We started Green Cloud Defense almost exactly 10 years ago and, from day one, we have been running our shared (public) cloud infrastructure on VMware’s hypervisor. Our 800 partners across North America utilize VMware’s vCloud Director to deploy, automate and manage virtual infrastructure resources in these multi-tenant cloud environments. A couple of years ago, Green Cloud was designated as a VMware Cloud Verified provider, meaning the services we offer are based on the most complete VMware cloud infrastructure technologies available.
Today, 10 years later, with six data centers located across the country and with thousands of virtual machines (VMs) in production, we are launching a fully functional disaster recovery product built within the VMware vCloud Director footprint.
What does this mean for our partner community? They now have the ability to recover protected workloads – both on-premise and in the cloud – into a second Green Cloud data center through a self service portal within the vCloud Director interface. For those not comfortable managing this on your own, feel free to call us. Our dedication to service and support to our network of partners remains the same.
Like all disaster recovery solutions sold by Green Cloud, we will still assist the partner in setting up the secondary site, pre-building IP schemes and setting up firewalls on the recovery site to ensure there are no “gotchas” when the partner/end user needs to failover in an unpredictable disaster scenario.
Why is this disaster recovery solution different? Disaster Recovery powered by VMware allows you to manage your workloads on a per VM basis. You can choose different Service Level Agreement (SLA) profiles on a per VM basis. With Recovery Point Objectives (RPOs) as fast as one hour, this solution allows our partners to talk about specific recovery times and retention policies on a per VM basis – all while effectively managing the solution and the budget.
We have priced this solution very, very aggressively. You pay a small fee on a per VM basis and reserve the necessary compute and storage on the target side. This is lockstep with our goal: to deliver the cloud solutions you want, with the support you deserve and at a price point that you can afford.
While some disaster recovery solutions are unreliable, complex and expensive, and may not scale at the required levels of protection or expectation, Disaster Recovery powered by VMware is reliable and effective while remaining extremely affordable. We truly believe this solution is a win/win for our partners and their end users.
AUTHOR: Charles Houser
In today’s mobile and multi-cloud world, the need to be able to protect any workload running anywhere with a single solution has never been more important. In this post, I’ll cover how you can protect your workloads with Green Cloud’s Secure BaaS service using the Veeam Agent and the Veeam Service Provider Console (VSPC). I’ll focus on protecting workloads running in Green Cloud’s IaaS infrastructure, but the process can apply to any workload running anywhere.
The focus will be on deploying, configuring and managing the Veeam agent using the Veeam Service Provider Console. If you have questions on access to the VSPC console, please reach out to Green Cloud’s support team. If you want to sign up for Green Cloud’s Secure BaaS solution, please reach out to our sales team.
Before we get started on protecting workloads, first let’s review Green Cloud’s Secure BaaS offering. This solution is powered by Veeam and Cloudian, delivering ransomware protection for Veeam backups. Veeam and Cloudian created the industry’s first solution leveraging the S3 object lock feature to make backups immutable. This makes the backup unchangeable by anything. As a result, they cannot be encrypted by ransomware. With this solution, you can now offer ransomware protection to any workload running anywhere.
In this demo scenario, all workloads reside in Green Cloud’s IaaS infrastructure powered by VMware Cloud Director. I’m going to follow the Veeam recommended method for agent deployment using discovery rules. This will be done by logging into the VSPC as the partner or ‘Reseller’. For information on managing the Veeam agents as a partner or ‘Reseller’, please refer to the VSPC reseller Veeam documentation.
Before beginning the process of protecting my workloads, I’d like to provide a brief overview of the source environment. I previously built a small Remote Desktop Services environment. There are 5 total servers spread across a LAN and DMZ. The NSX Edge is providing network firewalling while the Windows firewall is also enabled. Below is a screen shot of the virtual machines that will be protected by the end of this post.
The first step in the process is to deploy a master management agent. This agent will be used to ‘discover’ other workloads running in your environment.
From the workload designated to be the master, log into the VSPC with your reseller credentials. These credentials can be retrieved / set in the Green Cloud partner portal or by contacting support. The format of the login is <Reseller>\<Reseller Admin> / <password>.
Once signed in, navigate to Discovery in the left navigation pane. Then locate Discovered Computers on the tab across the top. Finally, click the Download Agent link. Save the file to the local system.
Once the download completes, run the installer as administrator. Accept the EULA and click Next through the menus to complete the installation.
With the installation completed, the next step is to configure the management agent to communicate with the VSPC. Locate the management agent icon in the system tray, right-click and click Agent Settings.
This will open a window where you will enter the company (end user) account information. This information was provided during provisioning. Should you need this information please contact support.
The user name must be provided in the <Company Name\User> format.
With the management agent successfully communicating, we can now shift our focus to discovering the workloads so we can automatically deploy the Veeam Backup Agent. Discovery can be done via one of the following methods: Active Directory or network (IP). Optionally, you can also import a list from a CSV. For this post, I will focus on Active Directory discovery.
In the demo environment, the Windows firewall is enabled. As such, I need to configure it to allow the management agent to discover systems and push the Veeam Backup Agent installation. For the sake of this post, I have pre-configured the firewall. Below is a list of the port requirements for successful discovery and Veeam Backup Agent installation.
In the VSPC, navigate to Discovery in the left navigation pane. Locate Rules using the tabs across the top and click New to create a new discovery rule.
In the pop-up, go through the items. In this example, I will be going through Active Directory based discovery since the demo environment is an Active Directory domain. For the sake of time, I have pre-configured an Active Directory account that has been applied as a local administrator to each workload via Group Policy.
Be sure to clear the check box for using the account defined in the master agent. This is because we did not specify an account in the master agent setup.
In the VSPC, navigate to Discovery in the left navigation pane. Locate Rules using the tabs across the top and verify your rule is running.
The deployment process will take a few minutes or more depending on the size and scope of the discovery rule. You can check the status by navigating to Discovery in the left navigation pane and locating Discovered Computers across the top. Here you will see the discovered computers and the status of the Veeam Backup Agent installation.
The two most common reasons for failed agent installations are:
To check the status of the Veeam Backup Agent and view what policy is applied, navigate to Discovery in the left navigation pane and locate Discovered Backup Agents across the top.
Alternatively you can log into the protected workload and launch the Veeam Backup Agent. Using the Start Menu, locate the Veeam folder and the Veeam Agent for Microsoft Windows. At the top of the Agent application, you will see the VSPC reseller name and the backup policy applied.
At this point you have successfully set up the Veeam Backup Agent to protect your workloads by backing up to a Green Cloud Secure BaaS repository. This was done using the Veeam Service Provider Console. Through this console you can centrally manage and monitor the backups of your workloads. If you are an existing partner interested in protecting your customers’ workloads with Green Cloud’s Secure BaaS service, please reach out to your channel manager. If you are interested in becoming a Green Cloud partner, please complete the form on our contact us webpage.
Today’s biggest challenge is data security. Ransomware (as well as other security threats) is on the rise as the workforce has been dispersed due to the global pandemic. Empowering IT with a solution to protect data on any workload running anywhere is priceless. And it can all be managed through the Veeam Service Provider Console.
The single most critical aspect of being a Cloud Service Provider is the security of our customers’ businesses. Delivering Cloud Service means enabling our customers to conduct business on a safe, secure platform. Malware attackers are in direct opposition to this goal; they rely on disrupting businesses in order to extort money from them. That means that as malware attackers develop new vectors of disruption, Cloud Service Providers have a responsibility to adapt.
Security is a back-and-forth between threat and protection. Antivirus software was developed as a response to the first wave of Trojan Horse and Worm attacks on business infrastructure. As malware attacks became more sophisticated, so too did anti-malware, leading to the development of AI-driven malware recognition and Sandbox technology.
The most recent adaptation for Service Providers is Ransomware Protection through WORM (Write Once, Read Many), also known as Storage Immutability. Green Cloud’s new Secure BaaS offering incorporates Ransomware Protection through a Cloudian storage back-end. Combined with Veeam’s industry-leading Backup and Replication solutions, we are excited to offer our partners a proven way to protect their customers against ransomware.
Due to the nature of their work, Service Providers must be familiar with malware in its many forms. It can infiltrate a network through any number of vectors: email attachments, malicious thumb drives, social engineering, or even hand-crafted false web pages. Ransomware isn’t that different from traditional malware in this sense; it still uses all of these same vectors to achieve access to a target network.
Ransomware distinguishes itself from common malware by turning encryption, a tool generally used to secure data, into an attack. Encryption is a process by which data is transformed into a different form, a code, after which the original data can only be accessed with a specific key. The ransomware randomly generates a key, encrypts all data available to it, and then sends that key back to the attacker. That way, only the attacker has access to business-critical data, which lets them hold it for ransom.
After it became evident that ransomware was a critical threat, Service Providers began instituting rigorous backup requirements. Attackers have answered with a simple strategy: encrypt or destroy backups first. Once malware has made its way onto a network, the attacker can delay encryption (referred to as an Incubation Period) until they have located and destroyed any backups. That means the Service Provider will be in for a nasty surprise when they attempt to restore that client’s data.
WORM is the latest response from the security community against ransomware attacks, and it stands for Write Once, Read Many. In order to prevent backups from being destroyed or overwritten, security researchers defined a new standard for storage systems that prevented anyone, even system-level administrators, from modifying backup data. This may sound simple in principle, but is quite difficult to design and execute. Additionally, it is not a simple plug-and-play software implementation – WORM must be supported on the storage array itself.
Access to data on the storage array must be limited to a highly restricted, security-hardened account. No remote account or utility is allowed access to write data to the array. Once this feature is enabled, data is written once to the disk, and then locked for a pre-determined period of time. In order to interact with this storage, users send and retrieve data through a management utility such as an Object Storage API.
During our search for a comprehensive ransomware solution, Green Cloud came across Cloudian. Already a proven storage provider, Cloudian’s implementations of WORM and Data Immutability on their storage array drew our attention because of their strict compliance with governmental regulations. Cloudian’s integration with Veeam made it a natural fit for Green Cloud’s BaaS offering.
Let’s take a look at how WORM-enabled storage performs during a ransomware attack, in contrast with standard storage. When an attacker first infiltrates a network, they will make sure they have repeatable access to that network. Then begins the Incubation Period, where the attacker lays low on the network while collecting data.
Backups are the primary target. If possible, the attacker will locate and modify backup data. This can be in the form of encryption, configuration changes to remove drives from the backup job, or outright deletion. Traditional storage offers no protection against this type of attack. If the attacker gains access to the backup storage medium, they can wipe out months or years of user data to ensure that their ransom attack is successful.
In contrast, when the attacker attempts to write over backups on WORM-enabled storage, they find that the data cannot be modified in any way. Even modifying the backup job to contain bunk data will not destroy or overwrite the existing backups. This greatly extends the incubation period, which means more time where the malware can be detected and removed by Endpoint Protection or other anti-malware solutions.
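The contrast described above, as an added example that is not Green Cloud's, Veeam's or Cloudian's code: a simplified in-memory model of a versioned object store with compliance-style retention locks, run over a constructed backup timeline. The class names, method names and the `vm01.vbk` key are hypothetical.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class RetentionLocked(Exception):
    """A request tried to alter a version that is still under lock."""


@dataclass
class Version:
    version_id: int
    data: bytes
    retain_until: datetime


@dataclass
class WormBucket:
    """Toy model of a versioned bucket with write-once retention locks."""
    default_retention: timedelta
    _objects: dict = field(default_factory=dict)  # key -> list of Version
    _next_id: int = 1

    def put(self, key, data, now):
        # A write never replaces stored bytes; it appends a new locked version.
        v = Version(self._next_id, bytes(data), now + self.default_retention)
        self._next_id += 1
        self._objects.setdefault(key, []).append(v)
        return v.version_id

    def _find(self, key, version_id):
        for v in self._objects[key]:
            if v.version_id == version_id:
                return v
        raise KeyError((key, version_id))

    def get(self, key, version_id=None):
        if version_id is None:
            return self._objects[key][-1].data
        return self._find(key, version_id).data

    def delete_version(self, key, version_id, now):
        v = self._find(key, version_id)
        if now < v.retain_until:
            raise RetentionLocked(f"{key} v{version_id} is still locked")
        self._objects[key].remove(v)

    def set_retention(self, key, version_id, retain_until):
        v = self._find(key, version_id)
        if retain_until < v.retain_until:
            raise RetentionLocked("a lock can be extended, not shortened")
        v.retain_until = retain_until


def simulate_attack():
    """Constructed timeline: backup on day 0, attacker acts on day 10."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    day10 = t0 + timedelta(days=10)
    bucket = WormBucket(default_retention=timedelta(days=30))
    clean = bucket.put("vm01.vbk", b"clean backup", t0)
    # Overwriting with junk only adds a version; the clean one stays readable.
    bucket.put("vm01.vbk", b"junk", day10)
    result = {"latest_is_junk": bucket.get("vm01.vbk") == b"junk",
              "clean_copy_survives": bucket.get("vm01.vbk", clean) == b"clean backup"}
    # Deleting the locked version or shortening its lock is refused.
    attempts = {"delete_blocked": bucket.delete_version,
                "shorten_blocked": bucket.set_retention}
    for name, call in attempts.items():
        try:
            call("vm01.vbk", clean, day10)
            result[name] = False
        except RetentionLocked:
            result[name] = True
    # After the retention period, ordinary lifecycle deletion works again.
    bucket.delete_version("vm01.vbk", clean, t0 + timedelta(days=31))
    result["versions_left"] = len(bucket._objects["vm01.vbk"])
    return result
```

In this model the newest version after the overwrite is the junk one, so a restore has to select an earlier locked version rather than the latest.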
Enabling our partners to deliver a safe, secure platform on which customers can do business is a priority for Green Cloud. Veeam emphasizes that Service Providers should follow the “3-2-1 Rule” when designing their backup infrastructure:
Have at least three copies of your data.
Store the copies on two different media.
Keep one backup copy offsite.
Green Cloud’s BaaS has allowed us to fill a critical data protection role as a remote repository for on-site backups. Secure BaaS, our new offering powered by Veeam Cloud Connect and Cloudian Storage, offers a Veeam Repository that is fully protected against ransomware and malicious deletion.
For more information on Secure BaaS and Ransomware Protection, feel free to contact your Account Manager, or visit https://greenclouddefense.com/contact-us/.
We are living through a fundamental shift in how – and where – work gets accomplished. Spurred by COVID-19, employees have mass-migrated from offices and coworking spaces into their homes. For the time being, whether we like it or not, working from home is a necessity. As more businesses look to remote work solutions, it is important for network and IT engineers to take this new set of design requirements into consideration. Green Cloud is here to help our partners take on these challenges together.
A smooth transition to remote work is all about access. If your architecture is designed for remote access, your employees can work from anywhere. This is a natural use case for cloud hosting. Green Cloud recommends the following:
Multi-Factor Authentication (MFA) allows you to add an additional layer of security to your authentication process. There are two parts to a traditional authentication setup: a username and a password. We generally assume that your username is known to an attacker, since it is the most public piece of information. Many usernames are displayed by default, such as users on forums, or can be derived by combining a target’s first and last names. That means that the password is the first piece of private information by which a user’s identity can be confirmed.
MFA adds another piece of private information (another factor) to the authentication process. There are a handful of different secondary security factors:
So, when you enter your username and password, your MFA service prompts you to check for one of those additional factors. If you do not respond, or provide an incorrect response, it will not allow you to move on. That’s why for many users, MFA just means “another button I have to click to log in.”
By requiring you to verify your identity every time you log in, MFA puts another obstacle in the path of an attempted attack. Combining two pieces of information is difficult enough; finding a third makes the task even harder. When the third is also a piece of private information to which no one else has access, it means that every time you log in you prove your identity beyond the ability of most attackers.
The strength of a factor relies on how difficult it is for an attacker to acquire it. The most basic second factor includes PINs, passwords and one-time use codes that you know or retrieve. Since they are just information (something you know), all an attacker has to do is learn that information. A device or physical key (something you have) is more difficult to acquire, since the attacker would not be able to simply learn them. They are still vulnerable to theft or loss though, which makes biometrics (something you are) the most secure factor. While it is still possible for an attacker to overcome biometric security, it is the most difficult type of factor to acquire.
The goal of improving security is to make a successful attack harder, not impossible. Like any security measure, there are ways in which MFA can be defeated. It is important to keep these potential flaws in mind when utilizing MFA in order to mitigate them and stay as secure as possible.
Many MFA providers use the SMS network to send one-time codes to the customer’s phone on login. The SMS system has several vulnerabilities that a would-be attacker could use to redirect that message to another phone. Attacks can exploit issues with the SS7 network or simply attack the user’s phone company account to change the SIM destination of their phone number. To combat this, switch to a different factor wherever possible and keep a close eye on your cell service to prevent fraud.
If your second factor is a physical device, there is a risk associated with losing that device. In some cases, a cell phone will both be a physical factor and store a digital password. This means that if an attacker were to gain root access to the phone, they would have access to the entire account. Using cell phones as a second factor works best for services or accounts that are not directly stored on the phone.
Even the most secure MFA installation can be breached through Phishing attacks. The most common attack uses a fake version of the target website that attempts to trick users into entering their username, password and MFA token. When the login attempt is forwarded to the actual version of the website, the phishing site picks up the user’s session token. This enables the attacker to access the user’s account without the need to have their actual username, password or other factors.
Keeping users educated on security risks is crucial to maintaining a good security posture. Employees who are less knowledgeable about the basics of virtual security are more vulnerable to social engineering and phishing attacks, which are still the most common threat to large infrastructures. Education that results in more competent users also improves security hygiene and decreases operational costs.
Make sure your infrastructure has been evaluated for security risks. This may include penetration testing (or pen test) or other security services from an accredited security firm. Pen tests will evaluate the overall security posture of a corporation, including the design of its infrastructure and the vulnerability of its users. Most security organizations will include a plan of action with the result of a pen test to improve security and make sure your MFA (or other authentication scheme) is adequately protecting your business.
Many popular service accounts allow users to add a second factor to their account (see TwoFactorAuth.org for a list). The most common factors are one-time passwords delivered through SMS, email or authenticator apps. When you add a second factor you will usually receive recovery codes for use if you can’t access your one-time code. These codes should be kept in “cold storage” (a thumb drive or written down in a notebook) in order to make sure you can always access your account. Unfortunately, there isn’t a good way to use MFA with a vendor who does not explicitly support it. That’s why it’s important to keep your primary points of access (such as logging in to your computer) secure as well.
Your options for MFA improve for business accounts since your company has full control over your environment. Microsoft Server supports RADIUS authentication, which administrators can configure to use an MFA server. Services such as Duo MFA provide a central point of management for your domain’s authentication. It is also possible to enforce policies for physical or biometric factors.
Green Cloud enforces mandatory MFA on the Partner Portal. We support SMS, E-mail and Domain authentication for both Microsoft AD and Google Domains. Beyond that, there are various ways Green Cloud services can be configured to implement MFA, such as using a SAML Active Directory provider to authenticate logins to vCloud Director. DaaS also supports the use of RADIUS authentication.
Resoundingly, yes. MFA is a more secure way to authenticate users, and it is widely supported on a variety of platforms. While it has its weaknesses, when implemented by itself it solves many issues associated with password-only authentication. Supplemented by a properly-designed infrastructure and user education, MFA is a great tool to improve security posture.
Green Cloud Technologies (“Green Cloud”), a 100% channel-only cloud technology solutions provider, achieved Gold status as a Zerto Alliance Partner (ZAP). This provides Green Cloud even greater access to Zerto’s next-generation Disaster Recovery (DR) solutions and services.
Zerto, a pioneer in the field of ‘IT Resilience’, offers a software platform that delivers continuous availability for an always-on customer experience. They do this while simplifying workload mobility to protect, recover and move applications freely across hybrid and multi-clouds, eliminating the risks and complexity of modernization and cloud adoption.
Green Cloud, one of the largest independent channel-only cloud IaaS (Infrastructure-as-a-Service) providers in the country, sells an expansive suite of Cisco Powered, cloud-based products, services, and support that are scalable to applications of any size — from SMBs to enterprise-class organizations.
“Green Cloud partners with Zerto because of their stellar reputation and proven leadership in disaster recovery,” said Eric Hester, Co-Founder and Chief Technology Officer of Green Cloud. “Zerto is trusted by over 6,000 customers globally and as their partner, Green Cloud has direct access to Zerto’s award-winning products for data recovery and business continuity so we can deliver the most advanced and secure turn-key, cloud-based infrastructure solutions to our channel partners.”
Headquartered in Greenville, SC, Green Cloud was founded in 2011, and today, the company has 70 employees and operates six world-class data centers in Atlanta, GA, Greenville, SC, Houston, TX, Minneapolis, MN, Nashville, TN and Phoenix, AZ.