Top 5 Veritas Backup Exec Security Features You Can't Do Without
Varun Verma
Product Management @ Veritas | Dreamer & Storyteller | Advisor @Guidepoint | Passionate about enabling #digitaltransformation for customers.
How can you protect your Backup Exec Media Server and backed up data from a ransomware attack? Learn about five easy steps to better your Backup Exec security.
Today is National Computer Security Day, and I rather like this reminder that security is everyone's responsibility, especially when the bulk of all cyberattacks are caused by negligence.
This article/blog is another one I’ve been thinking about for quite a while, so I’m happy to bring it to you on a day that is dedicated to security!
Customers and partners have always asked me, especially in the last five years, “how exactly does Backup Exec (BE) help organisations get resilient against ransomware?” or “what should I do with my Backup Exec deployment to reduce risk, eliminate uncertainty, and maintain control?” It’s something that I answer a lot, either in 1:1 discussions or through my virtual events.
BE is a leading data protection solution and was developed with resiliency at top of mind, so we could provide our customers with a dependable and trustworthy solution. Backup Exec protects systems and data integrity with a wide range of security controls to suit your different needs.
The most recent version of BE uses the most secure and latest SSL v3 (TLS) communication protocol for backup and restore operations. BE allows the TLSv1, TLSv1.1 and TLSv1.2 protocols. The actual protocol version used for the control connection is negotiated to the highest version mutually supported by the client and the media server.
It’s important to note that this article is not intended to be all-encompassing. You MUST implement a comprehensive strategy by adding firewalls, email and spam filters, anti-malware and point protection software to your organisation’s defensive strategy.
Now, let’s get straight to the 'top five' BE security features that I personally recommend you configure in your environment:
1. Backup Exec Lockdown Server/Ransomware Resilience
BE focuses on data integrity to help ensure backup files remain safe and untouched from malicious invaders. We know how vital it is for our customers to protect their data, which is why we’ve placed BE and key functionality around data integrity at the heart of the platform.
Since BE 20.4, we have strengthened defences on backup storage and processes with a new and popular feature known as Ransomware Resilience. This tool protects your backup storage from external attacks where unauthorised processes attempt to modify data hosted on a Media Server. It blocks any write requests from sources that aren't trusted. This means that only trusted and approved contributors can upload data to your BE account.
It's impossible to overstate how important this tool is for organisations to protect their data.
2. Two-factor authentication (2FA)
Strong authentication, especially 2FA, is the foundational element of a zero-trust model. Starting with release 21, BE offers the ability to configure 2FA for the RAC (Remote Administration Console).
In order to protect sensitive data, BE supports SSO, PKI proxy-based authentication (for smart card users) and pure Kerberos environments. When installing the RAC on your workstation, check the box for “Use the logged-on user’s credentials as default authentication (also applicable for Multi-Factor Authenticated users)”.
3. Secure Console
With backups being a popular target, BE introduced Secure Console Management in version 20.1, which ensures that only authorised users have access to the BE console and management.
This option lets you lock the BE session that you are working on and secure the Backup Exec console from unauthorised access. Unless you unlock the BE console, you cannot perform any tasks in the user interface.
4. Data Encryption and Firewall Rules
You must implement in-transit encryption to protect your data from being compromised within the network. Also, implement at-rest encryption to prevent ransomware or bad actors from stealing your data and threatening to make it public or take other malicious actions.
In-transit: Ensure your data is being sent to an authenticated target and is protected while in transit. This solution leverages TLS 1.2 certificates, with 2048-bit key support to ensure data encryption during transit. The agent on the client being backed up encrypts the data and sends it over the wire to the Media Server where it is stored in an encrypted form.
Note that to turn on encryption, you must enable it in the backup job.
At-rest: If hackers are successful in getting to the data, having it encrypted protects it from being exploited. BE (starting with 21.1) supports data encryption using a 256-bit AES encryption key generated using the enhanced Password-Based Key Derivation Function 2 (PBKDF2) algorithm, along with FIPS 140-2 cryptography and our own key management.
Hardware encryption: By using hardware encryption, the data is transmitted from the host computer to the storage device and then encrypted on the device. BE manages the encryption keys that are used to access the encrypted data. Hardware encryption using the T10 standard requires 256-bit AES.
While we're at it, it’s important to note that BE can be installed for data protection in an environment configured to use TLS 1.2, which helps to comply with the Payment Card Industry Data Security Standard (PCI DSS) 3.1/3.2 requirements.
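To make the at-rest item above concrete, here is an added example (not Backup Exec's code and not part of the original article) of how a passphrase is stretched into a 256-bit AES key with PBKDF2, and how a restore can reject a wrong passphrase without the key ever being stored. The hash (SHA-256), iteration count, salt length, record layout and function names are all assumptions made for illustration.

```python
import hashlib
import hmac
import secrets

KEY_LEN = 32                # 256-bit AES key, as stated in the article
ITERATIONS = 600_000        # assumption: illustrative work factor, not BE's value
CHECK_LABEL = b"key-check"  # assumption: constant used only to verify the key


def derive_key(passphrase: str, salt: bytes, iterations: int = ITERATIONS) -> bytes:
    """Stretch a passphrase into a 256-bit key with PBKDF2-HMAC-SHA256."""
    if len(salt) < 16:
        raise ValueError("salt must be at least 16 random bytes")
    return hashlib.pbkdf2_hmac("sha256", passphrase.encode("utf-8"), salt,
                               iterations, dklen=KEY_LEN)


def new_key_record(passphrase: str, iterations: int = ITERATIONS) -> dict:
    """Create the non-secret metadata kept beside an encrypted backup set."""
    salt = secrets.token_bytes(16)
    key = derive_key(passphrase, salt, iterations)
    # The check value lets a restore detect a wrong passphrase early,
    # while the key itself is never written to disk.
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).hexdigest()
    return {"salt": salt.hex(), "iterations": iterations, "check": check}


def unlock(passphrase: str, record: dict):
    """Return the AES key if the passphrase matches the record, else None."""
    key = derive_key(passphrase, bytes.fromhex(record["salt"]),
                     record["iterations"])
    check = hmac.new(key, CHECK_LABEL, hashlib.sha256).hexdigest()
    return key if hmac.compare_digest(check, record["check"]) else None


if __name__ == "__main__":
    # Constructed sample passphrases, for demonstration only.
    record = new_key_record("constructed sample passphrase 2024")
    print(record)
    print("correct passphrase accepted:",
          unlock("constructed sample passphrase 2024", record) is not None)
    print("wrong passphrase accepted:  ",
          unlock("constructed sample passphrase 2025", record) is not None)
```

Because the key exists only as a function of the passphrase and the stored salt, losing the passphrase makes the backup set unrecoverable, and a weak passphrase weakens the 256-bit key it produces.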
Database Encryption Key (DEK)
BE 15 and later stores sensitive information in the BE Database using encryption. A database encryption key is used to encrypt information such as login account credentials and the keys that are used for encrypted backup jobs, for example.
I highly recommend that you employ this and also back up the DEK by exporting it to a secure location, so that you can access it later if it is needed.
Firewall Rules
Backup Exec has enhanced the existing inbound firewall rules to provide access for only the required ports and restrict access to all other ports. This helps to minimise the probability of a security lapse or violation.
5. Simplified Disaster Recovery (SDR)
If a ransomware recovery needs to leverage infected hardware, BE SDR can be a valuable solution when you have limited resources. SDR automates the server recovery process, making it unnecessary to reinstall operating systems or configure hardware manually.
When systems are corrupted and must be completely overwritten, SDR allows you to rebuild systems quickly from scratch, restoring the OS and the application data with a single operation.
BONUS: Easy Update/Upgrade
From a functionality perspective, there are a number of reasons why BE should be kept up to date with the latest version. That said, there are very specific reasons from a security perspective, several of which are mentioned above.
Not upgrading to the latest version means not being able to enable several key security features such as Ransomware Resiliency, Multi-factor authentication, and Secure Console. Having a Media Server with older versions of BE is actually quite a bit scarier. There are exploits that are documented and actively used by attackers to compromise backup servers running old software versions.
For example, if your organisation has BE operating with a version older than 20.4, all of the data backed up by these Media Servers won’t have BE Ransomware Resilience, which provides enhanced protection of business-critical data against ransomware attacks.
Sounds bad, right?
CONCLUSION
BE is a solution designed with uncompromising security at its heart. These and the many other new features continue to make the tool more efficient, more secure. While there are other security features that could merit mention, this article was not intended to be a complete list of all BE security, or a white paper on the subject.
Instead, these are features that I quite frequently see in my interaction with customers and partners. Highlighting these five security features that organisations leveraging Backup Exec should be aware of and plan to configure was the goal.
Additionally, the Veritas BE Engineering team reviews reported CVEs (Common Vulnerabilities and Exposures) that affect product security and stability or hamper data integrity, and continues to upgrade the protocols and algorithms used within BE.
Remember to stay safe and backup.
Questions, concerns, or feedback? Put a comment below. For more information on BE, including trialware, please visit www.backupexec.com. If you want to discuss this further, please feel free to reach out to me via a DM.