You can enable the security enhancement feature of Hybrid Backup and Recovery (HBR) to improve the security management of your data backup. This feature can protect your data against unexpected operations, malicious attacks, and unauthorized backup or restoration and help meet the requirements for data security and compliance. HBR allows you to encrypt your data based on Key Management Service (KMS), enable the immutable backup feature, and isolate backup permissions and recovery permissions. This topic describes how to enable the security enhancement feature for data backup.

Background information

HBR provides the following features to support the security enhancement feature for data backup.

  • KMS-based encryption
    KMS-based encryption allows you to manage your encryption key. You can encrypt the data in the backup source by using KMS before you store the backup data to the backup vault.
    Notice
    • If you enable KMS-based encryption, you cannot modify a KMS key.
    • If you disable or delete a KMS key, you cannot restore the backup data from the backup vault.
    • We recommend that you configure the ID of a KMS key before you use the key to encrypt the data in the backup source. For more information, see Create a CMK.
  • Immutable backup
    The immutable backup feature supports the Write Once Read Many (WORM) policy. If you enable this feature, you can write data to all backup vaults only once and read data from the backup vaults multiple times. The immutable backup feature provides additional protection for your backup vault.
    Notice
    • If you enable the immutable backup feature, you cannot disable this feature.
    • If you enable the immutable backup feature, you cannot delete the backup vault or backup data until the retention period expires.
    • Backup and recovery operations are not affected.
  • Isolation of backup permissions and recovery permissions

    You can grant backup or recovery permissions to a specified RAM user. This way, the RAM user can perform only backup or recovery operations but cannot perform both operations. This helps prevent unauthorized operations.

Enable KMS-based encryption

  1. Prepare a KMS key.
    Before you use a KMS key to encrypt the data in the backup source, you must configure the ID of the KMS key. For more information, see Create a CMK.
  2. On the Create Backup Plan page, set the Source Encryption Type parameter to KMS and specify the KMS KeyId parameter when you create the backup plan. This enables the KMS-based encryption feature.
    On the Storage Vaults page, you can find Encryption based on KMS in the Backup Type column.

Enable immutable backup

  1. Log on to the HBR console.
  2. In the left-side navigation pane, choose Backup Appliance > Storage Vaults.
  3. Find the backup vault for which you want to enable the immutable backup feature. In the Actions column to the right of the backup vault, choose More > Modify Backup Vault.
  4. In the Modify Backup Vault panel, turn on Immutable Backup.
  5. In the dialog box that appears, click OK.
  6. In the Modify Backup Vault panel, click OK.
    After you click OK, Yes is displayed in the Immutable Backup column.

Isolate backup permissions and recovery permissions

  1. Obtain the RAM policy that you can use to deny the backup permissions or recovery permissions for a backup vault.
    1. Log on to the HBR console.
    2. In the left-side navigation pane, choose Backup Appliance > Storage Vaults.
    3. Find the backup vault. In the Actions column to the right of the backup vault, choose More > Modify Backup Vault.
    4. In the RAM Permission Policy section of the Modify Backup Vault panel, select the RAM policy that you can use to deny the backup permissions or recovery permissions.
      • RAM Policy that deny restore
        Click the Copy button in the upper-left corner of the input box to copy the script. Example:
        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Deny",
                    "Action": [
                        "hbr:CreateRestore",
                        "hbr:CreateRestoreJob",
                        "hbr:CreateHanaRestore",
                        "hbr:CreateUniRestorePlan",
                        "hbr:CreateSqlServerRestore"
                    ],
                    "Resource": [
                        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu",
                        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*"
                    ]
                }
            ]
        }
        Note: v-0000ryfi******piu is the ID of the backup vault.
      • RAM Policy that deny backup
        Click the Copy button in the upper-left corner of the input box to copy the script. Example:
        {
            "Version": "1",
            "Statement": [
                {
                    "Effect": "Deny",
                    "Action": [
                        "hbr:CreateUniBackupPlan",
                        "hbr:UpdateUniBackupPlan",
                        "hbr:DeleteUniBackupPlan",
                        "hbr:CreateHanaInstance",
                        "hbr:UpdateHanaInstance",
                        "hbr:DeleteHanaInstance",
                        "hbr:CreateHanaBackupPlan",
                        "hbr:UpdateHanaBackupPlan",
                        "hbr:DeleteHanaBackupPlan",
                        "hbr:CreateClient",
                        "hbr:CreateClients",
                        "hbr:UpdateClient",
                        "hbr:UpdateClientSettings",
                        "hbr:UpdateClientAlertConfig",
                        "hbr:DeleteClient",
                        "hbr:DeleteClients",
                        "hbr:CreateJob",
                        "hbr:UpdateJob",
                        "hbr:CreateBackupPlan",
                        "hbr:UpdateBackupPlan",
                        "hbr:ExecuteBackupPlan",
                        "hbr:DeleteBackupPlan",
                        "hbr:CreateBackupJob",
                        "hbr:CreatePlan",
                        "hbr:UpdatePlan",
                        "hbr:CreateTrialBackupPlan",
                        "hbr:ConvertToPostPaidInstance",
                        "hbr:KeepAfterTrialExpiration"
                    ],
                    "Resource": [
                        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu",
                        "acs:hbr:*:1178037424989531:vault/v-0000ryfi******piu/client/*"
                    ]
                }
            ]
        }
        Note: v-0000ryfi******piu is the ID of the backup vault.
  2. Log on to the RAM console and create a custom policy.
    For more information, see Create a custom policy.
  3. Select the RAM user whose backup and recovery permissions you want to isolate. Then, attach the policy that you created in Step 2 to the RAM user.
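
The following is an added example, not part of the HBR documentation or console: a small offline check that classifies the policies attached to a RAM user as backup-only, restore-only, both denied, or not isolated for one vault, using the action lists from the two policies above. It assumes the user otherwise holds HBR permissions, treats `*` as the only wildcard, and uses constructed account, vault, region, and client IDs as probes.

```python
import re

# Action names copied from the two console-generated policies on this page.
RESTORE = {"hbr:" + a for a in """CreateRestore CreateRestoreJob CreateHanaRestore
    CreateUniRestorePlan CreateSqlServerRestore""".split()}
BACKUP = {"hbr:" + a for a in """CreateUniBackupPlan UpdateUniBackupPlan
    DeleteUniBackupPlan CreateHanaInstance UpdateHanaInstance DeleteHanaInstance
    CreateHanaBackupPlan UpdateHanaBackupPlan DeleteHanaBackupPlan CreateClient
    CreateClients UpdateClient UpdateClientSettings UpdateClientAlertConfig
    DeleteClient DeleteClients CreateJob UpdateJob CreateBackupPlan UpdateBackupPlan
    ExecuteBackupPlan DeleteBackupPlan CreateBackupJob CreatePlan UpdatePlan
    CreateTrialBackupPlan ConvertToPostPaidInstance KeepAfterTrialExpiration""".split()}

def _match(pattern, value):
    # Simplification: "*" is the only wildcard and matches any run of characters.
    return re.fullmatch(".*".join(map(re.escape, pattern.split("*"))), value) is not None

def _as_list(x):
    return [x] if isinstance(x, str) else list(x)

def make_policy(actions, account_id, vault_id):
    """Build a Deny policy in the same shape as the console-generated ones."""
    vault = f"acs:hbr:*:{account_id}:vault/{vault_id}"
    return {"Version": "1", "Statement": [{"Effect": "Deny",
            "Action": sorted(actions), "Resource": [vault, vault + "/client/*"]}]}

def denied_actions(policies, resource):
    """Known backup/restore actions explicitly denied on one concrete resource."""
    denied = set()
    for policy in policies:
        for st in policy.get("Statement", []):
            if st.get("Effect") != "Deny":
                continue
            if not any(_match(p, resource) for p in _as_list(st.get("Resource", []))):
                continue
            acts = _as_list(st.get("Action", []))
            denied |= {k for k in RESTORE | BACKUP if any(_match(a, k) for a in acts)}
    return denied

def isolation(policies, account_id, vault_id, region="cn-hangzhou"):
    """Classify a user's attached policies for one vault (probe IDs are constructed)."""
    vault = f"acs:hbr:{region}:{account_id}:vault/{vault_id}"
    denied = denied_actions(policies, vault) & denied_actions(policies, vault + "/client/c-probe")
    no_restore, no_backup = RESTORE <= denied, BACKUP <= denied
    if no_restore and no_backup:
        return "both-denied"
    return "backup-only" if no_restore else "restore-only" if no_backup else "not-isolated"

if __name__ == "__main__":
    ACCT, VAULT = "1000000000000001", "v-exampleVault001"  # constructed placeholders
    print(isolation([make_policy(RESTORE, ACCT, VAULT)], ACCT, VAULT))
```

A result of "not-isolated" also covers partial policies, such as one that omits the vault/.../client/* resource or drops a single action from the list.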