With the release of V12, Veeam Backup & Replication can now enforce immutability on HPE StoreOnce Catalyst stores. HPE calls this ‘Independent Software Vendor (ISV) Controlled Data Immutability (ISV-DI)’. In this post I want to quickly describe the requirements and the configuration steps.
There are some requirements that need to be met in order to use immutability with StoreOnce systems:
- you need to have a Gen4 StoreOnce system with at least firmware 4.3.2
- you need to configure Dual Authorization
- Maximum ISV Controlled Data Retention needs to be set to 365000 in the StoreOnce Catalyst Store
- you need to use forward incremental backup jobs and/or enable GFS for Backup Copy Jobs
- → For more information, check the Veeam Help Center
Enable Dual Authorization
With Dual Authorization, certain tasks on a StoreOnce require a second approval before they’re executed. This second factor isn’t an OTP token or something similar, but a second user account (the Security Officer) whose password is needed to approve the task. In regards to immutability, Dual Authorization prevents disabling immutability or deleting the whole Catalyst store.
It’s critical to store the credentials for this Security Officer user in a safe place, or better still, only offline.
If you haven’t configured Dual Authorization, you won’t be able to configure immutability in the Veeam console and will see an error like the following:
The StoreOnce dashboard also shows a hint that Dual Authorization is disabled.
So, before you do anything else, enable Dual Authorization (if necessary). This can be done during the initial deployment:
If you upgraded from an earlier firmware or didn’t configure Dual Authorization during the initial deployment, two steps are needed.
First, create a new user with the SecurityOfficer role.
Next, go to ‘Dual Authorization’, click the three dots, choose ‘Configure Dual Authorization’ and enable it.
To finalize this step, log in as the newly created Security Officer, go to Dual Authorization and approve the request.
Configure Maximum ISV Controlled Data Retention
When creating a new Catalyst Store, go to the Security Settings and set the ‘Maximum ISV Controlled Data Retention’ to ‘365000’.
This can also be done for existing Catalyst Stores by editing the store. Keep in mind that after changing the value, the change has to be approved again by the Security Officer.
Add Catalyst Store to Veeam
To finalize the configuration, add the Catalyst Store to Veeam as a backup repository and configure the immutability period as required.
You can also enable immutability on an existing store. Update 17.03.2023: the current (still open) backup chain and any new backup chains will be made immutable; backup chains that are already closed won’t be protected.
The configuration of immutability for StoreOnce Catalyst stores isn’t complicated, and the setting should be enabled in every environment. Afterwards, backups cannot easily be deleted, whether by accident or by an attacker.
From a security perspective you should consider the following points, which affect the effectiveness of the solution:
- keep the Security Officer’s credentials secret
- an attacker who obtains those credentials can circumvent the immutability, because he can approve disabling it or deleting the Catalyst store
- I would even go as far as printing them out and keeping them physically with the StoreOnce, in a physically access-controlled room, rather than in any system an attacker could reach over the network
- keep the iLO interface secure or even disconnected: all StoreOnce security measures won’t help if someone wipes the device remotely via iLO
- monitor the immutability setting in Veeam: if an attacker can’t delete your backups, he might instead shorten or completely disable immutability in Veeam, so alert on any change to the repository’s immutability configuration
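As an added example (not code from the original post or from Veeam), here is one way to implement the last point: a PowerShell baseline-and-drift check for the immutability configuration of your Veeam repositories. Run it once with `-Mode Baseline` right after you have configured immutability, then schedule it with `-Mode Check` and alert on a non-zero exit code. `Import-Module Veeam.Backup.PowerShell` and `Get-VBRBackupRepository` are real parts of the Veeam v12 PowerShell module; the exact names of the immutability properties on the repository objects are deliberately not assumed, so the script captures every property (one level deep, including the nested `Options` object) whose name contains “Immutab”. The baseline path and the monitoring setup are assumptions for illustration.

```powershell
<#
  Added example, not part of the original post.
  Baseline-and-drift check for Veeam repository immutability settings.
  Assumptions:
  - Runs on the Veeam B&R v12 server (or console host) with the
    Veeam.Backup.PowerShell module, under an account allowed to read
    repository configuration.
  - Property names are discovered at run time ("*Immutab*"); use
    "Get-VBRBackupRepository | Get-Member" to see what your version exposes.
  - $BaselinePath is a placeholder; keep the baseline file somewhere an
    attacker with Veeam access cannot also edit (e.g. the monitoring host).
#>
[CmdletBinding()]
param(
    [ValidateSet('Baseline', 'Check')]
    [string]$Mode = 'Check',
    [string]$BaselinePath = 'C:\Monitoring\veeam-immutability-baseline.json'   # placeholder
)

Import-Module Veeam.Backup.PowerShell -ErrorAction Stop

# Collect the immutability-related properties of one repository object,
# looking one level into nested objects such as .Options.
function Get-ImmutabilityState {
    param([Parameter(Mandatory)] $Repository)

    $state = [ordered]@{
        Name = $Repository.Name
        Type = [string]$Repository.Type
    }
    foreach ($prop in ($Repository | Get-Member -MemberType Property)) {
        $value = $Repository.($prop.Name)
        if ($prop.Name -like '*Immutab*') {
            $state[$prop.Name] = [string]$value
        }
        elseif ($null -ne $value -and $value -isnot [string] -and $value -isnot [ValueType]) {
            # nested settings object: pick up its immutability members as well
            foreach ($sub in ($value | Get-Member -MemberType Property -ErrorAction SilentlyContinue)) {
                if ($sub.Name -like '*Immutab*') {
                    $state["$($prop.Name).$($sub.Name)"] = [string]$value.($sub.Name)
                }
            }
        }
    }
    return [pscustomobject]$state
}

$current = @(Get-VBRBackupRepository | Sort-Object Name | ForEach-Object { Get-ImmutabilityState -Repository $_ })

if ($Mode -eq 'Baseline') {
    ConvertTo-Json -InputObject $current -Depth 4 | Set-Content -Path $BaselinePath -Encoding UTF8
    Write-Host "Baseline written for $($current.Count) repositories to $BaselinePath"
    exit 0
}

if (-not (Test-Path $BaselinePath)) {
    Write-Error "No baseline at $BaselinePath; run with -Mode Baseline first."
    exit 2
}

$baseline = @(Get-Content -Path $BaselinePath -Raw | ConvertFrom-Json)
$drift = @()

# Compare every captured property against the baseline, per repository.
foreach ($repo in $current) {
    $ref = $baseline | Where-Object { $_.Name -eq $repo.Name }
    if (-not $ref) { $drift += "NEW repository '$($repo.Name)' not in baseline"; continue }
    foreach ($p in $repo.PSObject.Properties) {
        $refProp  = $ref.PSObject.Properties[$p.Name]
        $refValue = if ($refProp) { $refProp.Value } else { $null }
        if ([string]$refValue -ne [string]$p.Value) {
            $drift += "'$($repo.Name)': $($p.Name) changed from '$refValue' to '$($p.Value)'"
        }
    }
}
foreach ($ref in $baseline) {
    if (-not ($current | Where-Object { $_.Name -eq $ref.Name })) {
        $drift += "REMOVED repository '$($ref.Name)' (was in baseline)"
    }
}

if ($drift.Count -gt 0) {
    # Any change here deserves a ticket: shortening or disabling immutability
    # is exactly what an attacker who cannot delete backups will try next.
    $drift | ForEach-Object { Write-Warning $_ }
    exit 1
}
Write-Host "Immutability settings unchanged for $($current.Count) repositories."
exit 0
```

The baseline is compared with the live configuration rather than with a hard-coded expected value, so the check also catches a repository being removed or re-added without immutability. Because the script reads the settings through the Veeam server, it does not replace the Dual Authorization on the StoreOnce side; it only tells you early when someone has changed what Veeam enforces.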
Nice to see with v12 that more vendors are progressing to immutability for their storage. 👍
Thanks for the detailed info
My “to play with” list since V12 launch keeps growing and growing!
Great blog, thank you!
I don’t live in the HPE world very much, so it’s nice to see what is offered there. This looks pretty cool, and I’m glad to see more immutability options!
Thank you for the guide!
Can we please double check that? “You can also enable immutability on existing stores but this will only affect new backup chains.”
When going through: https://helpcenter.veeam.com/docs/backup/vsphere/hardened_repository.html?ver=120
That would mean the immutability would be set also on the already existing backup chains.
Thanks a lot for looking at it!
But my wording may be wrong anyway, as the current backup chain will indeed be immutable. What I wanted to say is that existing backups/GFS restore points won’t become immutable. I’m planning to write a part 2 where I will do some tests and see how it behaves.
I just wanted to clarify what will happen to the existing backup chains on the store after we enable the immutability. I was kind of hoping for the same behavior as the hardened repository, that’s why I linked that one, but after reading the article I wasn’t sure whether I need to create an AF or not, as you said “this will only affect new backup chains”, so I wanted to clarify that.
Not sure if that’s just me who got confused by this, anyway thanks a lot for the clarification :)
I will also correct the sentence regarding the existing backup chains in this post. Thanks for making me aware of this 😊