Using tape as a backup target
Post Reply
Novox
Enthusiast
Posts: 71
Liked: 17 times
Joined: Jul 12, 2016 12:51 pm
Contact:

Feature Request: Veeam VTL to Fight Ransomware!

Post by Novox »

It's my understanding that most (all?) ransomware tunnels through one's network to encrypt files via SMB or CIFS, etc... I don't believe haxors out there have mastered overwriting tapes "ejected" from a tape drive.

With a Veeam VTL implementation, one assumes we could get similar protections that tape provides, with the benefit of still storing on physical hard drives.

This is basically what I'm trying to accomplish now with Amazon Storage Gateway VTL, however, that requires that all the data eventually be uploaded to Amazon (with all its associated costs).

Thinking back to Gostev's latest "The Word From Gostev:"
Apparently, [another Veeam client's] Board became so concerned with all those recent high-profile ransomware cases that they decided they could live with slower backups for now – and instead prioritized introducing air-gapped backups into their otherwise solely online disk-based backup strategy. For which they of course decided to use tape, but in a very unusual manner that I've never encountered before! Since they have plenty of backup storage capacity already, they decided to maintain copies of only the most recent backups on tape - namely last 7 days – with literally the only goal being protection of their latest backups from ransomware, cyberattacks and insider threat. So no spending millions on huge fancy robots or years of retention worth of tape media – just a single modern library coupled with the process of physically removing daily media set and storing tapes in a safe, rotating every 7 days.

In my mind, I quietly applauded to this cheap and elegant solution of blending tape right into their existing backup strategy – which is to remain largely the same, but now augmented with air-gapped copies of their latest backups. It really is brilliant, and this is also a truly universal approach - something any IT shop out there can afford implementing! Also, that explicit focus on only the latest backups was especially appealing to me, because these are exactly the backups you want that extra level of 100% bulletproof protection for. No spoilers – but we're actually working on something along the same lines that will not even require tape and is arguably better anyway - but unlike tape, it will not be suitable for everyone. Sorry for leaving you wondering, but I can promise you will be the first to hear details here once we're ready to disclose this new technology later this year.
Maybe something like a Veeam VTL is what Gostev is alluding to, but virtual air-gapped (yes, I know, a virtual air-gap is not an air-gap) tapes would work brilliantly in an all physical hard drive environment that needs ransomware protection. Maybe the solution literally disables the NIC on the destination until the scheduled time of the next run, etc... who knows what the minds at Veeam will come up with.

Just thinking out loud as I get more and more anxious every day for the eventual ransomware attack at my company. In my mind, it's not IF, but WHEN (regardless of how safe I think we are with our NGFW's and sandboxing, etc etc etc).

Thank you!
~Bill

HannesK
Veeam Software
Posts: 5889
Liked: 810 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: Feature Request: Veeam VTL to Fight Ransomware!

Post by HannesK » 1 person likes this post

Hello,
nope, it will not be a VTL. ;-)

Because restore from tape as too many disadvantages.We care a lot about restore :-)

Except for the human attacker, you could simply use a Veeam repository (maybe Linux) if you want to avoid SMB / CIFS ransomware and only open the Veeam port. The Veeam components only accept commands from the backup server...

Best regards,
Hannes

Novox
Enthusiast
Posts: 71
Liked: 17 times
Joined: Jul 12, 2016 12:51 pm
Contact:

Re: Feature Request: Veeam VTL to Fight Ransomware!

Post by Novox »

Can you elaborate? How would this work? I currently have VBR running on a windows server, with all my repositories as "Network Attached Storage." Are you saying I could add a linux "server" then add "Direct Attached Storage" (pointing to the linux server), then add my storage hard drives to linux?

HannesK
Veeam Software
Posts: 5889
Liked: 810 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: Feature Request: Veeam VTL to Fight Ransomware!

Post by HannesK »

Hello,
yes, that does not work with NAS. You need to use a Windows / Linux server with "Direct Attached Storage" repository mode.

Best regards,
Hannes

Novox
Enthusiast
Posts: 71
Liked: 17 times
Joined: Jul 12, 2016 12:51 pm
Contact:

Re: Feature Request: Veeam VTL to Fight Ransomware!

Post by Novox »

Sounds good, thank you!

ndb8
Lurker
Posts: 1
Liked: never
Joined: Aug 20, 2019 9:02 pm
Contact:

Re: Feature Request: Veeam VTL to Fight Ransomware!

Post by ndb8 »

Gostev wrote: No spoilers – but we're actually working on something along the same lines that will not even require tape and is arguably better anyway - but unlike tape, it will not be suitable for everyone. Sorry for leaving you wondering, but I can promise you will be the first to hear details here once we're ready to disclose this new technology later this year.
Sorry for digging up an old thread, just found this from a Google search about VTL...

I'm curious what Gostev was alluding to in the quote above? Was it disclosed last year?

HannesK
Veeam Software
Posts: 5889
Liked: 810 times
Joined: Sep 01, 2014 11:46 am
Location: Austria
Contact:

Re: Feature Request: Veeam VTL to Fight Ransomware!

Post by HannesK »

Hello,
and welcome to the forums.

The technology Gostev was talking about is immutable backups leveraging S3 Object Lock functionality.

How to configure: https://helpcenter.veeam.com/docs/backu ... ml?ver=100
Compatible systems: object-storage-f52/unoffizial-compatibi ... 56956.html

Best regards,
Hannes

Post Reply

Who is online

Users browsing this forum: No registered users and 9 guests