Beat Ransomware with Double-Play Immutability from Veeam

For the last few years, I have spent a lot of effort along with others at Veeam carefully watching the industry behavior when it comes to ransomware and its devasting impact it can have on an organization. I’ve also spent a lot of time putting together a lot of great works in the form of whitepapers, webinars and other assets to get the word out. For example:

The important takeaway is that today, it is easier than ever to have backup copies ready to restore from ransomware with Veeam.

What are the Immutability Options?

I say there are more options than ever, but in fact, I’ve made a word for a backup copy that is in a state where recovery from ransomware is favorable: a copy on an ultra-resilient media. Ultra-resilient is a media type that is offline, air-gapped or immutable. Some media can in one state be all three at once, take for example WORM tape media when removed from the library.

Today, it doesn’t have to be cloud or tape only to get these levels of data comfort, there are more ways than ever to have ultra-resilient backup copies. Here’s the quick list:

  • Tape media, especially when media is removed from library or WORM
  • Veeam Cloud Connect backups with Insider Protection
  • Rotating media or removable drives that are offline
  • Immutable backups that are in a cloud target that is Veeam-Ready Object with Immutability
  • The Veeam hardened repository

What is Double-Play Immutability?

This is a way of implementing the 3-2-1 Rule with exceptional modern standards, even doing better than the 3-2-1-1-0 Rule. Check out a recent blogpost I did explaining the 3-2-1 and 3-2-1-1-0 Rule.

Double-play or even triple-play Immutability is where the implementation has two backup copies that are ultra-resilient. Let’s walk through a few examples so you can see both how easy this is and how resilient this is against ransomware. Each example has the explicit ultra-resilient copies identified with a number of first copy, second copy, third copy, etc.

Double-Play: Hardened Repository and Veeam-Ready Object with Immutability

This configuration would be leveraging the following configuration:

  • One Scale-out Backup Repository configured as followed:
  • One extent being a hardened repository
  • The capacity tier targeting a Veeam-Ready Object with Immutability provider (AWS S3 for example)
  • Copy mode configured

This is a robust configuration visualized in the diagram below:

Double-Play Immutability with the SOBR

Double-Play: Hardened Repository and Veeam Cloud Connect Backup with Insider Protection

This configuration would be leveraging the following configuration:

  • One backup repository being a hardened repository
  • A backup copy job to a Veeam Cloud & Service Provider partner offering Cloud Connect with Insider Protection

This is a robust configuration visualized in the diagram below:

Service Providers with Veeam Cloud Connect can achieve double-play copies that are ultra-resilient

Triple-Play: Hardened Repository and Veeam-Ready Object with Immutability and Tape Jobs

In baseball, a triple-play is a thing of beauty — it’s just as awesome if leveraging the following example configuration:

  • One Scale-out Backup Repository configured as followed:
  • One extent being a hardened repository
  • The capacity tier targeting a Veeam-Ready Object with Immutability provider (AWS S3 for example)
  • Copy mode configured
  • A backup to tape job configured as well

This is a robust configuration visualized in the diagram below:

Triple-Play Immutability for the Win

You can get the point that between the capabilities of the backup copy job (which there is a whole double-play immutability story there with the hardened repository site-to-site), the value of Veeam Cloud & Service Provider partners and the Veeam Ready Object with Immutability partners, it becomes very easy to add the second or third immutable copy.

Adding ultra-resilient copies without complete reconfiguration of your backup infrastructure

The examples above and some of the other ones that may make sense to you do not have to be a heavy lift to get started. This is where the Backup Copy Job and the Scale-out Backup Repository can help you out big time!

  • You can configure backup copy jobs to a newly created hardened repository or a Cloud Connect Backup target without reconfiguring your backup jobs
  • You can create a Scale-out Backup Repository and add your existing repositories to it to incorporate the copy mode as well as introduce the hardened repository with seal mode for the existing repositories.

It’s somewhat ironic that the Scale-out Backup Repository can play such a critical part in this double-play immutability story. It was initially designed to handle the situation of a backup target being full, then it was expanded to accommodate the lower cost opportunities by policies for object storage — here it is being the hero for ransomware resiliency.

Absolute Portability Drives Complete Recovery

What is really powerful here is that each copy is absolutely portable and self-describing. You only need to have the password the backups were encrypted with as part of the Veeam backup job. No part of the Veeam infrastructure is required, no servers on premises or in the cloud are needed either. These backup copies are each complete and fully recoverable only from the data they are. Additionally, there is no persistent connection back to the Veeam infrastructure to protect these copies in a ransomware scenario.

When it is this easy to have multiple ultra-resilient copies of backup data, there really is no reason not to have one, two or even three copies. Having copies that are ultra-resilient is by far the strongest best practice to drive high confidence for data recovery in a ransomware scenario.

What do you think about double-play or triple-play immutability? Share your comments and the configurations you would recommend below.

Similar Blog Posts
Business | December 4, 2024
Business | October 8, 2024
Business | September 9, 2024
Stay up to date on the latest tips and news
By subscribing, you are agreeing to have your personal information managed in accordance with the terms of Veeam’s Privacy Policy
You're all set!
Watch your inbox for our weekly blog updates.
OK