The new upcoming Veeam Backup & Replication 10 provides the new Cloud Tier - Immutability feature to enforce security of backups stored in AWS S3 cloud object storage.
The backup integrity became a key point in the data protection strategy since hackers and malwares focused their efforts in compromising also backup data. Keep in mind the only way to efficiently protect your business leverages in a strong backup infrastructure design.
Amazon S3 Object Lock
Veeam Cloud Tier - Immutability feature leverages a new capability provided by AWS to enforce security: the Amazon S3 Object Lock.
Amazon S3 Object Lock is based on WORM (Write Once Read Many) model and prevents stored objects from being deleted or overwritten for a specified amount of time (retention). This feature add an extra layer of security against object changes and deletion.
To protect stored objects, two retention modes are provided by Amazon S3 Object Lock:
- Governance mode - also this capability prevents an object version from being overwritten or deleted, but protection doesn't have a retention period and can be removed anytime by any user with s3:PutObjectLegalHold permission.
- Compliance mode - data stored with this retention can't be overwritten or deleted by any user including the root account in AWS. There is no way to change the retention mode or to shortener the retention period. This model ensure the protected object version availability and integrity for the duration of the retention period.
Create a new S3 Bucket
To store backups in AWS S3 a new bucket must be created. Login to the AWS console and access the S3 area.
Click Create Bucket to create a new bucket that will be used to protect backup data.
Specify the Bucket name and Region then click Next.
Under Versioning enable Keep all versions of an object in the same bucket option.
Scroll down the window to display Object Lock section. Enable Permanently allow objects in this bucket to be locked then click Next.
Enable Block all public access then click Next.
In the Review page click Create Bucket.
The AWS S3 bucket has been created successfully.
In order to automatically protect object versions stored in the bucket, you must specify the retention period.
Enable bucket retention mode
Click the new created bucket and go to Properties tab.
Under Advanced Settings click Object Lock.
To apply automatically default bucket retention to stored object versions, specify the retention mode (governance or compliance mode) and the Retention period then click Save.
Type confirm then click Confirm.
The settings have been applied successfully. Now the bucket is protected against deletion and can't be overwritten.
Configure Veeam Cloud Tier Immutability
Once the AWS S3 bucket has been created and protected, a new Veeam S3 Repository has to be created to store backups to protect.
Create a new Object Storage Repository
From Backup Infrastructure area, access the Backup Repositories section and click Add Repository.
Select Object storage as repository type.
Select Amazon S3 as object storage type.
Enter a repository Name and optionally a Description. Click Next.
Specify the Credentials to access the AWS S3 bucket and the Data center region. Click Next.
Choose the Data center region to use and the Bucket. Click Browse to specify the correct folder to use to store the backups.
Click New Folder and specify the folder name. Click OK.
You can enable the Limit object storage consumption option to keep storage costs under control. Enable Make recent backups immutable for x days to use native object storage capabilities and specify the retention in days. Click Next.
Click Finish to save the configuration.
The new S3 Repository has been created successfully.
Configure a Scale-Out repository
Veeam Cloud Tier Immutability leverages on Object Storage Repository configured as Capacity Tier Extent in the Scale-out Backup Repository providing a scalable and secured repository.
From Backup Infrastructure area, access the Scale-out Repositories section and click Add Scale-out Repository to create a new one.
Enter a Name and optionally a Description then click Next.
Click Add to specify the Performance Tier Extent. Choose the Repository to use then click OK.
When the Performance Tier has been selected, click Next.
Select Data locality as Placement Policy then click Next.
Enable the Extend Scale-out repository capacity with object storage option and specify the S3 Repository previously created. Define the time/age when old backups can be moved to the object storage for long-retention archival purposes. This value is set as 30 days by default. You have also the option Encrypt data uploaded to object storage to enforce security. Click Apply.
Click Finish to create the Scale-out Repository.
The created Scale-out Repository.
Create a Backup Job
Create a new Backup Job to take advantage of the Immutability feature. In the configuration wizard select from the Backup repository drop-down menu the just created Scale-out Repository and click Next. Just follow the instructions and finalize the Backup Job configuration.
When the configuration has been saved, right click the created Backup Job and select Start to start the backup immediately.
During the first execution, a Full Backup is being performed.
If you are willing to test the archival process to the protected bucket, after the initial Full Backup you should perform some additional backups. At least three additional Incremental Backups and another Active Full Backup.
Move backups to the Cloud Tier Immutability
To move backups immediately to the selected Object Storage (S3), access the Backup Infrastructure area and expand the Scale-out Repositories section. Edit the Scale-out Repository previously configured and set the Move backup files older than field to 0 in the Capacity Tier section. Click Finish to save the configuration.
Hold CTRL and right click the Scale-out Backup Repository and select Run tiering job now.
The offload process is executed and backups are moved to the S3 Object Storage.
When the process has been completed, you can find the available restore points in the Object Storage under Backups.
The backup can be also found in the specified AWS S3 bucket.
Test the Immutability feature
To test if the Immutability feature works as expected, right click the available backup and select Delete from disk option.
Click Yes to confirm deletion.
The backup shoul be deleted from the disk but because the Immutability capability as well as a specific retention have been enabled, the backup can't be deleted and an error message is displayed.
Since the retention mode has been enabled and applied to the selected bucket in AWS S3, not only stored data are protected against deletion but also the bucket itself can't be deleted.
Cloud Tier Immutability feature is definetively an interesting function to enfore security and keep backup data "untouchable" until the retention period expires.
Veeam Backup & Replication 10 is expected to be released within the end of the year.
