I would like to propose a feature enhancement inspired by the concept of a “Cyber Vault,” similar to implementations seen in other ecosystems.
The core idea is to introduce a native, fully isolated backup vault within Veeam that provides an additional layer of protection against sophisticated cyber threats, including ransomware and insider attacks.
Key Requirements:
1. True Air-Gap Isolation
- The backup copy should be logically and/or physically isolated from the primary Veeam Backup & Replication environment.
- No direct network connectivity during normal operations.
- Access only via controlled, time-bound mechanisms.
2. Immutability
- Data stored in the vault must be immutable (WORM-based or equivalent).
- Protection against deletion, modification, or encryption—even from privileged accounts.
3. Invisibility from Veeam Environment
- The vault should not be visible, mountable, or addressable from the primary Veeam infrastructure.
- No persistent credentials or trust relationships stored in the main backup environment.
- Ideally, a “pull” mechanism from the vault rather than “push” from Veeam.
4. Secure Transfer Mechanism
- Controlled data transfer (e.g., scheduled synchronization windows).
- One-way communication enforced (data diode–like behavior if possible).
5. Independent Authentication & Access Control
- Separate identity domain or authentication mechanism.
- MFA enforced for any administrative access to the vault.
6. Recovery Workflow
- Clearly defined and secure process to restore data from the vault.
- Ability to validate backup integrity (e.g., malware scanning, sandbox restore) before reintroduction.
Use Case:
In high-security environments, existing hardened repositories and object storage immutability are valuable but still part of the same administrative domain. A dedicated cyber vault would provide:
• Isolation from backup infrastructure breaches
• A last-resort recovery option with guaranteed integrity
Why This Matters:
With the increasing sophistication of ransomware targeting backup systems directly, a completely isolated and invisible backup tier is becoming a requirement rather than a luxury—especially in regulated or enterprise environments.
Suggested Approach:
This could be implemented as:
• A dedicated vault appliance or hardened repository mode
• Integration with object storage + strict isolation controls
• A Veeam-managed but independently secured “vault domain”
Curious to hear if others have similar requirements or have implemented workarounds for this today.
wgys
Mildur, Product Manager
Re: Feature Request: Native “Cyber Vault” Capability in Veeam (Air-Gapped, Invisible Backup Copy)
Hi guys,
Since this topic got no answers from other customers, let me share my personal opinion.
> In high-security environments, existing hardened repositories and object storage immutability are valuable but still part of the same administrative domain. A dedicated cyber vault would provide:
I’d argue that in a high-security environment, administrative access to the hardened repository and administration of the object storage are typically handled by teams separate from the backup administrators, each with their own user accounts (local users or separate management domains).
If we also assume a dedicated network/security team that can restrict management access (for example, blocking SSH/HTTPS management paths from the backup admin network), then the existing approach can already provide a very strong level of isolation. Backup admins wouldn’t be able to access a hardened repository or Object Storage at the operating system level.
Of course, if administrative credentials (for example, firewall/admin accounts) are documented or stored in a single place and an attacker gains access to both those credentials and the firewalls, then many of these controls can be bypassed.
Best,
Fabian
Product Management Analyst @ Veeam Software