How to: Veeam Backup Environment Security Best Practice

This article outlines the best-practice security measures you can take to ensure your customers' backups are safe and secure.

The hints in this guide won't apply to all environments and may not be applicable to yours. Please contact support if you have any questions about the following:

  1. Backup Server Setup

  2. Hive Access

  3. Recycle Bin Days

  4. Encryption

  5. Cold Storage

1. Backup Server Setup

The following refers to customers utilizing Veeam Backup and Replication only. 

Securing your Veeam Backup and Replication (VBR) server is critical to operating a secure backup environment for your customers. Access to this server should be restricted on all levels, and it should be operated solely by the MSP priority engineers. As well as being best practice for performance, Probax recommends allocating no less than the necessary IOPS to run and maintain VBR software efficiently, according to Veeam's recommendations.

The following considerations should be made:

    • Where possible, allocate a physical backup server for VBR, ideally on a separate host to your production environment or, if necessary, on your hypervisor. In the event the above is not available, allocating a separate VM for managing backups and VBR operations is best practice.

    • Restrict access to Windows on the VBR server, with only dedicated backup engineers allowed to log in or provided with credentials.
    • Within Veeam, ensure VBR console login credentials are securely kept and only accessed by dedicated backup engineers. Also, enforce a policy to ensure engineers using VBR log out of the software console after use.

Veeam is set to release Veeam version 12 in Q1, 2023. With this come multiple new security features, such as VBR console MFA, auto logout periods and more.
More information in Veeam's blog.
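
One way to check the Windows access restriction above, as an added example (not Probax or Veeam code): the PowerShell below, run elevated on the VBR server, lists every member of the local Administrators and Remote Desktop Users groups that is not on an approved list. The account names in $Approved are constructed placeholders for your dedicated backup engineers.

```powershell
# Added example: audit who can log on to the VBR server's Windows.
# ASSUMPTION: $Approved holds your dedicated backup engineers; the names are constructed.
$Approved = @(
    'CORP\backup-eng-1',
    'CORP\backup-eng-2'
)

# Well-known SIDs, so the check also works on non-English Windows installs.
$Groups = @{
    'S-1-5-32-544' = 'Administrators'
    'S-1-5-32-555' = 'Remote Desktop Users'
}

function Get-UnapprovedLogonMember {
    param([string[]]$Allowed)
    foreach ($sid in $Groups.Keys) {
        try {
            $members = Get-LocalGroupMember -SID $sid -ErrorAction Stop
        } catch {
            # Orphaned SIDs or an unreachable domain can make enumeration fail;
            # report it rather than treating the group as empty.
            Write-Warning "Could not enumerate $($Groups[$sid]): $($_.Exception.Message)"
            continue
        }
        foreach ($m in $members) {
            if ($Allowed -notcontains $m.Name) {
                [pscustomobject]@{
                    Group  = $Groups[$sid]
                    Member = $m.Name
                    Type   = $m.ObjectClass      # 'Group' entries hide nested members
                    Source = $m.PrincipalSource  # Local, ActiveDirectory, ...
                }
            }
        }
    }
}

$findings = @(Get-UnapprovedLogonMember -Allowed $Approved)
$findings | Sort-Object Group, Member | Format-Table -AutoSize
Write-Output "$($findings.Count) unapproved account(s) or group(s) can log on to this server."
```

Any entry of type Group should be expanded and reviewed separately, since its members inherit the same logon rights.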

2. Account Access In Hive

Probax recommends allocating a separate VM for all backup environments, with the necessary IOPS to run and maintain VBR software. Doing so has many benefits, and allows for clean and secure utilization of Veeam's backups, separately from core customer infrastructure. The following are considerations for doing so:

    • Restrict access to the backup server, with only dedicated backup engineers allowed to utilize the VM

    • Within Veeam, ensure VBR console login credentials are securely kept and only accessed by dedicated backup engineers
    • Enforce policy to ensure engineers using VBR log out of the software console after use
    • Enable MFA for all users with access to Customer Accounts within Hive (more information in our KnowledgeBase)

3. Recycle Bin Days

'Recycle Bin Days' refers to the way in which Probax integrates Veeam's 'Insider Protection' technology into Hive, which stores any files deleted through Veeam in the cloud recycle bin for an allotted time. Probax allows users to set the number of days for which deleted data, while stored in the cloud recycle bin, will be accessible only by Probax. The days set also apply to backups removed through Hive, at the storage space level and at the account level.

This feature is completely free to use, and works to protect your data in case of accidental or malicious deletion of backup chains. (Note: Charges are still incurred for data stored in the cloud during the recycle bin day period. Please contact our sales team for more information.)
https://kb.probax.io/cloud-tasks-and-insider-protection

Customers utilising this feature will not be able to access these files directly through their VBR console until they have them mounted locally. Probax can provide these files to the local site via a restore-drive or FTPS storage space, which can then be mounted for a restore.
Contact support for more information.

4. Encryption On Cloud Backup Jobs

Encryption on jobs targeted to the Probax Veeam environment is designed to protect your data should someone gain access to your storage space or the backup files themselves. With encryption in place, a malicious actor who obtained your storage space credentials (your username, password, and DNS as set in Hive) would not be able to access, manipulate, delete, reconfigure or edit any job properties or job data. Probax recommends encryption for customers with larger backup environments, where multiple parties have access to Hive/Veeam.

    • Enforce encryption for any cloud jobs that are being actively utilised or are storing critical information

    • Store encryption keys in a password manager, with only dedicated backup engineers having access to the credential

5. Cold-storage For Long-Term Retention

Though not strictly a dedicated security measure, Probax recommends keeping long-term retention for critical servers. Doing so ensures the best possible Last Viable Backup, one that is secure and immutable in the cloud. Find out more here:
https://kb.probax.io/overview-honeycomb-cold-storage

For more assistance and advice, please email the sales/pre-sales team to organise a best-practice session.