Does Veeam grantees the integrity of restore points?

Availability for the Always-On Enterprise

Does Veeam grantees the integrity of restore points?

Veeam Logoby samifarhat » Tue Jun 20, 2017 1:20 pm

Hi all,
Due to SoX requirement, we have been asked an interesting question.
What if someone replaces a restore point data by another restore point (Physically remove the files and replace them by other files) ?
Does Veeam have a repository of the checksums of the stored restore points ?

Thanks
samifarhat
Novice
 
Posts: 3
Liked: never
Joined: Tue Jun 20, 2017 1:15 pm
Full Name: samifarhat

Re: Does Veeam grantees the integrity of restore points?

Veeam Logoby Shestakov » Tue Jun 20, 2017 1:41 pm

Hi and welcome to the community!
If you physically change a file from backup chain, restore points after that backup will not be restorable, however rest of the chain will remain restorable.
Restore points info contained in metadata.
Thanks!
Shestakov
Veeam Software
 
Posts: 4946
Liked: 407 times
Joined: Wed May 21, 2014 11:03 am
Location: Saint Petersburg
Full Name: Nikita Shestakov

Re: Does Veeam grantees the integrity of restore points?

Veeam Logoby samifarhat » Tue Jun 20, 2017 1:46 pm

Hi Shestakov,
Thanks for your reply.
I just need an answer 'understandable' by the SoX auditors like: Veeam stores metadata information about the restore points, and thus, if someone replaces the restore points files, it will detect that behavior and will not restore data (Or mark the restore point as broken or corrupted). Is this documented anywhere ?.
I really appreciate your help,
Thanks
Samir Farhat
samifarhat
Novice
 
Posts: 3
Liked: never
Joined: Tue Jun 20, 2017 1:15 pm
Full Name: samifarhat

Re: Does Veeam grantees the integrity of restore points?

Veeam Logoby Shestakov » Tue Jun 20, 2017 2:42 pm

Right, absence of the restore point will be defined either during restore or synthetic transformation (if any is scheduled), whatever happens first.
The best source of such information is the product user guide.
Shestakov
Veeam Software
 
Posts: 4946
Liked: 407 times
Joined: Wed May 21, 2014 11:03 am
Location: Saint Petersburg
Full Name: Nikita Shestakov

Re: Does Veeam grantees the integrity of restore points?

Veeam Logoby samifarhat » Tue Jun 20, 2017 2:54 pm

Thanks. So to be simple : During restore operation, Veeam checks the consistency of the restore point, by making a check against the metdata information.
samifarhat
Novice
 
Posts: 3
Liked: never
Joined: Tue Jun 20, 2017 1:15 pm
Full Name: samifarhat

Re: Does Veeam grantees the integrity of restore points?

Veeam Logoby Shestakov » Tue Jun 20, 2017 2:58 pm

Correct, Backups Server uses metadata to take data blocks from several backup files and if some file is missing restore will not happen.
By the way, if restore point is deleted not manually but via Backup Console, corresponding event is to be logged. And if you use Veeam ONE, you may customize alarm to be notified immediately, not waiting for restore or synthetic operation.
Shestakov
Veeam Software
 
Posts: 4946
Liked: 407 times
Joined: Wed May 21, 2014 11:03 am
Location: Saint Petersburg
Full Name: Nikita Shestakov

Re: Does Veeam grantees the integrity of restore points?

Veeam Logoby nismoau » Mon Jun 26, 2017 1:12 am

You can use SureBackup to test the integrity of your backups at a point-in-time.
https://helpcenter.veeam.com/docs/backu ... tml?ver=95

If you're worried about someone replacing backup files with other data, just make sure your target repositories are locked down via NTFS permissions to only those who know what they're doing!
nismoau
Novice
 
Posts: 8
Liked: never
Joined: Wed Jul 06, 2016 1:29 am

Re: Does Veeam grantees the integrity of restore points?

Veeam Logoby npitacco » Mon Jun 26, 2017 7:25 am

As someone who has a very similar regulatory requirement, and very interested in the subject of data integrity, I would like a more detailed answer
For example, we have to evaluate risks for 5 cases:
Omission: This would be the case if the restore point is not created because the job didn't run and we can discard this case, there is nothing Veeam can do to prevent this, monitoring backup execution is an IT task
Deletion & Destruction: Again, I believe that Veem cannot prevent this, you need proper permission control and auditing to address this risk
Error: Something went wrong during the backup, and was not detected immediately. I believe that the option "Perform backup files health check" and SureBackup can address this case
Alteration : This is the subject of the original question. It is true that restricting access to the repository may mitigate the issue, but the problem is also with deliberated alteration of data by people with the correct access level (bad guys can be internal IT people).
The only mention I remember about checksum in Veeam is about the data block checksum in the backup file, but I believe this is used to assure internal file integrity, not that the file has not been altered or replaced.
I believe that encryption would have the side effect to prevent this case, but I am not sure.
Anyone already addressed this or want to correct my list?

Thanks
npitacco
Influencer
 
Posts: 12
Liked: never
Joined: Tue Jan 12, 2010 3:33 pm
Full Name: Nadia Pitacco

Re: Does Veeam grantees the integrity of restore points?

Veeam Logoby tdewin » Mon Jun 26, 2017 8:32 am

On the omission part, you might consider Veeam One which is part of the availability suite. It has some good reports concerning missed backups but I always loved the protected vm report:
https://helpcenter.veeam.com/docs/one/r ... tml?ver=95

As for the checksums, during surebackup, you can ask to validate the checksums explictely (backup file integrity check):
https://helpcenter.veeam.com/docs/backu ... tml?ver=95

There is also a small tool that allow you to execute the checksum validation manually:
https://www.veeam.com/kb2086
https://www.virtualtothecore.com/en/vee ... kup-files/ (includes some screenshots)
tdewin
Veeam Software
 
Posts: 1081
Liked: 372 times
Joined: Fri Mar 02, 2012 1:40 pm
Full Name: Timothy Dewin

Re: Does Veeam grantees the integrity of restore points?

Veeam Logoby npitacco » Mon Jun 26, 2017 9:39 am

I inherited VeeamOne with an already existing infrastructure, and I appreciate it more every day :D
About the checksum, I have read "When writing each data block to the disk, we also write a checksum of this block to the designated area of the backup file (actually, we write the checksum twice for redundancy). When restoring, we verify the data obtained from disk against that checksum." in an older post.
This allows to detect errors., but I am curious about deliberate manipulation/alteration of the backup file. I am certain they are not likely, but are they "theoretically" possible?

Thanks
npitacco
Influencer
 
Posts: 12
Liked: never
Joined: Tue Jan 12, 2010 3:33 pm
Full Name: Nadia Pitacco

Re: Does Veeam grantees the integrity of restore points?

Veeam Logoby Shestakov » Mon Jun 26, 2017 2:16 pm

Theoretically everything is possible. There are also hardware errors, network errors etc, but with Surebackup and checksum you will be much more protected.
Shestakov
Veeam Software
 
Posts: 4946
Liked: 407 times
Joined: Wed May 21, 2014 11:03 am
Location: Saint Petersburg
Full Name: Nikita Shestakov

Re: Does Veeam grantees the integrity of restore points?

Veeam Logoby Gostev » Mon Jun 26, 2017 9:38 pm

Protection against deliberate modification of the backup file is very simple: you just enable backup file encryption, and this will make it impossible to modify without rendering one unusable.
Gostev
Veeam Software
 
Posts: 21442
Liked: 2362 times
Joined: Sun Jan 01, 2006 1:01 am
Location: Baar, Switzerland

Re: Does Veeam grantees the integrity of restore points?

Veeam Logoby npitacco » Tue Jun 27, 2017 7:36 am

Thank you very much.
I have now answer for all possible questions from inspectors :-D
npitacco
Influencer
 
Posts: 12
Liked: never
Joined: Tue Jan 12, 2010 3:33 pm
Full Name: Nadia Pitacco


Return to Veeam Backup & Replication



Who is online

Users browsing this forum: Google [Bot] and 32 guests