7/31/2023 0 Comments Veeam data domainYou may not need to completely reconfigure an installation to implement an offline element. The offline storage options listed above highlighted a number of options where you can implement an offline or semi-offline copy of the data. In the ransomware era, it’s a good idea to add another “1” to the rule where one of the media is offline. This is great because it can address nearly any failure scenario and doesn’t require any specific technology. The 3-2-1 rule states to have three different copies of your media, on two different media, one of which is off-site. We at Veeam have been promoting the 3-2-1 rule a lot. Storage snapshots were mentioned above as what I call a “semi-offline” technique for primary storage, but if the storage device holding backups supports this capability it may be worth leveraging to prevent ransomware attacks. Take storage snapshots on backup storage if possible These types will use a different security context for access by the Veeam processes, they are shown in the user interface as shown below:Ĥ. NFS mounts in a Linux Server functioning as a backup repository.ExaGrid deduplication appliances using the native Veeam agent.Hewlett Packard Enterprise (HPE) StoreOnce deduplication appliances using Catalyst.Data Domain deduplication appliances using DDBoost (or NFS mount when not DDBoost-enabled, though DDBoost is recommended).Here are a few examples of backup storage using different file systems (and different authentication): This additional step however can be a protection for the backup storage between operating systems. Ransomware does exist on other operating systems, to be clear. This authentication for Veeam backups and restores can be made over Linux authentication and by using a different file system (ext3, ext4, etc.) the propagation risk of ransomware is reduced. The good example here is a Linux system functioning as a repository. In the unlikely event that a domain controller would need to be fully restored, there can be an issue if the storage containing the backups is an Active Directory authenticated storage resource. The best examples here are backups of critical things like a domain controller. I have long advised Veeam customers to put some backups on storage that uses different authentication. Having different protocols involved can be another way to prevent ransomware propagation. Leverage different file systems for backup storage Offline when not being written to or read from.ģ. It’s not connected directly to the backup infrastructure and uses a different authentication mechanism. Powered off and in most situations can be a different authentication framework (for example, vSphere and Hyper-V hosts are on a different domain).Ĭan be used as recovery techniques and usually have a different authentication framework. There are a number of offline (and semi-offline) storage options for Veeam, explained below: MediaĬompletely offline when not being written or read from. One of the best defenses against propagation of ransomware encryption to the backup storage is to have offline storage. Have offline storage as part of the Availability strategy The takeaway here is to consider authentication in the design and implement as much separation as possible from production workloads. Some designs have the Veeam infrastructure not joined to the domain (for smaller environments) and for larger environments joined to a domain dedicated for tools like backup. Whatever you do, please don’t use DOMAIN\Administrator for everything! Additionally, other security contexts shouldn’t be able to access the backup storage other than the account(s) needed for the actual backup operations. The username context that is used to access the backup storage should be very closely kept and used exclusively for that purpose. This is a generic best practice and in the ransomware era it’s more important than ever. Use different credentials for backup storage The goal here is to provide options which you can implement as you see fit. Not using Veeam yet? No worries, you can take this advice and implement it accordingly.Īdditionally, it’s important to note that there is no one-size-fits-all strategy to protect your backup infrastructure from ransomware. Here are a number of tips I’ve prepared to incorporate into your designs, both new designs and existing designs using Veeam. That’s the Availability you want when things don’t go as planned, should ransomware become an issue in your data center. One important part of being resilient to ransomware is being able to recover from backups. Here at Veeam, we see customers and partners encounter ransomware in a number of situations including the data center. The ransomware threat is real and it’s much more than just a PC problem.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |