This week I am in Halifax, NS for a Veeam-sponsored event, Atlantic Security Conference (ATLSECCON).
There I had a speaking session get accepted: Data Protection Security Mishaps that you can avoid. Here is the description:
When it comes to data protection, the risks are high. Too many times companies take adequate protections for live workloads; but are the same standards are applied to the durability of the data protection scheme? Different backup technologies offer different opportunities and risks for security the backup data.
In this breakout session, join backup expert Rick Vanover for practical security tips for data protection administrators to avoid being the next headline. Topics covered in this session include:
• Storage security strategies for backups
• Managing multiple security techniques
• Identifying backdoors from data protection solutions
• Implementing controls for each step of the data protection process
The session was very well attended and I got some great feedback! So, here’s the gist of my presentation:
Here is a summary list of the mishaps to avoid on what I presented:
- Today it’s more that tapes falling off the truck.
- The primary systems are protected well, the data protection application has many surfaces and is subject to the same security rules.
- Identify surface areas of data protection solutions. Kicker: You may have more than one data protection solution.
- Monitor restores. The Redirected restore could breach security profiles. Recommended solution includes the Veeam Restore Activity Report.
- Have monitoring and logging framework in place now. It’s a lot harder to set it up after an incident and know what to look for.
- Identify where data protection logging exists. In addition to aforementioned report, come components may have logging also (tape moves, modules within data protection solution, etc.).
- Storage for backups is usually an afterthought in most organizations. Primary storage may be secured well, backup storage should have the same standards.
- Know what frameworks are in use. VMware vSphere or System Center Virtual Machine Manager administrators can take a backup of a VM. Even if they don’t have access to the guest operating system.
- Don’t “lock your keys in your car”: Don’t rely on CIFS or SMB for backup storage that is managed by Active Directory. Why? What happens when you need to restore Active Directory? Same for storing VM backups inside of your VM infrastructure. What if that’s the problem?
- Don’t store backups at home. Get indoor public storage. It’s very affordable, has 24/7 access and can be an cost-effective alternative to storing backups (tape/disks) at home.
- Don’t “Overdo” Deduplication. Don’t double or triple dip deduplication (additional security surface areas and minimal gain for a lot of I/O and CPU consumption). Additoinally, beware of a Windows Server 2012 deduplicated volume encapsulated on a VHD or VHDX and copied or otherwise silently exiting the datacenter.
- Watch the encryption vs. performance discussion. Make sure different parties don’t “Temporarily” disable volume encryption because backups are slow…
- Use the 3-2-1 rule. Simple timeless rule can address almost any failure scenario:
- Keep 3 different copies of your data
- On 2 different media
- 1 of which is off-site
A special thank you to those who attended and for the ATLSECCON board for allowing me to present and Veeam to sponsor!