Link Menu Expand (external link) Document Search Copy Copied

Secure by Design

Adding security to an already existing infrastructure is much harder and costly than thinking about it at design time. Security should not be an afterthought, but a founding component of the design.

Some concepts that should be followed during the Design phase are worth mentioning.

Simplicity

Overly complex designs become harder for the IT team to manage and overlook, and it makes it easier for an attacker to exploit and stay in the shadows. Simpler designs that can be easily overviewed are basically more secure. Use the K.I.S.S. principle for your designs.

Note: KISS is an acronym for “Keep it simple, stupid” as a design principle noted by the U.S. Navy in 1960. The KISS principle states that most systems work best if they are kept simple rather than made complicated; therefore simplicity should be a key goal in design and unnecessary complexity should be avoided. A simple design is easier to overview and to secure as a whole. You can refer to this wikipedia article for further information.

Zero Trust

Zero Trust is a security principle that suggests to always verify approved access and operates under the assumption that breaches will happen.

Veeam applies Zero Trust to data protection, what we call Zero Trust Data Resilience, to protect digital infrastructure and data. The cornerstone principles are:

  • Least Privilege Access:
    • Controlled access for the Backup Infrastructure (only validated users can establish connections to the backup solution)
    • Granular Self-Service Roles and Restricted Backup Admin Roles
    • Identity and Access Management (IAM) best practices (such as Multi-factor Authentication)
    • Four-Eyes principle for critical operational decisions
  • Assume Breach:
    • Segmentation (minimize the attack surface and blast radius by segmenting backup software and backup storage into separate resilience zones)
    • Multiple Resilience Zones and 3-2-1-1-0 Backup Rule (a multi-layered security strategy to reduce the risk of data loss)
    • Education and training for employees
    • End-to-end encryption
  • Proactive Validation
    • Continuously monitor activity (by the usage of Veeam Malware detection technology, Veeam ONE and the integration with external Security tools)
    • End-to-End Visibility
  • System Resilience
    • Immutability of the Backups

Along this document, specific solutions will be leveraged to fulfill one or more principles.


Back to top

Copyright © 2019 - 2025 Solutions Architects, Veeam Software.
Please note that information provided in this guide is not produced or verified by Veeam R&D but is a result of community effort based on the field observations.