Quick tips for Veeam® Backup Security
Cyber-attacks typically have two high-level objectives. The first is to cripple business operations by encrypting vital production data; the second, a more recent trend, is the capture and exfiltration of sensitive Personally Identifiable Information (PII). Backups play a key role in defending against cyber-attacks, potentially allowing systems to be restored to a known safe point in time; yet they also present a 'one stop shop' for the acquisition of PII.
The definition of PII is broad but can be summarized as information that, if lost, compromised, or disclosed, could result in substantial harm, embarrassment, inconvenience, or unfairness to an individual. In addition, exposed PII can be used by criminals to conduct identity theft, blackmail, stalking, or other crimes against their victims.
Incidents involving a data breach are often significant enough to make the front pages, causing irreparable reputational harm to the organizations involved. In this article we look at some key areas to consider in keeping backups secure, so that they do not become an easy source for data breach campaigns.
Veeam Backup Encryption
Encryption is the key tactic employed in most ransomware attacks, so let's start by looking at Veeam encryption opportunities to beat cyber criminals at their own game.
Veeam Backup & Replication offers built-in encryption to protect the data in backups, so organizations should consider using this feature. Encryption within Veeam Backup & Replication operates at the following levels: backup jobs, backup copy jobs, VeeamZIP, and tapes in media pools. However, there are some caveats and nuances that need to be understood before enabling backup encryption.
One important point to realize is that encryption in Veeam Backup & Replication is not retroactive. If you enable encryption for an existing backup job, Veeam Backup & Replication does not encrypt the backup chain previously created by that job; during the next job session it creates a full backup file and starts a new, encrypted chain. The old, unencrypted chain therefore remains on the repository and must be separated and secured by other means (or retired once it is no longer needed).
Encryption also has a negative impact on deduplication ratios if you use a deduplicating storage appliance as your target. A new session key is generated for every job session, so encrypted data blocks sent to the appliance appear different even when they contain duplicate data. Disabling encryption achieves a higher deduplication ratio, but at the cost of reduced security. Organizations therefore need to conduct their own risk assessment in order to make an informed decision.
Veeam Database Configuration Encryption
Another source of security risk is the Backup & Replication configuration database, which stores the credentials used to connect to virtual servers and other systems in the backup infrastructure. All passwords stored in this database are encrypted; however, a user with administrator privileges on the backup server could decrypt them, which presents a potential threat.
To secure the Backup & Replication configuration database, follow these guidelines:
- Check that only authorized users can access the backup server and the server hosting the Veeam Backup & Replication configuration database (if the database runs on a remote server).
- Enable data encryption for the configuration backup to secure the sensitive data exported from the configuration database. Without it, a copy of the configuration backup gives an attacker the same credentials the database holds.
For more information visit the Veeam resource: Creating Encrypted Configuration Backups.
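The following PowerShell script is an added example, not code from the original article or from Veeam; it applies the two encryption points above (job-level backup encryption and an encrypted configuration backup) with a single encryption key. It assumes the Veeam PowerShell module is available on the backup server and that the cmdlet and property names (Get-VBRJobOptions, Set-VBRJobAdvancedStorageOptions, Set-VBRConfigurationBackupJob, EncryptionOptions.Enabled) match your Veeam Backup & Replication release; check them against the Veeam PowerShell Reference for your version before running. Without -Apply it only reports which jobs are unencrypted.

```powershell
# Added example (not from the original article or from Veeam): enable backup encryption
# on every backup / backup copy job that lacks it, and encrypt the configuration backup
# with the same key. Cmdlet and property names are assumed to match your Veeam version.
param(
    [string]$KeyDescription = "Backup encryption key (store the password offline)",
    [switch]$Apply   # without -Apply the script only reports what it would change
)

Import-Module Veeam.Backup.PowerShell -ErrorAction Stop   # module name assumed (v11+); older releases load the VeeamPSSnapin snap-in instead

# Reuse an existing key with this description, or create one from an interactively entered password.
$key = Get-VBREncryptionKey | Where-Object { $_.Description -eq $KeyDescription } | Select-Object -First 1
if (-not $key) {
    $password = Read-Host -Prompt "Enter a new backup encryption password" -AsSecureString
    $key = Add-VBREncryptionKey -Password $password -Description $KeyDescription
}

# 1. Backup and backup copy jobs. Encryption is not retroactive: the existing chain stays
#    unencrypted and the next session produces a new full backup file, so check repository space first.
$jobs = Get-VBRJob | Where-Object { $_.JobType -in @('Backup', 'BackupSync') }
foreach ($job in $jobs) {
    $opts = Get-VBRJobOptions -Job $job                                     # property path assumed
    if ($opts.BackupStorageOptions.StorageEncryptionEnabled) {
        Write-Host ("[ok]      {0,-40} already encrypted" -f $job.Name)
        continue
    }
    if ($Apply) {
        Set-VBRJobAdvancedStorageOptions -Job $job -EnableEncryption $true -EncryptionKey $key | Out-Null
        Write-Host ("[changed] {0,-40} encryption enabled; next session starts a new chain with a full backup" -f $job.Name)
    } else {
        Write-Host ("[todo]    {0,-40} NOT encrypted (run with -Apply to fix)" -f $job.Name)
    }
}

# 2. Configuration backup: the configuration database holds credentials, so the exported
#    configuration must be encrypted as well.
$cfg = Get-VBRConfigurationBackupJob
if ($cfg.Enabled -and $cfg.EncryptionOptions.Enabled) {                     # property path assumed
    Write-Host "[ok]      configuration backup already encrypted"
} elseif ($Apply) {
    Set-VBRConfigurationBackupJob -Enable -EnableEncryption -EncryptionKey $key | Out-Null
    Write-Host "[changed] configuration backup enabled and encrypted"
} else {
    Write-Host "[todo]    configuration backup not encrypted (run with -Apply to fix)"
}
```

Run it once without -Apply to get the list of unencrypted jobs, then with -Apply after confirming that the repositories have room for the new full backups and that the password has been recorded somewhere that survives a loss of the backup server; a key that exists only in the configuration database is lost together with it.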
Network Data Encryption
For complete security, data needs to be protected both 'in transit' and 'at rest'. Backup data that is encrypted and written to a backup target volume is protected 'at rest', but that data may also need protection on its journey from the source to the backup repository server. Intercepting data in the middle of a transfer is a common tactic in cybercrime, so encryption of data in transit is also vitally important.
Veeam Backup & Replication encrypts data transferred between different public networks by default. However, this is not the case for data in transit within the same network. If you wish to encrypt your internal network traffic, you must create a network traffic rule covering the source and target IP ranges and enable data encryption within that rule.
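As an added example (not code from the original article or from Veeam), the following script lists the existing Veeam network traffic rules with their encryption state and creates a rule that encrypts traffic between an internal proxy range and an internal repository range. The IP ranges are placeholders for your own subnets, and the cmdlet and property names (Get-VBRNetworkTrafficRule, New-VBRNetworkTrafficRule, EncryptionEnabled) are assumed to match your Veeam release; verify them in the Veeam PowerShell Reference before running.

```powershell
# Added example (not from the original article or from Veeam): encrypt Veeam traffic
# inside an internal network by creating a network traffic rule with encryption enabled.
# By default only traffic between different public networks is encrypted, so LAN traffic
# between proxies and repositories needs an explicit rule. IP ranges and cmdlet/property
# names below are assumptions for your environment and Veeam version.
param(
    [string]$RuleName    = "Encrypt internal backup traffic",
    [string]$SourceStart = "10.10.0.1",    # backup proxies / source data movers (placeholder range)
    [string]$SourceEnd   = "10.10.0.254",
    [string]$TargetStart = "10.20.0.1",    # backup repository servers (placeholder range)
    [string]$TargetEnd   = "10.20.0.254"
)

Import-Module Veeam.Backup.PowerShell -ErrorAction Stop   # module name assumed (v11+)

# Report what already exists: a rule that covers a path but has encryption off is a finding.
$rules = @(Get-VBRNetworkTrafficRule)
foreach ($r in $rules) {
    $state = if ($r.EncryptionEnabled) { "encrypted" } else { "NOT encrypted" }
    Write-Host ("{0,-35} {1}-{2} -> {3}-{4} : {5}" -f $r.Name, $r.SourceIPStart, $r.SourceIPEnd, $r.TargetIPStart, $r.TargetIPEnd, $state)
}

# Create the rule only if one with this name does not exist yet.
if (-not ($rules | Where-Object { $_.Name -eq $RuleName })) {
    New-VBRNetworkTrafficRule -Name $RuleName `
        -SourceIPStart $SourceStart -SourceIPEnd $SourceEnd `
        -TargetIPStart $TargetStart -TargetIPEnd $TargetEnd `
        -EncryptionEnabled | Out-Null
    Write-Host "Created rule '$RuleName' with encryption enabled."
}

# Verify the end state rather than trusting the cmdlet call: the rule must report EncryptionEnabled = True.
$check = Get-VBRNetworkTrafficRule | Where-Object { $_.Name -eq $RuleName }
if (-not $check) { throw "Rule '$RuleName' was not created" }
if (-not $check.EncryptionEnabled) { throw "Rule '$RuleName' exists but encryption is not enabled" }
Write-Host "Rule '$RuleName' verified: traffic in this range is encrypted in transit."
```

Traffic rules match on the IP addresses of the two data movers (source proxy and target repository or gateway), so the ranges must cover those hosts, not the protected VMs. Enabling encryption costs CPU on both ends; on a busy LAN it is usually still cheaper than explaining a backup stream captured off the wire.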
Physical Security
Physical access security for company IT assets and networks is of course a huge topic, and the techniques available will depend on the size of the organization and the physical real estate available to house equipment. Here are some guidelines that can be implemented in most scenarios:
- If you are using equipment racks, whether in a datacentre or onsite within your office, lock these racks by default.
- Be smart about physical equipment placement. For example, do not place the Veeam repository server(s) in the same rack or racks as your production storage or hypervisor hardware, so that one intruder with one key does not reach both production and backups.
- Implement role-based physical access controls following the principle of least privilege: give people exactly the physical access they need to do their job. For example, a web development team does not need access to racks containing backup servers, and likewise a backup systems administrator does not need access to development platforms.
Of course many organizations are not in a position to have their own datacentre, or want the overhead of maintaining one. Regardless of whether you are renting datacentre space, or just using an Infrastructure as a Service (IaaS) model, always check how the physical security is arranged to ensure it fits with your security policy.
Reducing Your Attack Surface
The task of reducing the opportunities for a cyberattack is known as reducing your attack surface. It involves removing as many as possible of the potential vulnerabilities that exist within your IT ecosystem, including physical access as described above, in addition to network and application vulnerabilities.
In our earlier article The Blocky for Veeam® - 5 Step Guide to a Safer Network we looked at the issues around the Microsoft Remote Desktop Protocol and how in some instances it can leave a door open for cyber criminals. To improve backup security, remove as many unwanted software applications, protocols, and unnecessary application features as possible to further reduce your attack surface.
Removal of all non-essential applications and features within your Veeam deployment is part of the Infrastructure Hardening process and should be applied to Veeam Backup & Replication installations.
While many utilities may offer useful features to the backup administrator, if they provide 'back-door' access to the system they should be removed. Also consider additional software such as web browsers and Java on your repository servers. Anything that does not belong to the operating system or to an active Veeam component should be removed. This also makes software patch-level maintenance much easier, because there is less to patch.
For the Veeam Backup & Replication Server the following hardening procedures should be considered at a minimum:
- Remove the Backup & Replication Console from the Veeam Backup & Replication server. The console is installed locally on the backup server by default.
- Switch off the Veeam vPower NFS Service if you do not plan on using the following Veeam features: SureBackup, Instant Recovery, or Other-OS File Level Recovery (FLR) operations.
Be aware that the Backup & Replication Console cannot be removed through the installer or by using Add/Remove Programs in Windows, and that all Veeam Explorers must be uninstalled before the console can be removed. Refer to the Veeam Help Center documentation for your current version of Veeam Backup & Replication for the procedure.
Another target for the hardening process is Veeam Backup Enterprise Manager (Enterprise Manager), a management and reporting component that allows you to manage multiple Veeam Backup & Replication installations from a single web console. It is an additional web-facing service, so when Enterprise Manager is not in use, uninstall it and remove it from your environment.
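To turn the hardening points above into a repeatable check, here is an added audit script (not code from the original article or from Veeam). It lists installed software from the standard Windows uninstall registry keys, flags the Veeam console, Veeam Explorers and Enterprise Manager for review, highlights common non-essential software such as browsers and Java, and optionally disables the vPower NFS service. The Veeam product display names are matched by prefix and the service name VeeamNFSSvc is the one used by the Veeam vPower NFS Service; both are assumptions to verify against your installation before acting on the output. Run it from an elevated PowerShell session on the backup server.

```powershell
# Added example (not from the original article or from Veeam): audit a Veeam Backup &
# Replication server against the hardening points above. Registry paths and Get-Service
# are standard Windows; the Veeam display-name prefixes and the VeeamNFSSvc service name
# are assumptions to confirm against your own installation.
param(
    [switch]$DisableNfs   # set only if SureBackup, Instant Recovery and other-OS FLR are not used
)

# Installed software is listed from both the 64-bit and 32-bit uninstall keys.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
)
$apps = Get-ItemProperty $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName } |
    Select-Object DisplayName, DisplayVersion, Publisher -Unique |
    Sort-Object DisplayName

# Veeam components the article says to remove from the backup server when not needed.
$veeamReviewItems = @{
    'Veeam Backup & Replication Console' = 'remove from the backup server (uninstall all Veeam Explorers first; see Veeam docs)'
    'Veeam Explorer'                     = 'uninstall before the console can be removed'
    'Veeam Backup Enterprise Manager'    = 'uninstall if not used for multi-server management'
}
# Typical non-essential software found on backup and repository servers (assumed list, extend as needed).
$unwantedPatterns = @('Java', 'Google Chrome', 'Mozilla Firefox', 'Adobe', '7-Zip', 'Notepad++', 'TeamViewer')

Write-Host "=== Veeam components to review ==="
foreach ($app in $apps) {
    foreach ($prefix in $veeamReviewItems.Keys) {
        if ($app.DisplayName -like "$prefix*") {
            Write-Host ("[review]  {0,-55} {1}" -f $app.DisplayName, $veeamReviewItems[$prefix])
        }
    }
}

# Microsoft-published entries (OS components, VC++ runtimes Veeam depends on) are skipped here;
# review them separately rather than removing them blindly.
Write-Host "`n=== Non-Veeam, non-Microsoft software (attack surface) ==="
foreach ($app in $apps) {
    if ($app.Publisher -like 'Veeam*' -or $app.Publisher -like 'Microsoft*') { continue }
    $matched = $unwantedPatterns | Where-Object { $app.DisplayName -like "*$_*" }
    $flag = if ($matched) { '[remove?]' } else { '[check]  ' }
    Write-Host ("{0} {1,-55} {2} ({3})" -f $flag, $app.DisplayName, $app.DisplayVersion, $app.Publisher)
}

Write-Host "`n=== Veeam vPower NFS Service ==="
$nfs = Get-Service -Name 'VeeamNFSSvc' -ErrorAction SilentlyContinue   # service name assumed
if (-not $nfs) {
    Write-Host "vPower NFS service is not installed on this host."
} elseif ($DisableNfs) {
    Stop-Service -Name $nfs.Name -Force
    Set-Service  -Name $nfs.Name -StartupType Disabled
    Write-Host ("{0} stopped and set to Disabled." -f $nfs.DisplayName)
} else {
    Write-Host ("{0}: status {1}, startup {2}. Re-run with -DisableNfs if SureBackup, Instant Recovery and other-OS FLR are not used." -f $nfs.DisplayName, $nfs.Status, $nfs.StartType)
}
```

The script deliberately reports rather than uninstalls: removing the console and Explorers has a documented order of operations in the Veeam Help Center, and whether vPower NFS can be disabled depends on whether anyone relies on Instant Recovery or SureBackup, which only the backup team can answer. Schedule the audit to run after each Veeam upgrade, since upgrades can reinstall components you previously removed.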
Cyber security can seem a daunting task with so many loopholes to plug, but with a systematic approach you can achieve a high level of protection for your backup environment. For any questions please get in touch through our contact form; the Blocky team are always ready to help.