Link Search Menu Expand Document
Veeam

Security

Security zones

From a security perspective all related components can be deployed in a workgroup or a domain.
When talking about security zones then the components should be put as followed:

  • DMZ
    • API/Portal server
  • MANAGEMENT
    • VB365 Management server
  • STORAGE
    • VB365 Proxy server(s)

You can put one of the following services in front of the API/Portal server:

  • Web Application Firewall (WAF)
  • Reverse Proxy Server
  • Load Balancer (LB)

This can provide additional advantages:

  • Sits between external clients and the API/Portal server, preventing anyone from directly accessing the web server
  • Less exposure of the internal infrastructure

The following diagram represents an example of the different security zones:

VB365 security zones

Certificates

In VB365, certificates are heavily used between all different components as well as the Microsoft 365 cloud. Please check the Certificates Overview page for more details.

Encryption

  • Communication data traffic between VB365 components are encrypted.
  • Backup data is automatically encrypted in-flight between Backup Proxies and Object Storage Repositories.
  • Backup data is stored encrypted at-rest in Object Storage Repositories using an encryption password specified by the administrator.
  • Use separate encryption passwords for each Object Storage Repository. When a client decides to leave the service, you can hand over the encryption password without compromising any other repositories.
  • Backup data is not encrypted at-rest for the following types of backup repositories:
    • A local directory on a backup proxy server.
    • Direct Attached Storage (DAS) connected to the backup proxy server.
    • Storage Area Network (SAN).
    • Network Attached Storage (SMB shares version 3.0 or later).
  • Do not use 3rd party encryption software for backups in backup repositories as this may lead to unpredictable system behavior and inevitable data loss. Only use encryption that is transparent such as Bitlocker.
  • Do not use deduplication software or deduplication appliances for JetDB-backed repositories. This is not supported.
  • The encryption algorithm used is AES-256.

Source: About Data Encryption

Back to top

Copyright © 2019-2022 Solutions Architects, Veeam Software.