Veeam backup app

I get the most flags for the Veeam backup tool. I have the free/community edition. Anyone else seen this?

Yes, I’m seeing it, too.
Veeam Backup gets flagged in the App Gov Score and App Gov Accelerator solutions, because:

  • It uses Public Client Flows. This is potentially dangerous.
  • It uses old authentication libraries. This is potentially dangerous.
  • It uses a certificate with years of validity. This is potentially dangerous.
  • It uses high-risk API permissions. This is potentially dangerous.

What do we tell the vendor? Does eNow recommend removal? I can download and reinstall their free community edition again and see if I get a better score, but I’d have to reconfigure the app, is my guess. Lots of time.

Public Client Flows
The Public Client Flow issue that the App Gov Score and App Gov Accelerator solutions flag is related to the way the product team at Veeam have programmed the solution. This is as designed, but could be further improved by Veeam as indicated by Alistair Pugin in his blog post on public client flows. An inquiry on their forums would be the obvious thing to do.

Authentication libraries
Veeam regularly updates the Veeam Backup for Microsoft 365 solution. Make sure you are on the latest build to get updates that include updated authentication libraries.

The use of a certificate with a long validity period is something I frown upon. Veeam has chosen the route of least administrative burden and has traded in on certificate lifecycle management and thus security. This is as designed, but a question in the Veeam forums could be raised about this practice.

Risky permissions and roles
A backup solution will have high-risk API permissions. There is nothing to be done about those, because the permissions are required to access your data in order to make backups of it.
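To check the public client flow and certificate validity findings discussed above against an exported app registration, here is an added example that is not part of the original post and is not how the App Gov tools themselves score apps. It assumes the app was exported as a Microsoft Graph `application` object; the sample data is constructed and the 365-day threshold is an assumed policy value.

```python
import json
from datetime import datetime

MAX_CERT_DAYS = 365  # assumed policy threshold, not a value from the thread

# Constructed sample shaped like a Microsoft Graph `application` object.
SAMPLE_APP = json.loads("""
{
  "displayName": "example-backup-app",
  "isFallbackPublicClient": true,
  "keyCredentials": [
    {"displayName": "CN=long-lived", "type": "AsymmetricX509Cert",
     "startDateTime": "2023-01-01T00:00:00Z",
     "endDateTime": "2033-01-01T00:00:00Z"},
    {"displayName": "CN=short-lived", "type": "AsymmetricX509Cert",
     "startDateTime": "2024-01-01T00:00:00Z",
     "endDateTime": "2024-07-01T00:00:00Z"}
  ]
}
""")


def _parse(ts):
    # Timestamps in the sample are ISO 8601 UTC with a trailing "Z".
    return datetime.fromisoformat(ts.replace("Z", "+00:00"))


def audit_app(app, max_cert_days=MAX_CERT_DAYS):
    """Return a list of findings for one application object."""
    findings = []
    # "Allow public client flows" is exposed as isFallbackPublicClient.
    if app.get("isFallbackPublicClient"):
        findings.append("public client flows enabled")
    # Flag each certificate whose total validity exceeds the threshold.
    for cred in app.get("keyCredentials", []):
        lifetime = _parse(cred["endDateTime"]) - _parse(cred["startDateTime"])
        if lifetime.days > max_cert_days:
            findings.append(
                f"certificate {cred['displayName']!r} valid for {lifetime.days} days"
            )
    return findings


if __name__ == "__main__":
    for finding in audit_app(SAMPLE_APP):
        print(finding)
```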

I am more than happy to post in Veeam’s forums… if you could craft a simple, short message that outlines the concerns, I will post there. I will also download and try their latest release, and see what, if anything, improves.

I have started a thread on the Veeam R&D Forums. :+1:
Mike Resseler (a Belgian guy, and program manager for all of Veeam’s cloud solutions last time I spoke with him…) already responded and shared that some of these items are already being looked into.
