
Aligning Cyber Essentials Plus Storage Requirements with Sovereign Cloud

04.10.2025 | 10 minute read

Thomas Demoor, CTO Impossible Cloud
How to build a resilient data storage strategy that meets the spirit of Cyber Essentials Plus using sovereign, immutable cloud solutions.

Securing Cyber Essentials Plus certification is a key goal for UK organizations, demonstrating a verified commitment to cyber resilience. The framework focuses on five core technical controls to prevent attacks, but a common point of confusion is data storage. While specific storage solutions are not mandated, the ability to recover from an incident is fundamental to the scheme's purpose. A robust strategy for your data storage and backups is therefore essential. This article explains the implicit storage requirements of Cyber Essentials Plus and how to build a modern, compliant, and ransomware-proof foundation using sovereign cloud storage.

Key Takeaways

  • Cyber Essentials Plus does not mandate specific backup controls, but a resilient recovery strategy based on secure, off-site storage is essential to meet the scheme's objectives.
  • The NCSC recommends using cloud storage that supports immutable versions of files to protect backups from ransomware, a feature delivered by Impossible Cloud's Object Lock.
  • A sovereign, UK-only cloud storage solution ensures GDPR compliance and avoids CLOUD Act exposure, aligning with the data protection principles of Cyber Essentials Plus.

Deconstructing the Role of Storage in Cyber Essentials Plus

The Cyber Essentials Plus (CE+) scheme, backed by the UK government, mandates a hands-on audit of five technical controls: firewalls, secure configuration, access control, malware protection, and patch management. Interestingly, data backup is not one of these five testable controls; it is a recommendation. The scheme's primary focus is on defensive measures to prevent a breach. A successful attack, however, makes your recovery capability, which hinges entirely on your backup storage, the most critical part of your business continuity plan. The average cost of a breach for small UK businesses has increased by 249% in recent years, making recovery a vital focus. Therefore, while you won't fail an audit for using a specific type of storage, an inadequate backup strategy undermines the entire purpose of the certification. This reality shifts the focus to building a resilient data foundation that can withstand a worst-case scenario.

Building a Resilient Backup Strategy for CE+ Alignment

The National Cyber Security Centre (NCSC) recommends a clear strategy for data resilience. This guidance, while not a formal requirement, outlines a best-practice approach that auditors recognise as a sign of security maturity. Adhering to these principles demonstrates a commitment beyond the minimum required controls. A key recommendation is using cloud storage for your off-site backup copy. The German Federal Office for Information Security (BSI) also highlights that a documented backup strategy is mandatory for commercial IT systems. Following these guidelines is crucial for a successful security posture. Here are the core recommendations:

  • Follow the 3-2-1 Rule: Maintain at least three copies of your data on two different media types, with one copy stored off-site.
  • Leverage Cloud Storage: The NCSC explicitly identifies cloud storage as a perfect solution for the off-site copy.
  • Isolate Backups: Ensure backup devices are not permanently connected to the network, as ransomware actively targets connected backups.
  • Test Your Restores: The NCSC recommends testing your restore process at least monthly to ensure backups are viable.

This framework provides a clear path to designing a storage system that supports the goals of Cyber Essentials Plus.

The Critical Role of Immutability and Data Sovereignty

To truly defend against modern threats like ransomware, your backup storage needs specific technical capabilities. The NCSC advises that your chosen cloud service should save files as immutable versions each time there is a change. Immutability, or WORM (Write-Once-Read-Many), makes data unchangeable and undeletable for a set period. This provides a guaranteed-clean copy of your data for recovery, even if your live systems are compromised. Impossible Cloud's Object Lock feature delivers this capability, creating a powerful defence against ransomware. Furthermore, data sovereignty is a growing concern for UK businesses. Storing data in UK-only data centers ensures compliance with GDPR and avoids exposure to foreign laws like the US CLOUD Act. This aligns with the CE+ goal of protecting data integrity by keeping it under a consistent legal framework.

Achieving Compliance with an Enterprise-Ready Architecture

A CE+ audit is a technical verification, and your storage platform must stand up to scrutiny. Impossible Cloud is built on an enterprise-ready architecture designed for this purpose. It offers 100% S3 API compatibility, ensuring seamless integration with your existing backup tools like Veeam or NovaBackup without costly rewrites. The platform's Identity and Access Management (IAM) features, including MFA and role-based access control, directly support the 'User Access Control' principle of Cyber Essentials. All data is encrypted in transit and at rest, fulfilling another core security expectation. Our architecture is built for consistency and eliminates single points of failure, ensuring your secure cloud backups are always available for a restore test or a real emergency.

Simplifying Recovery with an 'Always-Hot' Storage Model

The NCSC's recommendation to test restores monthly means that recovery drills must be fast and efficient. Traditional cloud storage often uses complex tiering, where data is moved to slower, cheaper storage over time. Restoring from these 'cold' tiers can cause significant delays and surprise fees, making regular testing impractical. Impossible Cloud employs an 'Always-Hot' architecture, where 100% of your data is immediately accessible. This model simplifies operations, provides predictable performance, and eliminates restore delays. It ensures you can meet recovery time objectives (RTOs) without friction, strengthening your overall compliance posture. Predictable costs, with no egress fees or API call charges, also mean that testing your restores never results in an unexpected bill.

A Partner-Ready Solution for MSPs and Resellers

For Managed Service Providers (MSPs), guiding clients through Cyber Essentials Plus certification is a significant value-add. Impossible Cloud is a partner-ready platform designed to make this process simpler and more profitable. The predictable pricing model, with zero egress fees, allows MSPs to build BaaS and DRaaS offerings with stable, defensible margins. Our multi-tenant console provides the necessary tools for managing multiple clients, including role-based access control and detailed reporting. With UK distribution through Northamber plc, we provide local access and support for our channel partners. This enables MSPs to deliver sovereign cloud solutions that are perfectly aligned with the security and compliance needs of UK businesses.

Implementing Your CE+-Aligned Storage Strategy

Transitioning to a compliant storage solution is a straightforward process. The key is to ensure your data remains protected and sovereign throughout its lifecycle. A well-planned migration minimises risk and protects your past investments in backup software and scripts. Here is a simple checklist to guide your implementation:

  1. Define Data Policies: Classify your data and define retention periods that align with both regulatory requirements and business needs.
  2. Configure Immutability: Use Object Lock to set immutability policies on your most critical backup data, making it ransomware-proof.
  3. Set Up Access Controls: Implement the principle of least privilege using IAM roles and policies to ensure only authorized personnel and applications can access data.
  4. Automate and Test: Configure your existing S3-compatible backup tools to point to the new storage endpoints and schedule automated, regular restore tests to validate the process.
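Steps 2 and 4 of this checklist are the ones an auditor can actually verify, so here is a small added example (my own code, not Impossible Cloud's) that audits a bucket's Object Lock and versioning settings against a retention policy and checks a test restore by hash. It assumes the dict shapes that boto3's `get_object_lock_configuration` and `get_bucket_versioning` return on any S3-compatible endpoint; the sample responses are constructed, not captured from a real account.

```python
# Added example (not Impossible Cloud's code): audit an S3-compatible bucket's
# Object Lock / versioning settings against a backup retention policy, and verify
# a test restore by comparing hashes. The dict shapes mirror what boto3's
# get_object_lock_configuration / get_bucket_versioning return; the sample
# responses below are constructed, not captured from a real account.
import hashlib


def audit_object_lock(lock_cfg: dict, versioning: dict, min_days: int) -> list[str]:
    """Return a list of findings; an empty list means the bucket meets policy."""
    findings = []
    cfg = lock_cfg.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        findings.append("Object Lock is not enabled on the bucket")
    # Object Lock depends on versioning: a suspended bucket cannot keep locked versions.
    if versioning.get("Status") != "Enabled":
        findings.append("bucket versioning is not Enabled")
    rule = cfg.get("Rule", {}).get("DefaultRetention")
    if not rule:
        findings.append("no default retention rule: new backups are not locked automatically")
        return findings
    # GOVERNANCE mode can be bypassed by principals holding s3:BypassGovernanceRetention;
    # COMPLIANCE mode cannot be shortened by anyone, including the account root.
    if rule.get("Mode") != "COMPLIANCE":
        findings.append(f"retention mode is {rule.get('Mode')}, expected COMPLIANCE")
    days = rule.get("Days", rule.get("Years", 0) * 365)
    if days < min_days:
        findings.append(f"default retention {days}d is below policy minimum {min_days}d")
    return findings


def verify_restore(source: bytes, restored: bytes) -> bool:
    """A restore test passes only if the restored object is byte-identical to the source."""
    return hashlib.sha256(source).digest() == hashlib.sha256(restored).digest()


# Constructed sample responses for two hypothetical buckets.
GOOD_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}}}}
WEAK_LOCK = {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
             "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 7}}}}
VERSIONING_ON = {"Status": "Enabled"}

if __name__ == "__main__":
    for name, cfg in (("backups-prod", GOOD_LOCK), ("backups-test", WEAK_LOCK)):
        print(name, audit_object_lock(cfg, VERSIONING_ON, min_days=30) or "OK")
```

In a live check, the two dicts come straight from `client.get_object_lock_configuration(Bucket=...)` and `client.get_bucket_versioning(Bucket=...)`, and the restore test feeds `verify_restore` the original file and the object fetched back from the backup bucket.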

By following these steps, you can leverage a UK data residency solution that is both powerful and easy to manage.

Secure Your Data and Achieve Certification with Confidence

Meeting Cyber Essentials Plus storage requirements is not about a single product, but about a comprehensive strategy for resilience. By choosing a sovereign cloud storage solution that is predictable, secure, and enterprise-ready, you move beyond a simple checkbox exercise. You build a foundation that genuinely protects your organisation from data loss and operational disruption. An architecture featuring immutable storage, end-to-end encryption, and UK-only data centers provides the assurances needed to pass a CE+ audit with confidence. It demonstrates a proactive approach to security that aligns with the highest standards of data protection. Ready to build your resilient, compliant storage strategy? Talk to an expert or start a free trial to see how Impossible Cloud can help you achieve your security goals.

FAQ

What is the main difference between Cyber Essentials and Cyber Essentials Plus?

Cyber Essentials is a self-assessment questionnaire. Cyber Essentials Plus includes the self-assessment but also requires a hands-on technical audit and vulnerability scan conducted by an independent, certified third party to verify that controls are implemented correctly.

Why isn't backup a formal control in Cyber Essentials?

The scheme's five controls are focused on defensive measures to prevent an attack from succeeding. Backup is considered a recovery measure for after an incident has occurred. However, it is a critical component of overall cyber resilience and is highly recommended.

Can I use my existing backup software with Impossible Cloud?

Yes. Impossible Cloud is fully S3 API compatible, meaning it works out-of-the-box with leading backup and recovery software like Veeam, Rubrik, and many others. You can continue using your existing tools without needing to rewrite scripts or change workflows.

How does Impossible Cloud help with GDPR compliance?

Impossible Cloud is a European company that stores all data exclusively in certified European data centers. This provides data sovereignty by design, helping you meet GDPR's strict requirements for data residency and processing within the EU.

What are egress fees and does Impossible Cloud charge them?

Egress fees are charges for retrieving or downloading your own data from a cloud provider. Impossible Cloud does not charge any egress fees or API call costs, which makes restoring your data during a test or a real disaster completely free and predictable.

How does 'Always-Hot' storage benefit my recovery plan?

Always-Hot storage means all your data is instantly accessible, unlike tiered systems that delay restores from 'cold' archives. This simplifies operations, speeds up recovery times, and makes it easier and more cost-effective to conduct the regular restore tests recommended by the NCSC.
