[FEATURE REQUEST] Secondary password for delete operations

[lemtargatwing]

I'm sure this has been requested before, and I had found a couple that looked like they had just been abandoned or shoved off as "not a necessity".

The challenge: Protecting backups by any means necessary.

Obviously there are many ways to protect your backups. Whether it's by read only means (tape backups), using a 3rd party service provider with Cloud Connect, using storage that has separate credentials, or any other of a myriad of ways. But there are several problems with these approaches. As an MSP employee who monitors and manages backups across hundreds of clients, there are certain security aspects we are unable to provide. Tape backups being one of them, as well as separate storage devices requiring different credentials.

We have several clients who have offices far too small for a separate storage device, and providing tape backups costs us as the provider even more money. So we implemented a Cloud Connect solution offsite. This is effective in that if a Veeam instance at a client gets compromised, the cloud connect servers themselves are not. However, if the Veeam instance is compromised, an attacker can still delete anything they want from the Veeam Console. They can either delete it from the files menu, or just delete the chain from the backups menu, with no authentication required.

Proposal: Secondary authentication for deletion or modification

The idea would be to add a secondary authentication method to be able to delete or modify data/jobs. This could be either a password or 2FA mechanism. This would prevent an attacker from deleting data from the Veeam Console or modifying jobs to reduce retention.

I'm well aware that if you are using local disk for storage that all they need to do is delete the data from windows. Since we do have offsite copies as well, they would not be affected by this, as that storage is not presented to the local OS in such a way that it could be deleted from within Windows without the Veeam Console.

Obviously this would not prevent other forms of malice (deleting source data then running the jobs multiple times), but that is for another feature request and outside the scope of what I'm requesting.

[Dima P.]

Hello Kyle.

Thank you for sharing your idea. Unfortunately, password prompt would save your B&R console but won’t save from actual backup file deletion for example via windows explorer. Moreover, for regular user this would become a very annoying prompt for a day-to-day activity. The best way to protect your backup files from deletion is to make sure that you delegate access permissions to the right person (at least the best way I’ve seen). Cheers!

[bdufour]

outside of permission delegation, make sure auditing/syslogging and alerting are in placing everywhere possible - i work for a FI and we too have similar concerns. alerting is very important - which goes without saying, but its something we harp. it would at least raise your attention to the fact that something is going on in your environment. a secondary auth method upon deleting backups/replicas from the console wouldnt be very annoying imo - but i wonder how that would affect jobs needing to delete restore points against the retention policy. one thing i could suggest is that veeam set up some type of email alert - to send an email when a user deletes backups or replicas from the console itself. again, u dont want to get alerted every time something is deleted against the retention policy - that would be annoying. but im sure an alert could be something that wouldnt be very hard to implement or figure out for this particular need.

[bdufour]

Also, look at veeamone for your alerting. We use it and it gets very granular.

[lemtargatwing]

Hello Kyle.
Unfortunately, password prompt would save your B&R console but won’t save from actual backup file deletion for example via windows explorer.

I'm already aware of that, as stated in my post.

Moreover, for regular user this would become a very annoying prompt for a day-to-day activity.

I manage almost 100 B&R instances day to day, the annoyance is worth it. Perhaps an optional feature? The goal of extra security isn't to reduce annoyance, it's to add annoyance. The more layers a malicious attack has to go through, the more likely it is to give up.

The best way to protect your backup files from deletion is to make sure that you delegate access permissions to the right person (at least the best way I’ve seen).

The key here still being that SOMEONE has access. All it takes is one person being compromised.

[bdufour]

the easiest solution is for veeam to implement multi-factor authentication - prior to accessing the console... which i assume they're well aware of and likely exploring.

[bdufour]

on top of MFA, add some alerts in Veaam one for delete operations - there's already a 'repository' option in alert management under backup and replication..

[Dima P.]

Folks,

Thank you for your time and sharing your ideas. We will discuss all the feedback with the corresponding teams. Cheers!