Update 4 for Service Providers – Tape as a Service

When Veeam Backup & Replication 9.5 Update 4 went Generally Available a couple of weeks ago I posted a What’s in it for Service Providers blog. In that post I briefly outlined all the new features and enhancements in Update 4 that pertain to our Veeam Cloud and Service Providers. As mentioned, each new major feature deserves its own separate post, and today I’m kicking off the series with what I feel was probably the least talked about new feature in Update 4…Tape as a Service for Cloud Connect Backup.

As a reminder here are the top new features and enhancements in Update 4 for VCSPs.

Tape as a Service for Cloud Connect Backup:

When we introduced Cloud Connect Backup in version 8 of Backup & Replication we gave VCSPs the ability to offer a secure, remote offsite repository for their tenants. When thinking about air-gapped backups, though, the data is protected at the VCSP end but ultimate control over what is backed up to the Cloud Repository is in the hands of the tenant. From the tenant’s server they could manipulate the stored backups via policy, or a malicious user could gain access to the server and delete the offsite copies.

In Update 3 of Backup & Replication 9.5 we added Insider Protection to Cloud Connect Backup, which allowed the VCSP to put a policy on the tenant’s Cloud Repository that would protect backups from a malicious attack. With this option enabled, when a backup or a specific restore point in the backup chain is deleted or aged out from the cloud repository, the actual backup files are not deleted immediately. Instead, they are moved to a _RecycleBin folder on the repository.

In Update 4 we have taken that a step further to add true air-gapped backup options that VCSPs can create services around for longer term retention with the Tenant to Tape feature. This allows a VCSP to offer an additional level of data protection for their tenants. The tenant sends a copy of the backup data to their cloud repository, and the VCSP then configures backup to tape to send another copy to the tape media. If data in the cloud repository becomes unavailable and recovery is required, the VCSP can initiate a restore from tape.

VCSPs can also offer tape-out services to help their tenants meet compliance requirements and internal policies without maintaining their own tape infrastructure. Tapes can be stored by the service provider, or shipped back to the tenant as shown in the diagram below.

To take advantage of this new Update 4 feature VCSPs will need to configure Tape Infrastructure on the Cloud Connect server. What’s great about Veeam is that we have the option to use traditional tape infrastructure or take advantage of Virtual Tape Libraries (VTLs), which can then be backed by Object Storage such as Amazon S3. I am not going to walk through that process in this post; there are a number of blogs and White Papers available that guide you on the setup of an Amazon Storage Gateway to use as a VTL.

Once the Tape Infrastructure is in place, as a VCSP with a Cloud Connect license when you upgrade to Update 4, under Tape Infrastructure you will see a new option called Tenant to Tape.

A tenant backup to tape job is a variant of a backup to tape job targeted at a GFS Media Pool which is available for Veeam customers with regular licensing. What’s interesting about this feature is that there are a number of options that allow flexibility on how the jobs are created which also leads to a change of use case for the feature depending on which option is chosen.

Choosing Backup Jobs will allow VCSPs to add any jobs that may be registered on the Cloud Connect server…though in reality there shouldn’t be any configured due to licensing constraints. The other two options provide the different use cases.

Backup Repositories:

This allows the VCSP to back up to tape one or more cloud repositories that can contain one or multiple tenants. This can allow the VCSP to back up the Cloud Connect repository as a whole to an offsite location for longer term retention.

The ability to archive tenant Cloud Connect Backups to tape can help VCSPs protect their own infrastructure against disasters that may result in loss of tenant data. It can also be used as another level of revenue-generating service. As an example, there could be two service offerings for Cloud Connect Backup: one with a basic SLA which only has one copy of the backup data stored, and another with an advanced SLA that has data saved in two locations, the Cloud Connect Repository and the tape media.

Tenants:

This option offers a lot more granularity and gives the VCSP the ability to offer an additional level of protection on a per tenant level. In fact you can also drill down to the Tenant repository level and select individual repositories if tenants have more than one configured.

Again, this can be done per tenant, or there can be one master job for all tenants.

It’s important to understand that all tasks within the tenant backup to tape feature are performed by the VCSP. Unless the VCSP has created a portal that has information about the jobs, the tenant is generally unaware of the tape infrastructure and the tenant can’t view or manage backup to tape jobs configured or perform operations with backups created by these jobs. There is scope for VCSPs to integrate such jobs and actions into their automation portals for self service.

Restores:

VCSPs can restore tenant data from tape for one or more tenants at the same time. The restore can go to the original location or to a new location, or be exported to backup files on local disk.

Wrap Up:

Tenant to Tape, or Tape as a Service for Cloud Connect Backup, was a feature that didn’t get much airplay in the lead-up to the Update 4 launch; however, it gives VCSPs more options to protect tenant data and truly offer an air-gapped solution to better protect that data.

References:

https://www.veeam.com/wp-using-aws-vtl-gateway-deployment-guide.html

https://aws.amazon.com/about-aws/whats-new/2016/08/backup-and-archive-to-aws-storage-gateway-vtl-with-veeam-backup-and-replication-v9/

4 comments

  • We’re an MSP/VCSP and we just had this discussion after reports of a mid-size MSP getting breached through a ConnectWise plugin and all their clients getting crypto’d. We have insider protection enabled, but if we as the provider get breached, it’s all vulnerable.

    Would implementing tape/VTL protect against a breach of our systems too? In other words, if an attacker gets access to our Cloud Connect console, could they wipe VTL backups we previously sent to Amazon S3?

  • Geoff Burke

    Great post about a great new feature. One thing that would have been nice would have been the ability to drill down and choose individual backup copy jobs instead of whole repositories. Some Tenants might only want certain jobs archived and others not. Right now you would need to create separate cloud repositories for them.

  • You forgot to mention that this tenant backup feature is only available for tenants that are already upgraded to Update 4. For “older” tenants you always receive a version error when the backup to tape starts.

    • That’s somewhat implied in that most of the new functionality we have released in Update 4 requires that the tenant is on Update 4 as well to take advantage of the features. This has been the same for past releases. In theory all tenants/end users should be upgrading to Update 4 ASAP. There aren’t many reasons to stay on previous releases.