Encryption and security in the Cloud

[ruidc]

I'd like to clarify two questions:
1. A representative from our cloud service provider has told me that despite having encryption turned on for our backup job, upon replicating to the cloud, the data stored on their side is in the clear, this is contradictory to what i see in the encryption white paper, can anyone confirm the truth?

2. The only thing keeping us from accessing our backups in the cloud is a username+password pair, again the cloud service provider suggested that something like two-factor authentication (eg. a one-time-password) would need to be incorporated by Veeam as a future feature, is this correct?

Thanks in advance,
R

[foggy]

Hi Rui, how do you replicate data to the cloud? If you're using backup copy job, you can enable encryption on them.

[Vitaliy S.]

Cannot comment on the future releases, but two-factor authentication is, indeed, would be a good feature to have.

[ruidc]

thanks for the replies:
1. No, job is implemented via replication so VMs can be started in partial or full failover on cloud infrastructure. Given this setup, what would be the encryption status of my replicas?
2. but is it something that can be implemented by the cloud provider or does it need to be by the Veeam product?

Regards,
R

[foggy]

Replication jobs do not use encryption and replicas are stored in their native format (otherwise hypervisor will not be able to access/manage this VM), so unencrypted. You should look at some datastore encryption solution or enable permissions control to the datastore.

[Vitaliy S.]

but is it something that can be implemented by the cloud provider or does it need to be by the Veeam product?

It depends. For example, if service provider has its own portal, then he might already have this feature. If not, then it has to be done on Veeam side.

[ruidc]

You should look at some datastore encryption solution or enable permissions control to the datastore.

Can you elaborate or point me at some relevant documentation?

[ruidc]

It depends. For example, if service provider has its own portal, then he might already have this feature. If not, then it has to be done on Veeam side.

but if i connect from veeam console to set up the service provider, the service provider could theoretically add 2FA there?

[foggy]

Can you elaborate or point me at some relevant documentation?

I cannot elaborate on the particular solution, but Google says there're some that implement VMs encryption that is transparent both to the hypervisor and VM itself.

[Vitaliy S.]

but if i connect from veeam console to set up the service provider, the service provider could theoretically add 2FA there?

Theoretically - yes, that's a possibility.

[dellock6]

but if i connect from veeam console to set up the service provider, the service provider could theoretically add 2FA there?

If you are talking about Veeam Cloud Connect (it seems so by reading the thread...) then native accounts in VCC only have username and password. 2FA can be applied to a custom portal for self-service, but as of today the account login to Veeam Cloud Connect is username/password.

Luca