articles/backup/protect-backups-from-ransomware-faq.yml
Lines changed: 15 additions & 13 deletions
Original file line number
Diff line number
Diff line change
@@ -4,7 +4,7 @@ metadata:
4
4
description: In this article, discover answers to protect backups from ransomware with Azure Backup.
5
5
ms.topic: faq
6
6
ms.service: backup
7
-
ms.date: 03/10/2022
7
+
ms.date: 03/14/2022
8
8
author: v-amallick
9
9
ms.author: v-amallick
10
10
@@ -16,7 +16,7 @@ summary: |
16
16
sections:
17
17
- name: Ignored
18
18
questions:
19
-
- question: What’re some best practices to protect backups against security and ransomware threats?
19
+
- question: What’re the best practices to configure and protect Azure Backups against security and ransomware threats?
20
20
answer: |
21
21
Your backup data that’s securely stored in an Azure resource called Recovery Services Vault or Backup Vault is *isolated*. This vault is a management entity, any application or guest don’t have direct access to these backups, thus *prevents malicious actors* to perform destructive operations on the backup storage, such as deletions or tampering of backup data.
22
22
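Review bot: The reworded question on line 19 uses "Azure Backups" as a plural product name, which does not match the service name "Azure Backup" used in the metadata and throughout the answer; suggest "What are the best practices to configure Azure Backup and protect your backups against security and ransomware threats?". The contraction "What're" also reads oddly in a heading, and the unchanged answer text below it still has "any application or guest don't have direct access" and "prevents malicious actors to perform", which could be fixed in the same pass ("no application or guest has direct access", "prevents malicious actors from performing").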
@@ -27,13 +27,15 @@ sections:
27
27
- Azure Backup allows you to segregate duties within your team to grant only the amount of access necessary for your team members to do their jobs using [Azure role-based access control (Azure RBAC) to manage Azure Backup](backup-rbac-rs-vault.md).
28
28
- Use Privileged Identity Management to provide time-based and approval-based role activation to mitigate the risks of excessive, unnecessary, or misused permissions. [Learn more](../active-directory/privileged-identity-management/pim-configure.md).
29
29
30
-
- **Ensure soft delete isn’t turned off to protect backups from accidental or miscellaneous deletes**
30
+
- **Ensure soft delete is enabled to protect backups from accidental or malicious deletes**
31
31
32
-
Soft delete is enabled by default on a newly created Recovery Services vault. It protects backup data from accidental or malicious deletes for 14 days at no additional cost, allowing the recovery of that backup item before it’s permanently lost. We recommend not to disable this feature. If backups are deleted and soft delete isn’t enabled, you or Microsoft can’t recover the deleted backup data. Use [Multi-user authorization (MUA)](multi-user-authorization.md) as an additional layer of protection for these critical operations on your Recovery Services vault to validate operation before disabling this feature. For more information, see [How to enable, manage, and when to disable soft delete for Azure backup](backup-azure-security-feature-cloud.md)?
32
+
Soft delete is enabled by default on a newly created Recovery Services vault. It protects backup data from accidental or malicious deletes for 14 days at no additional cost, allowing the recovery of that backup item before it’s permanently lost. We recommend not to disable this feature. If backups are deleted and soft delete isn’t enabled, you or Microsoft can’t recover the deleted backup data. Use [Multi-user authorization (MUA)](multi-user-authorization.md) as an additional layer of protection for these critical operations on your Recovery Services vault to validate operation before disabling this feature. For more information, see [How to enable, manage, and when to disable soft delete for Azure Backup](backup-azure-security-feature-cloud.md)?
33
+
34
+
We also recommend to use Multi-user authorization (MUA) to protection critical operations on your Recovery Services vault.
33
35
34
-
- **Ensure multi-user authorization (MUA) is enabled for an additional layer of protection**.
36
+
- **Ensure Multi-user authorization (MUA) is enabled to protect against rogue admin scenario**.
35
37
36
-
MUA for Backup uses a new resource called the Resource Guard to ensure critical operations, such as disabling soft delete, stopping and deleting backups, or reducing retention of backup policies, are performed only with applicable authorization. For more information, see:
38
+
MUA for Azure Backup uses a new resource called the Resource Guard to ensure critical operations, such as disabling soft delete, stopping and deleting backups, or reducing retention of backup policies, are performed only with applicable authorization. For more information, see:
37
39
38
40
- [How does MUA using Resource Guard works?](multi-user-authorization.md)
39
41
- [Provide Just-In-Time access on Resource Guard using Privileged Identity Management](multi-user-authorization.md#authorize-critical-protected-operations-using-azure-ad-privileged-identity-management).
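Review bot: The new line 34, "We also recommend to use Multi-user authorization (MUA) to protection critical operations on your Recovery Services vault.", contains a grammatical error ("to protection") and duplicates both the preceding sentence ("Use [Multi-user authorization (MUA)] as an additional layer of protection for these critical operations...") and the MUA bullet that immediately follows; suggest dropping the added line, or at minimum changing it to "to protect critical operations". Two smaller points in the same hunk: the retained "see [How to enable, manage, and when to disable soft delete for Azure Backup](...)?" ends a statement with a question mark, and the new heading "to protect against rogue admin scenario" should read "rogue-admin scenarios".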
@@ -46,7 +48,7 @@ sections:
46
48
47
49
- **Ensure network connectivity between backup services and workloads is secure**.
48
50
49
-
- For Azure VM, [by default all the communication happens within the Azure network](security-overview.md#internet-connectivity-not-required-for-azure-vm-backup).
51
+
- For Azure VM, [data in transit remains on the Azure backbone network without needing to access your virtual network](security-overview.md#internet-connectivity-not-required-for-azure-vm-backup). Therefore, backup of Azure VMs placed inside secured networks doesn't require you to allow access to any IPs or FQDNs.
50
52
- For databases on Azure VM, secure the outbound access with the following network connectivity requirements [for SQL Server](backup-sql-server-database-azure-vms.md#establish-network-connectivity), [for SAP HANA database](backup-azure-sap-hana-database.md#establish-network-connectivity) on Azure VM.
51
53
- For PaaS resources, such as PostgreSQL, communication happens within the Azure network. For workloads (such as Azure Files, Azure Disk, and Azure Blobs) where the backup data is stored in the operational tier, you need to *allow Azure services on the trusted services list to access storage account* in *Network Settings* for the corresponding storage account.
52
54
- For on-premises workloads that are protected using MARS or MABS, can use Microsoft peering for *ExpressRoute* or *Virtual Private Network (VPN)* to connect to Azure. Use *private peering* when using *private endpoints* for Backup. Network traffic between peered virtual networks remains private.
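Review bot: The new Azure VM bullet on line 51 makes an absolute claim ("doesn't require you to allow access to any IPs or FQDNs"), but the very next bullet states that databases on Azure VMs (SQL Server, SAP HANA) do have outbound network connectivity requirements; suggest scoping the sentence to Azure VM backup specifically ("backup of Azure VMs placed inside secured networks doesn't require you to allow access to any IPs or FQDNs for the VM backup itself; see the database requirements below") so the two bullets do not contradict each other. The unchanged on-premises bullet in this hunk is also missing its subject ("For on-premises workloads that are protected using MARS or MABS, can use..."); "you can use" would fix it.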
@@ -73,7 +75,7 @@ sections:
73
75
74
76
- **Regularly monitor your backups**
75
77
76
-
Use the monitoring solutions to identify machines in the organization that aren’t protected by Azure Backup, monitor your backup items, backup jobs, and policies. For more information, see:
78
+
Use the monitoring solutions (for example, Backup Explorer) to identify machines in the organization that aren’t protected by Azure Backup, monitor your backup items, backup jobs, and policies. For more information, see:
77
79
78
80
- [Monitoring and reporting scenarios](monitoring-and-alerts-overview.md).
79
81
- [Monitor your backups with Backup Explorer](monitor-azure-backup-with-backup-explorer.md).
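Review bot: The parenthetical on line 78 is a good addition, but the sentence's list structure is still ambiguous ("to identify machines ... that aren't protected by Azure Backup, monitor your backup items, backup jobs, and policies" reads as four things to identify); suggest "to identify machines in the organization that aren't protected by Azure Backup, and to monitor your backup items, backup jobs, and policies."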
@@ -87,13 +89,13 @@ sections:
87
89
88
90
- question: How to block (un)intentional deletion of backup data?
89
91
answer: |
90
-
- **Enable Soft delete to protect backups from accidental or miscellaneous deletes**.
92
+
- **Enable Soft delete is enabled to protect backups from accidental or malicious deletes**.
91
93
92
94
Soft delete is a useful feature that helps you deal with data loss. Soft delete retains backup data for 14 days, allowing the recovery of that backup item before it’s permanently lost. For more information, see [How to enable, manage and disable soft delete for Azure Backup](backup-azure-security-feature-cloud.md)?
93
95
94
96
- **Ensure Multi-user authorization (MUA) is enabled for an additional layer of protection**.
95
97
96
-
MUA for Backup uses a new resource called Resource Guard to ensure critical operations, such as disabling soft delete, stopping and deleting backups, or reducing retention of backup policies, are performed only with applicable authorization.
98
+
MUA for Azure Backup uses a new resource called Resource Guard to ensure critical operations, such as disabling soft delete, stopping and deleting backups, or reducing retention of backup policies, are performed only with applicable authorization.
97
99
98
100
For more information, see:
99
101
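Review bot: The new heading on line 92, "Enable Soft delete is enabled to protect backups from accidental or malicious deletes", is ungrammatical and appears to be a partial edit; it should match the wording already used on line 30 of this same change, "Ensure soft delete is enabled to protect backups from accidental or malicious deletes". The retained "see [How to enable, manage and disable soft delete for Azure Backup](...)?" has the same stray question mark as the earlier hunk.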
@@ -115,9 +117,9 @@ sections:
115
117
- Once complete, ensure backups are configured and healthy on the recovered workloads.
116
118
- Identify gaps to check where the process didn’t work as expected. Find opportunities to improve process.
117
119
118
-
- question: Will backups containing an infected copy of data from a compromised source server impact the existing recovery points?
120
+
- question: Will an infected backup copy impact the existing clean recovery points?
119
121
answer: No, the infected recovery point (that is, backed-up data containing infected data) can’t spread to previous non-infected recovery points.
120
122
121
-
- question: I want to stop the recovery points on compromised server being pruned. What should I do?
122
-
answer: You need to [extend the retention duration of existing recovery points](backup-architecture.md#additional-reference), so that they aren’t deleted by the retention policy.
123
+
- question: How can I extend the expiration of recovery points in case of impact?
124
+
answer: If you need more time to investigate and recover in case of an impact, you can extend expiration to ensure the recovery points aren't cleaned up (as per policy). [Learn more](backup-architecture.md#additional-reference), so that they aren’t deleted by the retention policy
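Review bot: The new answer on line 124 carries a leftover fragment from the removed answer: "[Learn more](backup-architecture.md#additional-reference), so that they aren't deleted by the retention policy" tacks the old clause onto the link and the line has no terminating period. Suggest ending the sentence after the link, e.g. "...you can extend the expiration of the recovery points so that they aren't deleted by the retention policy. [Learn more](backup-architecture.md#additional-reference)." The question on line 123, "in case of impact", is also vaguer than the original "recovery points on compromised server"; "in case of a ransomware incident" or "on a compromised server" would preserve that context.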