Credential Handling
- Use least-privilege credentials only
- Do not use root/admin cloud credentials
- Rotate keys periodically
Access Control
- Restrict who can access your backup bucket/folder
- Use IP allow-lists where supported
Encryption
- Prefer providers with encryption at rest
- Always use TLS/HTTPS endpoints
Separation of Duties
Keep at least one backup in a separate provider/account to reduce the risk of a single compromise wiping everything.