hamburger icon close icon
NetApp Cloud Backup

10 End-to-End Security Features in NetApp Cloud Backup

Backups serve as a lifeline for organizations when a data loss crisis occurs. There are a few reasons that lead to data loss, such as data corruption, human error, or malware attacks. That’s why having a backup solution that ensures point-in-time recovery is essential. To guarantee a reliable backup, it’s important to ensure that your on-prem and cloud backup data is always secure and tamper-proof.

In this blog, we’ll explore the different security capabilities offered by NetApp Cloud Backup that will help protect your mission-critical data backups.

Here’s a preview of the security capabilities we’ll cover:

Features That Make Cloud Backup a Fully Secure Solution

NetApp Cloud Backup provides an efficient native backup solution that protects your on-premises or cloud ONTAP systems. Cloud Backup comes with a number of features that ensure your data backup copy remains secure throughout its lifecycle. Let's take a closer look at what they are.

1. Encryption at Rest

The backup copy stored by NetApp Cloud Backup is always encrypted at rest using AES-256 bit encryption. It integrates seamlessly with object storage encryption capabilities offered by the cloud platform, whether it’s AWS, Azure, or Google Cloud. AES-256 is one of the strongest encryption standards and uses the longest key length of 256 bits. Because of this key length, it’s practically impossible for an attacker to decrypt the data using brute force. With cloud-native encryption in AWS, Azure, and Google cloud, the keys are managed by the platform itself. Cloud Backup also provides an option for customers to manage the encryption keys, which we’ll discuss later on.

2. Encryption in Flight

In Cloud Backup, in-flight encryption of backup data that is sent to object storage uses TLS 1.2 HTTPS. This makes it more secure than its predecessors such as SSL 2.0/3.0 and TLS 1.01 and 1.2 as data transmitted across networks is more tamper-proof while using TLS 1.2. Although target object storage like AWS S3 and Azure Storage supports the earlier versions of TLS, Cloud Backup connections mandate the usage of TLS 1.2 for enhanced data security.

3. No Middleman

There is no intermediate media gateway where data is stored; the backup is done directly from ONTAP to the destination object storage, removing the risk for any middleman vulnerabilities. When backup data is staged on another device or location before getting transported to cloud object storage, the data's security is also affected by the media gateway's security. As the intermediate media gateway is eliminated in Cloud Backup, the backup data is securely transferred and stored in the cloud.

4. Customer Managed Key Support

By default, Cloud Backup’s object storage encryption-at-rest feature selects the platform-managed encryption key. However, there’s also the option to use customer-managed encryption keys for storage encryption. This feature provides additional security as the keys used for encryption are completely controlled by the customer. It uses the key management solutions offered by the cloud platforms themselves, such as AWS KMS, Azure Key Vault, or Google Cloud KMS. Access to these keys and key management services is restricted by native IAM and role-based access control mechanisms offered by the cloud platforms

5. Secure Connectivity

NetApp Cloud Backup can take backups over a private network connectivity between source and destination. For example, you can take a backup of on-prem ONTAP data to Azure blob storage over a VPN or express route connection. The data can be routed to the storage over a private endpoint that ensures all the data is transferred over private connections only. Similar constructs like VPC endpoint and private access are supported for AWS and Google Cloud, respectively. Since data traverses over private networks, there’s less of a chance for it to get intercepted by threat vectors.

6. Proxy Support

If your organization’s internet access is secured by a proxy, you can use the same one for Cloud Backup as well. Proxies act as a layer of protection preventing attackers from entering your network. Cloud Backup supports Proxy and customer certificates for both backup and restore flows as another layer of protection. 

7. SOC 2 Compliance

SOC 2 is a compliance standard followed by organizations in different industries. SOC 2 audit reports address concerns such as security, availability, processing integrity, privacy controls, and confidentiality. These reports are based on an organization’s adherence to the Technical Standards Committee (TSC) of the American Institute of Certified Public Accountants’ (AICPA) Trust Services Criteria. SOC 2 Type 2 reports evaluate the effectiveness of these controls for a specific review period. Cloud Backup is SOC 2 Type 2-certified and provides out-of-the-box compliance for this standard.

8. Customer Controlled

Backup data is always stored in a cloud environment controlled by the customer. It never leaves the perimeters of this environment. NetApp doesn’t access or manage customer data, meaning Cloud Backup users can manage access authorization for complete control over their backup data. Furthermore, access can be configured and aligned with an organization's security standards.

9. Secured Control Plane

Cloud Backup is centrally managed from the SaaS-based Cloud Manager service. Cloud Manager provides multi-tenancy and allows you to manage users and resources. It also supports role-based access control with multiple roles available that limit access permissions, such as SnapCenter admin, compliance viewer, workspace admin, and more. NetApp Cloud Backup separates data and metadata, ensuring that customer data is stored separately from the Cloud Backup control plane. Without authorized client credentials, it's impossible to retrieve and rebuild data due to block-level deduplication, which hides the structure of data at rest. Security can be further strengthened by  integrating with SSO solutions for ONTAP systems, which ensure holistic identity and access management across organizations.

10. Managed Infrastructure

Cloud Manager is delivered by default as a managed service in a SaaS model. SaaS-based managed services offer better security than on-prem backup solutions. All security aspects are managed by the service provider with best-in-class industry expertise and a regularly updated technical stack, leaving minimal room for external infiltrations to the service.

There are fewer moving parts in the architecture that could introduce vulnerabilities. As the cloud environment hosting the backup data is managed by the customer, it can be secured through cloud-native security controls like RBAC and MFA. ONTAP environments spanned across different clouds are managed securely from the Cloud Manager interface, which further reduces exposure.

To further reduce risks to the data, Cloud Manager and Cloud Backup are also able to be deployed in a software-only mode that is completely customer-managed and segmented from the internet. Read more about Cloud Backup’s dark site option.


One of the most noteworthy advantages of NetApp Cloud Backup is bolstered security. With advanced encryption mechanisms, secure connectivity, storage, and a managed control plane approach, Cloud Backup provides best-in class protection for your mission critical data.  However, that isn’t the only advantage that it provides. Some other benefits include independent immutable read-only backups, alignment with 3-2-1 backup strategy, indexed catalog for single-file search and restore, and cost optimization.

New call-to-action
Semion Mazor, Product Evangelist

Product Evangelist