As we all know, data backup security is a top priority for every organisation. In my first article I spoke about the Security Analyzer feature. In this second part of our series on Veeam's security features, we're going to focus on one of the most important new features introduced with Veeam Backup & Replication v12.1: Four-Eyes Authorization.
So, what exactly is Four-Eyes Authorization?
Four-Eyes Authorization, also known as the "two-person rule", is a feature that requires a second administrator to approve certain sensitive operations in Veeam Backup & Replication before they are executed. No single account can destroy backups or weaken the security configuration on its own, which makes it much harder for one user to cause damage by mistake or on purpose, and limits what an attacker holding a single set of administrator credentials can do.
“The four-eyes principle requires that a critical activity must be approved by at least two people, minimizing errors or security breaches.”
Here are the best practices for implementing four-eyes authorization and the limitations you should know about.
First of all, and in my humble opinion the most important thing: you will need at least two administrators, or you risk finding yourself in an operational lockout.
All requests and approvals are logged, so every decision is auditable and transparent.
Disabling the feature is itself treated as a sensitive operation: if you want to turn it off you need the go-ahead from another administrator.
Authorization Flow
Here I describe an example of an authorization flow that involves the security officers.
The goal is a double approval that permits the backup administrator to perform critical operations. The administrator submits a request via a form to the backup referral and starts the critical operation from the Veeam console. Only after the referral has verified the documentation and sent its opinion to the security officers do the latter approve the request. The backup administrator and the referral can belong to the same office, but the security officers need to be from a different office; that separation is what keeps the second pair of eyes independent.
I think it is simpler to show a graphical example:
And how do I enable it?
Ok, let's see how to enable Four-Eyes Authorization. As I wrote above, first make sure that at least two users hold the Veeam Backup Administrator role and at least two users hold the Veeam Security Administrator role. After this check you can activate it from the main menu under Users and Roles > Authorization: tick the "Require additional approval for sensitive operations" option and specify the time window within which a pending request must be approved or rejected (from 1 to 30 days).
Great, now you can see, in this list, which operations need approval from a second administrator:
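Before ticking that box, it is worth scripting the role check from the previous paragraph so nobody enables the feature on a server that has a single approver. The following PowerShell is an added example written for this article, not code from Veeam or from the original post. It assumes the Veeam.Backup.PowerShell module is loaded and Connect-VBRServer has already been run, and that the objects returned by Get-VBRUserRoleAssignment expose a Name property and a Role property whose string form is the role's display name (verify this with Get-VBRUserRoleAssignment | Format-List on your own server). The script only reads; enabling the feature is still done in the console.

```powershell
# Added example, not part of the original article or of Veeam's product code.
# Pre-flight check before enabling Four-Eyes Authorization: confirm that each
# role involved has at least two holders, so that a single absent or locked-out
# approver cannot block every sensitive operation (operational lockout).
#
# Assumptions (verify on your own server):
#  - Veeam.Backup.PowerShell is imported and Connect-VBRServer has been called.
#  - Get-VBRUserRoleAssignment returns one object per assignment with a Name
#    property (user or group) and a Role property that stringifies to the
#    role's display name, e.g. 'Veeam Security Administrator'.

$RequiredRoles = @(
    'Veeam Backup Administrator',
    'Veeam Security Administrator'
)

function Test-FourEyesReadiness {
    [CmdletBinding()]
    param(
        # Output of Get-VBRUserRoleAssignment, passed in so the logic can be
        # exercised against a hand-built list as well as against a live server.
        [Parameter(Mandatory)] [object[]] $Assignments,
        [int] $MinimumHolders = 2
    )

    $ready = $true
    foreach ($role in $RequiredRoles) {
        # Compare on the stringified Role so that both string-valued and
        # object-valued Role properties work.
        $holders = @($Assignments |
            Where-Object { "$($_.Role)" -eq $role } |
            ForEach-Object { $_.Name })

        if ($holders.Count -lt $MinimumHolders) {
            Write-Warning ("{0}: {1} holder(s) [{2}], need at least {3}" -f $role, $holders.Count, ($holders -join ', '), $MinimumHolders)
            $ready = $false
        }
        else {
            Write-Host ("{0}: OK [{1}]" -f $role, ($holders -join ', '))
        }
    }
    return $ready
}

# Dry run against a constructed list (hypothetical accounts, not real ones),
# built with only one Security Administrator so that it trips the check.
$constructed = @(
    [pscustomobject]@{ Name = 'LAB\bkp-admin1'; Role = 'Veeam Backup Administrator' },
    [pscustomobject]@{ Name = 'LAB\bkp-admin2'; Role = 'Veeam Backup Administrator' },
    [pscustomobject]@{ Name = 'LAB\sec-admin1'; Role = 'Veeam Security Administrator' }
)
Test-FourEyesReadiness -Assignments $constructed

# Live run: stop here if the server is not ready, then enable the feature from
# the console (Users and Roles > Authorization) as described above.
if (-not (Test-FourEyesReadiness -Assignments (Get-VBRUserRoleAssignment))) {
    throw 'Do not enable Four-Eyes Authorization yet: add a second holder for each role first.'
}
```

One caveat: a role assigned to an Active Directory group shows up as a single assignment here even if the group contains many accounts, so either assign the approver roles to individual accounts or expand the groups before counting. Remember also that once the feature is on, turning it off again is itself a sensitive operation and will need a second approval.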
- Deletion of backup files or snapshots from disk or configuration database.
- Removal of backup repositories and storage from the infrastructure.
- Adding, modifying, or deleting users or user groups.
- Enabling/disabling Multi-Factor Authentication (MFA) for all users or groups.
- Resetting MFA for a specific user.
- Changing automatic logoff settings for users or groups.
- Operations on Veeam Cloud Connect, such as removing cloud repositories or imported backups.
I've come up with a few examples to show why a request needs to be approved by a security administrator, in order to reduce the risk of irreversible data loss:
- An administrator accidentally deleting a backup file.
- Someone trying to disable MFA for Veeam users.
- Any change to user privileges, which must be confirmed by a second administrator, preventing unauthorized privilege escalation.
- Removing a backup repository.
Let's have a look at some screenshots, assuming an administrator attempts to delete one or more backup files.
You then get a message stating that the operation needs approval.
Click Yes to submit the request; you can then check it in the Pending Approval menu.
Right-click on the event to see the request details.
Now let's see what happens on the Security Administrator side, with the VBR console open. Pending Approvals shows the event. The Security Admin can approve or reject the request after checking the documentation provided by the referral.
Clicking Approve brings up a popup to confirm your choice.
More information is available by clicking Show Requests.
Confirm with Yes and the deletion process starts.
At the end of the process you can see the result.
My final thoughts
The Four-Eyes Authorization feature in Veeam Backup & Replication is simple but powerful. It adds an extra layer of security by giving you more control over critical operations, and it helps companies reduce the risks related to insider threats and human error. It is not a magic solution, but combined with other security best practices and a correct, detailed internal workflow, it gives you a stronger and more reliable backup infrastructure. If you "waste" your time implementing and testing this feature, you'll see a big improvement in your data protection strategy and demonstrate your commitment to cyber resilience.
Sources
- Veeam Help Center – Four-Eyes Authorization
- Our lab
That's the end of the Four-Eyes Authorization section. The next article will cover malware detection.