What is immutability?
A backup is "immutable" when it cannot be changed or deleted. Typically an immutable backup can only be deleted once a set retention period has expired; during that period the backup data cannot be modified or removed, so its original integrity stays intact.
Why is immutability important?
Immutability adds an extra layer of protection to your backups: even after a data loss incident, the backup copy remains intact and unaltered, so you have a trustworthy point to restore from.
Immutability can help in situations like:
- Accidental deletion of production data
- Corrupted or compromised production data
- Malicious insider activity
- An attacker modifying the retention policy or attempting to delete backups
What are the Options for Immutability?
There are a number of options for immutability with Veeam:
Immutable on-premises storage:
- Veeam Hardened Repository: a disk-based Linux storage server. Server hardware can come from vendors such as HPE, Cisco, Dell or Lenovo (Veeam Ready vendors), and the repository takes advantage of Veeam's deduplication, compression and XFS block cloning (Fast Clone) as well as immutability.
- On-premises S3-compatible object storage with Object Lock immutability, combined with Veeam's deduplication and compression. Vendors include ObjectFirst, Cloudian, Scality, IBM, Minio, Hitachi, SpectraLogic Black Pearl, etc.
- Deduplication appliances: disk-based targets with their own built-in deduplication and compression. Veeam and HPE StoreOnce have a specific integration for ISV-controlled data immutability (ISV-DI), which requires dual authorization to be enabled on the appliance. Others, such as Exagrid, Quantum and Infinidat, rely on time-based retention locks or secure snapshot technologies for immutability.
- Pure Storage FlashBlade//S is another on-premises S3-compatible target that uses Object Lock immutability plus SafeMode Retention Lock as an added layer against insider threats or compromised administrator credentials.
Immutable cloud-based options:
- Veeam's own Veeam Data Cloud Vault: a fully managed, secure cloud storage service on Azure that keeps your data on zero-trust storage that is always immutable and logically air-gapped from production.
- Public cloud providers: Amazon S3 provides immutability through S3 Object Lock on a bucket, and Microsoft Azure through immutable storage policies on a blob container. Immutability can be extended long term through archive tiers, moving data to Amazon S3 Glacier or Microsoft Azure Archive respectively.
- Other cloud providers, such as Wasabi, offer offsite storage with S3-compatible Object Lock.
- Ecosystem providers, including IBM and Veeam Cloud & Service Providers (VCSPs), provide immutability on the backend. They can also serve as a DR site, replicating the most critical workloads to achieve low RTOs.
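As an added example (not Veeam's or AWS's own code), the following bash script shows the Amazon S3 side of the public-cloud option above: it creates a bucket with Object Lock enabled, blocks public access, and verifies that Object Lock and versioning are both on. The bucket name and region are assumptions; the script uses the AWS CLI and needs credentials with s3:CreateBucket and related permissions. The verification also flags a bucket-wide default retention rule in Governance mode, because a principal holding s3:BypassGovernanceRetention can still delete versions locked in that mode. Veeam sets per-object retention itself, so the script configures no default rule.

```shell
#!/usr/bin/env bash
# Added example, not Veeam's or AWS's code. Creates and verifies an Amazon S3
# bucket suitable as an immutable Veeam repository: Object Lock enabled at
# creation (which also turns on versioning) and public access blocked.
# Bucket name and region are assumptions supplied by the caller.

create_locked_bucket() {
    local bucket="$1" region="$2"
    # Note: for us-east-1 omit --create-bucket-configuration entirely.
    aws s3api create-bucket --bucket "$bucket" --region "$region" \
        --create-bucket-configuration LocationConstraint="$region" \
        --object-lock-enabled-for-bucket
    aws s3api put-public-access-block --bucket "$bucket" \
        --public-access-block-configuration \
        BlockPublicAcls=true,IgnorePublicAcls=true,BlockPublicPolicy=true,RestrictPublicBuckets=true
}

# Pure decision used by verify_bucket: Object Lock and versioning must both be
# "Enabled"; a Governance-mode default retention rule is rejected because it
# can be bypassed with s3:BypassGovernanceRetention. "None" (no default rule)
# or COMPLIANCE are accepted.
lock_state_ok() {
    local lock="$1" versioning="$2" default_mode="$3"
    [ "$lock" = "Enabled" ] && [ "$versioning" = "Enabled" ] && [ "$default_mode" != "GOVERNANCE" ]
}

verify_bucket() {
    local bucket="$1"
    local lock versioning mode
    lock=$(aws s3api get-object-lock-configuration --bucket "$bucket" \
           --query 'ObjectLockConfiguration.ObjectLockEnabled' --output text 2>/dev/null)
    versioning=$(aws s3api get-bucket-versioning --bucket "$bucket" \
           --query 'Status' --output text)
    mode=$(aws s3api get-object-lock-configuration --bucket "$bucket" \
           --query 'ObjectLockConfiguration.Rule.DefaultRetention.Mode' --output text 2>/dev/null)
    if lock_state_ok "$lock" "$versioning" "$mode"; then
        echo "$bucket: Object Lock and versioning enabled, no Governance default rule"
    else
        echo "$bucket: NOT suitable (lock=$lock versioning=$versioning default=$mode)" >&2
        return 1
    fi
}

# Usage: ./s3_lock.sh create my-veeam-bucket eu-west-1   or   ./s3_lock.sh verify my-veeam-bucket
case "${1:-}" in
    create) create_locked_bucket "$2" "$3" && verify_bucket "$2" ;;
    verify) verify_bucket "$2" ;;
esac
```

Run the verify step before pointing a Veeam object storage repository at the bucket; if Object Lock was not enabled at creation, Veeam cannot make the objects immutable afterwards.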
Focusing on Hardened Repositories
A hardened repository is a Linux repository that supports the following two key features:
- Immutability: when you add a hardened repository, you specify the time period during which backup files must remain immutable. During this period, backup files stored in this repository cannot be moved, modified or deleted, but they can be copied.
- Single-use credentials: credentials that are used only once, to deploy the Veeam Data Mover (transport service) while adding the Linux server to the backup infrastructure. They are not stored in the backup infrastructure, so even if the Veeam Backup & Replication server is compromised, an attacker cannot retrieve them and use them to connect to the hardened repository.
Why are hardened repositories useful?
They protect backup data from malware and ransomware incidents.
What does a hardened repository do?
It denies deletion and modification of backups for the immutability period. It is designed against external threats (ransomware, a compromised backup server), not against a malicious insider who already has root or physical access to the repository host.
How do they work?
They use the Linux immutable file attribute (the +i flag that chattr sets and lsattr shows) on the backup files, together with a non-root, single-use account for deployment, so the backup server never holds credentials that could clear the flag.
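As an added example (not Veeam's own code), the following bash script shows the mechanism described in the answer above: it sets the Linux immutable attribute on a file with chattr +i, shows that even root cannot delete or truncate it until the flag is cleared, and audits a repository path for backup files that are missing the flag. The repository path, the backup file extensions (.vbk, .vib, .vbm) and the use of the e2fsprogs chattr/lsattr tools on an XFS or ext4 filesystem are assumptions; the sample lsattr lines in the comments are constructed.

```shell
#!/usr/bin/env bash
# Added example, not Veeam's code. Demonstrates the Linux immutable attribute
# that a hardened repository relies on and audits a repository path for
# backup files that have lost it. Assumes ext4/XFS and the e2fsprogs tools
# (chattr, lsattr); setting or clearing +i requires root (CAP_LINUX_IMMUTABLE).

# Read lsattr output on stdin and print the paths that do NOT carry the 'i'
# (immutable) flag. lsattr prints "<flags> <path>", e.g. (constructed lines):
#   ----i---------e------- /backups/Job1/Job1.vbk      -> protected, skipped
#   --------------e------- /backups/Job1/Job1.vib      -> printed
unprotected_from_lsattr() {
    awk '{
        flags = $1
        sub(/^[^ ]+ /, "")        # drop the flag column, keep the full path
        if (flags !~ /i/) print   # lowercase i is only ever the immutable flag
    }'
}

# Audit a repository directory with the real lsattr. The extensions (.vbk full,
# .vib incremental, .vbm metadata) are assumed; adjust for your job layout.
audit_repo() {
    local repo="$1"
    find "$repo" -type f \( -name '*.vbk' -o -name '*.vib' -o -name '*.vbm' \) -print0 \
        | xargs -0 -r lsattr 2>/dev/null | unprotected_from_lsattr
}

# Demonstrate the protection on one file: set +i, then show that rm and
# truncation fail even as root, and only succeed again after chattr -i.
demo_immutable() {
    local f="$1"
    chattr +i "$f" || { echo "chattr +i failed (need root and an ext4/XFS path)"; return 1; }
    lsattr "$f"
    rm -f "$f" 2>/dev/null && echo "BUG: rm succeeded" || echo "rm refused while +i is set"
    ( : > "$f" ) 2>/dev/null && echo "BUG: truncate succeeded" || echo "truncate refused while +i is set"
    chattr -i "$f"   # the flag, not ownership or mode bits, is what blocks the write
}

# Usage: ./immutable_check.sh audit /backups   or   ./immutable_check.sh demo /backups/test.vbk
case "${1:-}" in
    audit) audit_repo "$2" ;;
    demo)  demo_immutable "$2" ;;
esac
```

The audit prints nothing when every backup file is still immutable; any path it does print is a file an attacker (or a misconfiguration) could remove, and is worth investigating before the next restore is needed.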
DISA STIG Compliance
The Linux operating system, when employed as a hardened repository, must adhere to the security guidelines outlined by the Defense Information Systems Agency (DISA) for each specific operating system.
The Defense Information Systems Agency (DISA) developed Security Technical Implementation Guides (STIGs) to serve as configuration standards for security purposes. These guides are designed to maintain the highest possible security standards for both device hardware and software, protecting the Department of Defense's (DoD) IT networks and systems from potential threats.
Hundreds of STIGs exist, each one meticulously crafted for a particular software application, router, operating system, or piece of hardware, demonstrating the extensive reach of these security guidelines. By securing the settings of IT systems, organizations can reduce weaknesses and minimize the likelihood of cyberattacks.
Veeam Hardened Repository ISO
The Veeam Hardened Repository ISO is a dedicated installation image that ensures the correct deployment of a Veeam Hardened Repository, incorporating Veeam's best practices and implementing full hardening measures for optimal security.
The installer requires you to define certain settings, but most of the configuration is predetermined, producing a DISA STIG-hardened repository once the guided installation completes.
Veeam Hardened Repository ISO offers these advantages:
- The biggest benefit is that the system is already hardened by the customized installer, so you don't have to make further customizations or run any hardening scripts yourself.
- The system does not have a root user.