AWS Partner Network (APN) Blog

Data Protection and Security Best Practices with Veeam on AWS

By Desmond Lai, Sr. Partner Storage Solutions Architect – AWS
By Vishwajeeth Venkatesh, Sr. Cloud Systems Engineer – Veeam


Safeguarding sensitive information is crucial for every organization. As data volumes grow from hundreds of terabytes to petabytes and increasingly include sensitive personally identifiable information (PII), organizations must meet stringent regulatory requirements for data security. They also need to protect their data and IT landscape from misconfigurations, human error, and evolving cyber threats such as ransomware and exploitable vulnerabilities in their environments; failing to do so leaves them exposed to financial, reputational, and operational damage. Common customer challenges include:

  • Insecure data backups: Poorly configured backups leave gaps in your disaster recovery plan.
  • Data in transit vulnerabilities: Missing or improper encryption during transmission exposes data to interception.
  • IAM mismanagement: Identity and access misconfigurations.
  • Ransomware targeting backups: In a typical ransomware attack, backup repositories are the first target.

These concerns highlight the critical need for robust data protection and effective cyber-resiliency strategies to mitigate risks and ensure compliance.

Veeam Ransomware Trends Report 2024

Veeam Data Protection Trends Report 2024

Data Protection Security Best Practices Overview

When adopting the AWS cloud, understanding the AWS Shared Responsibility Model is crucial. This model delineates the division of security responsibilities between AWS and the customer: AWS manages the security of the cloud infrastructure, while customers are responsible for securing their data within the cloud, including implementing appropriate identity and access management, encryption, and network security measures. Best practices for securing your data include:

  • Implement multi-layered and hardened backup strategies: Ensure backups are encrypted and logically isolated from the public internet to avoid exposure.
  • Encrypt data in transit and at rest: Apply recognized encryption standards to data in transit and data at rest.
  • Strengthen IAM protocols: Implement least privilege, multi-factor authentication (MFA), and regular audits.
  • Ransomware protection and backup isolation: Implement immutable repositories and isolate backup data.

Veeam helps customers comply with regional, local, and industry regulations and frameworks, including the CLOUD Act, HIPAA, NIST, IRAP, MTCS Tier 3, OSPAR, ISO 20000, and more. It does so by integrating with AWS-provided mechanisms and out-of-the-box solutions, enabling customers to secure their AWS cloud environments effectively.

Veeam Backup on AWS Implementation & Configuration

To ensure customer data remains secure and protected against potential risks, it is crucial to align Veeam deployments on AWS with established security best practices.

In the following sections, we explore how Veeam integrates these best practices to mitigate security threats, ensure compliance with industry standards, and reduce the customer's risk profile.

1. Repository Immutability

Store data in a state that cannot be modified after it is written. This preserves data integrity and durability for audit and compliance purposes: historical records and transactions are retained and cannot be deleted or overwritten during the defined retention period.

Implementation and Integration by Veeam
Veeam Backup for AWS allows you to protect data stored in backup repositories from deletion by making the data immutable until it reaches its desired retention period.

Veeam Backup uses Amazon Simple Storage Service (Amazon S3) Object Lock to prevent backup data from being deleted or modified before its retention period expires. In compliance mode, locked data cannot be tampered with or deleted by any user, including the AWS account root user, which protects against ransomware and malicious actions. For configuration details, refer to the immutability configuration guide in the Veeam documentation.


Figure 1: Enabling immutability on backup repository for Veeam
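To verify that a repository bucket actually has the compliance-mode lock described above, the following audit check is an added example (not Veeam's code). Its inputs are constructed dicts in the shape that boto3's get_object_lock_configuration returns, so it runs offline; feed it the live response to audit a real bucket.

```python
from __future__ import annotations

# Constructed sample in the shape boto3's get_object_lock_configuration returns:
# a compliance-mode repository with a 30-day default retention.
COMPLIANT = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "COMPLIANCE", "Days": 30}},
}}

# Constructed sample: governance mode. A principal holding
# s3:BypassGovernanceRetention can still shorten or remove the lock.
GOVERNANCE = {"ObjectLockConfiguration": {
    "ObjectLockEnabled": "Enabled",
    "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Years": 1}},
}}

# Constructed sample: a bucket on which Object Lock was never enabled.
UNLOCKED: dict = {}


def audit_object_lock(config: dict, min_days: int) -> list[str]:
    """Return audit findings for a repository bucket; an empty list means it passes."""
    lock = config.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return ["Object Lock is not enabled; backups can be deleted or overwritten"]
    retention = lock.get("Rule", {}).get("DefaultRetention")
    if not retention:
        # Without a bucket default, objects are protected only if the writer
        # sets a retention period on each object it uploads.
        return ["no default retention rule; protection depends on per-object retention"]
    findings = []
    mode = retention.get("Mode")
    if mode != "COMPLIANCE":
        findings.append(f"retention mode is {mode}; COMPLIANCE is required so that "
                        "no principal, including the account root user, can shorten it")
    # S3 expresses the default period as either Days or Years, never both.
    days = retention.get("Days", retention.get("Years", 0) * 365)
    if days < min_days:
        findings.append(f"default retention is {days} days, below the required {min_days}")
    return findings


if __name__ == "__main__":
    for name, cfg in ("compliant", COMPLIANT), ("governance", GOVERNANCE), ("unlocked", UNLOCKED):
        print(name, audit_object_lock(cfg, 30) or "OK")
```

Compliance-mode retention cannot be shortened by anyone once set, so size the period to your recovery objectives rather than to the longest value available, since every locked object is billed until it expires.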

2. Reducing Blast Radius / Isolation

Physically and logically isolating data, infrastructure, and applications minimizes the impact of failures. By compartmentalizing data and workloads, organizations can better segment access permissions and reduce the attack surface, making it harder for attackers to move laterally. Isolated environments allow organizations to pinpoint the source of a problem more quickly and apply targeted solutions without affecting other parts of the system.

Implementation and Integration by Veeam
Veeam allows you to create a separate backup account in which all the backup infrastructure can be deployed.

This backup account can also be placed in a separate AWS Region for further redundancy, so backups remain available if your production AWS account is compromised and are not affected by a Region-level outage.

Figure 2: Account segregation for Veeam-deployed components, showing the different Veeam components in separate accounts for isolation and the cross-account communication between them

3. Encryption Everywhere

Protecting data in transit and at rest makes it unreadable to bad actors both internally and externally. Many regulatory standards and compliance frameworks require data encryption to safeguard sensitive information. By encrypting data in accordance with these requirements, organizations can ensure compliance and avoid potential penalties or legal issues.

Keeping encrypted backups and snapshots in a separate account and Region lets customers follow data protection best practices. Veeam automatically deploys worker instances in the production or backup accounts and removes them as soon as the backup or restore process completes. These workers can be deployed separately from the appliance account, where Veeam Backup for AWS is installed, and the backup repository account, where backup data is stored in Amazon S3.

Implementation and Integration by Veeam
Amazon S3 buckets are encrypted by default with Amazon S3-managed keys (SSE-S3), which provides a baseline of data security. For additional protection, Veeam Backup for AWS lets users encrypt backup data stored in repositories with Veeam's own encryption mechanism.

Furthermore, Veeam supports native AWS Key Management Service (AWS KMS) encryption for Amazon Elastic Compute Cloud (Amazon EC2) and Amazon Relational Database Service (Amazon RDS) instance volumes, Amazon Elastic File System (Amazon EFS), Amazon FSx file systems, Amazon DynamoDB tables, and cloud-native snapshots. Veeam uses the 256-bit Advanced Encryption Standard (AES-256) for its own encryption.

Veeam Backup for AWS uses AWS KMS keys, including customer managed keys (CMKs), to encrypt backup data at rest and in transit. Snapshots are secured at the block level before they are mounted to worker instances, and that protection is maintained throughout the Amazon S3 backup workflow.

Veeam integrates seamlessly with AWS Identity and Access Management (IAM) roles, ensuring that only authorized roles can access or manage encrypted backups. By enforcing encryption across all data points, Veeam simplifies managing encryption policies while bolstering the overall security of backup data.

Figure 3: Encryption for Veeam-created resources and roles when taking encrypted Amazon EBS snapshots in the production account and backing them up to Amazon S3
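The statement that only authorized roles can reach encrypted backups is only as true as the key policy on the CMK. The following review helper is an added example, not Veeam's code: it reads a constructed key policy (placeholder account IDs and role names) and reports which principals it grants decrypt or key-deletion rights, using the same Allow-statement semantics a reviewer applies by hand.

```python
from __future__ import annotations
from fnmatch import fnmatch

# Constructed placeholders: a backup role in the backup account and a
# key-administrator role in the production account that owns the CMK.
BACKUP_ROLE = "arn:aws:iam::222222222222:role/example-veeam-backup"
PROD_ADMIN = "arn:aws:iam::111111111111:role/example-prod-key-admin"
UNRELATED = "arn:aws:iam::333333333333:role/example-unrelated"

# Constructed sample key policy: administration stays with the production
# account; the backup account's role gets only what it needs to read encrypted
# snapshots and re-encrypt or grant them for copying to the backup account.
KEY_POLICY = {"Version": "2012-10-17", "Statement": [
    {"Sid": "KeyAdministration", "Effect": "Allow",
     "Principal": {"AWS": PROD_ADMIN}, "Action": "kms:*", "Resource": "*"},
    {"Sid": "BackupRoleUse", "Effect": "Allow",
     "Principal": {"AWS": BACKUP_ROLE},
     "Action": ["kms:Decrypt", "kms:DescribeKey", "kms:GenerateDataKey*",
                "kms:ReEncrypt*", "kms:CreateGrant"],
     "Resource": "*"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def allowed_actions(key_policy: dict, principal_arn: str) -> set[str]:
    """Collect the action patterns that Allow statements grant directly to principal_arn.

    Simplified on purpose: Deny statements, condition keys and delegation to an
    account root ARN are ignored, so this is a first-pass review, not IAM's evaluator.
    """
    allowed: set[str] = set()
    for stmt in key_policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        principal = stmt.get("Principal", {})
        principals = ["*"] if principal == "*" else _as_list(principal.get("AWS", []))
        if principal_arn in principals or "*" in principals:
            allowed.update(_as_list(stmt["Action"]))
    return allowed


def can_decrypt(key_policy: dict, principal_arn: str) -> bool:
    """True if a granted pattern (e.g. kms:* or kms:Decrypt) covers kms:Decrypt."""
    return any(fnmatch("kms:Decrypt", p) for p in allowed_actions(key_policy, principal_arn))


def can_schedule_deletion(key_policy: dict, principal_arn: str) -> bool:
    """True if the principal could destroy the key, and with it every backup it protects."""
    return any(fnmatch("kms:ScheduleKeyDeletion", p)
               for p in allowed_actions(key_policy, principal_arn))
```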

4. Identity and Access Management

Correct configuration of IAM ensures the right users access the right data at the right time, with minimal levels of permission to perform a task. This provides centralized control and visibility into user access and activity across AWS services and resources, enabling organizations to monitor user behavior, detect suspicious activity, and respond to security incidents in real-time.

Implementation and Integration by Veeam
Veeam allows you to create granular IAM roles to perform backup and restore operations across multiple AWS accounts. Veeam enforces least-privilege access, giving users and systems only the minimum permissions needed for their tasks, which limits the damage an attacker can do if a credential is compromised.

Veeam integrates with single sign-on providers and multi-factor authentication for enhanced security. Granular role assignments reduce compromise risks and simplify AWS security audits. For details, refer to the Veeam Backup for AWS IAM permissions documentation.
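A least-privilege claim about a backup role should be checked against the policy that is actually attached to it. The following lint is an added example, not Veeam's code or its documented permission set: the two policy documents, the bucket name and the key ID are constructed, while the action names are real IAM actions that let a holder destroy backups or weaken the controls around them.

```python
from __future__ import annotations
from fnmatch import fnmatch

# Actions that can destroy backups or loosen the controls around them. A role that
# only writes to and reads from the repository has no reason to hold any of them.
DESTRUCTIVE = (
    "s3:DeleteBucket",
    "s3:DeleteObjectVersion",
    "s3:BypassGovernanceRetention",
    "s3:PutBucketObjectLockConfiguration",
    "kms:ScheduleKeyDeletion",
)

# Constructed sample: a policy that "works" but grants far more than backup needs.
OVERBROAD = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow", "Action": "s3:*", "Resource": "*"},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:ScheduleKeyDeletion"],
     "Resource": "arn:aws:kms:us-east-1:111111111111:key/example-key-id"},
]}

# Constructed sample: scoped to one repository bucket and the actions a writer needs.
SCOPED = {"Version": "2012-10-17", "Statement": [
    {"Effect": "Allow",
     "Action": ["s3:PutObject", "s3:GetObject", "s3:ListBucket", "s3:PutObjectRetention"],
     "Resource": ["arn:aws:s3:::example-veeam-repo", "arn:aws:s3:::example-veeam-repo/*"]},
    {"Effect": "Allow", "Action": ["kms:Decrypt", "kms:GenerateDataKey"],
     "Resource": "arn:aws:kms:us-east-1:111111111111:key/example-key-id"},
]}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def lint_policy(policy: dict) -> list[str]:
    """Return one finding per least-privilege violation; an empty list passes."""
    findings = []
    for i, stmt in enumerate(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = _as_list(stmt.get("Action", []))
        resources = _as_list(stmt.get("Resource", []))
        if "*" in resources and any("*" in a for a in actions):
            findings.append(f"statement {i}: wildcard action on Resource '*'")
        for pattern in actions:
            # The policy's action is the glob, so "s3:*" matches "s3:DeleteBucket".
            for action in DESTRUCTIVE:
                if fnmatch(action, pattern):
                    findings.append(f"statement {i}: {pattern} grants {action}")
    return findings
```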

5. End-to-End Private Connectivity

Private network deployment reduces security risks by preventing public internet exposure, protecting against eavesdropping and interception while improving network performance and reliability.

Dedicated connections or VPNs provide predictable bandwidth, lower latency, and higher throughput, ensuring optimal performance for mission-critical applications and workloads.

Implementation and Integration by Veeam
Veeam supports private deployment of the backup infrastructure so that core backup components are secure and have no public-facing endpoints. Veeam allows you to deploy the backup appliance in a private environment.

Additionally, Veeam can enable private network deployment functionality, allowing communication with Amazon S3 through private Amazon S3 interface endpoints. Veeam allows you to deploy workers in private environments without public IPv4 addresses, keeping backup traffic off the public internet.

If you are looking to deploy Veeam Backup for AWS in a private environment and need guidance, Veeam provides an automation script to help you get started.

Figure 4: Deploying the Veeam backup appliance in a private AWS environment, with on-premises Veeam components reaching the AWS VPCs over VPNs, AWS Transit Gateway, and VPC endpoints so that backup traffic is never exposed to the public internet
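Routing workers through a private S3 endpoint does not by itself stop the same bucket from being reached over the public endpoint; a bucket policy has to enforce it. The following is an added example, not Veeam's automation script: it builds a bucket policy that denies every request not arriving through a given endpoint, and a small evaluator of that one condition (the bucket name and endpoint ID are constructed placeholders).

```python
from __future__ import annotations

BUCKET = "example-veeam-repo"           # constructed placeholder
VPCE_ID = "vpce-0123456789abcdef0"      # constructed placeholder


def vpce_only_bucket_policy(bucket: str, vpce_id: str) -> dict:
    """Deny every S3 action on the bucket unless the request arrives through vpce_id.

    An explicit Deny overrides any Allow in IAM evaluation, so this holds even when an
    identity policy elsewhere would permit access over the public S3 endpoint.
    """
    return {"Version": "2012-10-17", "Statement": [{
        "Sid": "DenyAccessOutsidePrivateEndpoint",
        "Effect": "Deny",
        "Principal": "*",
        "Action": "s3:*",
        "Resource": [f"arn:aws:s3:::{bucket}", f"arn:aws:s3:::{bucket}/*"],
        "Condition": {"StringNotEquals": {"aws:sourceVpce": vpce_id}},
    }]}


def request_denied(policy: dict, source_vpce: str | None) -> bool:
    """Evaluate the aws:sourceVpce condition of the Deny statements in policy.

    source_vpce is None for a request that did not come through any VPC endpoint
    (for example, one sent to the public S3 endpoint). StringNotEquals on a key that
    is absent from the request context evaluates to true, so such requests are denied.
    """
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Deny":
            continue
        expected = stmt["Condition"]["StringNotEquals"]["aws:sourceVpce"]
        if source_vpce != expected:
            return True
    return False


if __name__ == "__main__":
    policy = vpce_only_bucket_policy(BUCKET, VPCE_ID)
    for source in (VPCE_ID, "vpce-0fedcba9876543210", None):
        print(source, "denied" if request_denied(policy, source) else "allowed")
```

Because the Deny applies to every principal, it also locks out administrators who reach the bucket from outside the VPC, including through the console; exempt a break-glass role with NotPrincipal and confirm the appliance and workers resolve Amazon S3 through the endpoint before applying it.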

Conclusion

Veeam®, the global market leader in data protection and ransomware recovery, is on a mission to empower organizations to not just bounce back from a data outage or loss but to bounce forward. With Veeam, organizations achieve radical resilience through data security, data recovery, and data freedom for their hybrid cloud environments. The Veeam Data Platform delivers a single solution for cloud, virtual, physical, SaaS, and Kubernetes environments, giving IT and security leaders peace of mind that their apps and data are protected and always available. Headquartered in Columbus, Ohio, with offices in more than 30 countries, Veeam protects over 450,000 customers worldwide, including 73% of the Global 2000, who trust Veeam to keep their businesses running.

Veeam on AWS provides comprehensive data protection and ransomware recovery through security best practices, enhanced by AWS’s scalable infrastructure for backup and disaster recovery capabilities.

The Veeam-AWS partnership leverages Amazon S3 and Amazon S3 Glacier Deep Archive for secure, cost-effective data protection and rapid recovery. By following AWS best practices, Veeam delivers data security, resilience, and regulatory compliance while protecting against ransomware and data loss.


Veeam – AWS Partner Spotlight

Veeam is an AWS Advanced Technology Partner and AWS Competency Partner that provides an advanced monitoring solution for cloud apps and modern infrastructure that aggregates metrics across distributed services to alert you on service-wide issues and trends in real-time.

Contact Veeam | Partner Overview | AWS Marketplace