Ransomware and malicious acts within our IT environments are rampant across the world, and the last line of defence is going to be your backups.
In Veeam Backup & Replication v10 we introduced the ability to store your Veeam backups in AWS and S3 Compatible Object storage using the Object Lock API. This would mean that you would have a secondary copy of your backup data most likely offsite and in an immutable state, which means it can’t be modified and is protected against insider malicious activity.
Fast forward to the release of Veeam Backup & Replication v11, and we have enabled a way of storing data, agnostic to hardware in your primary location leveraging Linux with the NEW Hardened Linux Repository.
Benefits of immutable storage backup
By definition, immutability is a solution that prevents data deletion or modification from the storage.
Knowing that data is critical to all businesses—leveraging an immutable copy of your backup data ensures that there is an untouched version of that source data that is always recoverable and safe from any failure scenario.
Veeam Backup & Replication v11 enables you to store your short-term retention backups locally onsite for fast recovery with the protection of immutability. In addition, you can now tier those backups into an immutable object storage offering offsite, giving you additional protection against unforeseen malicious activity or accidental deletion.
Immutable backup storage can help in the following cases:
- Production data is corrupted or compromised
- Accidental deletion of production data
- Insider malicious activity, administrators modifying backup job retention or deleting restore points.
What is the Hardened Linux Repository?
The Hardened Linux Repository enables primary backups to be immutable, not by packaging a storage appliance together, but by offering the ability to achieve local immutable backup storage by using generic compute and storage with a supported Linux x64 distribution that provides this functionality.
Immutability protects your data from loss because of malware activity or other failure scenarios mentioned above by temporarily prohibiting the deletion and modification of data.
Let’s take a quick look at an overview video from Danny Allan, CTO for Veeam, walk through the value of the Hardened Linux Repository capability in Veeam Backup & Replication v11:
What to look for in a backup provider that supports immutability
Everything we do here at Veeam is designed to promote and support simplicity, regardless of the complexity under the hood. The Veeam Hardened Repository is no different.
You will need:
- A physical server with direct attached storage or SAN attached storage. It will run as a virtual machine but consider the implications on where this is running and where the storage is presented from.
- A Linux distribution (64-bit edition of Linux must be able to run 32-bit programs)
- The Linux distribution is advised to support the XFS file system (block clone technology)
- The Linux distribution must support the chattr command
- Veeam Backup & Replication v11 or higher/newer
- Veeam backup types used must be forward incremental with periodic synthetic or active full.
- Veeam backup copy jobs must have GFS points configured.
You will notice from the above that there is no requirement for specific hardware or appliances! The hardened repository will be added to your Veeam Backup & Replication management server in the same way you add all other repository types. A super simple wizard driven approach requires only one checkbox mark to enable this feature.
We also advise where possible to use XFS, which enables Veeam to use fast cloning. “Fast clone” is the Veeam technology that helps create quick file copies, increases the speed of synthetic backup creation and transformation, reduces disk space and decreases the overall impact on the storage device.
A storage solution that prevents deletion and modification of backups
Now you know the purpose behind it and why we are doing this for our primary backups. But you have only seen part of the How — on the Linux server itself you do not need to set anything, Veeam will have that covered for you.
By default, the immutability is set to seven days for standard backups on the repository. It is very important that your job configuration reflects this so that your active backup chain is protected.
Ransomware or outside malicious activity are well-known 24/7/365 threats. Take a lesson from history – even the great city of Troy, that resisted outside threats for centuries, was quickly destroyed from within. When you use the immutable flag even the kings of backups themselves, the backup administrators, cannot delete those backup files.
Single access credentials
Protect the keys to the kingdom! It’s clear to see that a lot of this new feature is focused on the security and protection of your backup data. By focusing on access control, we are further reducing the possible attack vectors by not allowing Veeam or the backup administrator to have unbridled access to an elevated user account that was or is used initially to deploy Veeam services. These one-time use for deployment credentials are not stored by Veeam Backup & Replication.
Single use creds are recommended when using the hardened repository, but persistent credentials can be used. If persistent credentials are used, then the rights for the Veeam services will be reduced as part of the configuration steps.
When implementing the hardened repository with single-use credentials, access to the backup folder must be defined with the correct user permissions.
I hear you asking, how do we get started?
Basically, you can take advantage of this hardware-agnostic approach to primary immutable backup storage by bringing your own Veeam-supported Linux distribution with sufficient storage capacity. If you are an existing customer already using existing Linux repositories, you can easily convert those to also take advantage of the new features in V11 by simply updating the managed server configuration and changing the owner and permissions. This powerful solution coupled with XFS and the available block cloning technology brings a storage-efficient way to store primary immutable onsite backups that remain safe from ransomware.
Try Veeam Backup & Replication v11 today, FREE for 30 days to test and see for yourself the power of reliable ransomware protection offered with the NEW Hardened Linux Repository.
Learn more about security-enabled online and offline backups.