Customer don't want encryption enabled


Userlevel 7
Badge +6

Good morning Community!

I’ve a question to you folks, based on a true story.

Do you often have not enterpries customers that ask you to NOT enable backups encryption to avoid having to manage “keys” in case of recovery need?

And if so, how do you handle it at the security level?

Having them not encrypted need to make backup repositories super strong and access notifications enabled.

But. Other than that?

Do you guys have any other tips to share?


17 comments

Userlevel 7
Badge +8

When I was an MSP we had a hosted password vault, MFA protected that we could grant delegated customer access to their own customer section for all or specific passwords, so we’d generate the password and save in our vault, grant “trusted” staff the access to the password (either permanently or, more preferably, on demand), could grant view only or edit, it had full change log including password history so we could get all previous password iterations.

 

With the risk of password loss mitigated (we had additional data protection mechanisms in place on our side to protect against password loss via offline air-gapped backups), customers would then only not want encryption enabled when it would be something such as a dedupe appliance which, for non-enterprise at least, disappeared in demand along side the rise in object storage & our Veeam Cloud Connect offering.

Userlevel 7
Badge +6

Wow, that’s a new one! I’ve seen some be too precious on storage efficiency (like deduplication) to implement encryption but that was for on-prem copies only.

Userlevel 7
Badge +7

When I was an MSP we had a hosted password vault, MFA protected that we could grant delegated customer access to their own customer section for all or specific passwords, so we’d generate the password and save in our vault, grant “trusted” staff the access to the password (either permanently or, more preferably, on demand), could grant view only or edit, it had full change log including password history so we could get all previous password iterations.

 

With the risk of password loss mitigated (we had additional data protection mechanisms in place on our side to protect against password loss via offline air-gapped backups), customers would then only not want encryption enabled when it would be something such as a dedupe appliance which, for non-enterprise at least, disappeared in demand along side the rise in object storage & our Veeam Cloud Connect offering.

What application did you use? Sounds interesting for almost every MSP 😎

Userlevel 7
Badge +6

I’ve also sometimes heared this argument when suggesting to encrypt tapes. Customers are afraid that in case of a DR they’ll either fail to provide the key or that they decryption might not work. That’s the reason why I install Enterprise Manager to create a key recovery key, which will be exported and stored at a safe place. Just like with every other key/password I recommend to keep them outside of the production IT infrastructure, so that they will be available when everything else is offline.

Userlevel 7
Badge +8

We have encryption on storage turned on but when it comes to VCC clients most of them use encryption passwords for backups and we preach this to them too.  They manage the password as we never have it and if needed we do a screen share for them to type it in same with credentials for backups.

Userlevel 7
Badge +3

I think the worry can be split between 3 things.

  1. What happens if we lose the password, or password manager in a ransomware attacok.

I worked for a place that was 100% on prem, on prem backups, passwords, (there was a second DR site) with huge worry that the PW manager would also get encrypted stored on a file server, or a malicious it user etc. 1password solves a lot of that. 

  1.  Performance.

On older systems encrypting used to cause a pretty decent performance hit. Now things like encryption at rest on the SAN, or encrypting tape jobs is very minimal.  

  1. Dedupe

Systems that have dedupe won’t work very well with encrypted data.

 

This is one of those “it depends” things for me.  The first thing i ask is SHOULD the data be encrypted, or does it NEED it? Just clicking encrypt everything because you are paranoid isn’t always the best idea. It might cost you a fair bit too. On the other end, is there personal data or classified information being backed up? Even if you AirGap it, someone could steal those tapes and import them. 

 

I have a few jobs with multiple copies, air gapped, and in a VERY secure location. The data isn’t sensitive for these jobs and I leave encryption off. Others are encrypted on the SAN and Tapes due to the information they store. 

 

Userlevel 7
Badge +8

I think the worry can be split between 3 things.

  1. What happens if we lose the password, or password manager in a ransomware attacok.

I worked for a place that was 100% on prem, on prem backups, passwords, (there was a second DR site) with huge worry that the PW manager would also get encrypted stored on a file server, or a malicious it user etc. 1password solves a lot of that. 

  1.  Performance.

On older systems encrypting used to cause a pretty decent performance hit. Now things like encryption at rest on the SAN, or encrypting tape jobs is very minimal.  

  1. Dedupe

Systems that have dedupe won’t work very well with encrypted data.

 

This is one of those “it depends” things for me.  The first thing i ask is SHOULD the data be encrypted, or does it NEED it? Just clicking encrypt everything because you are paranoid isn’t always the best idea. It might cost you a fair bit too. On the other end, is there personal data or classified information being backed up? Even if you AirGap it, someone could steal those tapes and import them. 

 

I have a few jobs with multiple copies, air gapped, and in a VERY secure location. The data isn’t sensitive for these jobs and I leave encryption off. Others are encrypted on the SAN and Tapes due to the information they store. 

 

Some really great points Scott.  Especially the question about “is it required” should always be answered and what you are trying to achieve with it.  Not a just because scenario.  Great points here too.

Userlevel 7
Badge +3

I think the worry can be split between 3 things.

  1. What happens if we lose the password, or password manager in a ransomware attacok.

I worked for a place that was 100% on prem, on prem backups, passwords, (there was a second DR site) with huge worry that the PW manager would also get encrypted stored on a file server, or a malicious it user etc. 1password solves a lot of that. 

  1.  Performance.

On older systems encrypting used to cause a pretty decent performance hit. Now things like encryption at rest on the SAN, or encrypting tape jobs is very minimal.  

  1. Dedupe

Systems that have dedupe won’t work very well with encrypted data.

 

This is one of those “it depends” things for me.  The first thing i ask is SHOULD the data be encrypted, or does it NEED it? Just clicking encrypt everything because you are paranoid isn’t always the best idea. It might cost you a fair bit too. On the other end, is there personal data or classified information being backed up? Even if you AirGap it, someone could steal those tapes and import them. 

 

I have a few jobs with multiple copies, air gapped, and in a VERY secure location. The data isn’t sensitive for these jobs and I leave encryption off. Others are encrypted on the SAN and Tapes due to the information they store. 

 

Some really great points Scott.  Especially the question about “is it required” should always be answered and what you are trying to achieve with it.  Not a just because scenario.  Great points here too.

You bet. I can create a VM with 32 vCPU and 512GB of memory, but “Is it required?” should be answered for everything in IT.

 

Is it required should be considered with is it wanted/desired though, because sometimes I want a fancy tool to monitor my infrastructure. It may not be “Required” to make things run, but it will keep the lights on preventatively solve issues. 

 

 

Userlevel 7
Badge +6

That's amazing, so many interesting food for thought.

@MicoolPaul  the software you mention could be really interesting! As @JMeixner  i'd like to know that software name (if possible).
@regnor  yes, Enterprise Manager could be a solution, but it need some resources that SMEs choose to not set for that.
@Chris.Childerhose  with encryption on storage don't you protect only cold access to storage? Once it's mounted and decrypted, doesn't backups file become readable even without encryption key?
@Scott what you say is totally true, especially performance and dedupe scenarios.

Userlevel 7
Badge +8

That's amazing, so many interesting food for thought.

@MicoolPaul  the software you mention could be really interesting! As @JMeixner  i'd like to know that software name (if possible).
@regnor  yes, Enterprise Manager could be a solution, but it need some resources that SMEs choose to not set for that.
@Chris.Childerhose  with encryption on storage don't you protect only cold access to storage? Once it's mounted and decrypted, doesn't backups file become readable even without encryption key?
@Scott what you say it's totally true, especially performance and dedupe scenarios.

Yes the encryption at rest ensures protection of the data when it sits on the storage array not in flight, etc.  You still need to ensure all the other paths and scenarios are covered.  Most of our clients use encryption but it is them that manages the passwords as it is a Security issue for us to retain them as that gives us access to their environment if we wanted to so we have them type those for us and never manage them ourselves.

We also use KMIP servers to encrypt other things with backup like tape and plan to implement more MFA as well including when v12 comes out for console. 😎

Userlevel 7
Badge +6

[..] and plan to implement more MFA as well including when v12 comes out for console. 😎

I’m really looking forward about MFA 😎 hopefully it'll be compatible to most third party MFA device solutions.

Userlevel 7
Badge +8

When I was an MSP we had a hosted password vault, MFA protected that we could grant delegated customer access to their own customer section for all or specific passwords, so we’d generate the password and save in our vault, grant “trusted” staff the access to the password (either permanently or, more preferably, on demand), could grant view only or edit, it had full change log including password history so we could get all previous password iterations.

 

With the risk of password loss mitigated (we had additional data protection mechanisms in place on our side to protect against password loss via offline air-gapped backups), customers would then only not want encryption enabled when it would be something such as a dedupe appliance which, for non-enterprise at least, disappeared in demand along side the rise in object storage & our Veeam Cloud Connect offering.

What application did you use? Sounds interesting for almost every MSP 😎

@JMeixner, @marcofabbri  We used ITGlue, which unfortunately is now owned by Kaseya, which might put some people off with their love of sneaky contract changes… It’s a SaaS platform with a web front-end.

 

They had the “MyGlue” feature for end-user/customers, and ITGlue itself for the documentation side of things, it was handy to be able to store customer details in there as well in general, DR plans etc, helped streamline a lot of processes.

Userlevel 7
Badge +6

Thanks @MicoolPaul, never heard of it and in fact there’s no partner atm in Europe. So strange!

https://www.itglue.com/

Userlevel 7
Badge +8

Thanks @MicoolPaul, never heard of it and in fact there’s no partner atm in Europe. So strange!

https://www.itglue.com/

If you request a demo, they’ll find one 😉

Userlevel 7
Badge +6

Thanks @MicoolPaul, never heard of it and in fact there’s no partner atm in Europe. So strange!

https://www.itglue.com/

If you request a demo, they’ll find one 😉

Haha that’s for sure! :)

Userlevel 7
Badge +2

When I was an MSP we had a hosted password vault, MFA protected that we could grant delegated customer access to their own customer section for all or specific passwords, so we’d generate the password and save in our vault, grant “trusted” staff the access to the password (either permanently or, more preferably, on demand), could grant view only or edit, it had full change log including password history so we could get all previous password iterations.

 

We do something like this as well as a MSP.  We store passwords stored in IT Glue including encryption keys, Object storage secrets, etc.  Some of our clients have “My Glue” access so that they can view and possibly make edits to things, but mostly, we manage and maintain it, so they don’t have to.  

Also, if you happen to need a documentation tool, IT Glue works great, but they development lifecycle is REALLY slow (some requests for seemingly basic items have been waiting for literal years), and they are now owned by Kaseya.  I’d recommend looking at Hudu as well and comparing the two.  If I had a do-over, I’d probably be looking VERY heavily at Hudu, but being that ITG is now part of Kaseya, I believe we’re also contract locked in at the moment.

https://www.hudu.com/

 

 

Userlevel 7
Badge +2

[..] and plan to implement more MFA as well including when v12 comes out for console. 😎

I’m really looking forward about MFA 😎 hopefully it'll be compatible to most third party MFA device solutions.

 

And software solutions.  This is one thing I do like about ITG, and I think Hudu may have as well...it can act as a virtual MFA device.  This is great for shared accounts.  Just feed the secret key into your password manager and it’ll generate the OTP’s for MFA logins.  I initially had an issue with setting up MFA in Wasabi with IT Glue because Wasabi generates a Base64 secret instead of Base32.  That said, You can find decrypter tools that will decrypt Base64 to 32 and then feed that into Glue.  However, last time I tried, Glue accepted the Base64 secret, so that step my no longer be needed.

Comment