Ransomware is a real problem for everyone. Deep inside, you always hope that your organization won't get hit, but how do you minimize the risk? In this post, we'll see that you will soon be able to fight ransomware with the Veeam 10 immutability feature, and that it is dead easy to configure.
If you have a security breach on your network and the attacker suddenly has access to some privileged accounts, you know that you have a problem. Not only can your data be wiped out, but the remote backups stored on some object storage (Amazon, Azure …) remain unprotected as well. You never know whether a keylogger was running somewhere on the network, or even on your management workstation…
With Veeam 10 Copy mode enabled, your backup bits are copied up to the cloud on a regular basis as soon as they are created, and also when they fall out of the operational restore window that you defined on your capacity tier.
And when Veeam moves (or copies) blocks to the capacity tier, you can set an immutability flag. (It is a native function called “object lock”, present in Amazon AWS but not in Azure yet.)
This immutability prevents deletion of data by admins by accident, by malware, or by an admin with bad intentions (yes, even that can happen). After you set the lock for, let's say, 3 days, your backups cannot be deleted during that period.
It is as simple as that. It is an object lock which is applied to every bit copied to the cloud storage.
Now, you might have a question. What if a malicious admin switches the immutable backups back to non-immutable (he/she unchecks that box)? What's gonna happen? Will all the backups protected by the object locks become vulnerable again right away? Or does the logic dictate that the period originally marked as immutable runs to its end, making that step simply useless, so that none of the backups from the last 3 days can be deleted?
The answer can be found at Amazon itself, as under the hood Veeam leverages Amazon's S3 technology called Object Lock.
And this is very powerful as nobody is able to delete that data once it's uploaded there.
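The answer to the malicious-admin question above, as an added example (not code from Veeam or Amazon): a simplified Python model of one object version under S3 Object Lock, assuming compliance-mode retention on a versioned bucket. The class, function and key names are hypothetical, and the dates are constructed.

```python
from datetime import datetime, timedelta, timezone

class AccessDenied(Exception):
    pass  # stands in for the error S3 returns when a lock blocks a request

class LockedBucket:
    """Toy versioned bucket with every version locked in compliance mode."""
    def __init__(self):
        self.retain_until = {}  # (key, version_id) -> retain-until time

    def put(self, key, now, retain_days):
        version_id = f"v{len(self.retain_until) + 1}"
        self.retain_until[(key, version_id)] = now + timedelta(days=retain_days)
        return version_id

    def delete(self, key, now, version_id=None):
        if version_id is None:
            # No version id: S3 only adds a delete marker, the data stays.
            return "delete-marker"
        if now < self.retain_until[(key, version_id)]:
            raise AccessDenied("version locked until its retain-until date")
        del self.retain_until[(key, version_id)]
        return "deleted"

    def set_retention(self, key, version_id, new_until):
        # Compliance mode: the date may move later, never earlier.
        if new_until < self.retain_until[(key, version_id)]:
            raise AccessDenied("retention cannot be shortened")
        self.retain_until[(key, version_id)] = new_until

def attempt(action, *args):  # report 'denied' instead of raising
    try:
        return action(*args) or "ok"
    except AccessDenied:
        return "denied"

def malicious_admin_scenario():
    t0 = datetime(2020, 1, 1, tzinfo=timezone.utc)  # constructed upload time
    day = timedelta(days=1)
    key = "backup/block-0001"                       # constructed object key
    bucket = LockedBucket()
    vid = bucket.put(key, t0, retain_days=3)        # the post's 3-day lock
    return {
        "plain_delete_day1": attempt(bucket.delete, key, t0 + day),
        "version_delete_day1": attempt(bucket.delete, key, t0 + day, vid),
        "shorten_to_day1": attempt(bucket.set_retention, key, vid, t0 + day),
        "extend_to_day5": attempt(bucket.set_retention, key, vid, t0 + 5 * day),
        "version_delete_day4": attempt(bucket.delete, key, t0 + 4 * day, vid),
        "version_delete_day6": attempt(bucket.delete, key, t0 + 6 * day, vid),
    }
```

The retain-until date lives on each uploaded object version, so changing a setting afterwards does not touch versions that are already locked.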
To get everything working together, however, you must follow certain steps:
Let's do a quick tutorial on how to create an Amazon bucket, get the access key details, enter those into the Veeam BDR console, and configure a backup repository.
I assume that you know how to create an Amazon account and apply for an S3 storage service. As for the access, you'll need to create an Access Key, which you'll enter as an external account in your Veeam Backup and Replication.
So just quickly: this can be a really simple post, but it saves time for newcomers, as there are a few gotchas here and there along the process.
Step 0: At Amazon, go to your Name and click on the drop-down menu called My Security Credentials. Click Create New Access Key and leave the pop-up window open!!! (Otherwise, you won't be able to see the secret access key again.)
Then, in the Veeam console, go to Menu > Manage Cloud Credentials, and enter into Veeam the Access key ID and Secret Access key you have just created at Amazon.
Step 1: Create your bucket at Amazon S3 and, during the creation, enable versioning and Object Lock there (2 checkboxes), because once your bucket is created you cannot enable the Object Lock feature.
Step 2: In Veeam 10, go to Backup Repositories > Right Click > Add Backup Repository > Object Storage > Amazon S3.
Enter a meaningful name …
Then pick the Amazon account credentials you've entered into the Veeam console previously > Choose a region > Click Next
And you can then select the bucket and create a folder.
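One way to confirm the two Step 1 checkboxes before adding the bucket to Veeam, as an added example rather than Veeam's or Amazon's code: the function accepts any client that exposes boto3's get_bucket_versioning and get_object_lock_configuration calls. StubS3 and the bucket name are constructed stand-ins so the example runs offline.

```python
def audit_veeam_bucket(s3, bucket):
    """Return a list of problems; an empty list means both checkboxes are on."""
    problems = []
    versioning = s3.get_bucket_versioning(Bucket=bucket).get("Status")
    if versioning != "Enabled":
        problems.append(f"versioning is {versioning or 'not enabled'}")
    try:
        cfg = s3.get_object_lock_configuration(Bucket=bucket)
        lock = cfg.get("ObjectLockConfiguration", {}).get("ObjectLockEnabled")
    except Exception as err:
        # S3 answers with this error code when the bucket has no lock config.
        code = getattr(err, "response", {}).get("Error", {}).get("Code")
        if code != "ObjectLockConfigurationNotFoundError":
            raise
        lock = None
    if lock != "Enabled":
        problems.append("Object Lock is not enabled")
    return problems


class StubS3:
    """Constructed stand-in for boto3.client('s3'), returning sample replies."""
    def __init__(self, versioning, lock):
        self.versioning, self.lock = versioning, lock

    def get_bucket_versioning(self, Bucket):
        # A bucket that never had versioning returns no "Status" key at all.
        return {"Status": self.versioning} if self.versioning else {}

    def get_object_lock_configuration(self, Bucket):
        if not self.lock:
            err = Exception("no Object Lock configuration")
            err.response = {"Error": {"Code": "ObjectLockConfigurationNotFoundError"}}
            raise err
        return {"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}}


def demo():
    name = "example-veeam-capacity-tier"  # constructed bucket name
    return {
        "both boxes ticked": audit_veeam_bucket(StubS3("Enabled", True), name),
        "plain bucket": audit_veeam_bucket(StubS3(None, False), name),
    }
```

Against a real account, pass `boto3.client("s3")` in place of the stub.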
Now, the idea is not to back up your data directly to Amazon S3, as you need the possibility of fast restores from OnPrem storage. So you should configure the Scale-out backup repository (SOBR) with your local OnPrem storage and the Amazon repository.
This way, the capacity tier gives you the option to copy backups to the object storage as soon as they are created, and also to move backups to the object storage once they age out of the operational restore window.
SOBR needs at least one local backup repository.
Note: You can read my detailed post about the copy mode feature here – Veeam Copy Mode
Veeam 10 shall be released in a couple of weeks. The exact date is not known, but it won't be long before you read the announcements on this blog. You can be 100% sure about that. -:)
The fact that one can protect the data by locking it is just perfect, and allows enterprises to be more resilient against an “inside-man” attack or against a ransomware-type attack where the attackers do gain access to higher-privileged enterprise accounts, including Veeam's admin accounts.
Veeam 10 will have support for Amazon S3 and the Immutability feature; however, other cloud vendors support it already as well. Cloudian for OnPrem storage and Wasabi as a cloud storage platform also provide native object lock features.
The Copy Mode of the Capacity Tier is definitely another plus which will be a “feature to have”. It allows you to secure your environment by separating backup files and storing them on different sites via a simple checkbox.