ExaGrid/Veeam off-site security

We are a small company (150 users) with about 6TB of data on a dozen VMware servers. We currently use Veeam for on-site backups to NAS (nightly) and tape for weekly off-site. We are considering moving to ExaGrid for both on-site and off-site, replacing the tape.

My question is: how vulnerable are we to losing everything, both the on-site and off-site ExaGrid data, should the right creds be compromised? It would be game over to discover that all of the server data was gone and the backup files on both targets had been deleted as well.

Is this a legitimate concern? The thought of it makes me want to keep the tape in place in addition to the off-site ExaGrid.

btan (Exec Consultant) Commented:
ExaGrid encryption via SED will keep data confidential, so if the appliance is stolen or a disk is lost, unauthorized access to the data in plain is deterred. However, if the login ID and password are compromised, the data is no longer safe, as the intruder or insider can attempt to access it, steal it or, even worse, it is reported lost. Access is transparent and on the fly the moment the login is authenticated correctly.

I see that if the authentication can be, or can support, a second factor, then those threats will be mitigated, since the token or smartcard as second factor needs to be present besides the password. So far I do not know that they support that. As a whole it is secure, but a compromised credential opens the can of worms... all other technologies suffer in such a use case.

Another means is to have the data itself encrypted at the source, so the backup contains encrypted data on top of the disk encryption. The login will not reveal the actual data even though there is full access. This forms another layer of protection that the adversary must overcome. This is likely a separate effort to enforce the additional encryption...

Just my few cents worth

DougLowe (Author) Commented:
Thanks...my biggest concern really is complete loss of the data making restore impossible. End of game for the company. Tape has the advantage of not being online anywhere...very difficult for an intruder to delete the contents of a tape sitting in a bank vault.

Multifactor auth seems like perhaps the only real solution.
btan (Exec Consultant) Commented:
Going from tape to disk is needed not only for a longer data retention lifespan but also for a cost-effective, long-term optimised storage strategy. Good that we are on the same page.

For the restoration part, in the ideal case without compromises, the solution will be fine. MFA and additional data encryption are a means to the end for overall trust and data protection. I see it as a must, in fact, for critical data protection.

Actually, another need is the audit log for investigation, to facilitate access and account review, especially for privileged users. There are internal threats which we must guard against, and we must not be complacent that they will not exist.

Overall I do also recommend a passphrase compared to a password. Here is an EE talking about it and how to strengthen those.