GDPR – vZilla
https://vzilla.co.uk
One Step into Kubernetes and Cloud Native at a time, not forgetting the world before

Veeam & HyTrust Overview
https://vzilla.co.uk/vzilla-blog/veeam-hytrust-overview
Tue, 17 Jul 2018 07:19:48 +0000

HyTrust’s CloudAdvisor product has some great integration with Veeam, which matters in a world where new regulations and rules are upon us and where we have a vast amount of data to manage. One thing we have not really had is visibility into the data types within the backup set.

When it comes to data within your backups, it is important to understand what types of data are being stored within your backup files. This can be achieved through indexing and search, but take that requirement one step further and think about how we could search for a specific type of data, for example credit card information that we don’t or shouldn’t be keeping. The integration with HyTrust allows this type of data to be highlighted and reported on.

This integration also gives you the ability to monitor your environment for malicious activity; if anything is found, it will trigger a reactive backup of your environment and data.

In the previous post we touched on the deployment process and adding some VMs to the HyTrust CloudAdvisor console along with the adding of Veeam backup jobs. We deployed an agent to the running production system and we also selected a backup of a VM. Just by adding that backup VM into my console it triggers a set of commands to start a process to understand what is happening within that machine in terms of data.

Below we will touch on the technology being used by Veeam and how HyTrust can find this important information.

Instant VM recovery

For those not aware, Veeam’s Instant VM Recovery is a great and really fast way of recovering data. It takes the backup file, mounts it to the virtual environment and then powers on the machine. This way you can check that this is the restore point you require, and once you are happy you can use the hypervisor migration tools to migrate back to the production storage. If that doesn’t work, Quick Migration from Veeam can also be used to get that machine back onto the production storage (bear in mind that it’s not as seamless).

More details on Instant VM recovery can be found in the Veeam User Guide here.

More to the point, once you have added a VM from a backup to your CloudAdvisor, it is going to perform the above steps to get that first parse of the data. Here is an Instant VM Recovery process automated by HyTrust.

Based on those insight profiles that we configured (or didn’t, because I used the default), we start to see some information from the backup file. This is a lab and there is not much happening here, but this really can give some insight into the backup data out of the box, based on the insight profiles created.

Insight Profiles Explained

The best way to explain is by creating a new profile.


The first step is to decide what we want to find within the VM or the backup. CloudAdvisor has a few pre-canned options here, but we can create our own.

Creating our own is a way of defining how particular data looks.


Once you have the name, you then need to define the expression for the data you would like to find.

The naming is the easy bit, but there is a huge user guide built in here that you can refer to, to make sure things are searching for what you require.

I went out and I found a credit card regex to use in this scenario. And for those interested in doing the same here it is.

^(?:4[0-9]{12}(?:[0-9]{3})?          # Visa
|  (?:5[1-5][0-9]{2}                # MasterCard
| 222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}
|  3[47][0-9]{13}                   # American Express
|  3(?:0[0-5]|[68][0-9])[0-9]{11}   # Diners Club
|  6(?:011|5[0-9]{2})[0-9]{12}      # Discover
|  (?:2131|1800|35\d{3})\d{11}      # JCB
)$

This was sourced from https://www.regular-expressions.info/creditcard.html. I expect this site to come in very handy as we need to find further expressions.
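To show how the expression above behaves outside the product, here is an added Python example (not from the original post and not HyTrust's own logic). It scans text for card numbers using the quoted regex plus a Luhn checksum to cut false positives, and masks each hit for reporting. The function names and the sample text are assumptions made for this illustration; the card numbers are published test numbers, not real data.

```python
import re

# The expression quoted above, unchanged. It is written in free-spacing style
# (whitespace and "# ..." comments inside the pattern), so it needs re.VERBOSE.
# Note the ^...$ anchors: it only matches when the whole string is the number.
CARD_RE = re.compile(r"""
^(?:4[0-9]{12}(?:[0-9]{3})?          # Visa
|  (?:5[1-5][0-9]{2}                # MasterCard
| 222[1-9]|22[3-9][0-9]|2[3-6][0-9]{2}|27[01][0-9]|2720)[0-9]{12}
|  3[47][0-9]{13}                   # American Express
|  3(?:0[0-5]|[68][0-9])[0-9]{11}   # Diners Club
|  6(?:011|5[0-9]{2})[0-9]{12}      # Discover
|  (?:2131|1800|35\d{3})\d{11}      # JCB
)$
""", re.VERBOSE)

# Assumption for this example: candidates are runs of 13-19 digits that may be
# grouped with single spaces or hyphens, as people tend to type them.
CANDIDATE_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def luhn_valid(digits: str) -> bool:
    """Luhn checksum: double every second digit from the right, sum, mod 10."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so the report does not store the number."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_card_numbers(text: str):
    """Return (line_number, masked_number) for each likely card number."""
    hits = []
    for line_no, line in enumerate(text.splitlines(), start=1):
        for m in CANDIDATE_RE.finditer(line):
            digits = re.sub(r"[ -]", "", m.group())
            # Brand/length check from the quoted regex, then the checksum.
            if CARD_RE.match(digits) and luhn_valid(digits):
                hits.append((line_no, mask(digits)))
    return hits


# Constructed sample, standing in for the text file left on the desktop.
SAMPLE = """\
Customer notes (constructed sample, not real data)
card: 4111 1111 1111 1111 exp 12/20
amex 3782-822463-10005
order ref 4111111111111112
ticket 9999888877776666
"""

if __name__ == "__main__":
    for line_no, masked in find_card_numbers(SAMPLE):
        print(f"line {line_no}: {masked}")
```

The fourth line of the sample passes the regex but fails the checksum, which is why the pattern on its own tends to over-report on order numbers and similar identifiers.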

I went over to the machine that is part of the added VM groups, added a simple text file to the desktop and put a credit card number in it. I then took a new Veeam backup. I then created a new snapshot schedule within CloudAdvisor, which forced the Instant VM Recovery to take place so that we would then discover the credit card information.

I finally wanted to show you the dashboard for this specific machine within the multiple restore points known here as Discovery Points.

GDPR Week – Security
https://vzilla.co.uk/vzilla-blog/gdpr-week-security
Fri, 25 May 2018 14:44:56 +0000

One of the main principles of GDPR is the way in which personal data is processed. This means we must consider things like risk analysis, organisational policies, and physical and technical measures. Later in the post I am going to touch on pseudonymisation and encryption and how these can assist the measures towards becoming compliant. The measures must ensure “confidentiality, integrity and availability” of systems, services and personal data. My favourite is that there must be the ability to restore access and availability to personal data in a timely manner in the event of a physical or a technical incident. Does this mean the backup and replication choice will no longer be last on the list? You also need to ensure that you have appropriate processes in place to test the effectiveness of your measures and undertake any required improvements.

Those are some of the things that should be in place from a security perspective, but what if something does get breached and data could have got out of the business? Then you must report any data and security breaches to the Information Commissioner. This is new, as previously it was the company’s choice whether it felt it needed to report. It is now mandatory.

Now we have the overview, I think you will agree it’s going to mean a huge review for a lot of businesses to understand the way their systems work as well as their employees.

Data Minimisation


Another area that I feel this is going to highlight is the security of systems. It is often overlooked, or corners have been cut to get things done quicker. GDPR will mean a much stronger focus on technical security; this is going to introduce the use of encryption and having to make sure those security patches are installed on those workloads.

As well as encryption, pseudonymisation will be another technique that businesses will have to explore. Pseudonymisation is a technique that replaces some of the identifiers with fictitious entries to protect people’s data privacy.

Quote from Wikipedia:

“Pseudonymisation enhances privacy by replacing most identifying fields within a data record by one or more artificial identifiers, or pseudonyms. There can be a single pseudonym for a collection of replaced fields or a pseudonym per replaced field.”

Road Warriors

Many of us carry laptops and other mobile devices around with us on a daily basis, and the majority of these devices actually contain some work content. How is this affected? Well, it comes down to that review of process and the directive from the data protection officer. There will be a requirement, as there is today, but with more of a highlight on making sure staff members are reliable when taking personal data and business data offsite on these devices. Device encryption is one of the areas I can quickly see being the easy tick here, but I am sure there are more options around this, like remote workers with thin clients on the road. This could also put data at risk of exposure, and failure to address these points could expose businesses to a fine.

GDPR Week – Unwanted Calls & Emails
https://vzilla.co.uk/vzilla-blog/gdpr-week-unwanted-calls-emails
Fri, 25 May 2018 10:30:26 +0000

I expect everyone has been experiencing the annoying calls and emails asking if you have been involved in an accident, or telling you that you are entitled to something because of something, even though neither has taken place. Well by all means this has not been done by breaking any laws! But these companies have obtained your information through some ways or means. GDPR should tighten up on this happening.

One of the key points moving forward, after the 25th May 2018, is that consent must be freely given, specific, informed and unambiguous. It cannot be buried in lengthy terms and conditions.

This will make it much harder for marketers to establish that they have the requisite permissions, which is why your inbox has probably been “spammed” recently with emails asking for your consent to continue receiving messages. The benefit moving forward is that it also needs to be just as easy to opt out of these as it is to sign up for them.


How will the company achieve this?

Most of these public and private organisations that hold such data will be required to appoint a Data Protection Officer. The task of the DPO will be to monitor compliance with the law and to provide education and training to staff, as well as conducting those internal audits and making sure things are in a good place. The DPO will also be the first point of contact for the authorities; I will touch on these later as well. They will also be the point of contact for any of those people that have their data processed. This will not stop at the employees; it includes the customers too. The interesting thing here is that the DPO must be given the resources to carry out these functions and must have direct access to the top of the management tree. Over the next few years, with the way data is becoming extremely important, the DPO role is going to be really important for all.

Who is responsible for making sure everyone adheres?

This is who, well at least for the UK: Elizabeth Denham, Information Commissioner for the United Kingdom. Elizabeth is also the Chief Executive Officer for a 500+ person independent regulatory agency enforcing data protection and freedom of information law. She appeared recently on the BBC and was asked some interesting questions in regard to the GDPR coming into effect.

“We will have more powers to stop companies processing data, but we only take action where there has been serious and sustained harm to individuals,” she explained.

“What this new fining power gives us is the ability to go after larger, global and sometimes multi-national companies where the old £500,000 fine would just be pocket change.”

She added that she accepted that some companies will need time to become fully compliant.

“The first thing we are going to look at is, have they taken steps, have they taken action to undertake the new compliance regime,” she added.

“Do they have a commitment to the regime?

“We’re not going to be looking at perfection, we’re going to be looking for commitment.”

Large fines will be reserved for the most serious cases, she said, when a company refuses to comply voluntarily.

This is why I mention that if you are only getting around to looking into this and it affects your business, then it’s not too late. But you need to welcome it, because the world is changing to have more awareness of data and, more importantly, personal data and how it is used.

Let’s try and summarise

All those customers that have been holding your data, emailing you privacy updates and even those people that have been calling you will be obligated to clearly inform people about why they are collecting personal data, how it is going to be used and, if it’s going to be shared, who with. This is the reason I personally think this is a step in the right direction for data: it’s going to make our personal data safer and it puts more control with us as to what we want companies to do with it. Unfortunately, this is not going to be an easy switch for all companies and there will be teething pains, but it’s a necessary must in my eyes.

For the British people reading who think this will all go away after the United Kingdom leaves the European Union: nope! The UK government has made it very clear that they will remain signed up.

Like I said I am all in favour of this and I do hope that the rest of the world takes notes and also becomes regulated in a similar way. I am also really pleased to know the company I work for is also adhering to this regulation.

GDPR Week – Overview, It’s not too late
https://vzilla.co.uk/vzilla-blog/gdpr-week-overview-its-not-too-late
Fri, 25 May 2018 08:26:40 +0000

Hi Everyone, it’s that week we have been speaking about for the last year or so. The General Data Protection Regulation (GDPR) comes into effect this Friday (25th May).

Hopefully this is not new news to anyone that must adhere to this new regulation, if it is then there are heaps of content out there and I summarised the Veeam efforts here in another blog post – Veeam & GDPR – The Journey to being GDPR Compliant

Last week, Veeam had their annual conference VeeamON in Chicago, at the conference I was fortunate enough to team up with some fellow Veeamers to talk about the process that Veeam has taken to achieve GDPR compliance but also how it’s not a line in the sand and it’s a case of continuous improvement. We also touched on some of the features that are included within Veeam Backup & Replication and Veeam ONE that will help you understand what your data is doing and what you are doing with it.


It was really interesting to hear the audience asking questions in regard to GDPR and other regulations. Service providers in the US were already well and truly down the road to becoming GDPR compliant but still had some questions in that regard, like where the line gets drawn between end user and service provider. Then there were people in the room that didn’t know that they needed to be compliant even though they hold European data.

If you are late to the game that doesn’t mean you shouldn’t get yourself on the path to becoming compliant. 4% of your turnover or £20 million could be the incentive that you need. More details can be found in that first link above.

You may have also noticed a stream of emails coming in regarding privacy rules from pretty much every company you have ever dealt with. One thing I want to share is that you should read these and understand what they will be committing to do to protect your data. I would also take a look back over those browser settings, because these could be used as a third-party way of passing on data to these companies and then it’s not your data as such; just something else to be aware of.

I am going to be putting a few posts out this week in the run up to “GDPR Date” I hope they are useful. I want to touch on some personal changes people should consider, at the end of the day it’s your data! But I would rather these massive companies not use my data for the wrong reasons. I will also be touching on some more features within the Veeam platform that may help.

vZilla Blog Veeam ONE – Location Tagging
https://vzilla.co.uk/vzilla-blog/vzilla-blog-veeam-one-location-tagging
Mon, 23 Apr 2018 07:27:05 +0000

A few months back I touched on a cool new capability within Veeam Backup & Replication called Location tagging, allowing administrators to mark the location of their physical constructs. This in turn can be used for GDPR and data locality but also other rules and regulations a company may have to adhere to.

This post will go into the capabilities that this then extends to Veeam ONE in terms of being able to report against these locations and more importantly be able to highlight location violations that may have occurred within the company.

At the same time that Veeam Backup & Replication was updated to Update 3, so was Veeam ONE.

In the post linked above that covered this feature within backup and replication I talk of the benefits of being able to define where workloads reside in their backup state. This is good but it’s not that useful when you get to scale if you don’t have a way of reporting against those workloads.

Veeam ONE Reporter

Veeam ONE Reporter is one of the three components that come with the Veeam ONE product. It allows the data that is captured via the monitor to be pushed either into dashboards for instant visibility or into reports that can be scheduled and sent to various areas of the business. It is the Reporter component that we will use to gain visibility into the data location tagging we achieved in Veeam Backup & Replication.

To begin with a bit more of an overview of Reporter: there are already lots of really great reports built into the product that can be used out of the box, such as change tracking reports to see who has made changes to your virtual environment as well as your backup. There is a report on Active Snapshots; in the VMware world you are walking a thin line by keeping many active snapshots open for a period of time.

There is also the ability to create custom reports where you can take the useful bits of other reports and include that information into one custom report.

For the purposes of seeing how we can benefit from the data locality tagging there are two reports, and these are searchable in this same screen above over to the right of the screen.


Data Sovereignty Overview

When you select this report, you are faced with two options. The first is the scope of the environment we want this report to be run against. This could be multiple sites, virtual centres etc., with different data protection or security officers with different responsibilities, or even different countries or continents.

Secondly, as you can see, you can then choose the source locations that we want to include. These are the locations that were created within Veeam Backup & Replication.

You can then run that there and then, or we can save and configure a schedule.

The first page of the report is going to show us Virtual Machines or Agent Locations. We can see from this report that I have 4 machines that do not contain a tag at all. We also see the backup locations; in our environment we have two locations, defined as Columbus and London. Other information such as Replica locations and tape drive locations can also be configured.

The second page follows, and it can be exported to a Word, Excel or PDF file at this stage. Here we can see the backup location; if there were additional or secondary long-term retention backup copies, we could see where this data now resides. For an overview report that you might want to see every now and again to make sure that workloads are being marked as being in a location, it’s quite a powerful feature, as well as being very simple and easy to run to gain that information.

Data Sovereignty Violations

The more important report, which I expect to be run more frequently, would be the Data Sovereignty Violations report. This takes those locations, looks at where the data is residing and reports back any violations of data sovereignty. This will really help if your business spans multiple geolocations and you have to have visibility into not only production data but also the backup data.

This first page, or the first snapshot, gives you a good first view of where there are possible problems with regulations, whether that is with backup jobs, replication jobs or even tape. It will also highlight where no tag has been defined on certain constructs within Veeam Backup & Replication.

The second screen drills down into more detail about where the live system is running and tells us where the backup is residing. If this is different, then expect to see the mismatches or violations in here.

The final page is going to highlight those constructs that do not have a tag assigned to them.

Finally I wanted to share those example reports in PDF format just to see what they look like.

Data Sovereignty Overview

Data Sovereignty Violations

Veeam & GDPR – The Journey to being GDPR Compliant
https://vzilla.co.uk/vzilla-blog/veeam-gdpr-the-journey-to-being-gdpr-compliant
Mon, 09 Apr 2018 09:49:41 +0000

Veeam and GDPR

As we move close to that GDPR-Day of the 25th May 2018, I wanted to collate all of the related blogs, white papers and other media together so that they could be seen and read. The need to become compliant should have already started for most but for some it’s been put in the corner. It’s happening people.

I have to share this link as well as I thought the URL was great.

https://howmanydaystill.com/its/gdpr

Veeam were very cautious about just releasing the next “GDPR compliant” marketing message, which generally speaking is completely false; there is not one backup vendor that can make any one company GDPR compliant. The information Veeam has released is basically about how Veeam itself has already become GDPR compliant, and about some of the features within the Veeam platform that assist you as a customer in reaching a GDPR compliant state and then retaining that compliance.

I wanted to put together a list of resources that consolidates all of those links into one place. Obviously I expect this list to continue growing, but the bulk of the content is listed below.

Blogs

Fast approaching a year ago, the first GDPR communications from Veeam were released via Danny Allan. This blog touches, at a high level, on the why and what of GDPR: that this is a necessary change, and how the world of data is very different now to what it was before smartphones and all of this other connected technology. It also starts to touch on the journey that Veeam had to take to reach that compliant state and then to share that story.

One Year out – Considerations for the next 12 months

At the beginning of the year @DannyAllan5 began the blog series on GDPR, and this really comes from the battle scars gleaned as Veeam started that compliance journey. The 5 part series linked below touches on some of the key principles required and the things that you need to know prior to getting to that compliant stage, but also on how you maintain it. It’s not a finish line that you as a business need to get to. This is a new way of life and of managing data into the future.

GDPR: Lesson 1, Know Your Data

GDPR: Lesson 2, Manage Your Data

GDPR: Lesson 3, Protect Your Data

GDPR: Lessons 4 & 5, Document-Comply-Improve

White Papers

These 5 lessons can also be found in more detail in a couple of white papers released in January of this year. Mark Wong, General Counsel at Veeam, has written these white papers. The first one is for IT staff; it covers the 5 steps in more detail to show what the process of becoming compliant should look like from the IT manager’s perspective within a business. The second is aimed at the CIO: how Veeam plays a critical role within data management and protection strategies to ensure Veeam remains compliant while delivering Availability, and how this information can help your business to achieve the same.

GDPR: 5 lessons learned Veeam compliance Experience Shared – A Step by Step guide for IT professionals

GDPR: 5 Lessons Learned, Veeam Compliance Experience Shared. CIO Summary.

Webinars

A recorded webinar from February this year.

  • Our insights and five key lessons that we learned through our own compliance to help you on the path to thinking about GDPR compliance
  • How to accelerate your GDPR efforts today
  • Existing data management strategies and tactics for efficient IT assessment

Avoiding GDPR Penalties – 5 Key Principles. Veeam compliance Experience Shared

Other Resources

Finally we have the Veeam landing page with further resources on how Veeam can assist in that journey to being GDPR compliant. Some two pagers, recorded VeeamLive sessions and a Data privacy impact survey.

https://go.veeam.com/gdpr-compliance

At the recent Cisco Live I spoke on the Cube about the Veeam GDPR messaging.

A year ago I had my good friend Paul Stringfellow on the Veeam communities Podcast, where we were talking about security. There were many mentions of GDPR, but also of other security considerations that everyone should consider – Episode 123 – A Security 1,2,3 chat with Paul Stringfellow

Finally I have also been adding some of the technical features that will really help when it comes to this journey here.

Veeam Features 9.5 Update 3 – Location tagging
https://vzilla.co.uk/vzilla-blog/veeam-features-9-5-update-3-location-tagging
Wed, 28 Feb 2018 07:36:29 +0000

A new feature in Veeam Backup & Replication and Veeam ONE 9.5 Update 3 is location tagging. Location tagging gives some additional information about our infrastructure and our backup data, with the year 2018 being branded not only the year of data but also the year of GDPR. These location tags are going to help not only from a reporting point of view on where your data is residing, but also when it comes to restores, especially out-of-location restores. Veeam ONE will also be able to report on these tags, ensuring you know where the data is and whether it should be there.

First up is the backup repository location: the ability to set the location of your target backup repository.

Before we move forward we need to create our locations. You can do this by right clicking on the object and then selecting manage locations.


A very simple wizard approach, add your locations by text and that’s it.


Once you have added your list of locations you will see them all listed as below. The import wizard allows you to import from a csv.


It’s as simple as that, but it’s not how complicated the feature is, it’s how and what it does for your business. You can also define locations on your other physical components.


This will then allow us to populate location down to the assets within these virtual centres or these physical entities. See below for some other areas where you can define location.

Agent Management – Location Tagging

Also within the Update 3 feature list was the inclusion of agent management, and of course the location tagging continues here to show where those physical or cloud instances reside.

Now that we can define where our physical constructs are, this will help us understand where the data has come from if you are moving between certain countries or sites. Next up we will look at how this can be seen and presented within Veeam ONE.