In today’s mobile and multi-cloud world, the need to be able to protect any workload running anywhere with a single solution has never been more important. In this post, I’ll cover how you can protect your workloads with Green Cloud’s Secure BaaS service using the Veeam Agent and the Veeam Service Provider Console (VSPC). I’ll focus on protecting workloads running in Green Cloud’s IaaS infrastructure, but the process can apply to any workload running anywhere.
The focus will be on deploying, configuring and managing the Veeam agent using the Veeam Service Provider Console. If you have questions on access to the VSPC console, please reach out to Green Cloud’s support team. If you want to sign up for Green Cloud’s Secure BaaS solution, please reach out to our sales team.
Before we get started on protecting workloads, let’s first review Green Cloud’s Secure BaaS offering. This solution is powered by Veeam and Cloudian, delivering ransomware protection for Veeam backups. Veeam and Cloudian created the industry’s first solution leveraging the S3 Object Lock feature to make backups immutable. An immutable backup cannot be changed by anyone or anything, so it cannot be encrypted by ransomware. With this solution, you can now offer ransomware protection to any workload running anywhere.
In this demo scenario, all workloads reside in Green Cloud’s IaaS infrastructure powered by VMware Cloud Director. I’m going to follow the Veeam recommended method for agent deployment using discovery rules. This will be done by logging into the VSPC as the partner or ‘Reseller’. For information on managing the Veeam agents as a partner or ‘Reseller’, please refer to the VSPC reseller Veeam documentation.
Before beginning the process of protecting my workloads, I’d like to provide a brief overview of the source environment. I previously built a small Remote Desktop Services environment. There are 5 total servers spread across a LAN and DMZ. The NSX Edge provides network firewalling while the Windows firewall is also enabled. Below is a screenshot of the virtual machines that will be protected by the end of this post.
The first step in the process is to deploy a master management agent. This agent will be used to ‘discover’ other workloads running in your environment.
From the workload designated to be the master, log into the VSPC with your reseller credentials. These credentials can be retrieved / set in the Green Cloud partner portal or by contacting support. The format of the login is <Reseller><Reseller Admin> / <password>.
Once signed in, navigate to Discovery in the left navigation pane. Then locate Discovered Computers on the tab across the top. Finally, click the Download Agent link. Save the file to the local system.
Once the download completes, run the installer as administrator. Accept the EULA and click Next through the menus to complete the installation.
With the installation completed, the next step is to configure the management agent to communicate with the VSPC. Locate the management agent icon in the system tray, right-click and click Agent Settings.
This will open a window where you will enter the company (end user) account information. This information was provided during provisioning. Should you need this information, please contact support.
The user name must be provided in the <Company NameUser> format.
With the management agent successfully communicating, we can now shift our focus to discovering the workloads so we can automatically deploy the Veeam Backup Agent. Discovery can be done via one of the following methods: Active Directory or network (IP). Optionally, you can also import a list from a CSV. For this post, I will focus on Active Directory discovery.
In the demo environment, the Windows firewall is enabled, so I need to configure it to allow the management agent to discover systems and push the Veeam Backup Agent installation. For the sake of this post, I have pre-configured the firewall. Below is a list of the port requirements for successful discovery and Veeam Backup Agent installation.
In the VSPC, navigate to Discovery in the left navigation pane. Locate Rules using the tabs across the top and click New to create a new discovery rule.
In the pop-up, go through the items. In this example, I will be going through Active Directory based discovery since the demo environment is an Active Directory domain. For the sake of time, I have pre-configured an Active Directory account that has been applied as a local administrator to each workload via Group Policy.
Be sure to clear the check box for using the account defined in the master agent. This is because we did not specify an account in the master agent setup.
In the VSPC, navigate to Discovery in the left navigation pane. Locate Rules using the tabs across the top and verify your rule is running.
The deployment process will take a few minutes or more depending on the size and scope of the discovery rule. You can check the status by navigating to Discovery in the left navigation pane and locating Discovered Computers across the top. Here you will see the discovered computers and the status of the Veeam Backup Agent installation.
The two most common reasons for failed agent installations are:
To check the status of the Veeam Backup Agent and view which policy is applied, navigate to Discovery in the left navigation pane and locate Discovered Backup Agents across the top.
Alternatively, you can log into the protected workload and launch the Veeam Backup Agent. Using the Start Menu, locate the Veeam folder and the Veeam Agent for Microsoft Windows. At the top of the Agent application, you will see the VSPC reseller name and the backup policy applied.
At this point you have successfully set up the Veeam Backup Agent to protect your workloads by backing up to a Green Cloud Secure BaaS repository. This was done using the Veeam Service Provider Console. Through this console you can centrally manage and monitor the backups of your workloads. If you are an existing partner interested in protecting your customers’ workloads with Green Cloud’s Secure BaaS service, please reach out to your channel manager. If you are interested in becoming a Green Cloud partner, please complete the form on our contact us webpage.
Today’s biggest challenge is data security. Ransomware (as well as other security threats) is on the rise as the workforce has been dispersed due to the global pandemic. Empowering IT with a solution to protect data on any workload running anywhere is priceless. And it can all be managed through the Veeam Service Provider Console.
The single most critical aspect of being a Cloud Service Provider is the security of our customers’ businesses. Delivering Cloud Service means enabling our customers to conduct business on a safe, secure platform. Malware attackers are in direct opposition to this goal; they rely on disrupting businesses in order to extort money from them. That means that as malware attackers develop new vectors of disruption, Cloud Service Providers have a responsibility to adapt.
Security is a back-and-forth between threat and protection. Antivirus software was developed as a response to the first wave of Trojan Horse and Worm attacks on business infrastructure. As malware attacks became more sophisticated, so too did anti-malware, leading to the development of AI-driven malware recognition and Sandbox technology.
The most recent adaptation for Service Providers is Ransomware Protection through WORM (Write Once, Read Many), also known as Storage Immutability. Green Cloud’s new Secure BaaS offering incorporates Ransomware Protection through a Cloudian storage back-end. Combined with Veeam’s industry-leading Backup and Replication solutions, we are excited to offer our partners a proven way to protect their customers against ransomware.
Due to the nature of their work, Service Providers must be familiar with malware in its many forms. It can infiltrate a network through any number of vectors: email attachments, malicious thumb drives, social engineering, or even hand-crafted false web pages. Ransomware isn’t that different from traditional malware in this sense; it still uses all of these same vectors to achieve access to a target network.
Ransomware distinguishes itself from common malware by turning encryption, a tool generally used to secure data, into an attack. Encryption is a process by which data is transformed into a different form, a code, after which the original data can only be accessed with a specific key. The ransomware randomly generates a key, encrypts all data available to it, and then sends that key back to the attacker. That way, only the attacker has access to business-critical data, which lets them hold it for ransom.
After it became evident that ransomware was a critical threat, Service Providers began instituting rigorous backup requirements. Attackers have answered with a simple strategy: encrypt or destroy backups first. Once malware has made its way onto a network, the attacker can delay encryption (referred to as an Incubation Period) until they have located and destroyed any backups. That means the Service Provider will be in for a nasty surprise when they attempt to restore that client’s data.
WORM is the latest response from the security community against ransomware attacks, and it stands for Write Once, Read Many. In order to prevent backups from being destroyed or overwritten, security researchers defined a new standard for storage systems that prevents anyone, even system-level administrators, from modifying backup data. This may sound simple in principle, but it is quite difficult to design and execute. Additionally, it is not a simple plug-and-play software implementation – WORM must be supported on the storage array itself.
Access to data on the storage array must be limited to a highly restricted, security-hardened account. No remote account or utility is allowed access to write data to the array. Once this feature is enabled, data is written once to the disk, and then locked for a pre-determined period of time. In order to interact with this storage, users send and retrieve data through a management utility such as an Object Storage API.
During our search for a comprehensive ransomware solution, Green Cloud came across Cloudian. Already a proven storage provider, Cloudian’s implementations of WORM and Data Immutability on their storage array drew our attention because of their strict compliance with governmental regulations. Cloudian’s integration with Veeam made it a natural fit for Green Cloud’s BaaS offering.
Let’s take a look at how WORM-enabled storage performs during a ransomware attack, in contrast with standard storage. When an attacker first infiltrates a network, they will make sure they have repeatable access to that network. Then begins the Incubation Period, where the attacker lays low on the network while collecting data.
Backups are the primary target. If possible, the attacker will locate and modify backup data. This can be in the form of encryption, configuration changes to remove drives from the backup job, or outright deletion. Traditional storage offers no protection against this type of attack. If the attacker gains access to the backup storage medium, they can wipe out months or years of user data to ensure that their ransom attack is successful.
In contrast, when the attacker attempts to write over backups on WORM-enabled storage, they find that the data cannot be modified in any way. Even modifying the backup job to contain bunk data will not destroy or overwrite the existing backups. This greatly extends the incubation period, which means more time where the malware can be detected and removed by Endpoint Protection or other anti-malware solutions.
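The retention behaviour described above (write once, then locked for a pre-determined period, with no account able to modify or delete the object) and the contrast with traditional storage can be made concrete in code. The following is an added example, not Green Cloud's, Veeam's or Cloudian's code: an in-memory model of a backup bucket that enforces object-lock semantics, run against the same two tactics the attacker uses during the incubation period, overwriting a backup and deleting it. The store, the 30-day retention period, the object key and the backup payload are all constructed for the example; in a real deployment the guarantee comes from the storage layer itself (for example S3 Object Lock), not from application code.

```python
"""WORM (object-lock) retention semantics modelled in memory.

Added illustration; this is not Green Cloud's, Veeam's or Cloudian's code.
It models the behaviour the post describes: once a backup object is written
under a retention lock, neither an overwrite nor a delete is accepted until the
lock expires, whoever asks. The in-memory store, the 30-day retention period,
the object key and the sample payload are constructed for the example.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class ImmutableObjectError(PermissionError):
    """Raised when a write or delete would alter an object still under retention."""


@dataclass
class StoredObject:
    data: bytes
    retain_until: datetime | None  # None: no lock, i.e. traditional storage


@dataclass
class Repository:
    """Stand-in for a backup bucket (constructed). retention=None behaves like
    traditional storage; a timedelta enables WORM behaviour for every write."""
    retention: timedelta | None = None
    objects: dict[str, StoredObject] = field(default_factory=dict)

    def _locked(self, key: str, now: datetime) -> bool:
        obj = self.objects.get(key)
        return obj is not None and obj.retain_until is not None and now < obj.retain_until

    def put(self, key: str, data: bytes, now: datetime) -> None:
        # The lock is enforced by the storage layer, not by an ACL, so even an
        # administrator-level caller gets the same refusal.
        if self._locked(key, now):
            raise ImmutableObjectError(f"{key} is locked until {self.objects[key].retain_until}")
        retain_until = now + self.retention if self.retention is not None else None
        self.objects[key] = StoredObject(data, retain_until)

    def delete(self, key: str, now: datetime) -> None:
        if self._locked(key, now):
            raise ImmutableObjectError(f"{key} is locked until {self.objects[key].retain_until}")
        self.objects.pop(key, None)

    def get(self, key: str) -> bytes | None:
        obj = self.objects.get(key)
        return obj.data if obj is not None else None


BACKUP_KEY = "backups/job1/full.bak"              # constructed object key
BACKUP_PAYLOAD = b"<constructed backup contents>"  # constructed payload
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)     # time the backup was written


def tampering_attempts(repo: Repository, now: datetime) -> dict[str, bool]:
    """Replay the two incubation-period tactics from the post, an overwrite
    and a delete of the existing backup, and report whether each was blocked
    and whether the original payload survived."""
    results: dict[str, bool] = {}
    attempts = (
        ("overwrite_blocked", lambda: repo.put(BACKUP_KEY, b"junk", now)),
        ("delete_blocked", lambda: repo.delete(BACKUP_KEY, now)),
    )
    for name, attempt in attempts:
        try:
            attempt()
            results[name] = False
        except ImmutableObjectError:
            results[name] = True
    results["backup_intact"] = repo.get(BACKUP_KEY) == BACKUP_PAYLOAD
    return results


def compare_storage() -> dict[str, dict[str, bool]]:
    """Same backup, same attacker actions, three days after the write: once
    against traditional storage and once against a WORM repository."""
    plain = Repository(retention=None)
    worm = Repository(retention=timedelta(days=30))
    for repo in (plain, worm):
        repo.put(BACKUP_KEY, BACKUP_PAYLOAD, T0)
    attack_time = T0 + timedelta(days=3)
    return {"plain": tampering_attempts(plain, attack_time),
            "worm": tampering_attempts(worm, attack_time)}


def lock_expires() -> bool:
    """After the retention period the lock lapses, so ordinary lifecycle
    clean-up of old backups still works."""
    worm = Repository(retention=timedelta(days=30))
    worm.put(BACKUP_KEY, BACKUP_PAYLOAD, T0)
    worm.delete(BACKUP_KEY, T0 + timedelta(days=31))
    return worm.get(BACKUP_KEY) is None


if __name__ == "__main__":
    for name, outcome in compare_storage().items():
        print(name, outcome)
```

Against the plain repository both attempts succeed and the original payload is gone; against the WORM repository both raise `ImmutableObjectError` and the payload is untouched. Note that the lock is keyed to time, not to who is asking: that is the property that makes the "destroy backups first" strategy fail, and it is also why the retention period has to be chosen deliberately, since nothing can shorten it once the object is written.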
Enabling our partners to deliver a safe, secure platform on which customers can do business is a priority for Green Cloud. Veeam emphasizes that Service Providers should follow the “3-2-1 Rule” when designing their backup infrastructure:
Have at least three copies of your data.
Store the copies on two different media.
Keep one backup copy offsite.
Green Cloud’s BaaS has allowed us to fill a critical data protection role as a remote repository for on-site backups. Secure BaaS, our new offering powered by Veeam Cloud Connect and Cloudian Storage, offers a Veeam Repository that is fully protected against ransomware and malicious deletion.
For more information on Secure BaaS and Ransomware Protection, feel free to contact your Account Manager, or visit https://greenclouddefense.com/contact-us/.
We are living through a fundamental shift in how – and where – work gets accomplished. Spurred by COVID-19, employees have mass-migrated from offices and coworking spaces into their homes. For the time being, whether we like it or not, working from home is a necessity. As more businesses look to remote work solutions, it is important for network and IT engineers to take this new set of design requirements into consideration. Green Cloud is here to help our partners take on these challenges together.
A smooth transition to remote work is all about access. If your architecture is designed for remote access, your employees can work from anywhere. This is a natural use case for cloud hosting. Green Cloud recommends the following:
Want to read more? Download our ebook: 3 Keys to Remote Work Cloud Solutions
Multi-Factor Authentication (MFA) allows you to add an additional layer of security to your authentication process. There are two parts to a traditional authentication setup: a username and a password. We generally assume that your username is known to an attacker, since it is the most public piece of information. Many usernames are displayed by default, such as users on forums, or can be derived by combining a target’s first and last names. That means that the password is the first piece of private information by which a user’s identity can be confirmed.
MFA adds another piece of private information (another factor) to the authentication process. There are a handful of different secondary security factors:
So, when you enter your username and password, your MFA service prompts you to check for one of those additional factors. If you do not respond, or provide an incorrect response, it will not allow you to move on. That’s why for many users, MFA just means “another button I have to click to log in.”
By requiring you to verify your identity every time you log in, MFA puts another obstacle in the path of an attempted attack. Combining two pieces of information is difficult enough; finding a third makes the task even harder. When the third is also a piece of private information to which no one else has access, it means that every time you log in you prove your identity beyond the ability of most attackers.
The strength of a factor relies on how difficult it is for an attacker to acquire it. The most basic second factors are PINs, passwords and one-time use codes that you know or retrieve. Since they are just information (something you know), all an attacker has to do is learn that information. A device or physical key (something you have) is more difficult to acquire, since the attacker would not be able to simply learn it. They are still vulnerable to theft or loss though, which makes biometrics (something you are) the most secure factor. While it is still possible for an attacker to overcome biometric security, it is the most difficult type of factor to acquire.
The goal of improving security is to make a successful attack harder, not impossible. Like any security measure, there are ways in which MFA can be defeated. It is important to keep these potential flaws in mind when utilizing MFA in order to mitigate them and stay as secure as possible.
Many MFA providers use the SMS network to send one-time codes to the customer’s phone on login. The SMS system has several vulnerabilities that a would-be attacker could use to redirect that message to another phone. Attackers can exploit issues with the SS7 network or simply attack the user’s phone company account to change the SIM destination of their phone number. To combat this, switch to a different factor wherever possible and keep a close eye on your cell service to prevent fraud.
If your second factor is a physical device, there is a risk associated with losing that device. In some cases, a cell phone will both be a physical factor and store a digital password. This means that if an attacker were to gain root access to the phone, they would have access to the entire account. Using cell phones as a second factor works best for services or accounts that are not directly stored on the phone.
Even the most secure MFA installation can be breached through Phishing attacks. The most common attack uses a fake version of the target website that attempts to trick users into entering their username, password and MFA token. When the login attempt is forwarded to the actual version of the website, the phishing site picks up the user’s session token. This enables the attacker to access the user’s account without the need to have their actual username, password or other factors.
Keeping users educated on security risks is crucial to maintaining a good security posture. Employees who are less knowledgeable about the basics of virtual security are more vulnerable to social engineering and phishing attacks, which are still the most common threat to large infrastructures. Education that results in more competent users also improves security hygiene and decreases operational costs.
Make sure your infrastructure has been evaluated for security risks. This may include penetration testing (or pen test) or other security services from an accredited security firm. Pen tests will evaluate the overall security posture of a corporation, including the design of its infrastructure and the vulnerability of its users. Most security organizations will include a plan of action with the result of a pen test to improve security and make sure your MFA (or other authentication scheme) is adequately protecting your business.
Many popular service accounts allow users to add a second factor to their account (see TwoFactorAuth.org for a list). The most common factors are one-time passwords delivered through SMS, email or authenticator apps. When you add a second factor you will usually receive recovery codes for use if you can’t access your one-time code. These codes should be kept in “cold storage” (a thumb drive or written down in a notebook) in order to make sure you can always access your account. Unfortunately, there isn’t a good way to use MFA with a vendor who does not explicitly support it. That’s why it’s important to keep your primary points of access (such as logging in to your computer) secure as well.
Your options for MFA improve for business accounts since your company has full control over your environment. Microsoft Server supports RADIUS authentication, which administrators can configure to use an MFA server. Services such as Duo MFA provide a central point of management for your domain’s authentication. It is also possible to enforce policies for physical or biometric factors.
Green Cloud enforces mandatory MFA on the Partner Portal. We support SMS, E-mail and Domain authentication for both Microsoft AD and Google Domains. Beyond that, there are various ways Green Cloud services can be configured to implement MFA, such as using a SAML Active Directory provider to authenticate logins to vCloud Director. DaaS also supports the use of RADIUS authentication.
Resoundingly, yes. MFA is a more secure way to authenticate users, and it is widely supported on a variety of platforms. While it has its weaknesses, when implemented by itself it solves many issues associated with password-only authentication. Supplemented by a properly-designed infrastructure and user education, MFA is a great tool to improve security posture.
LEARN MORE: Check out our Knowledge Base
Litigation Hold, the hold feature introduced in Exchange 2010 to preserve data for eDiscovery, is still available in Exchange Server and Exchange Online. Litigation Hold keeps a copy of user data but does not restore lost data. However, it is in no way equal in functionality to O365 backup.
With Litigation Hold, you risk the chance of liability because it only allows you to place all items on hold. All data would be discoverable in legal proceedings not just data needed for the legal process.
Additionally, Litigation Hold offers no direct restore option. It is not designed to restore user account data. Users would have to go through a manual recovery process after exporting their data. And, restoring mail from Litigation Hold does not preserve the folder structure. How will this impact your users?
With the rampant spread of malware and ransomware, and Litigation Hold’s inefficient restore process, you may want to think twice about using it instead of the more holistic, efficient O365 backup process that Veeam provides.
Financially, since user data cannot be deleted with Litigation Hold, storage costs will skyrocket. And without the ability to archive users, if you need to maintain their data, you must continue to pay licensing fees to Microsoft.
Regarding former employees, it’s not easy to restore their emails, documents and/or data to a different user. With Litigation Hold, recovering back into O365 requires exporting specific data and then importing it back in, a cumbersome and time-consuming task.
Need another reason why Litigation Hold cannot compete with O365 Backup? No copy of data in a secondary physical location is created with Litigation Hold. To enable rapid restores of user data, you must look to third-party, purpose-built Office 365 backup solutions, like our O365 BaaS with Veeam product.
Green Cloud’s O365 BaaS with Veeam backs up Microsoft Exchange, OneDrive and SharePoint. O365 BaaS will preserve and restore your data whether it has been accidentally deleted, is exposed to internal/external security threats or must be maintained due to legal and compliance requirements. Our backups allow impacted customers to quickly restore user data to its state before disaster struck.
Our O365 BaaS solution also allows customers to back up and maintain former employees’ data. This feature delivers huge cost savings; you would not have to make recurring payments for Microsoft licenses to maintain those past employees’ data. Our O365 BaaS solution allows customers to restore archived user data quickly to current users.
Litigation Hold can be costly, risky and hard to manage. And it is not backup.
In my previous post, I discussed how today’s customers are eager for solutions. Business-owning customers want to spend their time running their business and not on solving complicated IT problems; they WANT to pay you to make IT easier.
That all sounds great, but again — how do you secure those clients?
Iteration. MCSPs must constantly communicate with their clients in a more personal way. Dashboards, reports, email blasts, automated tickets and generic vCIO content is great. However, it is not enough to create a tailored solution with the complexity required at this point. Clients need a plan; they need to be able to absorb this massive transition slowly. You must create a progressive technology plan that takes them from where they are to where they need to be, leading to higher acceptance and better retention.
Start with your knowledge of their business. If you don’t have this knowledge, get it. Based on their vertical, their maturity and their concerns, start with what matters most. Compliance? Data Security? DR? Mobility? Scalability? Pick something to be the hub of your plan; something that justifies all the change and the necessary action for the client, or also justifies the early steps that don’t seem like they are immediately solving a problem. It won’t be the same for all clients. It needs to manage their concerns and reduce anxiety around the coming changes. In other words: solve a problem. Give them a plan that makes their business more efficient, not just cloudification. Once you have this, communicate, communicate, communicate — not just QBRs or automated communications. Sell the plan, get their buy in and share what’s next and why it’s important. Remind them why this is happening every step of the way.
The critical steps will be the following, regardless of your justification:
Identity management. You are going to be distributing their services to the best place for the job, but this can’t add 20 different logins to their daily life. As you roll out the rest of the plan, start with single sign-on and access control from the beginning. As a bonus, select a provider that adds SaaS utilization management so that you can be efficient with the clients’ spend on SaaS — Okta and MetaSaaS, for instance.
Accelerate. Implement SD-WAN for reliable and responsive connectivity to the cloud – VMware’s VeloCloud for instance. This will reduce the time that you spend managing the network connections that are critical to the solution, and it will keep the experience solid as they rely more heavily on the cloud via their WAN.
Secure. Secure the solution with a managed NGFW and SOC solution. Protect the endpoints — don’t just trust a firewall, no matter how next generation it may be. Belts and suspenders. You want to start out secure, not by bolting it on after a breach or compromise. This is the first step that will feel like they are making progress. If this isn’t done right early, it will lead to similar failures as discussed above with the WAN. Cloud is inherently secure to end users. You don’t want to misstep and have them question the solution mid-way.
SaaS offload. Find the needs best served by SaaS. No need to migrate a legacy app that is in need of refresh and unable to realize the promise of the cloud due to its shortcomings from age. Don’t force it. Ask yourself, “Does the SaaS alternative really solve their problem?”
Migrate. Migrate their legacy apps to IaaS. Migrate their desktops to DaaS or a workspace solution. You won’t be able to replace everything with SaaS. It’s not the best solution for every workload and forcing it will just decrease the clients’ efficiency and happiness with the solution. DaaS and IaaS will give their legacy applications the SaaS-like feel of mobility and accessibility. One more note: Don’t force DaaS until everything else is in order. It’s another place you can undo a lot of trust if the predecessor tasks are not solid and complete.
Protect. Don’t forget a DR and backup strategy. That’s another place that clients think is magic in the cloud. Back up SaaS data, replicate IaaS data to multiple regions. Have a DR strategy for remote working. Don’t undersell the value of having a DR plan for not only major natural disasters but things like holidays, inclement weather, moving offices or growing quickly.
Measure and improve. The cloud offers an endless stream of information about your clients’ workloads. Use this technology to continually improve through discussions of changes to their business, growth of resources, continued migrations to SaaS, auditing, etc.
Above are some tools to help with the planning of such a strategy and communicating the value. It’s time to evolve. It’s time to change the game again. You will differentiate yourself and secure long-term clients.