Backup Exec and POPI Act

victor_morgan
Level 2

Hi there,

I am currently using Backup Exec 10.0 and am currently busy addressing PoPi (Protection Of Personal Information) requirements with regard to unauthorised access. Can you advise whether, when performing the backups, the data is stored in such a manner as to make it difficult or impossible to access the data without the use of the Backup Exec software itself?

Regards

Victor

1 ACCEPTED SOLUTION


CraigV
Moderator
Partner    VIP    Accredited

Hi,

Yes, encryption is configured on the actual media server in question. It will only encrypt backups from then on. Anything done before then is unencrypted.

Thanks!


8 REPLIES

CraigV
Moderator
Partner    VIP    Accredited

Nice to see another South African on the forums!!! :)

BE 10 is incredibly old and it might be worth your while upgrading to BE 15 (or something else that's at least still got support). It might not necessarily have the same sort of protection as newer versions have due to its age and lack of improvements.

That said, there is every chance the data can be read. I've managed to import an ARCserv tape and restore it using Backup Exec 12.5. The way in which both applications wrote to tape made it possible for BE 12.5 to read the catalog and contacts. So I would assume this would indeed be possible, especially with BE 10. Your best bet to protect your data is to look at encryption. Read up in the BE 10 Admin Guide on encryption, how to set it, and what the best practices are.

Newer versions of Backup Exec support higher levels of encryption. Read below on these:

https://www.veritas.com/support/en_US/article.000075544

https://www.veritas.com/support/en_US/article.HOWTO22978

https://www.veritas.com/support/en_US/article.TECH49603

It might also be possible to read and access backup files if you're backing up to disk, and you use NTbackup to access this. BE and NTbackup write in a similar way, but I haven't seen this asked for later versions. Read up on encryption carefully before implementing it, and check what POPI wants in order to comply with it.

Thanks!

pkh
Moderator
   VIP    Certified
With the newer versions, you can encrypt your backups, but not if it is a GRT backup to disk.

Colin_Weaver
Moderator
Employee Accredited Certified

BE 10 used media header passwords but not true encryption, and as such there exist numerous ways to recover data without needing Backup Exec (or knowledge of the media header password), and as such it is almost certainly not POPI compliant.

BE 11D and later provided encryption capability where not only do you need Backup Exec but you need the backup set encryption keys as well (so either knowledge of the passphrases or a copy of the BEDB) to recover data.

BE 15 takes it another step and encrypts the content of the BEDB, so that you would now need Backup Exec and either the passphrases OR both the BEDB and the exported database encryption key (DEK) to recover data.

The later versions of Backup Exec do have FIPS-compliant capabilities, although how that relates to POPI I am not sure.

If you do go to Backup Exec 15, check the HCL and SCL carefully as you may be running older software or hardware that is no longer supported (or compatible). Although if you are running software that old you probably have further issues with data security that need addressing.

victor_morgan
Level 2

Thanks for the feedback... just one correction on my side... we are running Backup Exec 12.0

victor_morgan
Level 2

Thank you... for the encryption, does one need to configure it oneself? I have outsourced the backup process to my vendor and hopefully they will be able to set it up, ensuring some sense of security to close the gap on unauthorised access.

CraigV
Moderator
Partner    VIP    Accredited

Hi,

Yes, encryption is configured on the actual media server in question. It will only encrypt backups from then on. Anything done before then is unencrypted.

Thanks!

Colin_Weaver
Moderator
Employee Accredited Certified

Make sure your vendor keeps good (secure) documentation for the backup set encryption key passphrases and backs up the BEDB.bak (recommend without using encryption, to avoid the catch-22 of the thing that helps you decrypt being encrypted) and, if going to BE 15, (separately) the exported database encryption key.

Of course, do not keep the backup of the BEDB.bak and the exported DEK and the passphrases next to each other or next to the backup media - as anyone that breaks in will have all they need if you keep them together. ;)

pkh
Moderator
   VIP    Certified
When you set up encryption, it is not a blanket encryption. You have to enable it on every job whose output you want to encrypt.