|
| 1 | +--- |
| 2 | +title: Overview of security features |
| 3 | +description: Learn about security capabilities in Azure Backup that help you protect your backup data and meet the security needs of your business. |
| 4 | +ms.topic: conceptual |
| 5 | +ms.date: 03/12/2020 |
| 6 | +--- |
| 7 | + |
| 8 | +# Overview of security features in Azure Backup |
| 9 | + |
| 10 | +This article introduces security capabilities in Azure Backup that help you protect your backup data and meet the security needs of your business. |
| 11 | + |
| 12 | +## Manage and control identity and user access |
| 13 | + |
| 14 | +Azure Backup enables you to manage fine-grained access using [Azure Role-Based Access Control (RBAC)](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles). RBAC allows you to segregate duties within your team and grant only the amount of access to users necessary to do their jobs. |
| 15 | + |
| 16 | +* Azure Backup provides three built-in roles to control backup management operations: |
| 17 | + * [Backup Contributor](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#backup-contributor) - to create and manage backup except deleting Recovery Services vault and giving access to others |
| 18 | + * [Backup Operator](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#backup-operator) - everything a contributor does except removing backup and managing backup policies |
| 19 | + * [Backup Reader](https://docs.microsoft.com/azure/role-based-access-control/built-in-roles#backup-reader) - permissions to view all backup management operations |
| 20 | + |
| 21 | + [Learn more about Role-Based Access control to manage Azure Backup](https://docs.microsoft.com/azure/backup/backup-rbac-rs-vault). |
| 22 | + |
| 23 | +* Azure Backup has several security controls built into the service to prevent, detect, and respond to security vulnerabilities. [Learn more about security controls for Azure Backup](https://docs.microsoft.com/azure/backup/backup-security-controls). |
| 24 | + |
| 25 | +## Encryption |
| 26 | + |
| 27 | +Encryption protects your data and helps you to meet your organizational security and compliance commitments. Within Azure, data in transit between Azure storage and the vault is protected by HTTPS. This data remains on the Azure backbone network. |
| 28 | + |
| 29 | +* Backup data is automatically encrypted using [Microsoft managed keys](https://docs.microsoft.com/azure/backup/backup-azure-security-feature-cloud#encryption-of-backup-data-using-microsoft-managed-keys). You also can encrypt your backup data in the Recovery Services Vault using [your encryption keys](https://docs.microsoft.com/azure/backup/backup-azure-security-feature-cloud#encryption-of-backup-data-using-customer-managed-keys) stored in the Azure Key Vault. |
| 30 | + |
| 31 | +* Azure Backup supports backup and restore of Azure VMs that have their OS/data disks encrypted with Azure Disk Encryption (ADE). [Learn more about encrypted Azure VMs and Azure Backup](https://docs.microsoft.com/azure/backup/backup-azure-vms-encryption). |
| 32 | + |
| 33 | +## Protection of backup data from Accidental or malicious deletes |
| 34 | + |
| 35 | +Azure Backup provides security features to help protect backup data even after deletion. One such feature is [soft delete](https://docs.microsoft.com/azure/backup/backup-azure-security-feature-cloud#soft-delete). With soft delete, if a malicious actor deletes the backup of a VM (or backup data is accidentally deleted), the backup data is retained for 14 additional days, allowing the recovery of that backup item with no data loss. The additional 14 days retention of backup data in the "soft delete" state doesn't incur any cost to the customer. [Learn more about soft delete](https://docs.microsoft.com/azure/backup/backup-azure-security-feature-cloud#soft-delete). |
| 36 | + |
| 37 | +## Monitoring and Alerts |
| 38 | + |
| 39 | +Azure Backup provides [built-in monitoring and alerting capabilities](https://docs.microsoft.com/azure/backup/backup-azure-monitoring-built-in-monitor) to view and configure actions for business-critical events. [Backup Reports](https://docs.microsoft.com/azure/backup/configure-reports) serve as a one-stop destination for tracking usage, auditing of backups and restores, and identifying key trends at different levels of granularity. |
| 40 | + |
| 41 | +## Security of hybrid backup data |
| 42 | + |
| 43 | +Azure Backup service uses the Microsoft Azure Recovery Services (MARS) agent to back up and restore files, folders, and the volume or system state from an on-premises computer to Azure. MARS now provides security features to help protect hybrid backups. These features include: |
| 44 | + |
| 45 | +* **Prevention**: An additional layer of authentication is added whenever a critical operation like changing a passphrase is performed. This validation is to ensure that such operations can be performed only by users who have valid Azure credentials. [Learn more about the features that prevent attacks](https://docs.microsoft.com/azure/backup/backup-azure-security-feature#prevent-attacks). |
| 46 | + |
| 47 | +* **Alerting**: An email notification is sent to the subscription admin whenever a critical operation like deleting backup data is performed. This email ensures that the user is notified quickly about such actions. [Learn more about notifications for critical operations](https://docs.microsoft.com/azure/backup/backup-azure-security-feature#notifications-for-critical-operations). |
| 48 | + |
| 49 | +* **Recovery**: Deleted backup data is retained for an additional 14 days from the date of deletion. This ensures recoverability of the data within a given time period, so there's no data loss even if an attack happens. Also, a greater number of minimum recovery points are maintained to guard against corrupt data. [Learn more about recovering deleted backup data](https://docs.microsoft.com/azure/backup/backup-azure-security-feature#recover-deleted-backup-data). |
| 50 | + |
| 51 | +## Next steps |
| 52 | + |
| 53 | +* [Security features to help protect cloud workloads that use Azure Backup](backup-azure-security-feature-cloud.md) |
| 54 | +* [Security features to help protect hybrid backups that use Azure Backup](backup-azure-security-feature.md) |
0 commit comments