
⏱️ 3–5 days

DISA STIG

DR Test

Compliance

Phase 07 is the FINAL phase. Once it is complete, the Veeam v13 Enterprise system is ready for production and for ISO 27001 / DISA STIG / SOC2 audits.

Prerequisites

All of Phases 01–06 must be complete before starting Phase 07.

PART A Security Hardening Verification
  • A1 — DISA STIG Compliance Report
  • A2 — Encryption Verification
  • A3 — RBAC Audit
  • A4 — Four-Eyes Approval Testing
  • A5 — Infrastructure Lock
  • A6 — Audit Log Configuration
  • A7 — Security Restore
PART B DR Testing & Validation
  • B1 — HA Failover Test
  • B2 — Full DR Recovery Test
  • B3 — Immutability Breach Test
  • B4 — SureBackup Validation
  • B5 — Tape Recovery Test
PART C Compliance Documentation Package
  • Evidence collection table
  • Final acceptance checklist
  • Maintenance calendar
  • Risk register

Breaking Changes in v13 Security — Key New Points

DISA STIG Report Built-in

VSA ships with a built-in DISA STIG compliance report, so no external tool is needed.

Infrastructure Lock Mode

New in v13: prevents adding components without Security Officer approval.

Security Restore (AV Scan)

Built-in AV scan before a VM is restored to production.

gRPC + Certificate Auth

Completely replaces NTLM; verify that no NTLM fallback remains.

Coveware Recon Integration

Coveware is integrated into the Veeam ONE Threat Center for early malware detection.

PART A — SECURITY VERIFICATION

A1 — DISA STIG Compliance Report (Built-in VSA)

Web UI VSA → Reports → Security & Compliance → DISA STIG Report
→ Run report
→ Review all findings
→ Fix all non-compliant items
→ Re-run until clean

Common STIG Findings & Fixes

| Finding | Fix |
| --- | --- |
| SSH enabled on JeOS node | Disable via Host Management → Security → SSH → Disable |
| MFA not enforced | Enable MFA for all admin accounts (Phase 02, Step 5) |
| NTLM authentication active | Disable NTLM in AD + Veeam settings |
| Default password not changed | Change all default veeamadmin passwords |
| Audit logging disabled | Enable audit log retention ≥ 90 days |
| Backup not encrypted at rest | Enable AES-256 on all backup jobs |
| Config backup not encrypted | Enable encryption on config backup |

A2 — Encryption Verification

At-Rest Encryption

Each backup job → Edit → Advanced → Security
→ Enable backup file encryption: AES-256 ✅
→ Password: key stored in enterprise password vault (CyberArk / HashiCorp Vault)
→ Verify: .vbk file cannot be opened without key

In-Transit Encryption

| Link | Encryption |
| --- | --- |
| VBR ↔ Proxy | TLS (certificate-based, automatic in v13) |
| VBR ↔ S3 | HTTPS enforced via bucket policy |
| Veeam ONE ↔ VBR | TLS certificate |

Verify No Plaintext Backup Traffic

# Capture on backup VLAN and verify TLS handshakes
tcpdump -i eth0 -n port 2500 -w /tmp/backup_traffic.pcap
# Analyze: should show TLS handshake, not plaintext data
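To turn "should show TLS handshake, not plaintext" into a repeatable check, the following added example (not from the original page) classifies the first bytes of each captured TCP stream by its TLS record header. The flows and payloads are constructed samples; in practice you would extract stream payloads from the tcpdump capture above.

```python
# Added example, not from the original page: classify the first bytes of each
# captured TCP stream on the backup VLAN as a TLS handshake or as plaintext.
# The flows below are constructed samples, not real Veeam traffic.

TLS_HANDSHAKE, TLS_APP_DATA = 0x16, 0x17
TLS_VERSIONS = {0x0301: "TLS1.0", 0x0302: "TLS1.1", 0x0303: "TLS1.2", 0x0304: "TLS1.3"}
HANDSHAKE_TYPES = {0x01: "ClientHello", 0x02: "ServerHello"}
MAX_RECORD_LEN = 2**14 + 2048  # largest legal TLS record (ciphertext)

def classify_payload(payload: bytes) -> str:
    """Label the start of a stream: TLS handshake, TLS data, plaintext or unknown."""
    if len(payload) < 5:
        return "too-short"
    content_type = payload[0]
    version = int.from_bytes(payload[1:3], "big")
    length = int.from_bytes(payload[3:5], "big")
    if version in TLS_VERSIONS and 0 < length <= MAX_RECORD_LEN:
        if content_type == TLS_HANDSHAKE:
            hs = HANDSHAKE_TYPES.get(payload[5]) if len(payload) > 5 else None
            return f"tls-handshake:{hs or 'other'}"
        if content_type == TLS_APP_DATA:
            return "tls-application-data"
    # A stream that opens with readable text is the red flag this check looks for.
    head = payload[:32]
    if sum(32 <= b < 127 or b in (9, 10, 13) for b in head) >= 0.9 * len(head):
        return "PLAINTEXT"
    return "unknown-binary"

def audit_flows(flows):
    """Group flows (src, dst, payload) by label; a non-empty PLAINTEXT list fails."""
    report = {}
    for src, dst, payload in flows:
        report.setdefault(classify_payload(payload), []).append(f"{src}->{dst}")
    return report

# Constructed samples: a TLS 1.2 ClientHello record and a plaintext stream.
CLIENT_HELLO = (b"\x16\x03\x01\x00\x2d\x01\x00\x00\x29\x03\x03" + b"\x11" * 32
                + b"\x00\x00\x02\x13\x01\x01\x00")
PLAINTEXT = b"BACKUP-STREAM vm-backup.vbk chunk=0001\r\n"
SAMPLE_FLOWS = [
    ("10.10.20.5:49152", "10.10.20.8:2500", CLIENT_HELLO),
    ("10.10.20.5:49153", "10.10.20.9:2500", PLAINTEXT),
    ("10.10.20.6:49154", "10.10.20.8:2500", b"\x00\x01\x02\x03\xff\xfe\xfd\xfc"),
]
```

Any flow reported under PLAINTEXT is evidence that a data mover is not using the v13 certificate-based TLS channel and should be investigated before sign-off.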

A3 — RBAC Audit

Console → Main Menu → Users and Roles
→ Review every assignment
→ Check: is each account using minimum privilege?

Audit Checklist

A4 — Four-Eyes Approval Testing

Verify that Security Officer approval is required for the following operations:

1. Delete backup job

Try to delete a job → the dialog must prompt for Security Officer credentials

Evidence: screenshot of the approval dialog

2. Disable immutability

Try to disable immutability on the repo → must be blocked or require approval

Evidence: screenshot of the approval dialog

3. Remove SOBR extent

Try to remove an extent → must require Security Officer approval

Evidence: screenshot of the approval dialog

A5 — Backup Infrastructure Lock Verification

Web UI VSA → Security → Backup Infrastructure Lock → Status: ENABLED ✅
Test: Try to add new backup repository without Security Officer approval → must be BLOCKED
Screenshot: capture lock status as evidence
New feature in Veeam v13. Prevents an attacker from adding "rogue" backup infrastructure to the environment.

A6 — Audit Log Configuration

Console → Main Menu → History → Audit Logs
Verify logs capture:
  - Login/logout events
  - Job create/modify/delete
  - Repository changes
  - Restore operations
  - Security Officer approval events

Retention: ≥ 90 days (DISA STIG requirement)
Export to SIEM: syslog or Windows Event Forwarding (optional but recommended)
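The following added example (not from the original page) shows how to check an exported audit log for the event classes listed above and for the 90-day retention floor. The log lines, their format and the keyword mapping are constructed for illustration; map REQUIRED_EVENTS to the wording of your real export.

```python
# Added example, not from the original page: check an exported audit log for
# the event classes listed in A6 and for the 90-day retention floor. The log
# format and the keywords are constructed, not Veeam's real export format.
from datetime import date
import re

REQUIRED_EVENTS = {  # event class -> constructed keywords that identify it
    "login/logout": ("login", "logout"),
    "job create/modify/delete": ("job created", "job modified", "job deleted"),
    "repository changes": ("repository",),
    "restore operations": ("restore",),
    "security officer approval": ("approval",),
}
RETENTION_DAYS = 90  # DISA STIG retention requirement quoted on the page
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ \S+ veeam\[\d+\]: (.*)$")

def audit_coverage(lines, today):
    """Return which required event classes are absent and the retention span."""
    seen, dates = set(), []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable lines are skipped, not counted as evidence
        day, msg = m.groups()
        dates.append(date.fromisoformat(day))
        for cls, keywords in REQUIRED_EVENTS.items():
            if any(k in msg.lower() for k in keywords):
                seen.add(cls)
    span = (today - min(dates)).days if dates else 0
    return {
        "missing": sorted(set(REQUIRED_EVENTS) - seen),
        "retention_days": span,
        "retention_ok": span >= RETENTION_DAYS,
    }

# Constructed sample export; the approval event class is deliberately absent.
SAMPLE_LOG = """\
2025-03-01T08:00:12Z vbr-01 veeam[1201]: User CORP\\bkadmin login succeeded
2025-04-10T09:15:03Z vbr-01 veeam[1201]: Job modified: Tier1-SQL by CORP\\bkadmin
2025-05-02T17:40:55Z vbr-01 veeam[1201]: Restore session started for vm-sql-01
2025-06-20T11:05:41Z vbr-01 veeam[1201]: Repository repo-01 settings changed
2025-06-29T18:22:09Z vbr-01 veeam[1201]: User CORP\\bkadmin logout
""".splitlines()
TODAY = date(2025, 6, 30)  # constructed reference date for the retention check
```

An entry in "missing" means that event class never appeared in the export, so either it is not being logged or the A4 test that should have produced it was not run.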

A7 — Security Restore Configuration

Backup job → Edit → Advanced → Integration
→ Enable: "Scan machine for viruses and malware before performing restore"
→ AV engine: ICAP endpoint OR Windows Defender
→ Test: restore VM to staging → verify AV scan runs → check scan report

PART B — DR TESTING & VALIDATION

B1 — HA Failover Test (VSA)

Test scenario: Node 1 (primary) suddenly fails

Step-by-Step

  1. Pre-test — document current state
     Active node: veeam-node1 (record in the test log) · All jobs: running normally · Cluster IP: resolves to Node 1
  2. Simulate failure
     Power off VSA Node 1 (simulates hardware failure)
  3. Start timer ⏱️
  4. Connect to Cluster IP
     Dialog: "Primary node not responding — connect to secondary?" → Click Yes → connect to Node 2
  5. Initiate failover
     HA → Emergency Failover → Confirm
  6. Stop timer — record RTO
     Expected RTO: ≤ 10 minutes

Post-Failover Verification Checklist

Restore Node 1: Power on → becomes standby node

B2 — Full DR Recovery Test (VM from DR site)

Test scenario: Main site unavailable — recover from DR site
1. Select Tier-1 VM backup from repo-dr-01
2. Restore → Instant VM Recovery → Target: DR vCenter cluster
3. Start timer ⏱️
4. Verify:
   - VM boots successfully at DR site
   - Application services start (SQL, IIS, AD)
   - Network connectivity from DR site
   - Data integrity: spot-check critical files, DB records
5. Stop timer → Record RTO (target: per SLA)
6. Cancel restore (or migrate if actual DR event)

B3 — Immutability Breach Test

# Temporarily enable SSH via Host Management
# Connect to repo-01

# Test 1: Delete immutable file
rm /backups/vm-backup.vbk
# Expected output: rm: cannot remove '/backups/vm-backup.vbk': Operation not permitted ✅

# Test 2: Overwrite immutable file
echo "ransomware" > /backups/vm-backup.vbk
# Expected output: bash: /backups/vm-backup.vbk: Permission denied ✅

# Disable SSH after test

B4 — SureBackup Validation (Rule: 0 Errors)

1. Run SureBackup job for ALL Tier-1 VMs
2. Verify for each VM:
   - VM boots successfully in virtual lab ✅
   - Heartbeat/ping tests pass ✅
   - Application-specific tests pass (SQL query, web response) ✅
   - NO failures
3. Fix any SureBackup failures BEFORE signing off
4. Export SureBackup report as audit evidence
No SureBackup failure is acceptable. All Tier-1 VMs must pass 100% before sign-off.

B5 — Tape Recovery Test

1. Select tape from GFS-Monthly pool
2. Restore → Tape → select backup from tape
3. File-level restore to staging location
4. Record restore time (expected: several hours depending on data size)
5. Note: Tape is long-term archive, NOT primary DR → document separate RTO
Tape recovery RTO is documented separately; the SLA for disk/cloud restores does not apply to it.

PART C — COMPLIANCE DOCUMENTATION PACKAGE

C1 — Evidence Collection Table

| Document | Source | How to Get |
| --- | --- | --- |
| DISA STIG Compliance Report | VSA Web UI | Security → Compliance → Export PDF |
| RBAC Matrix | VBR Console | Users & Roles → Screenshot + Export |
| Backup Success Rate (90 days) | Veeam ONE | Reports → Backup Success Rate → Export |
| SureBackup Results | Veeam ONE / VBR | History → SureBackup → Export |
| HA Failover Test Log | Manual | Record RTO + screenshots |
| DR Recovery Test Log | Manual | Record RTO + screenshots |
| Immutability Test Evidence | Manual | Screenshot of "permission denied" |
| Encryption Settings | VBR | Backup job properties → Screenshot |
| Four-Eyes Approval Logs | VBR Audit Log | Export audit log entries |
| Infrastructure Lock Status | VSA Web UI | Security → Screenshot |
| 3-2-1-1-0 Verification | VBR | Backup → Properties → Storage → Screenshot |

C2 — Final Acceptance Checklist

Security

DR Resilience

Compliance

Operations

C3 — Maintenance Calendar (Post-Deployment)

| Frequency | Tasks |
| --- | --- |
| Daily | Morning Veeam ONE summary, check failed jobs |
| Weekly | SureBackup auto-run, SOBR health check, tape GFS job |
| Monthly | Capacity forecast review, security alert review |
| Quarterly | DR failover drill, tape recovery test, RBAC review |
| Annually | Full DISA STIG audit, license renewal, hardware refresh review |

C4 — Risk Register

| Risk | Severity | Mitigation |
| --- | --- | --- |
| Ransomware encrypts backups before immutability kicks in | HIGH | Immutability lock period ≥ 30 days; air-gap tape offsite |
| HA failover exceeds 10-minute RTO SLA | MEDIUM | Pre-test network latency; use dedicated management VLAN |
| DISA STIG findings remain unresolved at audit time | HIGH | Run STIG report weekly; assign owners to each finding |
| S3 Object Lock misconfigured — backups deletable | HIGH | Verify Compliance mode (not Governance) on all S3 buckets |
| gMSA password rotation breaks Veeam service accounts | MEDIUM | Test gMSA auto-rotation in staging before production rollout |
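Two register rows, the immutability lock period and the S3 Object Lock mode, can be verified with one check. The following added example (not from the original page) evaluates bucket and object settings against both; the dicts mirror the shape of boto3's get_object_lock_configuration() and get_object_retention() responses, but every bucket, key and value below is constructed.

```python
# Added example, not from the original page: evaluate S3 Object Lock settings
# against the risk-register mitigations (Compliance mode, lock period >= 30 days).
# The dicts mirror boto3's get_object_lock_configuration() and
# get_object_retention() response shapes; every value below is constructed.
from datetime import datetime, timedelta, timezone

MIN_LOCK_DAYS = 30  # "Immutability lock period >= 30 days" from the register

def check_bucket(bucket, lock_cfg, sampled_objects):
    """Return findings for one bucket; an empty list means it passes."""
    lock = lock_cfg.get("ObjectLockConfiguration", {})
    if lock.get("ObjectLockEnabled") != "Enabled":
        return [f"{bucket}: Object Lock not enabled, backups are deletable"]
    findings = []
    default = lock.get("Rule", {}).get("DefaultRetention")
    if default and default.get("Mode") != "COMPLIANCE":
        findings.append(f"{bucket}: default retention mode is {default.get('Mode')}")
    # Veeam applies retention per object, so sampled objects are the real evidence.
    for key, obj in sampled_objects.items():
        ret = obj.get("Retention", {})
        if ret.get("Mode") != "COMPLIANCE":
            findings.append(f"{bucket}/{key}: retention mode {ret.get('Mode') or 'none'}")
            continue
        locked_days = (ret["RetainUntilDate"] - obj["LastModified"]).days
        if locked_days < MIN_LOCK_DAYS:
            findings.append(f"{bucket}/{key}: locked {locked_days} days < {MIN_LOCK_DAYS}")
    return findings

def audit_buckets(sample):
    """Run check_bucket over {bucket: (lock_config, {key: object})}."""
    return {b: check_bucket(b, cfg, objs) for b, (cfg, objs) in sample.items()}

NOW = datetime(2025, 6, 30, tzinfo=timezone.utc)  # constructed reference time

def locked_object(days_ago, lock_days, mode="COMPLIANCE"):
    """Build a constructed object record with LastModified and its retention."""
    written = NOW - timedelta(days=days_ago)
    return {"LastModified": written,
            "Retention": {"Mode": mode, "RetainUntilDate": written + timedelta(days=lock_days)}}

SAMPLE = {  # constructed buckets: one compliant, one weak, one without Object Lock
    "veeam-capacity-01": ({"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled"}},
                          {"blk-0001": locked_object(3, 30), "blk-0002": locked_object(10, 45)}),
    "veeam-capacity-02": ({"ObjectLockConfiguration": {"ObjectLockEnabled": "Enabled",
                           "Rule": {"DefaultRetention": {"Mode": "GOVERNANCE", "Days": 30}}}},
                          {"blk-0001": locked_object(1, 14, "GOVERNANCE"),
                           "blk-0002": locked_object(1, 14)}),
    "veeam-archive-01": ({}, {}),
}
```

Governance mode is flagged because it can be bypassed by a principal holding s3:BypassGovernanceRetention, which is exactly the "backups deletable" risk the register describes.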

Deployment Complete!

Veeam Backup & Replication v13 Enterprise

All 7 phases complete — the system is ready for production & audit
