With the newest release V12, Veeam Backup & Replication is now capable of implementing immutability with HPE StoreOnce Catalyst stores. HPE calls this ‘Independent Software Vendor (ISV) Controlled Data Immutability (ISV-DI)’. With this post I want to quickly describe the requirements and configuration steps.
Requirements
There are some requirements, that need to be met in order to use immutability with StoreOnce systems.
- you need to have a Gen4 StoreOnce system with at least firmware 4.3.2
- you need to configure Dual Authorization
- Maximum ISV Controlled Data Retention needs to be set to 365000 in the StoreOnce Catalyst Store
- you need to use forward incremental backup jobs and/or enable GFS for Backup Copy Jobs
- → For more information check the helpcenter
Enable Dual Authorization
With Dual Authorization certain tasks on a StoreOnce require a second factor before they’re executed. This second factor isn’t a OTP token or something similar but rather a second user/password which you need to approve the task. In regards to immutability, Dual Authorization prevents disabling immutability or deleting the whole Catalyst store.
It’s very critical to store the credentials for this security user at a safe place, or even better only offline.
If you haven’t configured Dual Authorization, you won’t be able to configure immutability in the Veeam Console and might see the following error:
Also the StoreOnce dashboard will give you a hint, that Dual Authorization is disabled.
So, before you start with anything else, enable Dual Authorization (if necessary). This can be done during the initial deployment:
If you upgraded from an earlier firmware or haven’t configured Dual Authorization at the initial deployment, you need to do 2 steps.
First create a new user with the SecurityOfficer role.
Next go to ‘Dual Authorization’ and click the 3 dots, choose ‘Configure Dual Authorization’ and enable it.
To finalize this step, login with the newly created security officer, go to Dual Authorization and approve the request.
Configure Maximum ISV Controlled Data Retention
When creating a new Catalyst Store, go to the Security Settings and set the ‘Maximum ISV Controlled Data Retention’ to ‘365000’.
This can also be done for existing Catalyst Stores if you edit the store. Just keep in mind that after setting the value, you will need to approve it again with the Security Officer.
Add Catalyst Store to Veeam
To finalize the configuration, add the Catalyst Store to Veeam and configure the immutability as required.
You can also enable immutability on existing stores but this will only affect new backup chains.
Update 17.03.2023: The current or a new backup chain will be made immutable. All closed backup chains won't be protected.
Conclusion
The configuration of immutability for StoreOnce Catalyst stores isn’t complicated and the setting should be enabled in every environment. Afterwards backups cannot easily be deleted, either by accident or by an attacker.
From a security perspective you should consider the following points, which affect the effectiveness of the solution:
- keep the Security Officer’s credentials secret
- an attacker will be able to circumvent the immutability if he gets access to those credentials
- I would even go as far and say that you print them out and stick them physically on the StoreOnce
- keep the iLO Interface secure or even disconnected: all StoreOnce security measurements won’t help if someone physically wipes the device remotely via iLO
- monitor the immutability setting in Veeam: If an attacker can’t delete your backups, he might just alter or completely disable immutability in Veeam