
Protect

The ultimate goal of Data Protection is to have backups available when a restore is needed. Lately, with the rise of cyber attacks and especially ransomware, the focus has shifted to Cyber Resilience: the capability not just to restore data, but also to survive cyber attacks. The resilience of a Veeam system includes two key areas:

  • Protection of the backups
  • Protection of the Backup infrastructure

Protect the backups – The 3-2-1-1-0 rule

The original 3-2-1 rule (3 copies of your data, on 2 different media, at least 1 copy stored offsite) is very general and works for all data types (individual and corporate) and all environment types (physical, virtual, containers, unstructured data…). Cyber Resilience has created the need to expand the original rule into a new and more comprehensive one, the 3-2-1-1-0 rule. This rule, when mapped to Veeam Backup & Replication capabilities, brings users to a higher level of resiliency.

Here is the description of the expanded rule, with the mapping to Veeam concepts:

  • 3 - Have at least three copies of data: production, primary backup, backup copy.
  • 2 - Store the copies on two different media: Veeam is storage-agnostic, meaning it supports tapes, disks, cloud storage and more. You can store your backups on any of the listed media.
  • 1 - Keep one backup copy offsite: set up SOBR Capacity Tier, Backup Copy Jobs, Tape Jobs (or other policies with similar capabilities) to transfer your backups offsite, either to another owned facility or to cloud-based storage.
  • 1 - Keep at least one copy of your backups on immutable, air-gapped or offline media. Ideally, ALL copies should be immutable.
  • 0 - Use SureBackup jobs to ensure you can recover from your backups or replicas. 0 here means “0 errors” when enforcing the automatic recoverability verification of every backup with Veeam’s SureBackup.

Immutability everywhere

Veeam can leverage multiple technologies to protect its own backups:

  • Hardened Linux repository through WORM mechanisms (as described later)
  • Object storage through immutability
  • Storage appliances through proprietary mechanisms such as immutability or protected snapshots
  • Tape through physical air-gapping

Regardless of which technology is chosen, as a best practice all retention copies should be protected through air gap or immutability. Short term retentions shall be made immutable for at least one to two weeks to protect against deletion, and long term retention shall be made immutable for at least 4 weeks to protect against encryption.
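The 3-2-1-1-0 rule and the immutability minimums above can be checked mechanically against an inventory of copies. The following is an added example, not part of the original guide and not Veeam code: the `Copy` record, its field names and the sample inventory are hypothetical, and no Veeam API is called.

```python
from dataclasses import dataclass

# Minimum immutability windows (days) from the guidance above.
MIN_IMMUTABLE_DAYS = {"short": 7, "long": 28}
PROTECTED = ("immutable", "air-gapped", "offline")

@dataclass
class Copy:                      # hypothetical inventory record
    name: str
    media: str                   # "disk", "object", "tape", ...
    offsite: bool
    protection: str              # one of PROTECTED, or "none"
    retention: str = ""          # "short" or "long"; empty for production
    immutable_days: int = 0
    is_backup: bool = True

def check_3_2_1_1_0(copies, verification_errors):
    """Return findings; an empty list means the inventory meets the rule."""
    findings = []
    backups = [c for c in copies if c.is_backup]
    if len(copies) < 3:
        findings.append("3: fewer than three copies of the data")
    # Assumption: media are counted over backup copies only (stricter reading).
    if len({c.media for c in backups}) < 2:
        findings.append("2: backups are not on two different media")
    if not any(c.offsite for c in backups):
        findings.append("1: no backup copy is offsite")
    if not any(c.protection in PROTECTED for c in backups):
        findings.append("1: no immutable, air-gapped or offline copy")
    if verification_errors is None:
        findings.append("0: recoverability verification has not run")
    elif verification_errors > 0:
        findings.append(f"0: verification reported {verification_errors} error(s)")
    for c in backups:            # every retention copy needs protection
        if c.protection not in PROTECTED:
            findings.append(f"{c.name}: neither immutable nor air-gapped")
        elif c.protection == "immutable":
            need = MIN_IMMUTABLE_DAYS.get(c.retention, 28)  # unknown -> long
            if c.immutable_days < need:
                findings.append(f"{c.name}: immutable {c.immutable_days}d, needs {need}d")
    return findings

# Constructed sample inventory (not real data).
SAMPLE = [
    Copy("production", "disk", False, "none", is_backup=False),
    Copy("primary-backup", "disk", False, "immutable", "short", 5),
    Copy("capacity-tier", "object", True, "immutable", "long", 30),
    Copy("nas-copy", "disk", True, "none", "long"),
]
```

With the sample inventory and zero verification errors, the headline rule passes but two retention copies are flagged: one whose immutability window is too short and one with no protection at all.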

In addition, a protocol gap can be added to make it more difficult for attackers to destroy data. The idea is to use different kinds of repositories that rely on different technologies (block, object, proprietary dedupe appliances…), so that it is harder for attackers to target your data.

The goal is to create multiple layers of resiliency. Data and workloads will be made immutable (protected against deletion and modification), stored offline (protected against insider threats), and air-gapped (protected against insider threats and other business continuity disasters, e.g. fire, flood, earthquake).

A single layer can fail, as long as at least one layer survives and can be used to restore data and workloads.

Protection of the Backup infrastructure

Protecting your infrastructure successfully is all about understanding the current attack vectors; what and whom you are protecting the Veeam infrastructure against. Knowing what and whom you are protecting against makes it easier to take the correct countermeasures. One of those countermeasures is hardening.

Looking at the different Veeam Backup & Replication components, you must protect:

  • Veeam Backup Server
  • User Accounts
  • Backup repositories
  • Backup data flows

The Veeam Backup & Replication Server is the number one target in your infrastructure; as such, it should have very restricted access. The other primary targets are the backup repositories holding the backup files; their protection was discussed earlier in this chapter.

Backup proxies must also be considered a target. During backups, proxies obtain from the backup server the credentials required to access virtual infrastructure servers. An actor with administrator privileges on a backup proxy can intercept these credentials and use them to access the virtual infrastructure.

Consider using Encryption at rest to protect Backup repositories in addition to immutability, and enabling Traffic Encryption to protect the Backup data flows, as mentioned in section 2.8 Encryption.

Staff education

By delivering employee awareness training, you make sure that your employees are aware of their critical role in protecting the organization’s services and data, and that they learn how to behave properly and securely during an incident. This is not only for the IT department but for everyone within the organization, because every organization is rapidly becoming an IT company, and anyone in a company can witness suspicious behavior or be targeted by social engineering and potentially open a breach.



Copyright © 2019 - 2025 Solutions Architects, Veeam Software.
Please note that information provided in this guide is not produced or verified by Veeam R&D but is a result of community effort based on the field observations.