Good job for making it to the final part in this series! This is the fourth and final article in our four-part series about Securing Your Backup Data and Safeguarding Against Ransomware.
The prior articles were intended to help familiarize yourself with ways that HYCU discovers sources and protects data with simplicity. We also focused on our native anti-ransomware capability, but also shared how we provide the flexibility to further enhance your security posture by choosing storage targets that offer additional options for making backup data difficult to compromise and through simply changing/rotating passwords. The last step in the process of securing your backups is to focus on how to secure the pathways to and from your sources, hosts, and targets.
Fortunately, configuring the virtual network adapters for HYCU is a very simple and straightforward process. While only one virtual NIC (vNIC) is required, at a minimum, it is possible to multi-home HYCU, by adding a second vNIC to the HYCU VM after deploying it with the first vNIC attached. Once the second vNIC is attached (after deploying the VM), it becomes a configurable item within the HYCU 4.1 Web UI. And, customers can disable the web listener on the second NIC that is being used to access a storage network.
Based on your target selection, consider the following.
- If you choose an NFS target for your primary backups, please be aware that appliance may require a whitelist setting to permit traffic to the network storage from HYCU.
- If you opt for an SMB target, you will need to configure an account with access to a share that you create. It is also important to disallow (or not improperly allow) any unauthorized network access to your backup data share. And, not attach it to other machines in your environment.
- If you select an iSCSI target, it would be prudent to consider enabling/configuring CHAP (Challenge-Handshake Authentication Protocol), which can be done on the target and within HYCU.
- For cloud object storage targets, you will need to configure accounts and/or secret/access keys to grant access to the cloud storage. Then you will need to decide if you need an encrypted high-speed isolated connection (configured with peered connection points and appropriate routes), a site-to-site VPN connection, or if you can simply go over the public internet with HTTPS/TLS.
Also, HYCU’s Web UI can be configured to use a customer or provider generated PKI certificate. The initial deployment provides a self-signed certificate, but customers can take the next step in using a custom certificate using their own certificate authorities. Moreover, HYCU’s source connection with Nutanix Prism can also be configured to use certificate authentication.
If customers take the time to implement the aforementioned measures appropriate for their environments and lock down ports and access, then the final few steps may be to disable SSH access to HYCU, limit access to Prism Element or vCenter UI’s to only the necessary Nutanix and/or VMware Admins (and their administrative workstations/servers) through micro-segmentation. Doing these things can greatly limit access to the VM console to only those select individuals or machines.
Above all, using common sense (i.e. not allowing internet access to servers and keeping admin workstations extremely hygienic), carefully selecting your storage targets (to include the kinds that provide anti-ransomware features), and following these network-related guidelines, will remarkably reduce the opportunity for an attack and give you a fighting chance to recover gracefully.
Thank you for following this tech blog series! To read the full series, you can check them out here:
- Protecting Backup Targets and Data
- Protecting your Server and Application Sources with HYCU
- Securing and Safeguarding Data with HYCU 4.1
- Network Considerations for Securing and Safeguarding Your Data
As always, please share your comments and feedback, and you can reach out to us at firstname.lastname@example.org if you would like more prescriptive guidance or support.