A significant milestone for #Veeam. VBR V13 is now GA as we speak. This is fascinating news.
This release we were all waiting for, for many reasons. The most important thing to me is that it is delivered as a pre-hardened software appliance on Linux.
In addition to the existing Windows-based installable software that will remain available, V13 now also
offers a new software appliance deployment option for significantly reduced operational costs and
security risks. By lowering deployment complexity and applying optimizations and DISA STIG
hardening to the OS automatically, time to value is reduced while risky misconfigurations are avoided
and the ongoing maintenance burden is decreased.
The unique benefits of Veeam Software Appliance (VSA) include:
Pre-built
With VSA, the base OS aka “just enough” operating system (JeOS) and the backup software are
packaged together to create a software appliance configured to run optimally on industry-standard
server hardware or in a virtual machine. The entire VSA stack is fully maintained by Veeam, including
JeOS, backup software and 3rd party components updates, so you could focus more on backup and
recovery and less on backup infrastructure management.
VSA is delivered as bootable installation media (ISO) for quick deployment on any physical, virtual or
cloud machine that supports boot from USB or from an ISO file. Installation of VSA requires just a few
clicks with automated disk partitioning intelligently configuring volumes for optimal performance and
OS security. In addition, for even faster deployment as a VMware vSphere VM, VSA is also offered as a
Virtual Appliance (OVA).
Despite JeOS is based on Linux, no Linux OS expertise is required because we abstract all essential OS
management tasks with a simple text-based user interface (TUI) and a web-based console covering
common host OS management tasks such as network settings configuration. And should something
ever go sideways, purpose-built bootable rescue media will help to get your VSA back up in no time by
reinstalling the base OS while preserving its configuration and backups.Pre-hardened
VSA is secure-by-default thanks to its base OS preconfigured according to DISA STIG guidelines to
minimize attack surface and block known attack vectors. No manual hardening, no guessing games –
industry best practices are baked in! Plus, we go even further to make VSA harder for hackers to
break into by restricting remote OS access over SSH out of the box and mandating multi-factor
authentication (MFA) for all sensitive operations.
In addition, core services have been reworked to run under a low-privileged OS account, thereby
vastly reducing privilege escalations opportunities in case of software vulnerabilities, ensuring an
attacker is unable to easily take over the OS and extract sensitive information such as saved
infrastructure credentials. We also sandboxed the execution of custom scripts used by various
functions to ensure they cannot do any damage to VSA.
Secure-by-default from the start, the software appliance also stays hardened over time thanks to fully
automated security patches and hardening updates. By making these updates mandatory, Veeam is
taking ownership of security outcomes for our customers as we committed with our CISA Secure by
Design pledge.
Predictable
VSA is designed for True Zero Trust operations with no base OS privileges available to backup server
administrators or any other roles. This prevents backup admins from applying configuration changes
with unpredictable results that may impact backup performance, reliability and security, helping
businesses to maintain the baseline posture through the entire software appliance lifecycle.
Further, any legitimate but sensitive host management operations such as the creation of new admin
accounts or the deployment of remote management agents must be approved by the dedicated user
with the Security Officer role, who at the same time is not allowed to initiate any operations on their
own. Designating a Security Officer from your company’s Security Team is highly recommended to
enable true Zero Trust operations but can be skipped for small IT environments with a single
administrator responsible for everything.
Want even more predictability? New to V13 VSA is the new backup infrastructure lockdown mode
which once enabled prevents unauthorized addition of backup infrastructure components, which can
not only impact backup performance by changing the network traffic flow but also be used for data
exfiltration if newly added infrastructure components are controlled by a malicious actor.Veeam
All-in-one Appliance
Thanks to low deployment complexity and predictability, VSA particularly shines as an all-in-one
backup appliance – especially thanks to offering the immutability option for backups stored in its
built-in repository – making it an appealing solution for SMB and ROBO environments. Installed on an
industry-standard storage-optimized server chassis, VSA offers unmatched performance and up to
1PB of immutable backup storage in a single box! And while the built-in repository does not provide the
same level of protection against cyber-attacks as Veeam Hardened Repository due to the added
attack surface of the backup management software, immutability still offers major benefits by
protecting backups against accidental or malicious deletion. But for ultimate protection, we
recommend separating management server and backup storage by deploying standalone hardened
repositories – which V13 makes it a breeze to do with Veeam Infrastructure Appliance described next.
In addition, Veeam ONE v13 and Veeam Service Provider Console v9 have also been released today.
Former Nuclear Engineer | University Lecturer | Technology Advisor | Digital Transformation evangelist | FinTech | Blockchain | Podcaster | vExpert ⭐️⭐️⭐️⭐️ | VeeamVanguard ⭐️⭐️ | Nutanix SME | MBA | AWS ABW Grant’23
