Backup Security

Attya, Mohamed 206 Reputation points
2023-07-08T19:37:38.78+00:00

Securing the backup vault can be with different approaches but what if the Global administrator got compromised . Is there any approach that can disable access to the backup vault even for global admin. Like giving Microsoft itself the ownership of the vault and for enabling access to it must contact Microsoft ?

Azure Backup
Azure Backup
An Azure backup service that provides built-in management at scale.
1,344 questions
0 comments No comments
{count} votes

Accepted answer
  1. Luke Murray 11,246 Reputation points MVP
    2023-07-08T20:18:02.4766667+00:00

    Hi, Attya

    You can configure Resource Guard, on your Azure Recovery Vault; Resource Guard adds PIM (Privileged Identity Management) in front of Backup operations, such as Delete, etc. You can add approvals as well. Forcing MFA to occur, and if needed multiple users to approve any change.

    Screenshot showing demo resource guard properties.

    You can also adjust the vault to be immutable. Making the vault immutable, will prevent anything from being deleted, before the Azure policy, and retention period for that backup expired. Keep in mind, this can cause unforeseen effects, like cost growout, etc, but you can lock the immutability to prevent any changes, even from a person with GA rights.

    1 person found this answer helpful.
    0 comments No comments

1 additional answer

Sort by: Most helpful
  1. Azar 25,850 Reputation points MVP
    2023-07-08T19:41:20.44+00:00

    Hi Attya there are a few approaches that can disable access to the backup vault even for global admin

    1. Implement Role-Based Access Control (RBAC) and assign minimum required permissions.
    2. Enable Multi-Factor Authentication (MFA) for all user accounts.
    3. Monitor and audit activities in the backup vault.
    4. Implement Just-in-Time Access (JIT) and Azure AD Privileged Identity Management (PIM) to limit elevated privileges.
    5. Regularly review and update security practices.

    If you find the answer useful kindly accept.


Your answer

Answers can be marked as Accepted Answers by the question author, which helps users to know the answer solved the author's problem.