Backups should be encrypted whenever they contain any data that is important to an organization and there is any chance that the data could be accessed by non-authorized entities. This usually means that all backups on tape should always be encrypted!
Considerations for why to encrypt
Backups should be encrypted whenever data will be or might be at risk. Situations where this could happen include:
- When media will be out of your hands (courier, briefcase, shipping)
- When media could be misdirected (theft of tapes, remote site security breach)
- When the backup data could be captured while replicating over a WAN link
If the backups end up in the wrong hands, it is not a difficult process to access the data. This could cause considerable issues for your organization.
Considerations for when to encrypt
In addition to security concerns, encrypting backups can be a consideration for deduplication or replication performance. A review of the devices and connections, as well as the procedures, will dictate where and how backups are encrypted to create the least impact while ensuring the data is protected. Some items to consider:
- Traffic shaping appliances to optimize WAN performance may see encrypted backups as all new data with a significant degradation or even elimination of dedupe.
- Some hardware dedupe appliances will not be able to dedupe encrypted data, depending on where it was encrypted and how they handle the encrypted data. In this case, it would be much better to encrypt at the appliance, if that is an option, instead of in the backup software unless they are very tightly integrated.
- When the backups are written to disk and in the same data center, there may not be a need to encrypt the data since the original data is in the same location. However, encryption might be justified if there are concerns that a physical theft of a resource that contains sensitive information could occur.
How to encrypt Veeam backups
Encryption of any data written to tape should be part of your backup procedure and the design of your backup environment should include securing the data whenever there is a risk to it. This should also include backing up to USB drives that may be stored off site, and can be easily stolen, or backup replication jobs to another site or cloud provider. Note:
- Veeam can be set to encrypt during backup jobs or backup copy jobs under the storage menu
- Veeam tape encryption is under the options menu
If you would like a review of your backup environment and procedures or assistance in improving your overall security posture, email firstname.lastname@example.org. We are happy to help!