Solved

Veeam and IBM FlashSystem - least privilege


Hello,

I have added IBM FlashSystem to Veeam as Spectrum Virtualize, and the superuser account (the most powerful account on FlashSystem) is used for access.

Question: does somebody know if it is possible to create a least-privilege account on FlashSystem? If yes, which role should this account have?

Thanks

3 comments

Userlevel 7
Badge +19

Hi @tedew -

I was able to find documentation for various user roles online. Go to the documentation of IBM FlashSystem Spectrum Virtualize to review system roles from the link below:

https://www.ibm.com/docs/en/spectrumvirtualsoftw/8.3.x?topic=overview-user-roles

I don’t use this type of storage, so I can’t answer for sure what you need to use with Veeam. I do see this system is supported:

https://helpcenter.veeam.com/docs/backup/vsphere/system_requirements.html?zoom_highlight=storage+integration&ver=120#ibm-flashsystem--formerly-spectrum-virtualize--includes-ibm-storwize-and-ibm-svc-

...but Veeam doesn’t provide the account privileges required; they don’t for any Storage System.

Userlevel 7
Badge +19

And to confirm Veeam doesn’t state what access to IBM to use, here are a couple other links to Veeam’s Storage Integration Guide regarding IBM storage:

Adding IBM: https://helpcenter.veeam.com/docs/backup/storage/ibm_add_launch.html?ver=120

IBM Limitations to be aware of: https://helpcenter.veeam.com/docs/backup/storage/storage_limitations_ibm.html?ver=120

Hope all the info shared helps.

Userlevel 7
Badge +8

Don’t use superuser.

Next, I assume you are adding the SAN for storage snapshots?

If so, create a new account on the SAN for Veeam. It might need Admin, as it is dealing with storage snapshots (if you are using those), creating and deleting volumes, etc.

Next, create strong passwords for the new Veeam account and make sure the SuperUser account has the password changed and is strong. Print those out and store them in a safe and not in a text file or password vault.

After speaking to some industry insiders, I know of a high-profile ransomware case recently where the bad actors went in and managed to SSH into the SAN for Veeam. They deleted all of the volumes and pool, then restarted the SAN.

Even if you have immutability turned on in Veeam, strong passwords, MFA, and more, it won’t protect from that.

Often the point of entrance is a phishing attempt or security vulnerability. If they gain access to your workstation, or that of someone who leaves a password manager open, you are no better off. Having printed-out copies of a password in a safe is the way to go as a break-glass account for the SAN SuperUser and Veeam account.

Don’t even add other accounts on that SAN, unless you are looking for a monitoring account for Storage Insights or some other type of monitoring system. Those are Read Only.