Secure deployment best practices for Datto appliances
Topic
This article discusses best practices for secure configuration and deployment of Datto SIRIS, ALTO, and Datto NAS devices.
Environment
- Datto SIRIS
- Datto ALTO
- Datto NAS
Description
Datto BCDR appliances ship with inherent and configurable security features and functionality to support a secure deployment. You are responsible for the configuration of those features and for deploying the Datto appliance in a way that meets your network and security architecture requirements. Datto expects that you will deploy your BCDR appliances in a secure LAN environment with no inbound internet access, and that appropriate network access control exists on your LAN to limit the accessibility to your appliance network daemons and services.
The Datto BCDR appliance offers a range of configuration options to help MSPs and end-users manage BCDR work-flows in a manner that best suits their environment. MSPs should always deploy the Datto device in a secure LAN environment, and enable more secure configuration options when available and appropriate for the end-user.
Access control objectives
Datto strongly recommends implementing least privilege (external link) access controls, such as the following:
- Never allow inbound access from the internet to the appliance.
- Deploy the appliance in line with the Unified Backup networking and bandwidth requirements article.
- Only permit access outbound from the device, as you don't need inbound access for the appliance to function.
- Restrict outbound communications from the Datto appliance to only the networks in the Knowledge Base, and deny all other communications.
- Limit access to the appliance's management end-user network GUI to only trusted network
- Management workstations that need access for BDR workflow purposes.
- Only allow protected systems to communicate with the appliance.
- Implement strong identity and access management practices for device GUI and IPMI login.
- Ensure all employees have MFA access configured.
Limiting accessibility
You can deploy your Datto devices in line with the above best practices in several ways, including, but not limited to:
- Placing the appliance in a protected backup network requiring L2 adjacency.
- Limiting the backup network's reachability through network routing restrictions.
- Employing a network firewall to implement network access control lists.
- Deploying port-based access control lists (ACLs) on network switch ports.
Account management
Portal and Local User access credentials for MSP technicians and end-user employees should be updated when those employees leave their respective organizations.
- Update Portal and Local User passwords when required in the device.
- For Local users, see Local Users
- For Portal employees, see Partner Portal: Managing employee accounts and roles
- For Portal organizations, see Partner Portal: Managing company and organization users & roles
- Assign a Security Administrator.
- Know the differences between an employee and an organization using Partner Portal: Managing company and organization users & roles.
- Use the User Activity Log via the Partner Portal, to audit user activity on a BCDR device.
Enable Relay forced login
- Relay forced login requires all users to enter their login credentials when navigating from the Partner Portal to the device GUI.
- Enable Relay forced login in the device GUI by navigating to Configure > Device Settings > Datto Relay Forced Login and clicking Enable Forced Login.
See the Device Settings article for more information.
Ensure your device is running the latest software version
- Updates ensure that your device has the latest software and operating system packages. They also patch and harden the appliance to Datto's most recent standards.
- You can find the software version your Datto device is running listed at the top of the home page of your device GUI.
See the Device Settings article for more information.
Deploy encrypted agents
Agent level encryption assures backup data written to the appliance's ZFS filesystem and replicated to the Datto Cloud is encrypted at rest, using a unique key that you can only generate with the passphrase held by the MSP or end-user.
- Agent encryption is available on specific appliance platforms, such as the SIRIS family of appliances and ALTO XL appliances.
- See the How to Encrypt Backups on a Datto Appliance and Properly Sizing a Datto Appliance Knowledge Base articles for more information.
Configure file shares with secure protocols and settings
- Understand the policy and compliance requirements of the environment in which you have deployed the Datto device, as you can jeopardize compliance by selecting unsecure file share options.
- Whenever end-user business requirements allow, do not permit anonymous or public access to any file share.
- Leverage CHAP authentication with iSCSI file shares, as CHAP requires authentication to access the file share.
- Enable SFTP instead of FTP, as SFTP requires authentication AND encrypts data in transit across your network.
See the Share Settings article for details on CHAP authentication settings.
Unmount file recoveries and local virtualizations when no longer required
- Do not make file restore data or local virtualizations on supported platforms available for longer than is necessary to complete the required BDR workflow.
- After you have confirmed mounted file restores and local virtualizations are no longer needed, you should unmount them.
- Remove a file restore by navigating to Restore>Active Recoveries, selecting the file restore or local virtualization, and clicking Remove Restore.
Enable mounted restore alerts
This option displays an alert in the device GUI when you have a file restore, or virtualization mounted for longer than the admin-specified period. These alerts warn you of latent restores that may need removal.
- Enable Mounted Restore Alerts in the device GUI by navigating to Configure >Device Settings >Mounted Restore Alert, selecting the number of days after which to alert from the drop-down menu, then clicking Apply.
- Configure local users with strong access credentials
- Configure local user account usernames and passwords following the MSP or end-users identity and password management policies.
- Where MSPs and end-users lack identity and password policies, Datto strongly recommends following password guidance in NIST SP 800-63: Digital Identity Guidelines.
- Avoid using known weak or compromised passwords (i.e., 123456, password, admin, etc.). A secure password has a combination of uppercase and lowercase letters, as well as numbers and special characters.
Enable remote logging
For end-users with logging and auditing requirements, you can configure the ability to send device logs to an off-box syslog server for later analysis. To enable Remote logging:
- Navigating to the Device Web (local device UI).
- Select Configure > Device Settings > Remote Logging
- Click Enable Remote Logging
- Enter the IP address and port of the syslog server.
- Click Add Remote Server.
See the Device Settings article for additional information.
Enable secondary replication
Secondary Replication copies the replicated offsite data, to a second offsite server. This ensures that your data is available in the event of unintended deletion of backup data. Data remains available in the secondary site for 90 days after deletion from the primary.
Secondary replication is enabled by default on devices with this available. To adjust this setting in the device GUI, navigate to Configure > Device Settings > Secondary Replication.
See Secondary replication for further information.
NOTE Secondary replication is not currently available in the ANZ region.
Datto is committed to providing a backup and disaster recovery solution with security features that aid customers in meeting their security policy and compliance requirements. Should you have any questions or concerns relating to topics covered in this article, please reach out to Datto Technical Support.
