
Protect

Protect backups – The 3-2-1-1-0 rule

Veeam offers many ways to keep data out of reach of attackers. A properly designed backup infrastructure must include a data protection mechanism.

This can be offered by features such as:

  • storage deduplication appliances through proprietary mechanisms such as immutability or protected snapshots
  • object storage through immutability
  • tape through real air gapping
  • hardened Linux repository through WORM mechanisms, as described later.

Ideally, all retained restore points should be protected through air gap or immutability. But since attacker dwell time averages approximately one month, it is fundamental to protect at least four weeks of restore points to mitigate the attack.

The 3-2-1 rule is very general and it works for all data types (individual and corporate) and all environment types (physical and virtual). When backing up your environments with Veeam, this rule becomes the “3-2-1-1-0 backup rule”, where 1 media is offsite and 1 media is air-gapped, immutable or offline. 0 means “0 errors” when enforcing the automatic recoverability verification of every backup with Veeam’s SureBackup.

Veeam Backup & Replication™ can help you fulfill each requirement of the 3-2-1-1-0 backup rule.

  • Have at least three copies of data: production, primary backup, backup copy
  • Store the copies on two different media: Veeam is storage-agnostic, meaning it supports tapes, disks, cloud storage and more. You can store your backups to any of the listed media.
  • Keep one backup copy offsite: set up Backup Copy Jobs to transfer your backups offsite faster with built-in WAN acceleration, or use the capacity tier of a Scale-Out Backup Repository to copy data to (cloud) object storage.
  • Keep copies of your backups on immutable, air-gapped or offline media.
  • Use SureBackup jobs to ensure you can recover from your backups or replicas.
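
As an added illustration (not part of the original guide and not Veeam code), the following Python example checks a backup inventory against each element of the 3-2-1-1-0 rule and against the four-week protected window mentioned above. The DataCopy fields, the inventory names and the choice to count media across the backups only are assumptions made for this example.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional

@dataclass
class DataCopy:
    name: str
    role: str                      # "production", "backup" or "backup_copy"
    media: str                     # e.g. "disk", "tape", "object"
    offsite: bool = False
    protected: bool = False        # immutable, air-gapped or offline
    verify_errors: Optional[int] = None      # None = never verified
    oldest_protected_point: Optional[date] = None

def check_3_2_1_1_0(copies, today, min_protected_days=28):
    """Evaluate an inventory against 3-2-1-1-0 and the four-week window."""
    backups = [c for c in copies if c.role != "production"]
    protected = [c for c in backups if c.protected]
    # Longest span of restore points that an attacker could not delete.
    window = max(((today - c.oldest_protected_point).days
                  for c in protected if c.oldest_protected_point), default=0)
    return {
        "3_copies": len(copies) >= 3,
        # Assumption: media diversity is counted across the backups only.
        "2_media": len({c.media for c in backups}) >= 2,
        "1_offsite": any(c.offsite for c in backups),
        "1_protected": bool(protected),
        # A copy that was never verified does not count as zero errors.
        "0_errors": bool(backups) and all(c.verify_errors == 0 for c in backups),
        "4_weeks_protected": window >= min_protected_days,
    }

def failed(result):
    """List the requirements that are not met, in rule order."""
    return [rule for rule, ok in result.items() if not ok]

# Constructed sample inventories (not taken from a real environment).
TODAY = date(2023, 6, 30)
PROD = DataCopy("vm-prod", "production", "san")
GOOD = [PROD,
        DataCopy("hardened-repo", "backup", "disk", protected=True,
                 verify_errors=0, oldest_protected_point=date(2023, 5, 30)),
        DataCopy("cloud-tier", "backup_copy", "object", offsite=True,
                 protected=True, verify_errors=0,
                 oldest_protected_point=date(2023, 6, 1))]
WEAK = [PROD,
        DataCopy("nas-repo", "backup", "disk", verify_errors=0),
        DataCopy("dr-repo", "backup_copy", "disk", offsite=True, protected=True,
                 oldest_protected_point=date(2023, 6, 16))]

if __name__ == "__main__":
    for label, inv in (("GOOD", GOOD), ("WEAK", WEAK)):
        print(label, failed(check_3_2_1_1_0(inv, TODAY)) or "compliant")
```

The WEAK inventory has three copies, one offsite and one protected, yet it still fails: both backups sit on the same media type, one was never verified, and only two weeks of restore points are protected.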

By following the rule, you create multiple layers of resiliency and security. Data and workloads will be made immutable (protected against deletion and modification), stored offline (protected against insider threats) and air-gapped (protected against insider threats and other business continuity disasters, e.g. fire, flood, earthquake, etc.).

In addition, what we call a “protocol gap” can be added in order to make it more difficult for attackers to destroy your data. The idea is to use different kinds of repositories that rely on different technologies (disk block, CIFS, NFS, S3, proprietary dedupe appliance protocols…), so that it is harder for attack tools to target your data.

Backup infrastructure protection

Protecting your infrastructure successfully is all about understanding the current attack vectors; what and whom you are protecting the Veeam infrastructure against. Knowing what and whom you are protecting against makes it easier to take the correct countermeasures. One of those countermeasures is hardening.

Among the Veeam Backup & Replication components, you must protect the following:

  • Veeam Backup Server
  • User Accounts
  • Backup repositories
  • Backup data flows

Consider the Veeam Backup & Replication Server to be the number one target on your infrastructure; it should have very restricted access. As a rule, the backup server is the single greatest target an attacker will claim on your network. The backup repositories, which hold the backup files, are also a primary target.

Backup proxies must also be considered a target for compromise. During backup, proxies obtain from the backup server the credentials required to access virtual infrastructure servers. A person with administrator privileges on a backup proxy can intercept the credentials and use them to access the virtual infrastructure.

Staff education

By deploying employee awareness training, you make sure that your employees are alert to strange behaviour and understand their critical role in protecting the organization’s services and data. This is not only for the IT department but for everyone within the organization: every organization is rapidly becoming an IT company, and anyone in a company can witness suspicious behaviour or be targeted by social engineering and potentially open a breach.



Copyright © 2023 Solutions Architects, Veeam Software.
Please note that information provided in this guide is not produced or verified by Veeam R&D but is a result of community effort based on the field observations.