Maintain control of your Microsoft 365 data
mcz
Veeam Legend
Posts: 835
Liked: 172 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

encryption possible?

Post by mcz »

Hi guys,

I am missing the functionality to encrypt my office365 backup. Is this not part of the beta?
By the way: Will there be a full integration into veeam b & r when the product goes rtm?

Thank you!
russell01
Veeam ProPartner
Posts: 9
Liked: 1 time
Joined: Oct 28, 2016 1:46 pm
Contact:

Re: encryption possible?

Post by russell01 »

+1 for this - Encryption is a must have feature
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: encryption possible?

Post by Vitaliy S. »

What kind of integration are you searching for? Do you want to use backup repository encryption, backup copy jobs and built-in Explorer functionality?
mcz
Veeam Legend
Posts: 835
Liked: 172 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: encryption possible?

Post by mcz »

the backup itself should be encrypted and it would be nice to manage the whole office 365-thing from the common b & r console. But I would say encryption is a must have.
Vitaliy S.
VP, Product Management
Posts: 27055
Liked: 2710 times
Joined: Mar 30, 2009 9:13 am
Full Name: Vitaliy Safarov
Contact:

Re: encryption possible?

Post by Vitaliy S. »

Ok, thanks for sharing your ideas! When this product goes GA, there will be no integration with Veeam B&R, however based on the feedback we receive, it can be added in our next releases.
akz11
Novice
Posts: 4
Liked: never
Joined: Apr 06, 2017 1:07 pm
Contact:

Re: encryption possible?

Post by akz11 »

+1 for encryption at rest.
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: encryption possible?

Post by Mike Resseler »

Hi @akz11,

Encryption at rest is not included at this moment. The data is also stored in a running database of the type Jet Blue. Does bitlocker on the volume where you store your data a solution?
mcz
Veeam Legend
Posts: 835
Liked: 172 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: encryption possible?

Post by mcz »

Hi Mike,

any news? I know that it's not that easy to implement encryption with Jet Blue databases but you know, compliance and (data) security is a very important part, especially when you are using air-gapped-backups which are not on premises...
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: encryption possible?

Post by Mike Resseler »

Michael,

Not sure what you mean by this. If you use air-gapped-backups, does that mean you backup the VBO VM with VBR? In that case you can put encryption on the backup?
mcz
Veeam Legend
Posts: 835
Liked: 172 times
Joined: Jul 19, 2016 8:39 am
Full Name: Michael
Location: Rheintal, Austria
Contact:

Re: encryption possible?

Post by mcz »

Mike I mean we are copying repository's content to another location. Unfortunatley our backup repository is on a NAS (iSCSI) and therefore we cannot backup it up via veeam (or better said not yet ;))
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: encryption possible?

Post by Mike Resseler »

In that case, still no encryption. As said above, bitlocker is a way to do it, but I guess that won't work on your NAS either. I am not aware of potential encryption on a JetBlue database at this moment but to restore data, you will need the organization username and password.

Just opening the database will give you a lot of columns and tables, but it won't make any sense :-)
quincy71q
Service Provider
Posts: 5
Liked: never
Joined: Sep 15, 2016 2:53 pm
Full Name: Quincy de Jong
Contact:

Re: encryption possible?

Post by quincy71q »

Mike

I would like to start hosting tenets data on my environment, I can split the tenets so that they cant see each other data but what stops anyone on the SP side from accessing any data in the backups.
Ideally each tenet should be able to encrypt/lock down a backup so that I as service provider don't have access to the whole organisations email
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: encryption possible?

Post by Mike Resseler »

Hi Quicncy,

Understood the use-case. But as you can see above we don't have it at this moment. This is certainly something we have in mind but the next version won't contain it. We are focused on delivering the SharePoint and OneDrive requirements first. After that we can put it on the table again
krakhger
Service Provider
Posts: 8
Liked: 2 times
Joined: Dec 16, 2016 6:03 pm
Contact:

Re: encryption possible?

Post by krakhger »

Hi all!
I am hosting office 365 backup for some small tenants. This is because they have only Laptops and iOS devices and no infrastructure for doing Office365 Backup.


I figured out that on my infrastructure I can open the backup with Veeam Explorer for Exchange without needing any password.
Regarding GDPR I am a processor, if I even store personal data for a customer. But if the data are encrypted, they are temporarely no personal data until decryption. So if I had only encrypted data on my repositories, I am not a processor and not affected by GDPR.

A Customer asked me to evaluate this regarding GDPR compliance, and I am afraid, this procedure is not compliant because anyone how get the files can access the data.
Ok, I can encyrpt the Storage where the office 365 files reside on. It is also not possible to copy the adb files because the office 365 Service keeps it locked. But every support engineer who as access to the infrastructure has also access to the tenants data.

In my opinion, to be able to operate Veeam Backup for Microsoft Office 365 and to avoid to be a processor, the data must be encrypted.
This is my private Technical Point of view, I am not a laywer!

Gerhard
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: encryption possible?

Post by Mike Resseler » 1 person likes this post

Hi Gerhard,

First: welcome to the forums!

To make sure we are on the same page. You are storing data, so you are a processor. No matter if it is encrypted or not. Being a processor under GDPR is defined very broad, and simply storing data makes you already a processor.

That being said: it is not because you have access to the files that you are not compliant. However, as a processor, you do need to be able to audit that access. Inside the solution, we are building logging (for the next version) that will allow you to audit who has opened Veeam explorer for exchange, what he or she has done (including previewing data) and what he/ she has restored. That is step 1.

I am very much aware that this is not enough, on the file level (through windows auditing) you will most probably need to do the same thing (or if you have another 3rd party solution for that). In the end, every "workload" can be temporary stopped and files can be copied. This goes for this solution but also for VMs, for files if you are hosting file services or even websites. Which means that every IT administrator in your environment can be doing unauthorized things.

A next step (as I said already above) is to take it one step further and get encryption at rest with a key (or keys) that are only known by tenants. But even in that case, you will have to do more as I explained above.

To conclude, trying to make sure that you as a processor don't have access to data is practically impossible, and it is also not forbidden. But being able to audit what is going on is possible and is necessary for audits and research in case something happens

Makes sense?

Cheers
Mike
jbcap
Influencer
Posts: 18
Liked: never
Joined: May 24, 2018 4:12 am
Full Name: Jim Bell
Contact:

Re: encryption possible?

Post by jbcap »

For protecting the store - would standard windows file permissions work here? i.e. If we were to restrict folder permissions to a defined authorised user, and set the Veeam service to work under this context.
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: encryption possible?

Post by Mike Resseler »

Jim,
First: Welcome to our forums!

I have not tested and worked with standard windows file permissions but I assume it will work. It is indeed the Veeam service that accesses the data but please note the required permissions in the user guide (https://helpcenter.veeam.com/docs/vbo36 ... tml?ver=20). It states that this service needs to run under the local system account
TitaniumCoder477
Veteran
Posts: 315
Liked: 48 times
Joined: Apr 07, 2015 1:53 pm
Full Name: James Wilmoth
Location: Kannapolis, North Carolina, USA
Contact:

Re: encryption possible?

Post by TitaniumCoder477 »

Mike,

While I am proficient as a Service Provider for Veeam B&R, I am very new to this particular product. At this point, I am still doing a comparative analysis of CloudBerry, Veeam, and Datto's 365 backup products. Am I correct in understanding that Veeam's 365 backup product does not encrypt data at rest? If not, surely the data is encrypted in transit at least? I cannot seem to find anything about encryption (yay or nay) in Veeam Backup for Microsoft Office 365 2.0 User Guide.

Thanks!
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: encryption possible?

Post by Mike Resseler »

Encryption in transit is indeed happening.
fantis
Lurker
Posts: 1
Liked: never
Joined: Apr 11, 2019 6:05 am
Full Name: Fantis
Contact:

Re: encryption possible?

Post by fantis »

Hi,
any news about encryption at rest.
Is still not available for office365 backups

Thanks
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: encryption possible?

Post by Polina » 1 person likes this post

Hi Fantis and welcome to Veeam Forums!

There're no changes in terms of encryption in 3.0, but we're looking into some options for the future releases.
niffur00
Lurker
Posts: 1
Liked: never
Joined: Aug 24, 2019 6:21 pm
Full Name: Chris Ruffin
Contact:

Re: encryption possible?

Post by niffur00 »

Veeam really needs to make per-organization encryption at rest a priority.
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: encryption possible?

Post by Polina »

Chris,

Your request is noted, thanks!
c.schulzejn
Enthusiast
Posts: 53
Liked: 3 times
Joined: Oct 24, 2018 8:22 am
Full Name: Christoph Schulze
Contact:

Re: encryption possible?

Post by c.schulzejn » 1 person likes this post

Pls note mine too =)
stephen.loera
Service Provider
Posts: 39
Liked: 7 times
Joined: May 11, 2016 4:59 am
Full Name: Stephen Loera
Contact:

Re: encryption possible?

Post by stephen.loera » 1 person likes this post

I would like to +1 this feature also.

Thank you for the development work!
lasseoe
Service Provider
Posts: 76
Liked: 7 times
Joined: Dec 17, 2012 4:39 pm
Full Name: Lasse Osterild
Location: Denmark
Contact:

Re: encryption possible?

Post by lasseoe »

+1 for this.

As a service provider this is an absolute MUST HAVE, without encryption at-rest it's a security and GDPR nightmare within the EU, basically a no-go.
Polina
Veeam Software
Posts: 2939
Liked: 681 times
Joined: Oct 21, 2011 11:22 am
Full Name: Polina Vasileva
Contact:

Re: encryption possible?

Post by Polina » 2 people like this post

Lasse,

I'll echo Niel's response in another thread: v4 will deliver encryption for object storage repositories and everyone who's interested in this feature can join the beta-testing and share their feedback.
dimaslan
Service Provider
Posts: 99
Liked: 9 times
Joined: Jul 01, 2017 8:02 pm
Full Name: Dimitris Aslanidis
Contact:

Re: encryption possible?

Post by dimaslan »

What do you mean encryption for data at rest though? The same as with encrypted backups, so Veeam Backup for O365 would need a key to open the VBO database?
So, if someone would copy the Jet Blue database to another machine and install VBO would not be able to read it?
Mike Resseler
Product Manager
Posts: 8044
Liked: 1263 times
Joined: Feb 08, 2013 3:08 pm
Full Name: Mike Resseler
Location: Belgium
Contact:

Re: encryption possible?

Post by Mike Resseler »

Hi dimaslan,

Correct. Even if you copy the Jet Blue config database, to another machine, your "vault" with keys is not readable anymore.
HolgerE
Influencer
Posts: 11
Liked: 2 times
Joined: Mar 11, 2014 8:37 am
Full Name: Holger Ernst
Contact:

Re: encryption possible?

Post by HolgerE »

There is VBO 5.0 out there.
Is it still correct that VBO encrypts only data at "Object Storage Repositories", not at regular onPremise "Backup Repositories"?
I even see this information in the user guide concerning encryption in VBO 5.0: "Backups in backup repositories must not be encrypted by 3rd party encryption software as it leads to unpredictable system behavior and inevitable data loss."
Any hints or workarounds to enable encryption onPremise also?
Post Reply

Who is online

Users browsing this forum: No registered users and 14 guests