01-26-2016 11:02 PM
HI there,
I am currently using Backup Exec 10.0 and is currently busy addressing PoPi (Protection Of Personal Information) requirements with regards to unauthorised access. Can you advise when performing the backups, is the data stored in such a manner making it difficult/or impossible to access the data without the use of Backup Exec software itself?
Regards
Victor
Solved! Go to Solution.
01-27-2016 03:16 AM
Hi,
Yes, encryption is configured on the actual media server in question. It will only encrypt bsckups from then on. Anything done before then is unencrypted.
Thanks!
01-26-2016 11:07 PM
nice to see another South African on the forums!!! :)
BE 10 is incredibly old and it might be worth your while upgrading to BE 15 (or something else that's at least still got support). It might not necessarily have the same sort of protection as newer versions have due to its age and lack of improvements.
That said, there is every chance the data can be read. I've managed to import an ARCserv tape and restore it using Backup Exec 12.5 The way in which both applications wrote to tape made this possible for BE 12.5 to read the catalog and contacts. So I would assume this would indeed be possible, especially with BE 10. Your best bet to protect your data is to look at encryption. Read up in the BE 10 Admin Guide on encryption, how to set it, and what the best practices are.
Newer versions of Backup Exec support higher levels of encryption. Read below on these:
https://www.veritas.com/support/en_US/article.000075544
https://www.veritas.com/support/en_US/article.HOWTO22978
https://www.veritas.com/support/en_US/article.TECH49603
It might also be possible to read and access backup files if you're backing up to disk, and you use NTbackup to access this. BE and NTbackup write in a similar way, but haven't seen this asked for later versions. Read up on encryption carefully before implementing it, and check what POPI wants in order to comply with it.
Thanks!
01-27-2016 12:20 AM
01-27-2016 12:32 AM
BE 10 used media header passwords but not true enccyption and as such there exist numerous ways to recover data without needing Backup Exec (or knowledge of the media header password.) and as such is almost certainly not POPI compliant
BE 11D and later provided encryption capability where not only do you need Backup Exec but you need the backup set encryption keys as well (so either knowledge of the passphrases or a copy of the BEDB) to recover data.
BE 15 takes it another step and encrypts the content of the BEDB, so that you would now need Backup Exec and either the passphrases OR both the bedb and the exported database excyption key (DEK) to recover data.
The later versions of Backup Exec do have FIPS compliant capabilities although how that relates to POPI I am not sure.
If you do go to Backup Exec 15 check the HCL and SCL carefully as you may be running older software or hardware that is no longer supported (or compatible). Although if you are running software that old you probably have further issues with data security that need addressing.
01-27-2016 03:06 AM
Thanks for the feedback...just one correction on my side...we are running Backup Exec 12.0
01-27-2016 03:09 AM
Thank you....for the encryption does one need to configure it yourself? I have outsouce the backup process to my vendor and hopefully they will be able to set it up ensuring some sense of security to close the GAP on unauthorised access.
01-27-2016 03:16 AM
Hi,
Yes, encryption is configured on the actual media server in question. It will only encrypt bsckups from then on. Anything done before then is unencrypted.
Thanks!
01-27-2016 03:25 AM
Make sure your vendor keeps good (secure) documentation for the backup set encryption key passphrases and backs up the BEDB.bak (recommend without using encryption to avoid the catch 22 of the thing that helps you decrypt being encrypted) and if going to BE 15 (separately) the exported database encryption key
Of course do not keep the backup of the BEDB.bak and the exported DEK and the passphrases next to each other or next to the backup media - as anyone that breaks in will have all they need if you keep them together. ;)
01-27-2016 03:28 AM