It’s safe to argue that, to date, the May 2018 implementation of the General Data Protection Regulation (GDPR) in the European Union, as well as the two-year ramp-up period that lead to the activation date, has elevated the status and industry press coverage of compliance-related issues more than any other data protection and compliance standard set by governing bodies.
The truth is, today, the stakes are high for organizations that continue to struggle with the proper management of sensitive, personal data or regularly failed audits, and IT professionals know this. In fact, in a recent study, Veeam customers were asked which corporate governance regulations have had the greatest impact on their data protection strategy and even though the new standard had been active for less than half a year, 28% answered “GDPR”, which was enough to make it second on a long list of regulation standards, some of which have been in effect for two decades (source:
So why is there so much concern? Because no business can afford a data breach and the subsequent debilitating press coverage, or customer alienation and fines that accompany such a negative event. According to a 2018 study, the average total cost of a data breach is $3.86 million, which for those of you who are curious, breaks down to $148 lost or stolen per record! And probably most concerning, for those respondents who had been through a data breach, they said they’re not completely convinced they can prevent a future data breach event from occurring. Almost 28% of this group indicated a recurring material breach was likely to happen over the next two years (source:
The good news is, for Veeam customers who are losing sleep at night over compliance or other use cases, the latest release of Veeam Availability Suite includes Veeam DataLabs Staged Restore, which is a new and powerful feature designed to help manage compliance and ensure that sensitive data is removed from backups before the data has a chance to make it back to a live environment. Veeam DataLabs Staged Restore can also be used for other helpful use cases outside of compliance, including masking data for DevOps.
As I have already mentioned, the primary purpose of Veeam DataLabs Staged Restore is to enable a process to be injected into the recovery process of your virtual machines (VMs) that can help you easily and confidently manage compliance-related issues, such as those related to GDPR. The most typical use case is ensuring compliance after a failure scenario when recovering a machine back into production where data potentially needs to be removed or masked.
The ability to inject a script into the recovery process allows for the restore point to be modified before landing into the environment. In this scenario, a use case may be a DevOps environment where a business would like to leverage the latest version of data in their own segregated environment for versioning. But, from an operations point of view, the data may contain personal identifiable information (protected by compliance standards) that must be masked before landing in the new environment.
Veeam DataLabs Staged Restore workflow
As usual with Veeam workflow it's pretty simple and you can perform Staged Restore only when it’s required:
- Choose Entire VM recovery
- Identify workloads that you wish to restore
- Select the point in time you wish to recover from
- Select ‘Staged Restore’ restore mode
Follow the simple steps to customize the restored machine’s settings. Small hint – settings are automatically populated with original machine configuration, so you can simply click Next if you want to restore machine with original configuration. Additionally, you can enable Secure Restore option which we’ve explained in the previous blog post -link-
The last step is our main place of interest as it shows the Staged Restore settings that you are going to use.
Veeam DataLabs Staged Restore settings
Veeam DataLabs Staged Restore is one of the latest additions you will see as a selection option when the entire VM recovery wizard is started. If needed, this also gives us the option to inject an additional script into the VM we are recovering. The wizard shown below has several options.
Virtual lab – The virtual lab is an isolated virtual environment that is fully fenced off from the production environment. The network configuration of the virtual lab mirrors the network configuration of the production environment.
Application group (optional) – An application group consists of any VMs that the machine you are recovering may need to have to authenticate and function. It’s a group of dependants to the proposed machine for recovery.
Script – It’s required that the script remains located on the Veeam Backup & Replication server as this is the route taken for the injection into the virtual lab.
Credentials – For the script to be injected into the VM and to be executed, the required credentials should have the ability to authenticate and run the script.
Once the wizard is completed, the recovery process will begin with the virtual lab appliance powering on within the environment, along with the presentation of the backup folder from the backup repository to your virtual environment. This uses a patented technology called vPower NFS.
Veeam DataLabs Staged Restore walkthrough
Now that we have our recovered VM that’s running in an isolated environment, the next step is to inject the script that we defined in the wizard. This entire process is automated, so there is no need for intervention. It is likely that by adding the script, the data will be modified in some form. All of these changes will be captured inside a production datastore that was defined during the restore wizard phase and not in the backup file, as we want to keep the backup file as a functional restore point.
Quick Migration to the environment
Finally, when the script has finished successfully, the process will continue the recovery steps. To do this we use a Veeam technology called Quick Migration. Veeam Quick Migration enables the ability to migrate the VM between datastores. When the process is complete you will have your recovered VM within the environment, including the injected process.
Let’s review the Staged Restore process workflow based on this simple diagram:
- VM is started in the virtual lab from compressed and deduplicated backup files that reside on the backup repository. If application group was selected, Veeam Backup & Replication will start VMs from the application group first.
- Injection of the script from Veeam B&R to the VM is performed with the set credentials
- Script gets executed inside the VM
- All the resulting changes or deltas are stored in the backup repository
- When Veeam B&R detects that script was executed successfully, machine in the lab is going to be shut down
- As a final step Veeam B&R will restore the VM from the backup but apply the changed blocks created by script execution with help of Quick Migration feature.
When the process is complete you will have your recovered VM within the environment, including the injected process. We hope this feature will help you be more reactive and efficient in staying compliant to a multitude of situations and requirements. Give Staged Restore a whirl and let us know your experiences in the comments!
- What is On-Demand SandBox and how you can use it?
- What is Staged Restore and how you can use it?
- What is the Application Group and why do you need it?
- What Is Data Replication?