3-2-1-1-0 Golden Backup Rule with VBO365


Userlevel 7
Badge +11

Hi all

 

I hope you all read my post about the 3-2-1-1-0 golden rule - 3-2-1-1-0 Golden Backup Rule | Veeam Community Resource Hub.

Perfect in combination with Veeam Backup & Replication to save your backups as good as possible to protect them against ransomware, hackers, ...

But what with Veeam Backup for Office 365 ?

There is no built-in option for creating backup copy jobs, so there is by my knowledge no option to copy the backups on your primary repository to a secondary repository.

I know, Office 365 is running on high-available infrastructure but in case of ransomware or a hacker on your VBO365 server, all your backups can be deleted. So the rule 3-2-1-1-0 should also be implemented in this case.

An option could be : create a second job with the same settings as the primary job except writing to another repository. Then you have a second copy of your O365 data. In my opinion that is not a good solution : twice the network-traffic needed (not ideal if VBO365 is running on-premises and not in the public cloud) and is also not protected against malware. Those backups can also easily be deleted like the one on the primary repository.

Another option can be if you are using local storage or iSCSI storage as a repository, using a Veeam agent to backup all drives including your repository and putting that on another repository (Veeam Cloud Connect, VBR repository, ...). But is that ideal??? When the repository is small enough OK, but what if the customer has a lot of TBs of data and is using a long retention…

It’s indeed a solution and probably the best at this moment, but not a perfect or flexible solution I think.

If we are using VBO365 on the public cloud like Azure, we can use of course object storage as repository and if using GRS or so then the data is replicated to another geographically zone, perfect as an offsite backup and protected against a disaster, but protected against ransomware and hackers as an airgapped backup? Nope.

Immutable object storage (used on AWS and WASABI) would be the perfect solution like we can use as an capacity tier with a SOBR in VBR.

I would like to know what you guys are using as a best practice at the moment for implementing the golden backup rule 3-2-1-1-0 in combination with VBO365 and this on-premise and in the public cloud using object-storage.

I my opinion a feature request to Veeam would be : possibility to create backup copy jobs from the primary repository to a secondary repository and the possibility to use immutable object storage like AWS and Wasabi like with VBR.

 

I’m curious for your feedback ;-)


5 comments

Userlevel 7
Badge +20

Definitely having more options is the key here.  I like the backup copy option and definitely the Immutable repo as well which would be good.

Another option though to look at from outside the Veeam perspective is storage snapshots depending on what you use for your backend.  If using local storage from a SAN would work as well as iSCSI.  This would provide an added layer or secondary copy that you can revert to in a disaster scenario when data is deleted, etc.

Userlevel 7
Badge +11

Hi @Chris.Childerhose , correct about the storage snapshots. Not thought about that at first, but is indeed also possible with Synology NAS devices that can be used for smaller environments. The key is there to protect the NAS itself also as much as possible (not domain joined, strong password, rename default user-account, ...). But in case of a hacker that has access to the VBO365-server and the SAN/NAS also… It’s a nice extra layer, but does not give a full airgapped or immutable backup in my opinion.

Userlevel 7
Badge +20

Most definitely it does not fully airgap the backups no but another option. In this case if we need true airgap then a copy to another repo that could be taken offline would be good and don't forget good old tape as well. O365 does not support tape though.

We have a service that actually writes to an S3 frontend and then tapes out from the S3.  We can then take tapes offline and remove them to lock in a vault at Iron Mountain.  Then when needed tapes can come back online to restore from.

I think getting your data to a medium that allows offline capabilities will be one of the better protection strategies.

Userlevel 7
Badge +12

In most cases we integrate VBO in the regular backup concepts. So it runs on-premises, will be backuped via VBR and then gets copied to tape or off-site. Immutable object storage or a direct tape support would be nice, but for now we do this as a workaround.

Userlevel 7
Badge +11

@regnor , thx for your feedback. Indeed, it seems to be one of the few possibilities.

Comment