In today’s mobile and multi-cloud world, the need to be able to protect any workload running anywhere with a single solution has never been more important. In this post, I’ll cover how you can protect your workloads with Green Cloud’s Secure BaaS service using the Veeam Agent and the Veeam Service Provider Console (VSPC). I’ll focus on protecting workloads running in Green Cloud’s IaaS infrastructure, but the process can apply to any workload running anywhere.

The focus will be on deploying, configuring and managing the Veeam agent using the Veeam Service Provider Console. If you have questions on access to the VSPC console, please reach out to Green Cloud’s support team. If you want to signup for Green Cloud’s Secure BaaS solution, please reach out to our sales team.

Before we get started on protecting workloads, first lets review Green Cloud’s Secure BaaS offering. This solution is powered by Veeam and Cloudian delivering ransomware protection for Veeam backups. Veeam and Cloudian created the industries first solution leveraging the S3 object lock feature to make backups immutable. This makes the backup unchangeable by anything. As a result, they cannot be encrypted by ransomware. With this solution, you can now offer ransomware protection to any workload running anywhere.

Assumptions / Requirements

• Secure BaaS Service
• Access to the Green Cloud Veeam Service Provider Console
  • Reseller credentials will be needed
  • Company (end user) credentials will be needed
• Access to your vCloud Director Organization
• Sufficient bandwidth on source to transfer backups across the WAN
• Free space on the local disk for a local cache of backup data.
• Administrative access to the source workloads

In this demo scenario, all workloads reside in Green Cloud’s IaaS infrastructure powered by VMware Cloud Director. I’m going to follow the Veeam recommended method for agent deployment using discovery rules. This will be done by logging into the VSPC as the partner or ‘Reseller’. For information on managing the Veeam agents as a partner or ‘Reseller’, please refer to the VSPC reseller Veeam documentation.

Source Workload Overview

Before beginning the process of protecting my workloads, I’d like to provide a brief overview of the source environment. I previously built a small Remote Desktop Services environment. There are 5 total servers spread across a LAN and DMZ. The NSX Edge is providing network firewalling while the Windows firewall is also enabled. Below is a screen shot of the virtual machines that will be protected by the end of this post.

Deploy VSPC Management Agent

The first step in the process is to deploy a master management agent. This agent will be used to ‘discover’ other workloads running in your environment.

Requirements:

• VSPC Reseller account information
• Secure BaaS gateway URL and port
• End customer Secure BaaS username and password

Log into VSPC

From the workload designated to be the master, log into the VSPC with your reseller credentials. These credentials can be retrieved / set in the Green Cloud partner portal or by contacting support. The format of the login is <Reseller><Reseller Admin> / <password>.

Download the Management Agent

Once signed in, navigate to Discovery in the left navigation pane. Then locate Discovered Computers on the tab across the top. Finally, click the Download Agent link. Save the file to the local system.

Install the Management Agent

Once the download completes, run the installer as administrator. Accept the EULA and click Next through the menus to complete the installation.

Configure the Management Agent

With the installation completed, the next step is to configure the management agent to communicate with the VSPC. Locate the management agent icon in the system tray, right-click and click Agent Settings.

This will open a window where you will enter the company (end user) account information. This information was provided during provisioning. Should you need this information please contact support.

• In the Cloud Gateway field, type FQDN or IP address of a cloud gateway.
• In the Port field, specify the port on the cloud gateway that is used to transfer data to Veeam Service Provider Console.
  • In the Username and Password fields, type user credentials of a Company Owner.

The user name must be provided in the <Company NameUser> format.

• Click Apply
• Should you be presented with any certificate warnings, click Save to save the certificate.
  • Finally, Restart the management agent
    

• • The Agent should now show Connected
    
    
    

Configure Discovery Rule(s)

With the management agent successfully communicating, we can now shift our focus to discovering the workloads so we can automatically deploy the Veeam Backup Agent. Discovery can be done via one of the following methods: Active Directory or network (IP). Optionally, you can also import a list from a CSV. For the this post, I will focus on Active Directory discovery.

Requirements

• For AD discovery, the master agent should be installed on a domain joined system.
• The master agent system must have internet access and network access to the workloads you wish to discover and protect
• Local admin rights to the workloads you wish to discover and protect.
• Proper Local firewall configuration to allow discovery and agent installation

Configure (Windows) Firewall

In the demo environment, the Window firewall is enabled. As such, I need configure it to allow the management agent to discover systems and push the Veeam Backup Agent installation. For the sake of this post, I have pre-configured the firewall. Below is a list of the port requirements for successful discovery and Veeam Backup Agent installation.

• Remote Scheduled Tasks Management (RPC and RPC-EPMAP) (for discovery)
• Windows Management Instrumentation (WMI-In) (for desktop operating systems)
• File and Printer Sharing (SMB-In) (for Veeam Backup Agent installation)

Create a Discovery Rule

In the VSPC, navigate to Discovery in the left navigation pane. Locate Rules using the tabs across the top and click New to create a new discovery rule.

In the pop-up, go through the items. In this example, I will be going through Active Directory based discovery since the demo environment is an Active Directory domain. For the sake of time, I have pre-configured an Active Directory account that has been applied as a local administrator to each workload via Group Policy.

• Enter a rule name
• Select a company to apply the discovery rule
  • NOTE: As a Reseller, it’s likely you will have multiple companies from which to chose. A discovery can apply to one or more companies.
• Select a Discovery method (this post is Active Directory)
• Select the Active Discovery Method
  • In this post, I will target specific OUs

• Enter the account to be used for discovery and Veeam Backup Agent installation
  • This can be a pre-defined local account or a domain account.
  • In this post, I am using a domain account. I have added this domain account as a local admin to each workload using group policy.

Be sure to clear the check box for using the account defined in the master agent. This is because we did not specify an account in the master agent setup.

• Organizational Unit selection
  • click Select Location…
    • NOTE: Locations can be leveraged when you have a client with multiple locations. In this post, I will be using the default location.
      
  • In the next window, click on Select Unit…
    

• • • Pick the OUs where the protected workload Active Directory computer accounts are located
      

• • • Click OK twice to return to the configuration menu and click Next

• Optionally, set any discovery filters
  • Discovery filters can be set by OS, Application or platform. These can be used individually or combined for greater granularity.
• Optionally, enable email notification.
  • This requires that you have configured your VSPC SMTP settings.
  • The email notification will send you notifications of discovery rule results.
• Veeam Backup Agent deployment
  • Select the option to discovery the system and install the Veeam Backup Agent.
  • For the sake of this post, I will use the default Servers policy. For more information on backup policies see the Veeam documentation. If you want to see the settings for the default servers policy click Show
  • Enable Read-only mode
    • This will restrict local users from changing backup job settings while still allowing them to perform tasks such as restoring individual files. For more on read-only mode see the Veeam documentation.
      

• • Click Configure to adjust the default settings for the Veeam Backup Agent
    • Select the setting shown in the screen shot below. For more on these settings please refer to the Veeam documentation.
      

• • • Be sure to set the appropriate bandwidth based on the source. In the demo environment, there is 50Mbps available. To backup as fast as possible yet still leave room for other communication, I set the limit to 40Mbps.
    • Click Apply then Next

• • Summary
    • Review the summary of the settings
    • Check the box to Launch the discovery rule when I click finish.
      

• • • Click Finish

In the VSPC, navigate to Discovery in the left navigation pane. Locate Rules using the tabs across the top and verify your rule is running.

The deployment process will take a few minutes or more depending on the size and scope of the discovery rule. You can check the status by navigating to Discovery in the left navigation pane and locate Discovered Computers across the top. Here you will see the discovered computes and the status of the Veeam Backup Agent installation.

The two most common reasons for failed agent installations are:

1.  A firewall is preventing the installation. Confirm you have all the necessary ports open on your firewall.
2.  The account specified in the discovery rule does not have local administrative rights to the discovered system.

To check the status of the Veeam Backup Agent and view what policy is applied, navigating to Discovery in the left navigation pane and locate Discovered Backup Agents across the top.

Alternatively you can log into the protected workload and launch the Veeam Backup Agent. Using the Start Menu, locate the Veeam folder and the Veeam Agent for Microsoft Windows. At the top of the Agent application, you will see the VSPC reseller name and the backup policy applied.

At this point you have successfully setup the Veeam Backup Agent to protect your workloads by backing up to a Green Cloud Secure BaaS repository. This was done using the Veeam Service Provider Console. Through this console you can centrally manage and monitor the backups of your workloads. If you are an existing partner interested in protecting your customers workloads with Green Cloud’s Secure BaaS service please reach out to your channel manager. If you are interested in becoming a Green Cloud partner, please complete the form on our contact us webpage.

Final Thoughts

Today’s biggest challenge is data security. Ransomware (as well as other security threats) is on the rise as the workforce has been dispersed due to the global pandemic. Empowering IT with the a solution protect data on any workload running anywhere is priceless. And it can all be managed through the Veeam Service Provider console.

The single most critical aspect of being a Cloud Service Provider is the security of our customers’ businesses. Delivering Cloud Service means enabling our customers to conduct business on a safe, secure platform. Malware attackers are in direct opposition to this goal; they rely on disrupting businesses in order to extort money from them. That means that as malware attackers develop new vectors of disruption, Cloud Service Providers have a responsibility to adapt.

Security is a back-and-forth between threat and protection. Antivirus software was developed as a response to the first wave of Trojan Horse and Worm attacks on business infrastructure. As malware attacks became more sophisticated, so too did anti-malware, leading to the development of AI-driven malware recognition and Sandbox technology.

The most recent adaptation for Service Providers is Ransomware Protection through WORM (Write Once, Read Many), also known as Storage Immutability. Green Cloud’s new Secure BaaS offering incorporates Ransomware Protection through a Cloudian storage back-end. Combined with Veeam’s industry-leading Backup and Replication solutions, we are excited to offer our partners a proven way to protect their customers against ransomware.

The Problem of Ransomware

Due to the nature of their work, Service Providers must be familiar with malware in its many forms. It can infiltrate a network through any number of vectors: email attachments, malicious thumb drives, social engineering, or even hand-crafted false web pages. Ransomware isn’t that different from traditional malware in this sense; it still uses all of these same vectors to achieve access to a target network.

Ransomware distinguishes itself from common malware by turning encryption, a tool generally used to secure data, into an attack. Encryption is a process by which data is transformed into a different form, a code, after which the original data can only be accessed with a specific key. The ransomware randomly generates a key, encrypts all data available to it, and then sends that key back to the attacker. That way, only the attacker has access to business-critical data, which lets them hold it for ransom.

After it became evident that ransomware was a critical threat, Service Providers began instituting rigorous backup requirements. Attackers have answered with a simple strategy: encrypt or destroy backups first. Once malware has made its way onto a network, the attacker can delay encryption (referred to as an Incubation Period) until they have located and destroyed any backups. That means the Service Provider will be in for a nasty surprise when they attempt to restore that client’s data.

How WORM Works

WORM is the latest response from the security community against ransomware attacks, and it stands for Write Once, Read Many. In order to prevent backups from being destroyed or overwritten, security researchers defined a new standard for storage systems that prevented anyone, even system-level administrators, from modifying backup data. This may sound simple in principle, but is quite difficult to design and execute. Additionally, it is not a simple plug-and-play software implementation – WORM must be supported on the storage array itself.

Access to data on the storage array must be limited to a highly restricted, security-hardened account. No remote account or utility is allowed access to write data to the array. Once this feature is enabled, data is written once to the disk, and then locked for a pre-determined period of time. In order to interact with this storage, users send and retrieve data through a management utility such as an Object Storage API.

During our search for a comprehensive ransomware solution, Green Cloud came across Cloudian. Already a proven storage provider, Cloudian’s implementations of WORM and Data Immutability on their storage array drew our attention because of their strict compliance with governmental regulations. Cloudian’s integration with Veeam made it a natural fit for Green Cloud’s BaaS offering.

Ransomware Protection In Action

Let’s take a look at how WORM-enabled storage performs during a ransomware attack, in contrast with standard storage. When an attacker first infiltrates a network, they will make sure they have repeatable access to that network. Then begins the Incubation Period, where the attacker lays low on the network while collecting data.

Backups are the primary target. If possible, the attacker will locate and modify backup data. This can be in the form of encryption, configuration changes to remove drives from the backup job, or outright deletion. Traditional storage offers no protection against this type of attack. If the attacker gains access to the backup storage medium, they can wipe out months or years of user data to ensure that their ransom attack is successful.

In contrast, when the attacker attempts to write over backups on WORM-enabled storage, they find that the data cannot be modified in any way. Even modifying the backup job to contain bunk data will not destroy or overwrite the existing backups. This greatly extends the incubation period, which means more time where the malware can be detected and removed by Endpoint Protection or other anti-malware solutions.

Ransomware Protection and Secure BaaS

Enabling our partners to deliver a safe, secure platform on which customers can do business is a priority for Green Cloud. Veeam emphasizes that Service Providers should follow the “3-2-1 Rule” when designing their backup infrastructure:

• Have at least three copies of your data.

• Store the copies on two different media.

• Keep one backup copy offsite.

Green Cloud’s BaaS has allowed us to fill a critical data protection role as a remote repository for on-site backups. Secure BaaS, our new offering powered by Veeam Cloud Connect and Cloudian Storage, offers a Veeam Repository that is fully protected against ransomware and malicious deletion.

For more information on Secure BaaS and Ransomware Protection, feel free to contact your Account Manager, or visit https://greenclouddefense.com/contact-us/.

What is Multi-Factor Authentication (MFA or Cloud MFA)?

Multi-Factor Authentication (MFA) allows you to add an additional layer of security to your authentication process. There are two parts to a traditional authorization setup: A username and a password. We generally assume that your username is known to an attacker, since it is the most public piece of information. Many usernames are displayed by default, such as users on forums, or can be derived by combining a target’s first and last names. That means that the password is the first piece of private information by which a user’s identity can be confirmed.

How does MFA work?

MFA adds another piece of private information (another factor) to the authentication process. There are a handful of different secondary security factors:

• Something you know, such as a password or PIN
• Something you have, such as a device
• Something you are, such as biometric information

So, when you enter your username and password, your MFA service prompts you to check for one of those additional factors. If you do not respond, or provide an incorrect response, it will not allow you to move on. That’s why for many users, MFA just means “another button I have to click to log in.”

How does that make my account more secure?

By requiring you to verify your identity every time you log in, MFA puts another obstacle in the path of an attempted attack. Combining two pieces of information is difficult enough; finding a third makes the task even harder. When the third is also a piece of private information to which no one else has access, it means that every time you log in you prove your identity beyond the ability of most attackers.

Not All Factors Are Equal

The strength of a factor relies on how difficult it is for an attacker to acquire it. The most basic second factor includes PINs, passwords and one-time use codes that you know or retrieve. Since they are just information (something you know), all an attacker has to do is learn that information. A device or physical key (something you have) is more difficult to acquire, since the attacker would not be able to simply learn them. They are still vulnerable to theft or loss though, which makes biometrics (something you are) the most secure factor. While it is still possible for an attacker to overcome biometric security, it is the most difficult type of factor to acquire.

What Are the Weaknesses of MFA?

The goal of improving security is to make a successful attack harder, not impossible. Like any security measure, there are ways in which MFA can be defeated. It is important to keep these potential flaws in mind when utilizing MFA in order to mitigate them and stay as secure as possible.

SMS Hijacking

Many MFA providers use the SMS network to send one-time codes to the customer’s phone on login. The SMS system has several vulnerabilities that a would-be attacker could use to redirect that message to another phone. Attacks can exploit issues with the SS7 network or simply attack the user’s phone company account to change the SIM destination of their phone number. To combat this, switch to a different factor wherever possible and keep a close eye on your cell service to prevent fraud.

Stolen Devices

If your second factor is a physical device, there is a risk associated with losing that device. In some cases, a cell phone will both be a physical factor and store a digital password. This means that if an attacker were to gain root access to the phone, they would have access to the entire account. Using cell phones as a second factor works best for services or accounts that are not directly stored on the phone.

Social Engineering (Phishing)

Even the most secure MFA installation can be breached through Phishing attacks. The most common attack uses a fake version of the target website that attempts to trick users into entering their username, password and MFA token. When the login attempt is forwarded to the actual version of the website, the phishing site picks up the user’s session token. This enables the attacker to access the user’s account without the need to have their actual username, password or other factors.

So How Do I Stay Secure?

Education

Keeping users educated on security risks is crucial to maintaining a good security posture. Employees who are less knowledgable about the basics of virtual security are more vulnerable to social engineering and phishing attacks, which are still the most common threat to large infrastructures. Education that results in more competent users also improves security hygiene and decreases operational costs.

Infrastructure

Make sure your infrastructure has been evaluated for security risks. This may include penetration testing (or pen test) or other security services from an accredited security firm. Pen tests will evaluate the overall security posture of a corporation, including the design of its infrastructure and the vulnerability of its users. Most security organizations will include a plan of action with the result of a pen test to improve security and make sure your MFA (or other authentication scheme) is adequately protecting your business.

How Do I Add MFA to My Accounts?

MFA and Personal Accounts

Many popular service accounts allow users to add a second factor to their account (see TwoFactorAuth.org for a list). The most common factors are one-time passwords delivered through SMS, email or authenticator apps. When you add a second factor you will usually receive recovery codes for use if you can’t access your one-time code. These codes should be kept in “cold storage” (a thumb drive or written down in a notebook) in order to make sure you can always access your account. Unfortunately, there isn’t a good way to use MFA with a vendor who does not explicitly support it. That’s why it’s important to keep your primary points of access (such as logging in to your computer) secure as well.

MFA and Business Accounts

Your options for MFA improve for business accounts since your company has full control over your environment. Microsoft Server supports RADIUS authentication, which administrators can configure to use an MFA server. Services such as Duo MFA provide a central point of management for your domain’s authentication. It is also possible to enforce policies for physical or biometric factors.

MFA and Green Cloud

Green Cloud enforces mandatory MFA on the Partner Portal. We support SMS, E-mail and Domain authentication for both Microsoft AD and Google Domains. Beyond that, there are various ways Green Cloud services can be configured to implement MFA, such as using a SAML Active Directory provider to authenticate logins to vCloud Director. DaaS also supports the use of RADIUS authentication.

Bottom Line: Is Multi-Factor Authentication Worth the Trouble?

Resoundingly, yes. MFA is a more secure way to authenticate users, and it is widely supported on a variety of platforms. While it has its weaknesses, when implemented by itself it solves many issues associated with password-only authentication. Supplemented by a properly-designed infrastructure and user education, MFA is a great tool to improve security posture.

LEARN MORE: Check out our Knowledge Base

Green Cloud Technologies (“Green Cloud”), a 100% channel-only cloud technology solutions provider, achieved Gold status as a Zerto Alliance Partner (ZAP). This provides Green Cloud even greater access to Zerto’s next-generation Disaster Recovery (DR) solutions and services.

Zerto, a pioneer in the field of ‘IT Resiliance’, offers a software platform that delivers continuous availability for an always-on customer experience. They do this while simplifying workload mobility to protect, recover and move applications freely across hybrid and multi-clouds, eliminating the risks and complexity of modernization and cloud adoption.

Green Cloud, one of the largest independent channel-only cloud IaaS (Infrastructure-as-a-Service) providers in the country, sells an expansive suite of Cisco Powered, cloud-based products, services, and support that are scalable to applications of any size — from SMBs to enterprise-class organizations.

“Green Cloud partners with Zerto because of their stellar reputation and proven leadership in disaster recovery,” said Eric Hester, Co-Founder and Chief Technology Officer of Green Cloud. “Zerto is trusted by over 6,000 customers globally and as their partner, Green Cloud has direct access to Zerto’s award-winning products for data recovery and business continuity so we can deliver the most advanced and secure turn-key, cloud-based infrastructure solutions to our channel partners.”

Headquartered in Greenville, SC, Green Cloud was founded in 2011, and today, the company has 70 employees and operates six world-class data centers in Atlanta, GA, Greenville, SC, Houston, TX, Minneapolis, MN, Nashville, TN and Phoenix, AZ.

READ MORE: Green Cloud Named to Inc. 5000 for Four Consecutive Years