ESX Virtualization


Fight Ransomware with Veeam 10 Immutability Feature

By Vladan SEGET | Last Updated: December 21, 2023


Ransomware is a real problem for everyone. Deep inside your heart you always hope that your organization won't get hit, but how do you minimize the risk? In this post, we'll see that you will soon be able to Fight Ransomware with Veeam 10 Immutability Feature and that it is dead easy to configure.

If you have a security breach on your network and the attacker suddenly has access to some privileged accounts, you know that you have a problem. Not only can your data be wiped out, but the remote backups stored on some object storage (Amazon, Azure …) also remain unprotected. You never know whether a keylogger was running somewhere on the network or even on your management workstation…

With Veeam 10 Copy mode enabled, your backup bits are copied up to the cloud on a regular basis as soon as they are created, and also when they fall out of the operational restore window that you defined on your capacity tier.

And when Veeam moves (or copies) blocks to the capacity tier, you can set an immutability flag. (It is a native function called “object lock” present within Amazon AWS, but not at Azure yet.)

This immutability prevents deletion of data, whether accidentally by admins, by malware, or by an admin with bad intentions. (Yes, even that can happen.) After you set the lock for, let's say, 3 days, your backups cannot be deleted during that period.

It is as simple as that. It is an object lock that is applied to every bit copied to the cloud storage.

Screenshot from the lab…

Now, you might have a question. What if a malicious admin changes the immutable backups back to non-immutable (he/she unchecks that box)? What's going to happen? Will all the backups protected by the object locks become vulnerable again right after? Or does the logic require that the period originally marked as immutable runs to its end, making that step simply useless, so that none of the backups of the last 3 days can be deleted?

The answer can be found at Amazon itself, as Veeam leverages, under the hood, Amazon's S3 technology called Object Lock.

And this is very powerful as nobody is able to delete that data once it's uploaded there.

To get everything working together, however, you must follow certain steps:

Let's do a quick tutorial on how to create an Amazon Bucket, get the access key details, enter those to Veeam BDR console, and configure a backup repository.

I assume that you know how to create an Amazon account and apply for an S3 storage service. As for the access, you'll need to create an Access Key which you'll enter as an external account in your Veeam Backup and Replication.

So, just quickly: this may be a really simple post, but it saves time for newcomers, as there are a few gotchas here and there along the process.

Step 0: At Amazon, go to your Name and click on the drop-down menu called My Security Credentials. Click Create New Access Key and leave the pop-up window open! (Otherwise, you won't be able to see the secret access key again.)

Then, in the Veeam console, go to Menu > Manage Cloud Credentials and enter the Access key ID and Secret Access key you have just created at Amazon into Veeam.

Step 1: Create your bucket at Amazon S3 and, during the creation, enable Versioning and Object lock there (2 checkboxes), because once your bucket is created you cannot enable the Object locking feature.

Step 2: In Veeam 10, go to Backup Repositories > Right Click > Add Backup Repository > Object Storage > Amazon S3.

Enter a meaningful name …

Then pick the Amazon account credentials you've entered into the Veeam console previously > Choose a region > Click Next

And you can then select the bucket and create a folder.
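
A check for the bucket prerequisites from Step 1 and for the retention stamped on an uploaded object, as an added example that is not part of the original post or of Veeam's tooling. The JSON samples are constructed and the function names are hypothetical; S3 stores the retain-until date on each object version, which is why that date decides whether a version can still be deleted.

```python
import json
from datetime import datetime, timezone

# Constructed sample data, shaped like the JSON the AWS CLI prints for
#   aws s3api get-bucket-versioning, get-object-lock-configuration, head-object
# (get-object-lock-configuration returns an error instead of JSON when the
#  bucket has no Object Lock configuration; pass {} in that case).
VERSIONING = json.loads('{"Status": "Enabled"}')
LOCK_CONFIG = json.loads('{"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}')
HEAD_OBJECT = json.loads(
    '{"ObjectLockMode": "COMPLIANCE",'
    ' "ObjectLockRetainUntilDate": "2020-02-04T10:00:00+00:00"}'
)


def bucket_findings(versioning, lock_config):
    """List what is missing for the bucket to hold immutable backups."""
    problems = []
    if versioning.get("Status") != "Enabled":
        problems.append("versioning is not enabled")
    cfg = lock_config.get("ObjectLockConfiguration", {})
    if cfg.get("ObjectLockEnabled") != "Enabled":
        problems.append("Object Lock is not enabled")
    return problems


def lock_state(head, now):
    """Classify one object version by the retention stamped on it."""
    mode = head.get("ObjectLockMode")
    until = head.get("ObjectLockRetainUntilDate")
    if not mode or not until:
        return "unprotected"          # no retention on this version
    retain_until = datetime.fromisoformat(until.replace("Z", "+00:00"))
    if now >= retain_until:
        return "expired"              # retention period is over, deletable
    # COMPLIANCE: nobody can delete or shorten before the date.
    # GOVERNANCE: principals with s3:BypassGovernanceRetention still can.
    return "locked" if mode == "COMPLIANCE" else "locked-bypassable"


if __name__ == "__main__":
    print("bucket problems:", bucket_findings(VERSIONING, LOCK_CONFIG) or "none")
    for day in (2, 5):  # before and after the constructed retain-until date
        now = datetime(2020, 2, day, 10, 0, tzinfo=timezone.utc)
        print(now.date(), lock_state(HEAD_OBJECT, now))
```
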

Now, the idea is not to back up your data directly to Amazon S3, as you need the possibility of fast restores from OnPrem storage. So you should configure a Scale-out Backup Repository (SOBR) with your local OnPrem storage and the Amazon repository.

This way, the capacity tier gives you the option to copy backups to the object storage as soon as they are created, and also to move backups to the object storage once they age out of the operational restore window.

SOBR needs at least one local backup repository.

Note: You can read my detailed post about copy mode feature here – Veeam Copy Mode

Veeam 10 is due to be released in a couple of weeks. The exact date is not known, but it won't be long before you read the announcement on this blog. You can be 100% sure about that. -:)

Final Words

The fact that one can protect the data by locking it is just perfect and allows enterprises to be more resilient against an “inside-man” attack or against a ransomware-type attack where the attackers gain access to higher-privileged enterprise accounts, including Veeam's admin accounts.

Veeam 10 will have support for Amazon S3 and the Immutability feature; however, other cloud vendors already support it as well. Cloudian for OnPrem storage and Wasabi as a cloud storage platform also provide native object lock features.

The Copy Mode of the Capacity Tier is definitely another plus which will be a “feature to have”. It allows you to secure your environment by separating backup files and storing them on different sites via a simple checkbox.
