VEEAM AND STOREONCE – viewed from an audit perspective! (part 2)

TECHNICAL PRACTICES ON STOREONCE

Following the first part of this scenario, we now describe the technical procedures for using the immutability functions on StoreOnce.

REQUIREMENTS

Before proceeding to the configurations, it is worth restating the prerequisites for all the components needed to use immutability with StoreOnce.

  • Minimum firmware version required: 4.3.2 (4.3.6 is preferable, for MFA)
  • Creation of user accounts with specific roles
  • Two-factor authentication
  • Enabling and configuring Dual Authorization
  • Type of operations allowed
  • The “Maximum ISV Controlled Data Retention” parameter must be set to 365000 in the Catalyst Store configuration.
  • It is recommended to use incremental backups with synthetic fulls to optimize the data transfer rate.

ROLES AND TYPES OF USERS

The following roles should be associated with users based on their functions:

  • Administrator: This role allows the user to create and edit functions from the StoreOnce management console. Any user with the Administrator role has the same permissions as the default Admin account.
  • Security Officer: This role restricts the user to viewing, approving and denying dual authorization requests. For all other features, access is limited to monitoring and viewing.
  • BackupAdmin: This role limits the user to creating, editing, and managing data services functions.
  • Backup Operator: This role limits the user to monitoring and viewing data services functions.

User types

The following types of user accounts are available:

  • Local User (typically administrators): Logs in locally with credentials stored on the StoreOnce.
  • Directory User: Logs in with a domain user account.
  • Directory Group: Active Directory groups.

NOTE: To add domain users or groups, the StoreOnce must itself be joined to the domain.

Default account

During StoreOnce installation, a default user account (Admin) is created with the Administrator role. It is not possible to delete this account. Change the default Admin password to avoid security holes, and keep the new password in a safe place.

Some recommended best practices from HPE

  • Create additional accounts to which you assign the correct roles that allow the minimum privileges necessary to prevent accidental or malicious data loss.
  • If you create a group with the Observer role, HPE recommends setting up a user in the group with the Administrator role. (Roles set up with the Add User action take precedence over roles set up with the Add Group action.)

Active Directory or LDAP users are recommended whenever possible.

Note: for me, using LDAP or AD users is not the best way. Why? Read the next paragraph.

TWO-FACTOR AUTHENTICATION (2FA)

NOTE: Two-factor authentication (2FA) is available in firmware version 4.3.6 and later.

It is only available for local users.

Security for accessing the StoreOnce management panel can be further enhanced by implementing MFA.

Configuration is quite simple. It involves enabling two-factor authentication in Users and Groups for both the Administrator and the Security Officer.
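
The prerequisites listed above, together with the rule that 2FA exists only for local users, can be checked mechanically during an audit. The following is an added example, not code from HPE, Veeam or the original article; the snapshot dictionary layout and its field names are assumptions made for illustration and are not a StoreOnce export format.

```python
# Added example. The snapshot layout and field names are hypothetical, not a StoreOnce format.
MIN_FW = (4, 3, 2)            # minimum firmware for immutability (from the article)
MIN_FW_2FA = (4, 3, 6)        # first firmware with two-factor authentication
REQUIRED_RETENTION = 365000   # "Maximum ISV Controlled Data Retention"
ROLES_NEEDING_2FA = {"Administrator", "Security Officer"}

def parse_version(text):
    """Turn '4.3.6' into (4, 3, 6) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))

def audit(snapshot):
    """Return a list of findings; an empty list means every check passed."""
    findings = []
    fw = parse_version(snapshot["firmware"])
    if fw < MIN_FW:
        findings.append(f"firmware {snapshot['firmware']} is below 4.3.2")
    elif fw < MIN_FW_2FA:
        findings.append(f"firmware {snapshot['firmware']} has no 2FA (needs 4.3.6)")
    if not snapshot["dual_authorization"]:
        findings.append("Dual Authorization is not enabled")
    for store in snapshot["catalyst_stores"]:
        if store["max_isv_retention"] != REQUIRED_RETENTION:
            findings.append(f"store {store['name']}: retention limit is not 365000")
    for user in snapshot["users"]:
        if user["role"] not in ROLES_NEEDING_2FA:
            continue  # the article only calls for 2FA on these two roles
        if user["type"] != "local":
            # 2FA exists only for local users, so directory accounts cannot have it.
            findings.append(f"{user['name']}: {user['type']} account cannot use 2FA")
        elif not user["two_factor"]:
            findings.append(f"{user['name']}: 2FA is not enabled")
    return findings

# Constructed sample data for illustration only.
SAMPLE = {
    "firmware": "4.3.2",
    "dual_authorization": False,
    "catalyst_stores": [{"name": "VeeamStore", "max_isv_retention": 0}],
    "users": [
        {"name": "Admin", "role": "Administrator", "type": "local", "two_factor": False},
        {"name": "secoff", "role": "Security Officer", "type": "directory", "two_factor": False},
        {"name": "bkpadm", "role": "BackupAdmin", "type": "directory", "two_factor": False},
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print("FINDING:", finding)
```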