Backup Security

When you think of backup security, you may think of keeping tapes off-site or even encrypting the media, but what is really required for backup security? There is quite a bit going on when someone performs a backup within the virtual environment, so where does security begin and end when making one or many backups?

The following image shows an example set of backup paths. When we talk about backup security we are discussing not only placing the backup on secure media for storage, but also how the data moves around the virtual environment.

[Image: Backup Paths]
This diagram contains 5 distinct backup paths.

  1. From VM Storage to Backup Server to Backup Disk to Tape (green path)
  2. From Backup Disk through a gateway to a remote VM Storage (blue path, replication)
  3. From VM Storage to Virtualization Host local storage (leftmost orange path)
  4. From Remote VM Storage to Remote Virtualization Host local storage (rightmost top orange path)
  5. From Remote VM Storage to Remote Tape (rightmost bottom orange path)

The green and blue paths are pretty normal within the backup community, which means that the backup or replication will travel through at least 7 devices. Each of these 7 devices is an attack surface that needs to be protected. So do we:

  • Protect each device
  • Encrypt the data moving through the devices, with the encryption end points at the start and end of the path rather than at the intermediary devices
    • Encryption from the start of the path to the end of the path.
  • Do both

My suggestion is to do both, as defence in depth is very important. However, where encryption starts and ends is very important for data transfer, as is where the data being backed up ends up. In the above diagram the data ends up in several places.

  • On the Local VM Storage Device (the original)
  • On the Local Virtualization Host
  • On the Backup Server
  • On the Backup Disk
  • On the Local Tape Device
  • On the Remote Storage Device
  • On the Remote Virtualization Host
  • On the Remote Tape Device

So how would you encrypt the data moving through the system?

  • Encrypt the transport using tunnels
  • Encrypt the transport using protocols built into the backup software
    • Veeam, Vizioncore, and PhD Virtual have solutions that encrypt from the ESX host to the backup server, but not the other backup paths.
    • Vizioncore vReplicator can encrypt from ESX host to ESX host, but not the other backup paths.
  • Encryption built into the tape device
    • These only encrypt the data as it is written to the device, not before the data reaches the device.
  • Encrypt the original

In my ‘Virtual Disk Encryption’ article I discussed some ways to create encrypted virtual disks and the requirements for virtual disk encryption within the data center. If the virtual disk is encrypted, it is possible to forgo all the other layers of encryption and still maintain data integrity and encryption throughout the process, no matter where the virtual disk image lands. Without virtual disk encryption, the encryption of your backup paths depends too heavily on what is available at the source, the tools in use, and the number of tools in use. Some tools have poor encryption while others have better encryption.
Encrypting virtual disks at the source seems like the best way to ensure the backup data is transferred safely through each device and is secured when it finally lands at its resting spot, as well as at all intermediary locations. However, remember to harden all those intermediary devices!
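The question of where encryption starts and ends can be worked through concretely. The following is an added model (not code from the article) of the five paths above: for each of the encryption options listed, it computes which hops still handle the backup data in plaintext. Device names follow the path descriptions; the LAN/WAN links, the remote gateway and the tape media are assumed additions so that link-only and device-only encryption can be told apart.

```python
# Added model of the article's backup paths: which hops handle plaintext for a
# given placement of encryption start and end points. Device lists follow the
# diagram description; LAN/WAN links, gateways and tape media are constructed
# modelling additions, not devices named in the article.
PATHS = {
    "green": ["VM Storage", "Virtualization Host", "LAN", "Backup Server",
              "Backup Disk", "Tape Device", "Tape Media"],
    "blue": ["Backup Disk", "Gateway", "WAN", "Remote Gateway", "Remote VM Storage"],
    "orange_local": ["VM Storage", "Virtualization Host", "Host Local Storage"],
    "orange_remote_host": ["Remote VM Storage", "Remote Virtualization Host",
                           "Remote Host Local Storage"],
    "orange_remote_tape": ["Remote VM Storage", "Remote Tape Device", "Remote Tape Media"],
}
ALL_DEVICES = {hop for hops in PATHS.values() for hop in hops}

def plaintext_devices(path, spans):
    """Hops on `path` that handle plaintext. A span (encrypt_at, decrypt_at)
    protects only the hops strictly between its two devices: the encrypting
    device reads plaintext and the decrypting device writes it. encrypt_at=None
    means the data is already ciphertext when it enters the path (encrypted at
    the source); decrypt_at=None means it is never decrypted on this path."""
    hops = PATHS[path]
    covered = set()
    for encrypt_at, decrypt_at in spans:
        start = -1 if encrypt_at is None else hops.index(encrypt_at)
        end = len(hops) if decrypt_at is None else hops.index(decrypt_at)
        covered.update(hops[start + 1:end])
    return set(hops) - covered

def exposure(strategy):
    """Union of plaintext-handling hops over all paths; a path missing from
    `strategy` (path name -> list of spans) is unencrypted."""
    return set().union(*(plaintext_devices(p, strategy.get(p, [])) for p in PATHS))

# The article's options, expressed as encryption spans.
NO_ENCRYPTION = {}
BACKUP_SOFTWARE = {"green": [("Virtualization Host", "Backup Server")]}  # host to backup server only
TUNNELS = {"green": [("Virtualization Host", "Backup Server")],
           "blue": [("Gateway", "Remote Gateway")]}                        # link-level tunnels
TAPE_DEVICE = {"green": [("Tape Device", None)],
               "orange_remote_tape": [("Remote Tape Device", None)]}       # drive encrypts on write
SOURCE_ENCRYPTION = {path: [(None, None)] for path in PATHS}  # encrypted virtual disk image

if __name__ == "__main__":
    for name, strategy in [("none", NO_ENCRYPTION), ("backup software", BACKUP_SOFTWARE),
                           ("tunnels", TUNNELS), ("tape device", TAPE_DEVICE),
                           ("source", SOURCE_ENCRYPTION)]:
        print(f"{name:16}{len(exposure(strategy)):3} of {len(ALL_DEVICES)} hops handle plaintext")
```

The model tracks only the disk image, not guest memory, so source encryption leaves every landing spot and intermediary holding ciphertext, while the transport and tape options each cover a single link or medium.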