FSTEC Certified Version of Veeam Backup and Replication: Back Up Confidential Information


    This year we received the FSTEC certificate (TU + NDV4) for Veeam Backup & Replication v8 Update #2. In this post, I will briefly cover when it is worth choosing the certified version of the product over the regular (non-certified) one, the key differences of our certified version, and the general legal requirements for backing up restricted information that is not a state secret.

    A certified version of a product intended for backing up information is generally required in the following cases:

    • If the product is used in government organizations, in network segments where FSTEC requirements mandate certified versions of software.

    • If virtual machines process restricted information that is not a state secret. This term is defined in legislation and in effect covers any information to which access is limited by law. For example, restricted information includes confidential company information, personal data of individuals, various types of secrets (commercial, medical, attorney, etc.), information on production secrets, and so on. State secrets must, of course, also be protected by certified products; however, that requires a higher level of certification than Veeam Backup & Replication has, so the existing certified version of the product cannot be used to protect data classified as a state secret.

    • If the organization's security policy requires certified software versions.

    • If the company, in the course of performing a contract, receives restricted information from the counterparty (for example, information constituting the counterparty’s trade secret).

    • If the organization’s information system (due to its criticality and importance) is explicitly subject to legislation requiring the use of certified information protection tools in it. For example: sections of the network infrastructure of the Internet that do not have a backup system, automated process control systems of nuclear power plants, automated systems of the Ministry of Emergencies, information systems of public authorities, etc.

    In 2013-2014, FSTEC issued orders No. 17, No. 21 and No. 31, in which backup tools in general (and backup tools for virtual environments in particular) were explicitly classified as information protection tools, and special requirements were established for them. In particular, the requirements for backing up virtualization tools are described by the ZVS.8 measure. I especially want to note that Veeam Backup & Replication v8 has been certified against technical specifications (TU) in accordance with the requirements of these FSTEC orders.

    If a backup product was certified before these FSTEC orders came into force, it has an “ordinary” certificate against technical specifications (without confirmation of compliance with the ZVS.8 measure). This complicates matters for the user, who has to run tests on their own to show that their information system complies with the current requirements of the FSTEC orders.

    For example, when it comes to backing up personal data:

    • It is required to confirm that the product's functionality conforms to the protective measures in the FSTEC orders for the 1st and 2nd security levels of ISPDn (personal data information systems); for the 3rd and 4th levels, the decision on their use is made by the operator, based on the requirements the operator has established for the functioning of its personal data information systems. The FSTEC certificate against TU allows you to confirm this “automatically”, without resorting to certification or other types of security assessment of the information system.

    • It is also required to confirm the absence of undeclared capabilities (NDV) in the product: since the FSTEC orders refer to data backup and recovery directly as “security measures”, software products that provide backup are classed as information protection tools. Information protection tools used in ISPDn of the 1st and 2nd security levels of personal data, as well as in systems of the 3rd security level for which threats related to undeclared capabilities in application software are relevant, must be tested to at least the 4th level of control for the absence of undeclared capabilities. This is a very important point in determining whether backup tools need to be certified, because the absence of NDV can only be confirmed through the state certification system.

    As for supported platforms, the certified version of Veeam Backup & Replication supports such common versions of the Microsoft and VMware virtualization platforms as VMware vSphere 5.5 / 6.0 and Microsoft Hyper-V Server 2012 R2.

    Keep in mind that the certified version is delivered on physical media with the necessary supporting documentation (form, technical specifications, certificate), but the trial version can be downloaded, as usual, in electronic form (by contacting the sales department). Any number of licenses can be purchased with a certified kit. FSTEC licenses are not required to deliver the certified version, so any Veeam partner in Russia can supply electronic licenses and a physical certified kit.

    A separate advantage of the certified version of Veeam Backup & Replication is its technical support, which is provided in Russia:

    1) following special support procedures, since the certified product cannot be updated (which is what is often suggested for the regular non-certified version);
    2) entirely (all three levels) in Russian.

    Brief conclusion


    The FSTEC certificate gives Veeam users the opportunity to organize business processes in accordance with the requirements of the legislation of the Russian Federation. The certified version of Veeam Backup & Replication v8 can be used to back up personal data of individuals, confidential information of organizations, information marked “for official use”, trade secrets and other restricted information that is not a state secret, both in the public sector and in commercial organizations.

    Links


    1. Information site on the FSTEC certified version of Veeam Backup & Replication and on backing up restricted information in general
    2. Article by M. Yu. Emelyannikov, “The need to back up data for business, and whether FSTEC certificate is needed for this”
    3. Record of the webinar “Backing up business requests and requirements of the law” (speakers Vitaliy Savchenko, Mikhail Emelyannikov, Maria Sidorova)
    4. FSTEC certificate for Veeam Backup & Replication
