No. 2677 dated July 16, 2012.
Protection against unauthorized access is implemented through the use of CyberSafe Top Secret, which, together with the use of a certified CryptoPro CSP crypto-provider and a GOST algorithm for data encryption, is also considered to be a certified tool.
By the way, whatever TrueCrypt fans say, it’s still impossible to use it to protect personal data, since it is not a certified encryption tool. She has no FSTEC certificate and will never have it. As for EFS, it is considered certified only in a special version of Windows, which has a certificate of FSTEC.
If we go beyond the scope of TrueCrypt, then not only this program, but any other program that uses cryptodisks, will not be suitable for solving our task. Even if this program is certified. Earlier we wrote about the vulnerabilities of cryptodisks and if the task is solved through cryptodisks, then the cryptodisk should be protected by means of an operating system (network authentication) that is not certified (or do you have a certified version of Windows?). In addition, data from the cryptodisk over the network are transmitted in unencrypted form. To encrypt the data transmitted between the client and the server on which the cryptodisk is “shared”, you need to configure a VPN (of course, you need to use a certified solution). Consequently, the scheme based on the use of cryptodisks will be an order of magnitude more expensive than that given in this article.
For greater clarity, let's call our server, which stores the 1C database, briefly and clearly: SERVER. On the logical drive H: there is a folder 1C (H: \ 1C), in which the database 1C is stored. The folder is shared, the network path looks like this: \\ SERVER \ 1C. We need to encrypt this folder.
CyberSafe program must be installed on all computers that need to work with an encrypted folder, that is, on the administrator's computer and on the computer of all users who work with 1C.
Run the CyberSafe Top Secret program and go to the Transparent Encryption section, click the Add button . folder and add our network folder (Fig. 2).
Fig. 2. CyberSafe Top Secret Program
Click the Apply button. The Transparent Encryption window will appear, in which you need to click the Yes or Yes button for everyone if you are going to encrypt several folders at once. Next, you need to select certificates of users who will have access to the folder (you can create your own certificate in the Private Keys section, import the keys of other users in the All Keys section). Usually you need to select certificates of administrators and backup operators. In fig. 3 shows the certificate selection window. Since the program is used in a real enterprise, the email addresses of users are hidden.
Fig. 3. Choosing a certificate
After clicking the Apply button, you will be prompted to add an administrator key, click Yes . Everything, the folder is protected.
Note In the CyberSafe Top Secret program, you can add both an empty folder and a folder with files. No difference. You can encrypt an empty folder and add files to it later.
To make the encrypted folder available, you need to start the CyberSafe Top Secret program, select the folder and click the Enable button. Then the password entry window will appear. You need to enter the password of your certificate (if, of course, it was specified when encrypting the folder). When you finish working with the folder, you need to turn it off by clicking the Shut Down button.
If someone tries to open files located in an encrypted network folder from another computer (or from a computer on which the encrypted folder itself is stored), he will find that these files are encrypted.
So, the folder is encrypted. The 1C: Enterprise program can work with it as with the most ordinary folder, with the exception of a slight performance loss. The backup tool is Acronis Backup & Recovery, which is installed on our server.
This program was not chosen randomly, because Acronis during backup saves file streams, in which they store information about the keys with which the folder with the 1C database was encrypted. In addition, when using Acronis, it is not even necessary to complete the 1C process, which is required by some other backup tools.
The Acronis setting itself is simple - you need to specify what you are copying (Fig. 4) and where to copy (Fig. 5).
Fig. 4. What we copy
Fig. 5. Where to copy
Pay attention to exactly where the backup is performed: the backup is stored on the D-Link network storage.
If you are not using Acronis and another backup tool, make sure that it supports saving file streams. Even some archivers (if you do not use backup software, but create a backup manually) support file streams. For example, in WinRAR, when creating an archive, on the Advanced tab (Fig. 6), you must enable the Save file streams check box .
Fig. 6. Creating an archive
After that, the archive with the encrypted folder can be unpacked on another computer or on another hard disk. If desired, such an archive can be transferred to the addressee. For decryption, you need the destination certificate to be specified when encrypting a folder.
Why do we need all these dances with a tambourine and using the CyberSafe Top Secret program? After all, you can encrypt using the EFS folder H: \ 1C on the server and our database will also be encrypted.
And now the most important thing: everything is correct, if you perform transparent encryption of the folder with the database, the database will be encrypted, but the backup copies will not. After all, when using EFS, all programs on the server, including Acronis, will see all files encrypted using EFS decrypted. When using CyberSafe, other programs, including Acronis, see the database files initially encrypted. It is very important. I think it is not necessary to say what happens if the backup falls into the wrong hands. Files in the backup will not be encrypted, therefore, anyone can read them.
So, you already know that when using CyberSafe, the backup tool will “see” the originally encrypted files. This is the main feature of our solution. However, it should be noted and others:
Introduction
Imagine that we have a typical enterprise (Fig. 1). As in many similar organizations, our organization uses the well-known 1C: Enterprise, the database of which is stored on the server shown in the illustration.
Fig. 1. Scheme of a fictional enterprise
')
Since the 1C: Enterprise database contains the confidential information being processed, it is necessary to protect it from unauthorized access. For this, we decided to encrypt the 1C database.
After encryption, the 1C database files on the server will be stored in an encrypted state. Encryption will be implemented by means of the CyberSafe Top Secret program. It is clear that once there is data, you need to back them up. That's just the data we will have is not simple, but encrypted.
Further in this article will be told:
- How to organize transparent encryption of the network folder with the database 1C.
- How to properly back up encrypted data using Acronis Backup & Recovery, so that they remain encrypted in the backup.
- Why is it impossible to use EFS to solve our problem?
Letter of the law
The bundle of software we use (CyberSafe Top Secret and Acronis Backup & Recovery programs) was chosen for a reason. We implement the requirements of the legislation on the protection of confidential information (which includes personal data). If you have ever been interested in the protection of personal data, then you are probably familiar with two main regulations:
- Government Decree of 01.11.2012 N 1119 “On the approval of requirements for the protection of personal data when they are processed in personal data information systems”.
- Order of the FSTEC of Russia of February 18, 2013 N 21.
We complied with the requirements of the legislation regarding the periodic backup of processed data, as well as their protection from unauthorized access.
Backups are performed using Acronis Backup & Recovery 11 Advanced Server software, which has FSTEC certificate No. 2677 dated July 16, 2012.
Protection against unauthorized access is implemented through the use of CyberSafe Top Secret, which, together with the use of a certified CryptoPro CSP crypto-provider and a GOST algorithm for data encryption, is also considered to be a certified tool.
By the way, whatever TrueCrypt fans say, it’s still impossible to use it to protect personal data, since it is not a certified encryption tool. She has no FSTEC certificate and will never have it. As for EFS, it is considered certified only in a special version of Windows, which has a certificate of FSTEC.
If we go beyond the scope of TrueCrypt, then not only this program, but any other program that uses cryptodisks, will not be suitable for solving our task. Even if this program is certified. Earlier we wrote about the vulnerabilities of cryptodisks and if the task is solved through cryptodisks, then the cryptodisk should be protected by means of an operating system (network authentication) that is not certified (or do you have a certified version of Windows?). In addition, data from the cryptodisk over the network are transmitted in unencrypted form. To encrypt the data transmitted between the client and the server on which the cryptodisk is “shared”, you need to configure a VPN (of course, you need to use a certified solution). Consequently, the scheme based on the use of cryptodisks will be an order of magnitude more expensive than that given in this article.
Setting up transparent network folder encryption
For greater clarity, let's call our server, which stores the 1C database, briefly and clearly: SERVER. On the logical drive H: there is a folder 1C (H: \ 1C), in which the database 1C is stored. The folder is shared, the network path looks like this: \\ SERVER \ 1C. We need to encrypt this folder.
CyberSafe program must be installed on all computers that need to work with an encrypted folder, that is, on the administrator's computer and on the computer of all users who work with 1C.
Run the CyberSafe Top Secret program and go to the Transparent Encryption section, click the Add button . folder and add our network folder (Fig. 2).
Fig. 2. CyberSafe Top Secret Program
Click the Apply button. The Transparent Encryption window will appear, in which you need to click the Yes or Yes button for everyone if you are going to encrypt several folders at once. Next, you need to select certificates of users who will have access to the folder (you can create your own certificate in the Private Keys section, import the keys of other users in the All Keys section). Usually you need to select certificates of administrators and backup operators. In fig. 3 shows the certificate selection window. Since the program is used in a real enterprise, the email addresses of users are hidden.
Fig. 3. Choosing a certificate
After clicking the Apply button, you will be prompted to add an administrator key, click Yes . Everything, the folder is protected.
Note In the CyberSafe Top Secret program, you can add both an empty folder and a folder with files. No difference. You can encrypt an empty folder and add files to it later.
Work with an encrypted folder
To make the encrypted folder available, you need to start the CyberSafe Top Secret program, select the folder and click the Enable button. Then the password entry window will appear. You need to enter the password of your certificate (if, of course, it was specified when encrypting the folder). When you finish working with the folder, you need to turn it off by clicking the Shut Down button.
If someone tries to open files located in an encrypted network folder from another computer (or from a computer on which the encrypted folder itself is stored), he will find that these files are encrypted.
Backup Setup
So, the folder is encrypted. The 1C: Enterprise program can work with it as with the most ordinary folder, with the exception of a slight performance loss. The backup tool is Acronis Backup & Recovery, which is installed on our server.
This program was not chosen randomly, because Acronis during backup saves file streams, in which they store information about the keys with which the folder with the 1C database was encrypted. In addition, when using Acronis, it is not even necessary to complete the 1C process, which is required by some other backup tools.
The Acronis setting itself is simple - you need to specify what you are copying (Fig. 4) and where to copy (Fig. 5).
Fig. 4. What we copy
Fig. 5. Where to copy
Pay attention to exactly where the backup is performed: the backup is stored on the D-Link network storage.
If you are not using Acronis and another backup tool, make sure that it supports saving file streams. Even some archivers (if you do not use backup software, but create a backup manually) support file streams. For example, in WinRAR, when creating an archive, on the Advanced tab (Fig. 6), you must enable the Save file streams check box .
Fig. 6. Creating an archive
After that, the archive with the encrypted folder can be unpacked on another computer or on another hard disk. If desired, such an archive can be transferred to the addressee. For decryption, you need the destination certificate to be specified when encrypting a folder.
Why not use EFS?
Why do we need all these dances with a tambourine and using the CyberSafe Top Secret program? After all, you can encrypt using the EFS folder H: \ 1C on the server and our database will also be encrypted.
And now the most important thing: everything is correct, if you perform transparent encryption of the folder with the database, the database will be encrypted, but the backup copies will not. After all, when using EFS, all programs on the server, including Acronis, will see all files encrypted using EFS decrypted. When using CyberSafe, other programs, including Acronis, see the database files initially encrypted. It is very important. I think it is not necessary to say what happens if the backup falls into the wrong hands. Files in the backup will not be encrypted, therefore, anyone can read them.
Other features of our solution
So, you already know that when using CyberSafe, the backup tool will “see” the originally encrypted files. This is the main feature of our solution. However, it should be noted and others:
- Data encryption and decryption occurs on the client, and not on the server - unlike EFS, the encryption and decryption process does not occur on the server, as already noted. Therefore, if the attacker gains access to the server, there is neither encryption software nor the keys on it. Yes, CyberSafe Top Secret is not installed on the server. It is needed only on the computers of users who need to work with an encrypted folder.
- Data encryption during transmission over the network - EFS, alas, does not support data encryption over the network. This means that the data between the database server 1C and the client are transmitted in decrypted form. When using transparent CyberSafe encryption, encryption and decryption occur on clients, that is, on users' computers working with 1C. Consequently, data is transmitted over the network in encrypted form.
- Access restriction - not everyone can work with a transparent network folder, but only those whose certificates are specified when encrypting the folder - this is an additional level of data protection. Yes, access control also occurs at the system level — by setting access rights, but using certificates makes data protection even more reliable.
- We cannot back up files to network storage — we cannot encrypt a folder on the network storage (due to the lack of support for NTFS, the hard disk on the network storage is formatted as ext3), but we can back up the encrypted folder with Acronis.
- Incremental copying capability - TrueCrypt fans can argue, they say, you can create a virtual encrypted disk container, “share” it and store the 1C database in it (however, the shortcomings of this solution have already been considered earlier), and Acronis will copy the same virtual hard disk file. Such a file can easily occupy several gigabytes and every day you will have to copy it completely, even if only one file of several kilobytes in size has changed in the folder. It is possible to use such a solution, but there is no talk about any rationality, both in terms of system load and disk space usage. In the case of our solution, you can perform incremental backups, that is, copy only new and modified files. You do not need to copy the entire folder every day. An incremental solution saves disk space and reduces the overall load on the system, including the network, because it uses network storage.
Links
- State register of certified information security tools
- Order of the FSTEC of Russia of February 18, 2013 N 21
- Government Decree of 01.11.2012 N 1119 “On approval of requirements for the protection of personal data when processing them in personal data information systems”
- CyberSafe Top Secret Program
- Transparent encryption: advantages and disadvantages
Source: https://habr.com/ru/post/259323/
All Articles