"cloud connect" usage onpremise, against ransomware

[alesovodvojce]

These are good ideas to protect the backups against ransomware attack:
a) air gapped backups (tape / secondary linux machine ingesting backups etc)
b) backups to Veeam cloud connect backups (Insider protection works for ransomware scenarios)

The solution simplier in case b), but it is also more expensive, as we need to pay the storage of provider.
If we can get nearly similar protection onpremise, on our own servers, it will work against malware (but not insiders). This would be sufficient for us.
Also it would be better alternative to Remote copy jobs in VBR - as the source Veeam server needs write access to remote repositories, by compromiting the source the target is lost completely too. It will be better if target would pull the backups from source (readonly), hence their security layers will be separated.

Can we install and use Veeam cloud connect onpremise and does that make sense from your standpoint?

[Gostev]

You certainly can, but despite much additional management overhead it won't give much extra protection since Cloud Connect infrastructure servers will still be a part of your environment, meaning backups in Recycle Bin still potentially accessible.

Insider protection is designed for the scenario when Cloud Connect infrastructure is installed in a completely different data center, which is controlled by another company who you pay money to take care of your data - which completely prevents an inside attack.

So, even something as simple as making periodic backup copies to a shared folder on a hardened Linux server (no remote logons), with the shared folder backed by ZFS with periodic ZFS snapshots enabled, will give you a better protection without all the extra overhead over managing your own Cloud Connect infrastructure.