Azure Backup Protects Against Deliberate Attacks

Microsoft’s cloud backup solution, Azure Backup, has added new protections to defend your data against deliberate attacks. This post will explain what this means for you.


A report on the subject of “ransomware” and businesses that was published earlier this year by Symantec makes for very sobering reading. Malware, such as CryptoLocker, that attacks a business by scanning for data on the network, encrypting it, and demanding a bitcoin ransom to decrypt the data, is becoming more common. Ransoms are increasing, and terms such as ransomware-as-a-service have been coined to describe these professional attacks that are orchestrated by criminal organizations. The success of these forms of attacks has inspired other attackers, greedy for a slice of the pie; kits are available to build your own ransomware!
Ransomware attacks were once entirely random, but targeted attacks are becoming more common. That’s a worry because it implies that an attack will be better planned to defeat defenses. One approach to protecting yourself against a crypto attack is to restore your files from backup. That can be an expensive (human effort and downtime) solution but that might be better than paying an attacker — I have heard stories of a decryption failing and the attackers requiring a second ransom!
What if the attacker also prevented access to your backup? Maybe they deleted your backups? Azure Backup has implemented new security mechanisms to protect your backup data from these deliberate kinds of attacks.

New Azure Backup Security Features

There are 4 features that have been added to protect your backup data:

  • Retention of deleted data: Your data will be retained by the recovery services vault for 14 days after you delete it. This means that even if some ransomware manages to delete your backups, you can still restore your data.
  • Minimum retention range checks: Maybe you need to go further back in time to before the infection. This feature ensures that you can restore from more than just 1 recovery point.
  • Alerts and notifications: You will be alerted in the event of a backup schedule being stopped or backup data being deleted. You’ll know that an attack is underway if no human initiated this action.
  • Multiple layers of security: You can require a PIN to be entered to perform certain actions. For example, if I attempt to stop a scheduled backup and delete all of the data from a MARS agent, I will be prompted to enter the PIN.

Enabling Azure Backup Security Features

If you have an existing Azure recovery services vault, then you can navigate to Properties in the vault to enable the new security features. Note the option where you can configure a PIN for sensitive actions.

 The security settings blade of an Azure recovery services vault [Image Credit: Aidan Finn]

Click Update under Security Settings to open a Security Settings blade. Here you can:

  • Specify if you have enabled multi-factor authentication (MFA) in Azure AD. Your options are Yes, No, and I Will Configure It Later. MFA will introduce two-factor authentication to allow Azure to verify that any instructions really do come from an administrator.
  • Enable the security settings of Azure Backup. Note that you cannot undo this action.


The security settings blade of an Azure recovery services vault [Image Credit: Aidan Finn]

Please note that to use these security features, you must have up-to-date on-premises software:

  • The latest version of the MARS agent
  • Azure Backup Server with Upgrade 1

System Center Data Protection Manager (DPM) does not support these features yet.