ag611
Service Provider
Posts: 3
Liked: never
Joined: Aug 20, 2018 7:59 pm
Contact:

Help understanding GFS and Insider Protection

Post by ag611 » Aug 28, 2018 4:09 pm

We want to make sure our VCC configuration is in line with best practices, and part of that is whether we need to enable GFS for our backup copy jobs to Veeam Cloud Connect. We have Insider Protection enabled and set to 7 days for each tenant.

I know Veeam recommends enabling GFS in order to really take advantage of Insider Protection, and it even shows a warning if GFS is disabled, but I don't understand why. I can't figure out what kind of attack would be mitigated specifically by having GFS enabled.

The way I see it is this:

1. If an insider manually deleted all cloud backups in one go, all the restore points, including the full backup, are recoverable from the recycle bin
2. If an insider reduced retention on the backup copy job to 1 restore point, and let it run so older restore points are aged out, and then deleted off-site backups, we'd still have the original manually-deleted full + aged-out incrementals in the recycle bin
3. If we enable GFS, and an attacker did everything in #2 AND disabled GFS, we'd still have the GFS full backups in recycle bin, plus everything else

So what attack or threat is addressed by enabling GFS? What am I missing here?

foggy
Veeam Software
Posts: 17931
Liked: 1512 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Help understanding GFS and Insider Protection

Post by foggy » Aug 29, 2018 2:23 pm 1 person likes this post

Hi, I recommend reading this blog post and applying to the VCSP forum user group to get access to the dedicated private forum for service providers, where similar questions are discussed. Thanks!

wessexit
Influencer
Posts: 13
Liked: never
Joined: Oct 13, 2017 5:27 pm
Full Name: Richard Maynard
Contact:

Re: Help understanding GFS and Insider Protection

Post by wessexit » Jan 19, 2019 3:22 pm

I've been getting my head around this as well and found the mentioned blog post very useful in doing so.

I can see why GFS is needed, but I still have two questions

1. Aren't forward-incremental recovery points in the recycle bin useless?

With forward incremental, 3 recovery points after 3 days the chain looks like this:

            | FULL > INC1 > INC2
RECYCLE BIN | REPOSITORY

On the 4th day it looks like this:

     INC1 > | FULL > INC2 > INC3
RECYCLE BIN | REPOSITORY

Isn't INC1 now part of a different chain?! Surely only recovery points should be kept in the recycle bin where they form part of a valid chain (such as in the event of them all being deleted by an insider).

2. Do you still need GFS with a reverse incremental chain?

With reverse incremental, 3 recovery points after 3 days the chain looks like this:

            | INC1 > INC2 > FULL
RECYCLE BIN | REPOSITORY

On the 4th day it looks like this:

     INC1 > | INC2 > INC3 > FULL
RECYCLE BIN | REPOSITORY

As the aged-out incrementals (INC1 in this case) are part of a valid chain they can still be used, right? For an insider attack to be successful in this case (i.e. using reverse incremental) they would have to carry out the attack/damage and for that to go unnoticed for longer than deleted recovery points are retained at the service provider - meaning that GFS does not need to be enabled.

Is this right, am I missing anything?!

foggy
Veeam Software
Posts: 17931
Liked: 1512 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Help understanding GFS and Insider Protection

Post by foggy » Jan 21, 2019 9:28 am

Hi Richard, I'm not sure I fully understand your concern in the first case - yes, restore points that were deleted according to retention form a sort of (a part of) a backup chain in the recycle bin as if they existed on disk (there's no full backup though, only incremental points).

As for the second case, your understanding seems to be correct, but having GFS in place you do not need to worry about the fact that recycle bin can be periodically cleaned up, for example.

veremin
Product Manager
Posts: 16514
Liked: 1373 times
Joined: Oct 26, 2012 3:28 pm
Full Name: Vladimir Eremin
Contact:

Re: Help understanding GFS and Insider Protection

Post by veremin » Jan 21, 2019 1:09 pm

1. Yes, mostly they are
2. No, you do not

wessexit
Influencer
Posts: 13
Liked: never
Joined: Oct 13, 2017 5:27 pm
Full Name: Richard Maynard
Contact:

Re: Help understanding GFS and Insider Protection

Post by wessexit » Jan 21, 2019 6:56 pm

Thanks foggy and v.Eremin for your responses. It appears both of my suspicions are confirmed. Two final questions:
  1. If GFS isn't needed with a reverse-incremental CC copy job do you still get the job warning on the source VBR installation about GFS not being enabled? Obviously having some sort of GFS is better, but we're talking about whether it's necessary for insider protection (which we've established it is not).
  2. Is a reverse-incremental CC copy job equivalent in terms of bandwidth to a forward-incremental one all else being equal?

The reason this is all so important is that the insider protection with CC copy jobs is a huge selling point for clients. It's undermined though if there is a massively increased storage requirement (due to GFS and the additional full backups it creates). If it works just as well with reverse-incremental backups then the only downside is reverse-incrementals and not the increased storage requirement!

Thanks!

foggy
Veeam Software
Posts: 17931
Liked: 1512 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Help understanding GFS and Insider Protection

Post by foggy » Jan 21, 2019 8:49 pm

Will your questions still be relevant considering the fact that backup copy jobs are always forward incremental? Reverse incremental mode is available for regular backup jobs only.

wessexit
Influencer
Posts: 13
Liked: never
Joined: Oct 13, 2017 5:27 pm
Full Name: Richard Maynard
Contact:

Re: Help understanding GFS and Insider Protection

Post by wessexit » Jan 22, 2019 12:13 pm

Crikey @foggy, is that right?!

Can you confirm the minimum safe GFS configuration is 2 weekly? I think this is right as an insider attack on a Sunday could cause you to end up with a compromised GFS weekly *and* also the rest of the chain compromised too... I can't see how a 2nd GFS weekly backup could also be compromised unless your live systems were damaged for over a week without anyone noticing...

This then causes a 2-3 fold storage increase on the Cloud Connect end, right?

foggy
Veeam Software
Posts: 17931
Liked: 1512 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Help understanding GFS and Insider Protection

Post by foggy » Jan 22, 2019 5:11 pm

It depends on what kind of attack you mean and the moment it was performed.

wessexit
Influencer
Posts: 13
Liked: never
Joined: Oct 13, 2017 5:27 pm
Full Name: Richard Maynard
Contact:

Re: Help understanding GFS and Insider Protection

Post by wessexit » Jan 22, 2019 7:17 pm

I'm referring to an attack on a Sunday just before a recovery point is selected as that week's GFS point and after n incremental backups have been run by the attacker after where n is the number of recovery points retained by the copy job.

foggy
Veeam Software
Posts: 17931
Liked: 1512 times
Joined: Jul 11, 2011 10:22 am
Full Name: Alexander Fogelson
Contact:

Re: Help understanding GFS and Insider Protection

Post by foggy » Jan 23, 2019 2:36 pm

In this case yes, if you have 2 weeklies configured, you will have an additional GFS restore point safe.
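The scenario discussed in the posts above, as a simplified model (an added example, not part of any post and not Veeam's code): it tracks which clean restore points can still be rebuilt after compromised data has been pushed through a forward-incremental copy chain and the repository has then been wiped. The function names, the integer "state" numbering and the treatment of a GFS full as a standalone copy are assumptions, and the recycle bin is assumed not to have expired anything yet.

```python
# Simplified model of the scenario in this thread (added example, not Veeam code).
# Assumptions: restore points are integer "states"; increment k turns state k-1
# into state k; a GFS full is a standalone copy of one state; nothing in the
# recycle bin has expired yet. All names here are hypothetical.

def run_copy_job(cycles, retention, gfs_states=()):
    """Forward-incremental copy job that merges the oldest increment into the
    full once `retention` restore points are exceeded."""
    rolling_full, incs, gfs, bin_incs = 1, [], set(), set()
    for state in range(2, cycles + 1):
        incs.append(state)
        if 1 + len(incs) > retention:
            rolling_full = incs.pop(0)   # full now holds this increment's state
            bin_incs.add(rolling_full)   # the merged increment file goes to the bin
        if state in gfs_states:
            gfs.add(state)               # standalone full kept outside the chain
    return rolling_full, incs, gfs, bin_incs

def restorable_after_wipe(rolling_full, incs, gfs, bin_incs):
    """Every repository file is deleted and lands in the recycle bin. A state is
    restorable if it is a full, or is reachable from the rolling full through
    an unbroken run of increments; increments older than the full are orphaned."""
    available = set(incs) | bin_incs
    states, s = {rolling_full} | gfs, rolling_full
    while s + 1 in available:
        s += 1
        states.add(s)
    return sorted(states)

def good_states_left(retention, last_good, attacker_cycles, gfs_states=()):
    """Clean states still restorable when `attacker_cycles` extra copy cycles of
    compromised data run after state `last_good`, followed by a full wipe."""
    job = run_copy_job(last_good + attacker_cycles, retention, gfs_states)
    return [s for s in restorable_after_wipe(*job) if s <= last_good]

if __name__ == "__main__":
    print(good_states_left(7, 10, 0))                    # wipe only
    print(good_states_left(7, 10, 7))                    # chain flushed, no GFS
    print(good_states_left(7, 10, 7, gfs_states=(7,)))   # chain flushed, GFS full
```

In this model the aged-out increments in the bin never contribute a restorable state on their own, because the full they were built on has already moved forward.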

wessexit
Influencer
Posts: 13
Liked: never
Joined: Oct 13, 2017 5:27 pm
Full Name: Richard Maynard
Contact:

Re: Help understanding GFS and Insider Protection

Post by wessexit » Jan 23, 2019 5:00 pm

Thanks foggy. It's a real bitch a client has to pay for 2-3x the storage though...

wessexit
Influencer
Posts: 13
Liked: never
Joined: Oct 13, 2017 5:27 pm
Full Name: Richard Maynard
Contact:

Re: Help understanding GFS and Insider Protection

Post by wessexit » Apr 11, 2019 12:37 pm

I had an idea...

If you could configure a maximum copy job frequency on the CC server (e.g. once per day) then it would mean an attacker *cannot* purge the client's "good" data out of the chain by continuously running copy jobs... it would take the attacker x days to achieve it, by which time you'd know about the attack...

Any chance we can get a viewpoint on this from @Gostev ? Sounds to me like an easy thing to implement that would reduce CC storage requirements by a factor of 2-3...

Thanks!

Gostev
SVP, Product Management
Posts: 24300
Liked: 3331 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Help understanding GFS and Insider Protection

Post by Gostev » Apr 11, 2019 1:54 pm

Not if you use ReFS.

wessexit
Influencer
Posts: 13
Liked: never
Joined: Oct 13, 2017 5:27 pm
Full Name: Richard Maynard
Contact:

Re: Help understanding GFS and Insider Protection

Post by wessexit » Apr 11, 2019 2:21 pm

Interesting... presumably you're referring to dedupe functionality within ReFS?

Also wouldn't the client's quota still need to be 2-3x despite dedupe savings within the filesystem or does ReFS report the size of a given folder including dedupe savings?

Gostev
SVP, Product Management
Posts: 24300
Liked: 3331 times
Joined: Jan 01, 2006 1:01 am
Location: Baar, Switzerland
Contact:

Re: Help understanding GFS and Insider Protection

Post by Gostev » Apr 11, 2019 4:31 pm

wessexit wrote (Apr 11, 2019 2:21 pm):
Interesting... presumably you're referring to dedupe functionality within ReFS?

Also wouldn't the client's quota still need to be 2-3x despite dedupe savings within the filesystem or does ReFS report the size of a given folder including dedupe savings?

Yes, that's exactly what I am referring to.

ReFS reports the actual size of all files in the given folder (as opposed to how much disk space this folder consumes). So, "dedupe savings" is something you benefit from as the service provider, which in the end allows you to provide a lower price per TB for your customers.
