3 Key Ways Druva Protects AWS Data From Insider Threats

Akshay Panchmukh, Product Manager

Following the onset of the Covid-19 pandemic, enterprises were forced to digitize overnight, creating a spark of digital revolution using cloud technologies. Per McKinsey’s reports¹, there was a 22% increase in business digitization globally from 33% to 56% as a result of the pandemic.

Numbers that speak

This shift in the approach became a new ground zero and an opportunity for ransomware attackers to breed and spread. Since the start of the pandemic, ransomware attacks have increased by nearly 500%². Cybercrime is a growing, highly successful, and profitable industry. According to Cybersecurity Ventures, cybercrime costs will grow by 15% per year to reach US$10.5 trillion by 2025: the third greatest “economy” in the world³. By 2021, weekly ransomware activity had grown 10.7 times from the previous year, according to Fortinet. Cybercriminals are also becoming more demanding, with the average ransom payment in Q1 2021 rising 43% over Q4 2020, Coveware reports⁴.

When we talk about ransomware and cyber security, we generally tend to miss one group of threats — insiders to the businesses. These can be current or previous employees or business associates with access to important internal information and enough access to put your business in danger — knowingly or unknowingly. A 2021 report from Cybersecurity Insiders also suggests that 57% of organizations feel insider incidents have become more frequent over the past 12 months⁵. The cost of insider threats (related to credential theft) for organizations in 2020 was $2.79 million. These numbers are especially scary for enterprises responsible for terabytes or petabytes of sensitive data.

Our thoughts

Insider threats are typically one of three different personalities, described below with cost data from the Ponemon institute⁶:

  • Malicious internal users: Ones who intentionally intend to harm the business.
    • The average cost per incident because of a malicious user-led attack is $604,100.
  • Negligent internal user: One who is careless without the intention to harm the business but doesn’t care about the outcome. They are the most common persona of the three.
    • The average cost per incident because of a negligent user-led attack is $277,600.
  • Accidental internal user: One who has no negative intention but accidentally interacts with malicious/ransomware content.
    • The average cost per incident because of an accidental user-led attack is $672,100.
insider threats

What motivates an insider threat?

Insiders represent a serious threat as they know which files and where to target and have the right access to manipulate or delete. They are more dangerous as they are driven by emotions in addition to financial motives.

Actor motivations

Source: Verizon report on insider threats

How Druva can help protect from insider threats?

Here at Druva, we are working hard to understand bad actors’ personas and enhance ways to restrict them from abusing privileges intentionally or unintentionally. We shortlisted some of our critical enterprise use cases and developed a solution accordingly.

Druva’s industry-leading application for AWS workload backup and disaster recovery has recently introduced new features to help protect from insider threats. Below, we walk through each feature, describe how it works, and provide use cases.

  1. Manual Deletion Prevention 
  2. Data Lock 
  3. EBS Recycle Bin 
Druva native workloads

1. Manual deletion prevention

Manual deletion prevention is a layer of immutability at the customer’s AWS account level that prevents manual deletion or import of snapshots and archival of snapshots to the S3 and EBS Snapshot archival tier if enabled on the AWS account via Druva backend support request. There are no settings on the frontend level so no configurations can be changed prior to a proper background check on the request made. 

Druva’s support would need to raise a service desk ticket to enable or disable this following all the proper authentication. This keeps your data between four walls without any doors to access it besides a request through a verified channel. The admin portal needs to be updated to allow the service desk to set these values, once set it cannot be changed back by the service desk. Druva also sends requests to required personnel if there are any attempts to manually delete, import, or archive any data from Druva’s console.

This enhances data security by ensuring:

  • No user manually performs deletion or import of backups
  • No user manually archives to S3 or EBS snapshot archive tiers
  • Specific accounts have no deletion access unless requested via the service desk
insider threats

Why you should use it?

If you plan to keep a critical account safe from the manual deletion of snapshots, you can simply enable the settings for manual deletion prevention. This will give insider threats zero level of authority to play around with your data.

Who can use it?

The feature applies to enterprise and elite customers. All admins will have access and will need to raise a service desk request to enable it.


  • Zero level AWS account access in the Druva console
  • Protection from insider threats
  • Helps with a secured high availability AWS account
  • Reduced chance of tampering in snapshots

2. Data lock

Data lock is a simple one-step feature that lets you enable a lock on the retention of snapshots created by Druva. Once a data lock is activated using a backup policy, the retention rules set on a snapshot cannot be reduced by any user.

If a policy is a data-locked policy, no matter the type of resource (EC2, EBS, RDS, EKS, DynamoDB, Redshift, etc.), it will come into effect with all resource types that Druva native workloads support. You can also view the estimated deletion date of the snapshots from the Druva console.

This enhances data security by ensuring:

  • Retention on snapshots is locked to prevent tampering or deletion
  • No manual archival to S3 tiers
  • Zero trust security to keep important data safe

Why you should use it?

More dangerous than the actions of rogue admins are the after-effects. However, it’s simple to defend against this with Druva. If you know which backup policies need to be locked with retention on snapshots, simply enable the data lock and let the snapshot be deleted naturally after serving its expected life cycle.

Having retention-locked snapshots will help to follow the company’s strict compliance and audit checking before someone unintentionally or accidentally deletes the snapshots. You can govern these settings and disable them following a verified channel checking the authenticity of the request. You can raise a service desk ticket with Druva Support and our team would check the authenticity of the request and help with disabling the setting on the policy or required snapshots.

Who can use it?

The feature applies to enterprise and elite customers. All admins have access to the feature.


  • Helps with strict compliance and audit processes
  • Quick security settings
  • Protection from insider threats at the snapshot level
  • Zero trust with governance

3. AWS EBS Recycle Bin

EBS snapshots are the point-in-time copy of your data and possibly the simplest way to make systems highly available and scalable in AWS. As easy as it is to manage the EBS snapshot, it is equally easy to delete a snapshot — creating potential issues for the organization. Druva’s AWS recycle bin feature covers you from accidental or intentional deletion of EBS snapshots and was recently launched at AWS re: Invent 2021. 

You simply need to create retention rules on snapshots or regions from your AWS console and assign bin tags to those retention rules. Druva will discover those bin tags and allow you to add them to EBS snapshots. You can roll back a required EBS snapshot within the retention period via a single click from the Druva console.

This enhances data security by ensuring:

  • Accidentally deleted EBS snapshots are recoverable
  • EBS snapshots in the recycle bin can be quickly rolled back to a previous version

Why you should use it?

There can be two scenarios — first, an inexperienced user may accidentally delete an EBS snapshot needed for compliance. If it has the recycle bin tag attached, you can save this costly accident and roll back the data. Second, the effects of a malicious user targeting EBS snapshots for deletion would be prevented by bin tags on the snapshots. Admins can save the day by reviving those snapshots from the Druva console.

Who can use it?

The feature applies to enterprise and elite customers. All admins have access to the feature.


  • Easy to add bin tags
  • One-click revival
  • Prevents accidental deletion of EBS snapshots

Last few words 

We at Druva aim to provide a best-in-class 100% SaaS product. These security features help make your life easy by increasing resilience to malicious insiders. Druva does this by enabling configurations to protect your data and snapshots from insider threats. Even if they gain access to EBS snapshots, you have another method of defense and chance to roll back from the AWS recycle bin.


We’re excited to announce that these security features—including manual deletion prevention, and AWS EBS recycle bin—are available to all elite and enterprise customers for AWS workloads today. Our Data Lock feature will be available to all elite and enterprise customers in early September 2022.

Learn more about what Druva can do for your AWS environment on the Druva website.



¹ McKinsey & Company, “How COVID-19 has pushed companies over the technology tipping point—and transformed business forever,” 5 October 2020. ² Bitdefender, “2020 Consumer Threat Lnadscape Report,” 25 March 2021. ³ Cybersecurity Ventures, “Global Cybercrime Damages Predicted To Reach $6 Trillion Annually By 2021,” 26 October 2020. ⁴ Coveware, “Ransomware Attack Vectors Shift as New Software Vulnerability Exploits Abound,” 26 April 2021. ⁵ Cybersecurity Insiders, “2022 Insider Threat Report,” 27 January 2022. ⁶ Ponemon Institute, “2020 Cost of Insider Threats Global Report,” 29 January 2020.