
This year we received an FSTEC certificate (TU + NDV4) for Veeam Backup & Replication v8 Update #2. In this post, I will briefly describe when it is worth choosing this certified version of the product over the regular (non-certified) one, the key differences of the certified version, and the general legal requirements for backing up restricted-access information that is not a state secret.
A certified version of a backup product is generally required in the following cases:
- If the product is used in state organizations, in network segments where FSTEC requirements make certified software versions mandatory.
- If the virtual machines process restricted-access information that is not a state secret. This term is defined in legislation and in fact covers any information to which access is restricted by law. For example, restricted-access information includes confidential company information, personal data of individuals, various types of secrets (commercial, medical, legal, etc.), information about production secrets, etc. Of course, state secrets must also be protected by certified products, but in that case the certification must be of a higher level than the one Veeam Backup & Replication holds, so the existing certified version of the product cannot be used to protect data classified as a state secret.
- If an organization requires the use of certified software versions under its security policy.
- If the company receives restricted-access information from a counterparty while executing a contract (for example, information constituting the counterparty's commercial secret).
- If the organization's information system (due to its criticality and importance) is explicitly subject to legal requirements mandating the use of certified information protection tools in it. For example: non-redundant parts of the network infrastructure of the Internet, automated control systems for NPPs, automated systems of the Ministry of Emergency Situations, information systems of state authorities, etc.
In 2013-2014, FSTEC issued Orders No. 17, No. 21 and No. 31, which explicitly classified backup tools in general (and backup tools for virtual environments in particular) as information protection tools and set special requirements for them. In particular, the requirements for backing up virtualization tools are described in measure ZSV.8. I especially want to note that Veeam Backup & Replication v8 has been certified against technical specifications (TU) in accordance with the requirements of these FSTEC orders.
If a backup product was certified before these FSTEC orders came into force, it has a “regular” TU certificate (without confirmed compliance with measure ZSV.8). This complicates the task for the user, who has to conduct tests on their own to show that their information system complies with the current requirements of the FSTEC orders.
For example, if we talk about backing up personal data, then:
- It is required to confirm that the product's functionality complies with the protective measures from the FSTEC orders for ISPD security levels 1 and 2; for levels 3 and 4, the operator decides on their use, based on the established requirements for the operation of personal data information systems. An FSTEC certificate for technical specifications (TU) confirms this “automatically”, without resorting to certification or other types of information security research.
- It is also required to confirm the absence of undeclared capabilities (NDV) in the product: since the FSTEC orders directly classify data backup and recovery as “security measures”, the software products that perform backup are information security tools. Information security tools used in ISPDs of the 1st and 2nd levels of personal data security, as well as in 3rd-level systems for which threats related to undeclared capabilities in application software are relevant, must be verified to at least the 4th level of control for the absence of undeclared capabilities. This is a very important point in determining whether backup tools need certification, because the absence of NDV can only be confirmed through the state certification system.
Regarding supported platforms, the certified version of Veeam Backup & Replication supports such popular versions of the Microsoft and VMware virtualization platforms as VMware vSphere 5.5 / 6.0 and Microsoft Hyper-V Server 2012 R2.
Keep in mind that the certified version is supplied on physical media with the necessary supporting documentation (form, TU, certificate), while the trial version can be downloaded, as usual, in electronic form (by contacting the sales department). Any number of licenses can be purchased with a certified kit. Delivering the certified version does not require FSTEC licenses, so any Veeam partner in Russia can deliver the electronic license and the physical certified kit.
A separate advantage of the certified version of Veeam Backup & Replication is its technical support, which is provided in Russia:
1) according to special service algorithms, since a certified product cannot be updated (whereas updating is often what is proposed for a regular non-certified version);
2) entirely (all three levels) in Russian.
Brief conclusion
The FSTEC certificate gives Veeam users the opportunity to organize business processes in accordance with the requirements of Russian Federation legislation. The certified version of Veeam Backup & Replication v8 can be used to back up personal data of individuals, confidential information of organizations, DSP information, trade secrets and other restricted-access information that is not a state secret, both in the public sector and in commercial organizations.
Additional links
1. Information site about the FSTEC-certified version of Veeam Backup & Replication and about backing up restricted-access information in general
2. Article by M. Yu. Emelyannikov, “The need for data backup for business, and whether the FSTEC certificate is needed for this”
3. Recording of the webinar “Backing up business requests and the requirements of the law” (speakers Vitaly Savchenko, Mikhail Emelyannikov, Maria Sidorova)
4. FSTEC certificate for Veeam Backup & Replication