Backup Security

When it comes to backup security, many people think of ensuring tapes are off-site or even of encrypting the media, but what is really required for backup security? There is quite a bit going on when someone performs a backup within the virtual environment, so where does security begin and end when making one or more backups?

The following image shows an example set of backup paths. Backup security covers more than placing the backup on secure media for storage; it also covers how the data moves around the virtual environment.

Backup Paths

The diagram shows 5 distinct backup paths.

  1. From VM Storage to Backup Server to Backup Disk to Tape (Green path)
  2. From Backup Disk through a gateway to a remote VM Storage (Blue path — Replication)
  3. From VM Storage to Virtualization Host local storage (leftmost orange path)
  4. From Remote VM Storage to Remote Virtualization Host local storage (rightmost top orange path)
  5. From Remote VM Storage to Remote Tape (rightmost bottom orange path)

The green to blue paths are pretty normal within the backup community, which implies that the backup or replication will travel through at least 7 devices. These 7 devices provide attack surfaces that need to be protected. So do we:

  • Protect the device
  • Encrypt the data moving through the device with the end points not being the intermediary devices
    • Encryption from start of path and end of path.
  • Do both

My suggestion is to do both, as defence in depth is very important. However, where encryption starts and ends is very important for data transfer, as is where the data being backed up ends up. In the above diagram the data ends up in several places.

  • On the Local VM Storage Device (the original)
  • On the Local Virtualization Host
  • On the Backup Server
  • On the Backup Disk
  • On the Local Tape Device
  • On the Remote Storage Device
  • On the Remote Virtualization Host
  • On the Remote Tape Device

So how would you encrypt the data moving through the system?

  • Encrypt the transport using tunnels
  • Encrypt the transport using protocols built into the backup software
    • Veeam, Vizioncore, and PhD Virtual have solutions that encrypt from the ESX host to the backup server, but no other backup paths.
    • Vizioncore vReplicator can encrypt from ESX host to ESX host but not the other backup paths.
  • Encryption protocols built into the tape device
    • These protocols only encrypt the data as it is written to the device, not before the data gets to the device.
  • Encrypt the Original

In my ‘Virtual Disk Encryption’ article I discussed some ways to create encrypted virtual disks and the requirements for virtual disk encryption within the data center. If the virtual disk were encrypted, it would be possible to bypass all the other layers of encryption and still maintain data integrity and encryption throughout the process, no matter where the virtual disk image lands. Without virtual disk encryption, encryption of your backup paths depends too heavily on what is available at the source, the tools in use, and the quantity of tools in use. Some tools have poor encryption while others have better encryption.

Encrypting virtual disks at the source seems like the best way to ensure the backup data is transferred safely through each device, and to ensure the data is secured when it finally lands at its resting spot and at all intermediary locations. However, remember to harden all those intermediary devices!
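
The coverage argument above, as an added example that is not part of the original article: a small Python model that reports where backup data is still readable for a given set of encryption controls. Hop names come from paths 1 and 2 in the list above; the function names, the placement of the backup-software encryption on the VM Storage to Backup Server link, and the tunnel end points are assumptions made for illustration.

```python
# Added illustration. Hop names follow paths 1 and 2 in the article;
# the model and the control placements are assumptions.
GREEN = ["VM Storage", "Backup Server", "Backup Disk", "Tape"]
BLUE = ["Backup Disk", "Gateway", "Remote VM Storage"]


def plaintext_exposure(path, transport_spans=(), at_rest=(), source_encrypted=False):
    """Return (nodes, links) on `path` where backup data is readable.

    transport_spans: (start, end) pairs; data is encrypted on every link
        between them and opaque to hops strictly inside the span, but the
        two end points terminate the encryption and handle plaintext.
    at_rest: hops that encrypt only what they store (e.g. a tape drive).
    source_encrypted: the virtual disk itself is encrypted before any
        backup tool touches it, so every hop and link carries ciphertext.
    """
    if source_encrypted:
        return [], []
    safe_links, safe_nodes = set(), set(at_rest)
    for start, end in transport_spans:
        i, j = path.index(start), path.index(end)
        if i >= j:
            raise ValueError(f"span {start!r}->{end!r} runs against the path")
        safe_links.update(range(i, j))      # link k joins path[k], path[k+1]
        safe_nodes.update(path[i + 1:j])    # interior hops see ciphertext only
    nodes = [n for n in path if n not in safe_nodes]
    links = [(path[k], path[k + 1]) for k in range(len(path) - 1)
             if k not in safe_links]
    return nodes, links


def report(name, path, **controls):
    nodes, links = plaintext_exposure(path, **controls)
    print(f"{name}: plaintext at {nodes or 'no hop'}; "
          f"clear links {[' -> '.join(l) for l in links] or 'none'}")


if __name__ == "__main__":
    # Backup-software encryption up to the backup server plus tape encryption.
    report("green, tool + tape", GREEN,
           transport_spans=[("VM Storage", "Backup Server")], at_rest=["Tape"])
    # A tunnel for replication, terminated on the backup disk and remote storage.
    report("blue, tunnel", BLUE,
           transport_spans=[("Backup Disk", "Remote VM Storage")])
    # Encrypted virtual disk: nothing downstream depends on per-tool coverage.
    report("green, source-encrypted", GREEN, source_encrypted=True)
```

Every hop the model lists as holding plaintext is one of the intermediary devices that still has to be hardened.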

Edward Haletky (363 Posts)

Edward L. Haletky, aka Texiwill, is the author of VMware vSphere(TM) and Virtual Infrastructure Security: Securing the Virtual Environment as well as VMware ESX and ESXi in the Enterprise: Planning Deployment of Virtualization Servers, 2nd Edition. Edward owns AstroArch Consulting, Inc., providing virtualization, security, network consulting and development and The Virtualization Practice where he is also an Analyst. Edward is the Moderator and Host of the Virtualization Security Podcast as well as a guru and moderator for the VMware Communities Forums, providing answers to security and configuration questions. Edward is working on new books on Virtualization.
