| title | description | services | documentationcenter | author | manager | editor | ms.assetid | ms.service | ms.workload | ms.tgt_pltfrm | ms.devlang | ms.topic | ms.date | ms.author |
|---|---|---|---|---|---|---|---|---|---|---|---|---|---|---|
Security Features for protecting hybrid backups using Azure Backup | Microsoft Docs |
Learn how to use security features in Azure Backup to make backups more secure |
backup |
JPallavi |
vijayts |
47bc8423-0a08-4191-826d-3f52de0b4cb8 |
backup |
storage-backup-recovery |
na |
na |
article |
11/24/2016 |
pajosh |
More and more customers are hit with security issues like malware, ransomware, intrusion etc. These security issues result in data loss and cost per security breach has been ever increasing. To guard against such attacks, Azure Backup now provides Security Features to protect hybrid backups. This article talks about how to enable and leverage these features using Microsoft Azure Recovery Services Agent and Microsoft Azure Backup Server. These features have been built on three pillars of security:
- Prevention - An additional layer of authentication is added whenever a critical operation like Change Passphrase is performed. This validation is to ensure that such operations can be performed only by users having valid Azure credentials.
- Alerting - Email notification is sent to subscription admin whenever a critical operation like Delete Backup data is performed. This email ensures that user is timely notified about such actions.
- Recovery - Deleted backup data is retained for additional 14 days from the date of delete. This ensures recoverability of the data within given time period so there is no data loss even if attack happens. Also, more number of minimum recovery points are maintained to guard against corrupt data.
Note
Security Features should be enabled only if you are using:
- MAB agent - minimum agent version 2.0.9052. Once you have enabled these features, you should upgrade to this agent version to perform critical operations like Change Passphrase, Stop backup with Delete data
- Azure Backup Server - minimum MAB agent version 2.0.9052 with Azure Backup Server update 1
- DPM - Do not enable these features for DPM. These features are coming soon in future URs, so enabling them will not have any impact on existing functioanlity.
- IaaS VM Backup - Do not enable these features for IaaS VM Backup. These features are not yet available for IaaS VM backup, so enabling them will not have any impact on IaaS VM backup.
- Once enabled, you get Security Features for all the Azure Recovery Services Agent (MARS) machines and Azure Backup Servers registered with the vault.
- Enabling this setting is a one-time action and you cannot disable these features after enabling them.
- This feature is available only for Recovery Services vault.
Users creating recovery services vault would be able to avail all the Security Features. For existing recovery services vault, following steps should be used to enable these features:
-
Log in to Azure portal using Azure credentials
-
Type in Recovery Services in the Hub menu to navigate to recovery services list.
The list of recovery services vaults appears. From this list, select a vault.
The selected vault dashboard opens.
-
From the list of items that appears under vault, click Properties under Settings.
-
Click Update under Security Settings.
Update link opens Security Settings blade, which lets you Enable these features and gives summary of the feature.
-
Select a value from the drop down Have you configured Azure Multi-Factor Authentication? to confirm if you have enabled Azure Multi-Factor Authentication. If it is enabled, you are asked to authenticate from another device (e.g. mobile phone) while logging in to Azure portal.
As part of Security Features, when critical operations are performed in Azure Backup, you have to enter Security PIN available on Azure portal. Enabling Azure Multi-Factor authentication adds a layer of security, ensuring only authorized users with valid Azure credentials and authenticated from second device can access Azure portal and perform such critical operations.
-
Use the toggle button to Enable and click Save button on top to save Security Settings as shown in the figure. You can select Enable only after you select a value from "Have you configured Azure Multi-Factor Authentication?" drop down.
As a security measure, Azure Backup retains deleted backup data for additional 14 days and does not delete it immediately if Stop backup with delete backup data operation is performed. To restore this data in the 14-day period, use the following steps:
For Microsoft Recovery Services Agent (MARS) users:
- If the machine where backups were happening is still available, use Recover data to the same machine in MARS to recover from all the old recovery points.
- If the machine mentioned above is not available, use Recover to an alternate machine to use another MARS machine to get this data.
For Azure Backup Server users:
- If the server where backups were happening is still available, re-protect the deleted data sources and use Recover Data feature to recover from all the old recovery points.
- If the machine mentioned above is not available, use Recover data from another Azure Backup Server to use another Azure Backup Server to get this data.
As part of this feature, checks have been added to make sure only valid users can perform various operations.
As part of adding extra layer of authentication for critical operations, you would be prompted to enter Security PIN when performing Stop Protection with Delete data and Change Passphrase operations.
To receive Security PIN, use the following steps:
- Log in to Azure portal.
- Navigate to recovery service vault > Settings > Properties.
- Click Generate under Security PIN. Generate link opens a blade, which contains Security PIN to be entered in Azure Recovery Services Agent UI. This PIN is valid only for 5 minutes and gets generated automatically after that period.
To ensure that there are always a valid number of recovery points available, following checks have been added:
- For daily retention, minimum seven days of retention should be done
- For weekly retention, minimum four weeks of retention should be done
- For monthly retention, minimum three months of retention should be done
- For yearly retention, minimum one year of retention should be done
Whenever some critical operations are performed, subscription admin would be sent an email notification with details about the operation. If you want to configure additional email ids to receive email notifications, you can use Azure portal to configure them.
The Security features mentioned in this article, provide defense mechanisms against targeted attacks preventing attackers to touch the backups. More importantly, these features provide an ability to recover data if at all attack happens.
- Get started with Azure Recovery Services vault to enable these features
- Download latest Azure Recovery Services agent to protect Windows machines and guard your backup data against attacks
- Download latest Azure Backup Server to protect workloads and guard your backup data against attacks