{"id":1449,"date":"2022-12-31T23:02:08","date_gmt":"2022-12-31T22:02:08","guid":{"rendered":"http:\/\/www.klaushaller.net\/?p=1449"},"modified":"2022-12-31T23:02:08","modified_gmt":"2022-12-31T22:02:08","slug":"azure-backup-functionality-for-iaas-workloads","status":"publish","type":"post","link":"https:\/\/www.klaushaller.net\/?p=1449","title":{"rendered":"Azure Backup Functionality for IaaS Workloads"},"content":{"rendered":"\n<p>VMs and file shares are fundamental building blocks for IaaS workloads, on-prem as well as in cloud environments such as Azure. So, which features does Azure provide for companies to back up their IaaS-related data and components? And how does Azure help prevent undesired manipulation or deletion of such backups? To answer these questions, this article elaborates on the interplay between, first, Azure\u2019s VM and file share services and their configurations and, second, Azure Recovery Services vaults, which provide, manage, and maintain VM and file share backups.<\/p>\n\n\n\n<p>An initial remark before going into details: geo- and zone-redundancy are related to backups, but they are different concepts. They reduce the risk of data loss due to the unavailability or destruction of hardware components and due to data center incidents. They do not allow restoring earlier versions of the data once the data has been manipulated. \u201cGoing back in time\u201d is the unique selling proposition of backups. Keeping backups in several geographic locations still helps, e.g., if a larger electricity blackout brings down the data centers of a whole region for days.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Backup Features for VMs in Azure<\/h2>\n\n\n\n<p>Azure\u2019s solution for backups of IaaS cloud workloads is the Recovery Services vault (RSV). The configuration of VM backups in the portal is straightforward. With the \u201cenhanced backup\u201d policy type, Azure can back up VMs as often as every 4 hours (Figure 1, 1). 
There is an option to keep the most recent backups close to the VM as snapshots to allow for a quick restore (2). Most importantly, and not available for all types of data and services in the cloud, Azure provides long-term retention: one backup per week, month, or year can be kept for months or even years (3). The final configuration option in the Azure portal is the list of VMs in scope for the backup; then, the configuration is complete.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_1_Configuring_VM_backups_in_Azure_Portal.png\"><img loading=\"lazy\" decoding=\"async\" width=\"838\" height=\"707\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_1_Configuring_VM_backups_in_Azure_Portal.png\" alt=\"\" class=\"wp-image-1450\" srcset=\"https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_1_Configuring_VM_backups_in_Azure_Portal.png 838w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_1_Configuring_VM_backups_in_Azure_Portal-300x253.png 300w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_1_Configuring_VM_backups_in_Azure_Portal-768x648.png 768w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_1_Configuring_VM_backups_in_Azure_Portal-624x526.png 624w\" sizes=\"auto, (max-width: 838px) 100vw, 838px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 1: Configuring VM Backups in the Azure Portal<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Protecting and Securing VM Backups in Azure<\/h2>\n\n\n\n<p>Azure has various built-in features for preventing accidental or intentional deletion of backups. The most radical is the \u201cimmutable vault\u201d option (Figure 2, 1). If switched on and locked in, backups cannot be deleted before their retention period has expired. Without the lock, the setting can be switched off again; with it, immutability is irreversible. This immutability feature is a lifesaver if ransomware attackers delete or encrypt critical data. 
A second feature, multi-user authorization (2), enables IT organizations to demand that a second person approves critical operations such as deleting the vault, modifying backup policies, or disabling soft delete. It prevents severe misconfigurations, whether by mistake or on purpose, that would result in the loss or unavailability of current or future backups. Put differently: immutable backups help rebuild your data center after really severe incidents, whereas multi-user authorization helps prevent such a mess from happening in the first place and ensures that your backups exist.<\/p>\n\n\n\n<figure class=\"wp-block-image size-large\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_2_Protecting_Azure_RSV_Backups.png\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"481\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_2_Protecting_Azure_RSV_Backups-1024x481.png\" alt=\"\" class=\"wp-image-1451\" srcset=\"https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_2_Protecting_Azure_RSV_Backups-1024x481.png 1024w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_2_Protecting_Azure_RSV_Backups-300x141.png 300w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_2_Protecting_Azure_RSV_Backups-768x361.png 768w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_2_Protecting_Azure_RSV_Backups-624x293.png 624w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_2_Protecting_Azure_RSV_Backups.png 1050w\" sizes=\"auto, (max-width: 1024px) 100vw, 1024px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 2: Protecting Azure RSV Backups<\/figcaption><\/figure>\n\n\n\n<p>Finally, the soft delete setting (Figure 2, 3 and 4) allows rolling back deletion operations: deleted backup data is retained for a configurable number of days (14 by default) and can be recovered during that time. 
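<\/p>\n\n\n\n<p>The three protections just described can be read off the vault\u2019s resource configuration, so they can be checked automatically instead of being clicked through in the portal. The following Python check is an added example and not code from the original post: it takes the <code>securitySettings<\/code> block of a Recovery Services vault (as returned by the REST API or <code>az backup vault show<\/code>) and flags a vault whose immutability is not locked, whose soft delete is merely \u201cenabled\u201d rather than always-on (an enabled soft delete can be switched off again before the data is purged, the always-on variant cannot), or whose multi-user authorization is off. The field names, enum values, and the two sample vaults are assumptions constructed for the example; compare them with an export of your own vault before relying on the check.<\/p>\n\n\n\n
```python
"""Added example (not code from the original post): a posture check for
the protection settings of an Azure Recovery Services vault.

It evaluates the ``properties.securitySettings`` block of a vault as
returned by the Microsoft.RecoveryServices REST API, e.g. via
``az backup vault show``. The field names, enum values and the two sample
vaults below are assumptions constructed for this example; compare them
with an export of your own vault before wiring the check into a pipeline.
"""

from typing import Any, Dict, List

MIN_SOFT_DELETE_DAYS = 14  # assumption: shortest grace period we accept

# Constructed sample: a vault created in the portal with default settings.
WEAK_VAULT: Dict[str, Any] = {
    "name": "rsv-prod-weak",
    "properties": {
        "securitySettings": {
            "immutabilitySettings": {"state": "Disabled"},
            "softDeleteSettings": {
                "softDeleteState": "Enabled",
                "softDeleteRetentionPeriodInDays": 14,
            },
            "multiUserAuthorization": "Disabled",
        }
    },
}

# Constructed sample: the same vault after hardening.
HARDENED_VAULT: Dict[str, Any] = {
    "name": "rsv-prod-hardened",
    "properties": {
        "securitySettings": {
            "immutabilitySettings": {"state": "Locked"},
            "softDeleteSettings": {
                "softDeleteState": "AlwaysOn",
                "softDeleteRetentionPeriodInDays": 30,
            },
            "multiUserAuthorization": "Enabled",
        }
    },
}


def assess_vault(vault: Dict[str, Any]) -> List[str]:
    """Return the list of findings for a vault; an empty list means it passes."""
    findings: List[str] = []
    sec = (vault.get("properties") or {}).get("securitySettings") or {}

    # 1. Immutability: only a *locked* vault guarantees that recovery points
    #    survive until their retention expires. "Unlocked" immutability can
    #    be switched off again by anyone holding the right role.
    imm_state = str((sec.get("immutabilitySettings") or {}).get("state", "Disabled"))
    if imm_state == "Disabled":
        findings.append("immutability disabled: recovery points can be deleted before retention expires")
    elif imm_state == "Unlocked":
        findings.append("immutability not locked: it can be disabled again and recovery points deleted")

    # 2. Soft delete: "Enabled" is reversible, so an attacker disables it and
    #    then purges the data. Only the always-on mode cannot be turned off.
    #    Tools spell the enum differently, hence the case-insensitive compare.
    sd = sec.get("softDeleteSettings") or {}
    sd_state = str(sd.get("softDeleteState", "Disabled")).lower()
    sd_days = int(sd.get("softDeleteRetentionPeriodInDays") or 0)
    if sd_state == "disabled":
        findings.append("soft delete disabled: deleted backup data is purged immediately")
    elif sd_state != "alwayson":
        findings.append("soft delete can be switched off: no protection against a privileged attacker")
    if sd_state != "disabled" and sd_days < MIN_SOFT_DELETE_DAYS:
        findings.append(f"soft delete retention of {sd_days} days is below {MIN_SOFT_DELETE_DAYS}")

    # 3. Multi-user authorization: without it a single compromised identity
    #    can change policies, disable soft delete or delete backup data.
    if str(sec.get("multiUserAuthorization", "Disabled")).lower() != "enabled":
        findings.append("multi-user authorization disabled: critical operations need no second approver")

    return findings


def is_ransomware_resilient(vault: Dict[str, Any]) -> bool:
    """True when the vault has none of the findings above."""
    return not assess_vault(vault)


if __name__ == "__main__":
    for v in (WEAK_VAULT, HARDENED_VAULT):
        print(v["name"], "->", assess_vault(v) or ["OK"])
```
\n\n\n\n<p>To use it on real vaults, feed the JSON of <code>az backup vault show<\/code> for each vault into <code>assess_vault<\/code>; the two constructed vaults in the block exist only so that it runs offline. The weak vault yields three findings, the hardened one none.<\/p>\n\n\n\n<p>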
In the context of VM backups in RSVs, soft delete is especially beneficial for restoring the status quo ante after smaller application management or engineering mistakes. If application managers notice that something was deleted by mistake some time ago, they can easily restore it. This is helpful for operational mistakes but of limited value against ransomware attacks. Engineers with sufficient permissions can circumvent soft delete by disabling it first, and Microsoft itself documents the procedure for permanently deleting a vault with all its data. Only the always-on variant of soft delete, which cannot be switched off again, closes this gap. A closing remark for VM backups: these configuration options apply to VMs and their backups, though the configuration takes place via Recovery Services vaults.<\/p>\n\n\n\n<h1 class=\"wp-block-heading\">Azure Fileshare Backups<\/h1>\n\n\n\n<p>File shares are not a CISO\u2019s darling, but the technology has existed for decades and will probably live on for some more years. File shares enable uncomplicated interactions among users, among applications, and between users and applications. It might often be a redundant technology, but the ability to use file shares is a must in any context with legacy applications.<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Fileshare Backups in Azure<\/h2>\n\n\n\n<p>While (in the portal) the relevant configuration options for Azure VM backups are on the Recovery Services vault, the situation is different for file shares. Many backup-related configurations take place on the Azure Storage Accounts that contain the file shares. And a warning for those who know how to back up Azure Blobs, which are also stored in Azure Storage Accounts: backups for blobs (see <a href=\"http:\/\/www.klaushaller.net\/?p=1428\">\u201cBlob and PostgreSQL Backups in Azure\u201d<\/a>) differ from the ones for file shares.<\/p>\n\n\n\n<p>Azure supports <strong>ad-hoc backups<\/strong> (just click \u201cadd snapshot\u201d in the portal\u2019s snapshots mask) and <strong>periodic backups<\/strong> (Figure 3). 
Configuration options for periodic backups are the <strong>frequency<\/strong> (every four hours or less often) and how long backups are kept. Azure allows configuring <strong>retention<\/strong> <strong>periods<\/strong> of several years.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_3_File_share_backups_in_Azure.png\"><img loading=\"lazy\" decoding=\"async\" width=\"567\" height=\"319\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_3_File_share_backups_in_Azure.png\" alt=\"\" class=\"wp-image-1452\" srcset=\"https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_3_File_share_backups_in_Azure.png 567w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_3_File_share_backups_in_Azure-300x169.png 300w\" sizes=\"auto, (max-width: 567px) 100vw, 567px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 3: File share backups in Azure<\/figcaption><\/figure>\n\n\n\n<h2 class=\"wp-block-heading\">Protecting and Securing Fileshare Backups in Azure<\/h2>\n\n\n\n<p>Protecting file share backups is delicate because it is not just about protecting the backups. It is also about protecting the Storage Accounts, because they contain the actual backup data in the form of share snapshots. If a Storage Account is deleted, all associated backups are gone. 
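<\/p>\n\n\n\n<p>Because the Storage Account is the single point of failure here, its deletion protection deserves the same scripted check as the vault. The following Python check is an added example and not code from the original post: it reads the management locks, the file service\u2019s share soft-delete policy, and the protocol of each share of one Storage Account and flags a missing CanNotDelete lock, a disabled or too short share soft delete, and NFS shares, for which share soft delete is not available. The input shape (one dictionary per account assembled from <code>az lock list<\/code>, the file service properties, and <code>az storage share-rm list<\/code>), the thresholds, and the two sample accounts are assumptions constructed for this example.<\/p>\n\n\n\n
```python
"""Added example (not code from the original post): a check that a Storage
Account which hosts backed-up Azure file shares is protected against
deletion of the account and of the shares.

The input shape is an assumption for this example: one dictionary per
account, assembled from the Microsoft.Storage resource, its management
locks (``az lock list``), the file service properties and the list of
shares (``az storage share-rm list``). Adjust the keys to your own export.
"""

from typing import Any, Dict, List

MIN_SHARE_RETENTION_DAYS = 7  # assumption: shortest grace period we accept

# Constructed sample: account with portal defaults; not a real account.
WEAK_ACCOUNT: Dict[str, Any] = {
    "name": "stfilesweak",
    "locks": [],
    "fileServices": {"shareDeleteRetentionPolicy": {"enabled": False, "days": 0}},
    "shares": [
        {"name": "finance", "enabledProtocols": "SMB"},
        {"name": "hpc-scratch", "enabledProtocols": "NFS"},
    ],
}

# Constructed sample: the same account after hardening.
HARDENED_ACCOUNT: Dict[str, Any] = {
    "name": "stfileshardened",
    "locks": [{"name": "do-not-delete", "level": "CanNotDelete"}],
    "fileServices": {"shareDeleteRetentionPolicy": {"enabled": True, "days": 14}},
    "shares": [{"name": "finance", "enabledProtocols": "SMB"}],
}


def assess_storage_account(account: Dict[str, Any]) -> List[str]:
    """Return the list of findings; an empty list means the account passes."""
    findings: List[str] = []

    # 1. Management lock on the account. A CanNotDelete lock stops the one
    #    call that would wipe every share snapshot at once. A ReadOnly lock
    #    blocks deletion too, but on a Storage Account it also blocks listing
    #    the keys, which breaks key-based clients. Locks act on the
    #    management plane only; deleting a single share through the storage
    #    data plane (e.g. with the account key) is not stopped by them.
    levels = {str(lock.get("level")) for lock in account.get("locks") or []}
    if "CanNotDelete" not in levels:
        if "ReadOnly" in levels:
            findings.append("only a ReadOnly lock: prevents deletion but also key listing")
        else:
            findings.append("no CanNotDelete lock: account and all share snapshots can be deleted in one call")

    # 2. Share soft delete (account-wide setting of the file service).
    policy = (account.get("fileServices") or {}).get("shareDeleteRetentionPolicy") or {}
    days = int(policy.get("days") or 0)
    if not policy.get("enabled"):
        findings.append("share soft delete disabled: a deleted share cannot be recovered")
    elif days < MIN_SHARE_RETENTION_DAYS:
        findings.append(f"share soft delete retention of {days} days is below {MIN_SHARE_RETENTION_DAYS}")

    # 3. Share soft delete covers SMB shares only; an NFS share has to rely on
    #    its backup snapshots alone.
    for share in account.get("shares") or []:
        if str(share.get("enabledProtocols", "SMB")).upper() == "NFS":
            findings.append(f"share {share.get('name')} is NFS: soft delete does not apply, backups are the only safety net")

    return findings


if __name__ == "__main__":
    for acct in (WEAK_ACCOUNT, HARDENED_ACCOUNT):
        print(acct["name"], "->", assess_storage_account(acct) or ["OK"])
```
\n\n\n\n<p>The weak account produces three findings (no lock, soft delete off, an NFS share without soft delete), the hardened one none. Note what the lock does not do: it protects the Storage Account as a management-plane resource, not the shares and snapshots reachable through the data plane with an account key, which is why the vault-side immutability and the share soft delete are still needed.<\/p>\n\n\n\n<p>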
Thus, cloud security architects should be aware of the various configuration options for Storage Accounts and Recovery Services vaults that prevent the deletion or discontinuation of critical backups (Figure 4).<\/p>\n\n\n\n<figure class=\"wp-block-image size-full\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_4_Protecting_Azure_File_Share_Backups.png\"><img loading=\"lazy\" decoding=\"async\" width=\"838\" height=\"401\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_4_Protecting_Azure_File_Share_Backups.png\" alt=\"\" class=\"wp-image-1453\" srcset=\"https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_4_Protecting_Azure_File_Share_Backups.png 838w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_4_Protecting_Azure_File_Share_Backups-300x144.png 300w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_4_Protecting_Azure_File_Share_Backups-768x368.png 768w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_4_Protecting_Azure_File_Share_Backups-624x299.png 624w\" sizes=\"auto, (max-width: 838px) 100vw, 838px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 4: Protecting Azure File Share Backups<\/figcaption><\/figure>\n\n\n\n<p>On the top are configuration options on the Storage Account level and for the Recovery Services vault. Most important is the <strong>immutability<\/strong> feature. When active and locked in, it guarantees that nobody, really nobody, can delete these backups before their retention period expires. At the time of writing (December 2022), it is a brand-new feature in public preview. Second, there is an option to forbid deleting the Storage Account by means of a <strong>delete lock<\/strong> (CanNotDelete). It makes deleting a Storage Account hard, though not impossible: whoever holds the permission to remove locks can remove it and delete the account afterwards. The different purposes are crucial: immutability is about still having a backup when someone tries, or succeeds, to delete all or critical data. 
The lock, in contrast, helps prevent the deletion of the Storage Account itself, which would bring down applications (even if the data could be restored from an immutable backup). Thus, its purpose is to improve reliability and application uptime.<\/p>\n\n\n\n<p>On the Azure File Share level, Azure provides the soft-delete feature (Figure 5). It has some peculiarities, especially since Azure supports soft delete for <strong>SMB file shares<\/strong> but not for <strong>NFS <\/strong>ones. SMB is the dominant variant in the Windows and Microsoft world. The scope of soft delete is not a single file but the complete file share. If switched on, engineers can restore a file share after its deletion, as long as the retention period has not expired. However, it does not bring back individual files that were deleted. For this, the backup functionality with periodic backups or ad-hoc snapshots has to be used. So, to conclude: Azure provides various backup-related features, but understanding them in detail is critical to prevent issues when organizations really need them in critical situations.<\/p>\n\n\n\n<figure class=\"wp-block-image size-full is-resized\"><a href=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_5_Azure_Storage_Account_Configurations_for_File_Shares.png\"><img loading=\"lazy\" decoding=\"async\" src=\"http:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_5_Azure_Storage_Account_Configurations_for_File_Shares.png\" alt=\"\" class=\"wp-image-1454\" width=\"655\" height=\"277\" srcset=\"https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_5_Azure_Storage_Account_Configurations_for_File_Shares.png 838w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_5_Azure_Storage_Account_Configurations_for_File_Shares-300x127.png 300w, https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_5_Azure_Storage_Account_Configurations_for_File_Shares-768x325.png 768w, 
https:\/\/www.klaushaller.net\/wp-content\/uploads\/2022\/12\/61_3_Figure_5_Azure_Storage_Account_Configurations_for_File_Shares-624x264.png 624w\" sizes=\"auto, (max-width: 655px) 100vw, 655px\" \/><\/a><figcaption class=\"wp-element-caption\">Figure 5: Azure Storage Account Configurations for File Shares<\/figcaption><\/figure>\n","protected":false},"excerpt":{"rendered":"<p>VMs and Fileshares are fundamental building blocks for IaaS workloads in on-prem or cloud environments such as Azure. So, which features does Azure provide for companies to back up their IaaS-related data and components? And how does Azure help prevent undesired manipulations or deletions of such backups? To answer these questions, this article elaborates on [&hellip;]<\/p>\n","protected":false},"author":1,"featured_media":1455,"comment_status":"closed","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[24,22,16,23],"tags":[45,49,65,60],"class_list":["post-1449","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-azure","category-cloudsecurity","category-information-security","category-securityarchitecture","tag-azure-storage-account","tag-backups","tag-fileshares","tag-iaas"],"_links":{"self":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts\/1449","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=1449"}],"version-history":[{"count":1,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts\/1449\/revisions"}],"predecessor-version":[{"id":1456,"href":"http
s:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/posts\/1449\/revisions\/1456"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=\/wp\/v2\/media\/1455"}],"wp:attachment":[{"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=1449"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=1449"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.klaushaller.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=1449"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}