Introduction
Hi guys,
This article is based on a request from one of our customers who asked us to conduct a study on the use of immutability with StoreOnce and related legal aspects. In addition, the request was to delve into the workflow of dual authorization.
BUT first of all I would like to thanks
@regnor to permit me to re-use parts or screenshots from his StoreOnce posts - Part1 - Part2 and Part3
Transitioning from technician to architect roles in your career brings new considerations.
In operational work, you simply follow instructions, but as an architect, you must be able to design and justify the necessary operations.
This use case explains the use of StoreOnce with Veeam and its built-in immutability feature, with a focus on the legal aspects and audits that companies are subject to.
What is a cybersecurity audit?
An IT Security Audit is a systematic analysis of an organization's security system.
Its primary objective is to verify the effectiveness of security controls, policies, and procedures in place. The audit uses a checklist to validate the operation of these controls and provide concrete data on the company's security posture to its administration, suppliers, and customers.
Cybersecurity audits are critical for preventing and mitigating cyber attacks. Security testing identifies weaknesses in protection systems and fills gaps to make them unassailable by malicious attackers.
A security audit is a thorough evaluation of your organization's information system. It measures the system's security against industry best practices, established standards, or federal regulations.
The audit evaluates information system components and the hosting environment.
The text discusses applications, software, and security patches developed by system administrators, as well as internal and external network vulnerabilities, and corporate personnel's methods of collecting, sharing, and storing sensitive information.
VEEAM + STOREONCE BACKUP INFRASTRUCTURE PROJECT - GENERAL SCOPE
The customer's plan is to use Veeam as the data backup platform and HPE StoreOnce 5260 as the repository containing the backups.
At this stage the current HLD is as shown in the image below.
So let's go over all the requirements for the box.
The requirement is to use HPE's Dual Authorization associated immutable backups. This makes it necessary to examine all aspects related to them and in particular:
- Security concepts in StoreOnce
- Immutable backups with Veeam v12 and StoreOnce
- Technical aspects of immutable backups
- Legal aspects of immutable backups (inability to delete data in case of contract change or early termination, etc etc)
- Best practices on the Dual Authorization process
- Organization of operational flows for Dual Authorization.
For each of these points we will go on to list possible interactions between Veeam and Storeonce as well as touch on specific points related to non-technical issues.
SECURITY CONCEPTS IN STOREONCE
HPE StoreOnce has multiple advanced protection mechanisms to prevent data from being encrypted, altered or deleted by a cyber or ransomware attack. Through the use of the data communication protocol called Catalyst, it is also possible to transfer data to HPE StoreOnce using additional features such as deduplication, replication and immutability.
In the logic of backup activities, one of the key aspects regarding data resilience is the data immutability component.
But what is data immutability? On HPE StoreOnce, the Catalyst protocol provides the following capabilities for data immutability:
- Provides a layer of protection against malicious attacks.
- Prevents modification of Catalyst objects.
- Prevents backups from being deleted before the immutable retention period.
Immutable data is data that cannot be modified or deleted by any client application, backup administrators or malicious attackers who have access to the data. An immutable backup object cannot be deleted or altered until the immutable timestamp expires.
StoreOnce adopts an additional security feature with the aim of strengthening security robustness and minimizing unwanted deletions called "compliance." Thanks to it, in fact, the "dual authorization" mechanism is activated, which makes it impossible for any storage administrator to delete volumes of immutable data without there being an authorization from an additional figure called "Security Officer."
The last aspect to consider as a security focus point is that HPE never reveals the StoreOnce root account to the end user. In addition to credentials, HPE does not provide shell access. This prevents any user from using any known or unknown vulnerabilities in the shell to increase their privileges.
These features require StoreOnce firmware version 4.3.2 or later.
IMMUTABLE BACKUP WITH VEEAM 12 AND STOREONCE
What has been described in the previous paragraph opens up the necessary considerations for integration between Veeam Backup & Replication V12 and StoreOnce. Veeam v12 introduced full support for immutable backups to StoreOnce using Store Catalysts with the ISV (Independent Software Vendor) controlled data immutability feature enabled.
The starting concept is to follow the classic 3-2-1 rule for one's data protection. In fact, the rule is the safest route to take to try to avoid ransomware attacks or otherwise ensure that you can recover your data through an excellent data protection strategy.
Rule 3-2-1 specifies that it would be necessary to have:
3 = at least three copies of the data, the primary data and two copies;
2 = store copies on two different types of different storage;
1 = keep one backup copy off-site, on tape or in the cloud.
Today, with the increasing prevalence of ransomware and other advanced attacks, the 3-2-1 rule has morphed into 3-2-1-1-0
1 = that a copy is immutable or air-gapped
0 = that backups are truly usable through automated verification testing.
This leads us to take into consideration the data protection offered by StoreOnce.
The Catalyst protocol offers increased performance and optimization for the workload performed by Veeam, it also ensures full use of advanced built-in features such as source-side deduplication and immutability.
Catalyst stores, used as repositories for our backups, must be set in compliance mode. This allows us to isolate and protect data from ransomware attacks through a role-based access control method using Dual Authorization that effectively restricts the modification and deletion of immutable files even by StoreOnce administrators without approval of the Security Officer role.
TECHNICAL ASPECTS OF IMMUTABLE BACKUPS
How it works?
When you create an immutable backup, you put a real lock on the data. This lock blocks any attempt to modify or delete the data, either intentionally or accidentally, for a certain period of time specified when the backup is created. Immutable data is covered by WORM protection, which means "Write Once, Read Many" meaning that it is written once (but not rewritten under any circumstances) and can be read an infinite number of times.
After the set period has elapsed, the lock expires and the backup is no longer immutable.
WHY USE IMMUTABLE BACKUPS?
One reason people are increasingly opting for immutable backups is related to the increasing frequency of ransomware attacks. These attacks encrypt corporate data or systems and then demand a ransom to return them. More effective ransomware can also damage, encrypt or delete backups. Immutability makes the ransomware attack less dangerous. Immutability alone is not the panacea for all evils as no defense is 100 percent effective, but it is still an active part of a data resilience strengthening strategy.
It also secures against human error. The "lock" of immutability prevents accidental deletion and subsequent loss of data, even by those who might have the necessary permissions to access the protected information.
We report a table with advantages and disadvantages of immutable backups.
Benefits | Disadvantages |
They protect data from hardware malfunction, ransomware, malware, viruses and so on | Substantial initial investment and ongoing maintenance expenses. |
They make it more difficult to lose data due to hardware malfunction or human error | Immutable data may be retained for longer than expected and result in increased costs. |
They provide better prevention from threats from internal or external malicious users | Immutability does not protect against physical failure of storage media, such as hard drives or tapes, which may be damaged or lost. |
They prevent unauthorized modification of data | Integration and management of immutable backups often require specialized skills and resources |
They allow files to be restored quickly and safely after an attack or natural disaster | To perform tasks on immutable backups, IT staff must work in conjunction with storage media. |
They preserve data for legal or compliance purposes | Without frequent testing you may only discover the corrupted data when restoring immutable data. |
They secure the backup chain by securing backup data. | Immutable backups could be exposed to Trojan-based ransomware or sleeper attacks. |
SECURING IMMUTABLE BACKUPS
Immutable backups play a crucial role in security strategy, but they are not enough on their own. They must be combined with other defensive tools. A reasoned approach to data backup and recovery must include at least some of the following features (those found in VEEAM and StoreOnce in parentheses):
- Encryption of backups (Veeam encrypted backups)
- Verification of backups with periodic testing and updates (Veeam SureBackup)
- Role-based access control to limit unauthorized access (Veeam "Least Privilege Model" + StoreOnce "Users and roles")
- Zero-Trust model that provides strict verification of user identity (Veeam "Four Eyes authentication" + StoreOnce "Dual Authorization")
- Multi-factor authentication (VEEAM + StoreOnce: MFA)
- Automated alerts and mitigation measures when an attack or threat is detected (Veeam: Inline scanning, secure restore, Veeam One Threath Centre)
The pairing Veeam Backup & replication V12 + StoreOnce covers all these needs.
AIR-GAPPED OR IMMUTABLE BACKUPS: WHAT IS THE DIFFERENCE?
A further consideration when talking about resilience is related to network isolation. Air-gapping is a technique that consists to isolate the server or other storage media from the network. The storage device is consequently physically isolated and protected from malware, viruses or ransomware that can leak into network-connected systems.
Air-gapped devices are not necessarily the same as those for immutable backups, although they share the same purposes.
Isolating a storage device may represent a form of immutability because no one can access to the system via the network and change the stored data. In reality, the data are not really immutable. In fact, even if not directly connected to the network, a malicious user could still physically access the server and delete the backup data.
While air-gapping prevents remote access to data, immutability more effectively secures it by preventing anyone from modification or deletion, regardless of where it is stored and who can access it.
Thus, the application of both capabilities would achieve greater security.
LEGAL ISSUES OF IMMUTABLE BACKUPS
After having exposed the technical aspects related to immutable backups, we now go on to explain all those legal issues related to keeping immutable backups.
We start with the assumption that immutable backups can prove valuable when you are required to keep multiple copies of data ensuring compliance with regulatory requirements and avoiding regulatory sanctions and harms to corporate reputation.
In certain industries such as finance or health care, which require strict data retention policies, immutable storage ensures that data remains intact for the required period, facilitating regulatory compliance.
Companies are subject to regulation by States and the European Union Commission. There are two specific regulations at the European level:
- GDPR (General Data Protection Regulation) is a European regulation that governs how companies and other organizations process personal data.
- NIS 2 (Network and Information Security v2) is a European Directive passed in 2016 that requires, for all states that are part of the Union, to adopt certain common and strategic measures to secure networks and IT systems.
GDPR and the NIS Directive have the same goal, which is that companies take appropriate and technical measures to guarantee a high level of safety.
The NIS Directive 2 complements the various European regulations and guidelines on data protection and privacy. Its main goal is to strengthen cybersecurity measures especially in those critical sectors that could seriously compromise entire nations such as energy, transports and financial services.
Let's look more specifically two important points:
- traceability and auditing
- portability of data
Traceability and auditing
The GDPR in Art. 32 regarding data processing security generically describes "the use of appropriate technical and organizational measures to ensure a level of security appropriate to the risk" including
- the ability to promptly restore the availability and access of personal data in the event of a physical or technical incident;
- a procedure to regularly test, verify and evaluate the effectiveness of technical and organizational measures to ensure the security of processing.
With these specifications, the GDPR requires companies to be able to demonstrate compliance of backup data through accurate and traceable records. With immutability, it is possible to provide an unalterable backup chain of data versions, thus having easier exposure during audit procedures and consequently ensuring that backups have not been altered.Dove il GDPR indica cosa si deve fare la direttiva NIS2 specifica come si deve fare la protezione dei dati di backup.
In more detail, it indicates some measures to be taken into consideration that can be listed below
- Risk analysis and IT system security policies;
- incident management procedures;
- business continuity strategy and contingency plans;
- backup management and disaster event recovery;
- contingency plan drills; testing of networks and IT systems;
- best practices usage and security training for staff;
- use multi-factor authentication or continuous authentication solutions; secure voice, video, and text communications; and secure emergency communications systems by the individual internally, as appropriate.
DATA REGULATIONS AND DATA PORTABILITY
The data portability regulation are also governed by the GDPR, the data portability requirements allow people to reuse their data even through different services than the initial ones. In fact, Article 20 of the GDPR proposes the "Right to data portability" through automated means, where possible directly between providers.
This claim allows users to move, copy, and transfer easily and securely their personal information from one provider to another without compromising its functionality.
It’s all for now.
I will discuss the technical specifications for HPE StoreOnce, the dual authorization flow functionality in the next post.