Has anyone ever used Myota to secure Veeam backups?

[kapple]

Hi,

We have been contacted by a company called Myota. This company provides a method to process backups to S3 Compatible block storage that are broken up into blocks across backup targets, and those blocks are encrypted. They call this Myota’s BucketZero Object Storage, and is used as ransomware protection. I won't go through what they promise in their marketing materials. However, they do market themselves as being a Veeam certified solution.

Any internet search of Veeam + Myota brings up a bunch of hits from Myota, and other resellers. However, I have yet to find any information about Myota from Veeam or the Veeam forums.

Has anyone used this company? If so, what are your impressions of Myota, and their solution?

I am inherently distrustful of 3rd party applications I have never heard about, and even more so when the company that they indicate they work with (Veeam), does not appear to mention them anywhere on their official platforms.

Any information about your experience with, and knowledge of Myota will be appreciated.

Thanks,
Ken

[sfirmes]

@kapple Veeam doesn't have a certification program. We do have our Validation program which is called Veeam Ready and Myota is not listed as a validated product with our software at this time.

Also we have our Unofficial Object Storage Compatibility list for Veeam Backup & Replication and they aren't listed there either.

While their product might work with Veeam, it hasn't been validated via the Veeam Ready Program.

Hope this helps.

[kapple]

Thank you Steve, this is good information to have.

[Gostev]

Did you understand how it provides a better protection of your data against ransomware vs. simply enabling backup encryption in Veeam from technical perspective? Can you share?

I do see added opportunity for data loss due to backups being spread across different backup targets, as the overall reliability is reduced proportionally to the number of backup targets (you need ALL of them to be able to restore, losing even one means losing everything). And also opportunities for data corruption due to much additional data processing (chunking data across backup targets and encrypting data outside Veeam).

But I don't really see any benefits... what am I missing?

[kapple]

Gostev,

The basic premise is that they "Shred and Spread" the backup data, and encrypt each chunk of data using a randomly generated encryption key. The encrypted chunks are then encoded into multiple immutable data 'shards.' These shards are encrypted versions of the file that are then stored across multiple storage nodes with double parity.

I am just familiarizing myself with what their service offers, but for now, this is my basic understanding of what their software does.

[Gostev]

Got it, thanks. Your explanation sounded way too familiar and I realized I heard recently about a virtually identical company called Calamu. Sharing just in case you want to check out someone more known.

Personally I see zero added value from such offerings comparing to just enabling regular backup encryption in Veeam and using an immutable storage. These offerings seem to be built for storing unencrypted production data like documents, there their value prop does make sense. While for backups which can be encrypted natively, in my opinion they add nothing but a bunch of unnecessary recovery risks.

[GabeGumbs]

Hello,

I am Gabriel Gumbs from Myota and I think I can help clarify some of this. We have not done a good job communicating our Veaam relationship so allow me to address our Veeam certified status. We are working our way through Veeam’s readiness process. Veeam introduced support for object storage in January 2018 with the release of v9.5 update 4, and since then Myota has been used as either object storage or file storage to secure our joint customers’ data - including their Veeam backups. Myota is used as a SOBR with Veeam (a backup repository), and with the introduction of Veeam 12 you can also go direct to Myota as an object storage target.

Since I’m already clarifying, let me spell out some other things we should do a better job communicating to the broader audience:

• Backup encryption keeps information confidential (so long as the keys are safe), but it does not prevent data from being re-encrypted which threatens the availability of that data. Confidentiality is crucial. But threats like ransomware don’t (only) attack that. Ransomware attacks availability. Myota’s Shred & Spread™ encryption method is not susceptible to availability attacks as the data is encrypted in shards, geographically dispersed, and uses a unidirectional gateway to air-gap the encrypted pieces. A confidential backup is no good if you lose access to it. That’s the added protection of Myota plus the existing encryption.

The suggestion was made to use regular encryption with an immutable storage. Myota is an immutable storage which ensures data remains unchanged once written. Myota also allows operations on that encrypted data without decrypting it – backup restoration can be performed without decryption. Things such as object lock and other governance controls meant to preserve the integrity of the data are great when used in combination with Myota’s homomorphic immutability, but by themselves, object locking is easily bypassed with Privilege Escalation attacks (https://attack.mitre.org/tactics/TA0111/) – a problem worsened when an organization uses a singular cloud root account. Again, that is all additional protection on top of what Veaam already provides.

• The same fault tolerance process used to ensure the availability of data (even in the loss of a backup target) is tasked with performing erasure coding and continuous integrity checks. This guarantees recovery in the event of a loss backup target. This is a design feature of Myota’s Spread and Shred™ which does not rely on needing all of the data from each backup target to restore. This fault tolerance is configurable by the customer to account for different risk tolerances – additional targets can be auto-provisioned to self-heal.

It's important to note that Myota's approach does not require modifications of metadata and file operations, except for collecting data from storage nodes. This makes it a flexible and scalable solution for implementing various backup and data protection strategies - this means less infrastructure (and the cost that goes with it) is needed.

One of the most significant advantages of Myota is its impact on real-time recovery. Traditional methods, with their rigid structures, can delay recovery processes. In contrast, innovations such as our homomorphic immutability, with its dynamic and selective defense mechanisms, ensures that essential operations continue unhindered, even during a ransomware attack. This means faster recovery times and minimal operational disruption.

At some point we’re going to get all this into some killer marketing material! For now, we’ve just been too focused on building cool tech, serving out common customers with Veaam, and protecting the world’s data.

GG-

[ober72]

I think the "privilege escalation" danger is a valid point. If someone gets access to your storage with root access then the immutability can be removed. I think this is why Veeam is now advising to abide by the Zero Trust framework. Immutability combined with Zero Trust. Here is a whitepaper that describes this in more details: https://www.veeam.com/whitepapers/zero- ... ief_wp.pdf