Veeam backup app

CrushNetworks · January 9, 2024, 7:54am

I get the most flags for the Veeam backup tool. I have the free/community edition. Anyone else seen this?

SanderBerkouwer · January 12, 2024, 8:51am

Yes, I’m seeing it, too.
Veeam Backup gets flagged in the App Gov Score and App Gov Accelerator solutions, because:

It uses Public Client Flows. This is potentially dangerous.
It uses old authentication libraries. This is potentially dangerous.
It uses a certificate with years of validity. This is potentially dangerous.
It uses high-risk API permissions. This is potentially dangerous.

CrushNetworks · January 12, 2024, 3:48pm

What do we tell the vendor? Does eNow recommend removal? I can download and reinstall their free community edition again and see if better score but I’d have to reconfigure the app is my guess. Lots of time.

SanderBerkouwer · February 6, 2024, 8:30am

Public Client Flows
The Public Client Flow issue that the App Gov Score and App Gov Accelarator solutions flag is related to the way the product team at Veeam have programmed the solution. This is as designed, but could be further improved by Veeam as indicated by Alistair Pugin in his blogpost on public client flows. An inquiry on their forums would be the obvious thing to do.

Authentication libraries
Veeam regularly updates the Veeam Backup for Microsoft 365 solution. Make sure you are on the latest build to get updates that include updated authentication libraries

Certificate
The use of a certificate with a long validity period is something I frown upon. Veeam has chosen the route of least administrative burden and has traded in on certificate lifecycle management and thus security. This is as designed, but a question in the Veeam forums could be raised about this practice.

Risky permissions and roles
A backup solution will have high-risky API permissions. There is nothing to be done about those, because the permissions are required to access your data in order to make backups of it.

CrushNetworks · February 8, 2024, 12:16am

I am more than happy to post in Veeam’s forums…if you could craft a simple, short message that outlines the concerns, I will post there. I will also download and try their latest release, and see what if anything improves.

SanderBerkouwer · February 29, 2024, 9:13am

I have started a thread on the Veeam R&D Forums.
Mike Resseler (A Belgium guy, and program manager for all of Veeam’s cloud solutions last time I spoke with him…) already responded and shared that some of these items are already being looked into.

Topic		Replies	Views
Non-Admin Consented API Permissions SaaS Applications	1	107	March 18, 2024
Parameters to identify high risk app registrations High Risk	1	43	June 24, 2024
🌐 Welcome to the Entra ID SaaS Applications Corner! SaaS Applications	0	83	January 5, 2024
App Registrations without Associated Enterprise Applications are all MSFT related! SaaS Applications	1	60	March 18, 2024
🌐 Welcome to the Entra ID Enterprise Applications Corner! Enterprise Applications	0	61	December 23, 2023

Veeam backup app

Related Topics