Description

1) Secure communication during Backup and Restore 

Backup Exec version 15 FP1 introduced and started using most secure and latest SSL v3 (TLS) communication protocol for backup and restore operation. In current implementation Backup Exec, it allows TLSv1, TLSv1.1 and TLSv1.2 protocols, while SSLv2 is disabled. The actual protocol version used for the control connection is negotiated  to the highest version mutually supported by the client and the server.

2) Data protection in transit and at rest - Encrypt Backup Set

The backup which is stored on disk/tape/cloud can be protected  by using 128 or 256 bit AES pass phrase. The remote agent of the client being backed up encrypts the data and sends it over the wire to Backup Exec server where it is stored in encrypted form. To turn on encryption, enable it in the Backup Job.

Note: Encryption cannot be performed for Backups run with Granular Recovery Technology to disk storage (cloud storage is exception). Backup destination (Disk, Dedupe) in backup exec is secured with administrator level access by default. The folder has restricted permissions to allow administrative level access only and does not automatically inherit permissions set at the volume level.

3) Secure connection to Cloud Storage 

All the data is secured using SSL during data transfer from Backup Exec to the cloud-based storage device. Backup Exec encrypts the data inline before it is sent to the cloud, and jobs must have encryption enabled to encrypt the data stored in the cloud storage (refer point 2)

4) Backup Exec Job verification when destination is non cloud storage

All versions of Backup Exec write data to the media in Microsoft Tape Format (MTF). During backup when the data stream is written to the media, an associated checksum stream also gets written along with it on the media. Backup runs a verify post the Backup which reads the data stream and calculates the checksum which is then compared with the checksum written on the media. If both are same, then Backup Exec marks the verify job successful.

The same is done for the restore job as well. The data stream is read from the media and  then handed over via a secure connection to the backup exec remote agent. The backup exec remote agent writes the data on the file system and during this process, the checksum on media is compared with the checksum which is recalculated with the help of the data stream being received by the backup exec remote agent. If the checksum does not match, it results in the job failing with an error.

Note: It is recommended to enable verify during a Backup.

It should also be ensured that the Backup media is preserved well when not in use. A verify job should be run to confirm the data and media are in good state.

5) Backup Exec Job verification when destination is Cloud Storage

For cloud-based storage devices, by default, the Do not verify data for this job option is selected in the Backup Options. Cloud vendors charge for operations that read data from and write data to the cloud. To avoid charges for reading data during the verify operation of a backup or duplicate job, this option is selected by default.
The Backup Exec Cloud Connector implements the integrity check mechanisms for S3 (Amazon, Google, and private cloud vendors supported by Backup Exec) and Azure compatible cloud storage. This is available from Backup Exec 16 and later.

6) Secure Backup Exec console.

Backup Exec 20.1 introduces Secure Backup Exec console by providing the following features. To enable it select the Secure the Backup Exec Console check box:

Authentication

After you select the Secure the Backup Exec Console check box, the authentication setting is enabled and the next time that you launch Backup Exec, you need to enter Backup Exec login credentials to connect to the console.

If you do not enter the credentials you cannot connect to the Backup Exec console.

Lock Console option

After you select the Secure the Backup Exec Console check box, this option is enabled. This option lets you lock the Backup Exec session that you are working on and secure the Backup Exec console from unauthorized access. Unless you unlock the Backup Exec console, you cannot perform any tasks in the Backup Exec user interface.

Note: 
By default, this check box is not selected.
 

This option is not applicable for Remote Administration Console (RAC) as you must always provide credentials to connect to the Backup Exec console.

Only the owner of a System Logon Account, who is logged on to the Backup Exec console has the privileges to change the user access settings. If you want to know the owner of the System Logon Account, click the Backup Exec button, and then select Configuration and Settings > Select Logon Accounts > Manage Logon Accounts. On the Logon Account Management dialog box, the Owner column displays the owner of the System Logon Account.

In case of rolling upgrade, if you have an earlier version of MMS and an updated version of CAS, and you connect to MMS from CAS, this check box is available and you can select it. However, this setting is not enabled for MMS.

7) Common Vulnerabilities and Exposure (CVE) review 
Veritas Backup Exec Engineering reviews CVEs (common vulnerabilities and exposures) that are reported and affect product security stability or hampers data integrity and continue to upgrade the protocols and algorithms used within Backup Exec.