Options for protection from Ransomware

[kins]

We are designing a solution to protect Azure VMs and Azure Files. We want to understand what the options are to safe guard from Ransomware or an Insider attack.

If we used GRS on the storage account, encrypted/corrupt backups would be replicated to the secondary region with an RPO of 15 minutes so both targets would be useless.

What is the Veeam recommended approach to protect the backed up data sitting in Blob storage?

How can we protect the data?

Thanks.

[Mildur]

One way is using a backup copy job to your on premise backup repo.
This way, the restore points of your azure backups are on a secondary storage.
A ransomware attack in your azure tennant will not have access to your onpremise backup repo.

Veeam doesnt have something like S3 object lock for azure Blob storage.

[nielsengelen]

Immutability for Azure is still on Microsoft’s roadmap hence why we can’t provide the feature in general yet. We do monitor and follow this closely to provide and support the feature once possible.

For now, backup copy as described is a good option.

[kins]

thank you, appreciate it.

Is it possible to configure a Veeam Cloud Connect service provider so we could send data to the SP and have Insider protection turned on ?

[Mildur]

I‘m not sure about that.
In The guide, veeam writes nothing about Azure Backups to use a source for a backup copy Job to veeam Cloud Connect Repo:

https://helpcenter.veeam.com/docs/backu ... ml?ver=100

On the Home tab, click Backup Copy and select one of the following options:

Virtual machine > VMware vSphere backup
Virtual machine > VMware vCloud director backup
Virtual machine > Microsoft Hyper-V backup
Windows computer backup
Linux computer backup

It is also not supported to restore to azure directly from Cloud Connect Repo:

https://helpcenter.veeam.com/docs/backu ... ml?ver=100

Instant VM Recovery, multi-OS file-level restore, restore to Microsoft Azure, Amazon EC2 and Nutanix AHV from backups in the cloud repository are not supported.

[nielsengelen]

Correct, if you are going to use VCC as a target (even though I don't think it isn't supported but we'll need to confirm) - you can't restore to the public clouds but only to a VMware/Hyper-V infrastructure. It may be better to wait for VBR v11 which allows immutability on local repositories (see https://vnote42.net/2020/11/23/new-in-v ... ps-part-1/).