ExaGrid/Veeam off-site security

DougLowe
We are a small company (150 users) with about 6TB of data on a dozen VMware servers. We currently use Veeam for on-site backups to NAS (nightly) and tape for weekly off-site. We are considering moving to ExaGrid for both on-site and off-site, replacing the tape.

My question is: how vulnerable are we to losing everything...both the on-site and off-site ExaGrid data should the right creds be compromised? It would be game over to discover that all of the server data was gone and the backup files on both targets had been deleted as well.

Is this a legitimate concern? The thought of it makes me want to keep the tape in place in addition to the off-site ExaGrid.
Exec Consultant
Distinguished Expert 2018
Commented:
ExaGrid encryption via SED will keep data confidential, so stealing the appliance or losing the disk will deter unauthorized access to data in plain. However, if the login ID and password are compromised, the data is no longer safe as long as the intruder or insider attempts to access it or steal it, or even worse, it is reported lost. It is transparent, on-the-fly access the moment the login is authenticated correctly.

I see that if the authentication can be of, or support, a second factor, then those threats will be mitigated, since the token or smartcard as second factor needs to be present besides the password. So far I do not know that they supported that. As a whole it is secure, but a compromised credential opens the can of worms...all other technology suffers in such a use case.

Another means is to have the data itself be encrypted at the source, and the backup then contains encrypted data on top of the disk encryption. The login will not reveal the actual data though there is full access. This forms another layer of protection that an adversary must overcome...this is likely a separate effort to enforce the additional encryption...

Just my few cents worth

Author

Commented:
Thanks...my biggest concern really is complete loss of the data making restore impossible. End of game for the company. Tape has the advantage of not being online anywhere...very difficult for an intruder to delete the contents of a tape sitting in a bank vault.

Multifactor auth seems like perhaps the only real solution.
btan
Exec Consultant
Distinguished Expert 2018
Commented:
Going from tape to disk is needed not only for a longer data retention lifespan but also for a cost-effective, long-term optimised storage strategy. Good that we are on the same page.

For the restoration part, in the ideal case without compromises, the solution will be fine. MFA and additional data encryption are a means to the end for overall trust and data protection. I see it as a must, in fact, for critical data protection.

Actually, another need is the audit log for investigation, to facilitate access and account review, especially for privileged users - there are internal threats which we must guard against, and we must not be taken into complacency that they will not exist.

Overall I do also recommend a passphrase compared to a password. Here is an EE article talking about it and how to strengthen those.
http://www.experts-exchange.com/articles/18309/Choosing-an-easy-to-remember-strong-password.html
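
Added example, not part of the original thread and not ExaGrid or Veeam code: one way to act on the audit-log review suggested above is to flag any single account that deletes backup data on both the on-site and off-site target within a short window, which is the loss scenario the question describes. The log format, field names, account names and job names are constructed for illustration and do not reflect any vendor's actual audit log.

```python
import csv
from datetime import datetime, timedelta
from io import StringIO

# Constructed sample audit records (hypothetical format, not a vendor's):
# timestamp, site, account, role, action, object
SAMPLE_LOG = """\
2024-03-02T01:10:00,onsite,svc_veeam,backup,write,job-fileserver
2024-03-02T01:40:00,offsite,svc_repl,backup,write,job-fileserver
2024-03-04T22:05:00,onsite,admin1,admin,login,-
2024-03-04T22:07:00,onsite,admin1,admin,delete,job-fileserver
2024-03-04T22:09:00,onsite,admin1,admin,delete,job-sql
2024-03-04T22:31:00,offsite,admin1,admin,delete,job-fileserver
2024-03-05T09:00:00,onsite,admin2,admin,delete,job-test
"""

def parse(log_text):
    """Parse audit lines into dicts with a real datetime in 'ts'."""
    fields = ["ts", "site", "account", "role", "action", "object"]
    rows = []
    for rec in csv.DictReader(StringIO(log_text), fieldnames=fields):
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        rows.append(rec)
    return rows

def cross_site_deletes(rows, window=timedelta(hours=1)):
    """Return accounts that deleted backup data on BOTH sites within `window`.

    One credential removing both copies is the unrecoverable case, so it is
    reported separately from ordinary single-site housekeeping deletes.
    """
    deletes = sorted((r for r in rows if r["action"] == "delete"),
                     key=lambda r: r["ts"])
    alerts = {}
    for i, first in enumerate(deletes):
        for later in deletes[i + 1:]:
            if later["ts"] - first["ts"] > window:
                break  # sorted by time, so nothing further can match
            if (later["account"] == first["account"]
                    and later["site"] != first["site"]):
                hit = alerts.setdefault(first["account"], set())
                hit.update({first["object"], later["object"]})
    return {acct: sorted(objs) for acct, objs in alerts.items()}

if __name__ == "__main__":
    for acct, objs in cross_site_deletes(parse(SAMPLE_LOG)).items():
        print(f"ALERT {acct}: deletes on both sites within window: {objs}")
```

In the constructed sample, `admin2`'s single-site delete is not flagged, while `admin1` is flagged for touching both targets 24 minutes apart.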
