Your Data Deserves Better Than Veeam - Part 3: Why Auto-Patching Matters

William Urban, Technical Marketing Manager and Ruso Bhattacherjee, Technical Content Marketing Specialist

In 2024, all organizations realize that they can be a ransomware target, and attacks often go undetected. IT and security teams understand that data is the primary target for both bad actors and ransomware attacks, making backup data ever more critical to your organization. Ransomware gangs know that if the backup data is also corrupted, the chances of getting paid increase as it makes recovery difficult. 

Keeping all your software and infrastructure up to date, especially data protection solution-related software and hardware is a great way of ensuring that your entire environment and your backup data are secure. Security patches play a critical role in keeping your data safe from all known threats and vulnerabilities of the software. 

As a SaaS solution, Druva Data Resiliency Cloud is auto-updated and always up-to-date. You don’t need to worry about keeping track of released patches and manually installing them. Unfortunately, you don’t get the same peace of mind with legacy data protection software, especially solutions like Veeam. 

We will discuss how the tracking and manual installation of security patches for legacy data protection solutions is time-consuming and places your cyber defense and recovery strategies at high risk of failure. 

The problem with security patches

Security patches are released to address known security vulnerabilities in software. The problem is: as soon as a security patch is released, it informs everyone on the internet that there is an issue with the software. 

As soon as IT administrators become aware of the newly released patch, they then plan on installing the patch. In most cases, patches are applied based on their severity. Similarly, when hackers become aware of the new patch, they start looking for ways to exploit the known vulnerability. 

If IT admins don’t install the patch quickly enough, hackers can get into critical systems of an organization and infect it with ransomware. With so many components to take care of, sometimes it becomes difficult for admins to remain aware of all the issues present in a component.  Sometimes a  patch is not applied even if a fix is available for an issue because admins are unaware of it.  

Sadly, installing patches is not the only thing IT admins are tasked with. It’s just one of their many duties. Thus, installing a patch as soon as it’s available is difficult. This problem is intensified if the security patch is related to the data protection solution. 

Keeping track of all patches is again a tricky affair.  Security and IT teams must know how many physical or virtual servers, with different software, are used to run backups for data center, ROBO, SaaS, and cloud workloads and then keep track of all patches released for each software used in these systems. 

As ransomware targets backup data first, an infected system means admins won’t ever be able to recover the data if both the main system and its backup data are corrupted. As backup applications are rarely internet-facing, once threat actors are able to get inside an organization, they often exploit an unpatched system.

DIY approach to security patches

With legacy backup solutions like Veeam, the onus of keeping all the systems updated falls squarely on the shoulders of the organization. For example, in 2023, a single Veeam issue had 4 CVEs (Common Vulnerabilities and Exposures) associated with it. The resolution was to apply a hotfix for each issue. 

This might seem like a small number until you realize that attackers start scanning for vulnerabilities within 15 minutes of them being announced. 

In another reported issue, Veeam urged customers to patch a high-severity security vulnerability that impacted its backup and replication software. However, the patch was only made available more than 15 days after the bug was reported. This means that hackers had more than enough time to exploit the vulnerability. IT administrators always have to track and apply all such security patches on time to keep backup data safe. This not only increases their workload but puts important backup data at risk. 

But, Druva’s solution is secure by design. For its zero-trust platform, Druva manages availability and security of its cloud with pen testing, automatic vulnerability scans, patching, and regular updates. This ensures that your data is secure without any effort from you or your admins.

Cyber Recovery - Automated versus manual approach

Druva has built-in recovery scans that automatically detect and remediate malware during recovery — Druva handles computation with no added effort for you. For legacy software like Veeam, building the recovery workflows is your responsibility. You configure and run the malware scans, using your own servers, and manage the remediation yourself. 

Protecting backup data

With Druva, you are fully protected right from the moment you sign up. Cybercriminals don’t wait for you to secure your backup data before they launch an attack. If you are not protected right from the get-go, security gaps will start appearing in your backup environment and before you know it, the damage will be irrecoverable.  

However, for legacy data protection solutions like Veeam, YOU have to plan and execute a long list of things, even for basic security.  

You are already aware of how easy it is to start backing up data with Druva. Now, let’s understand how Druva makes it effortless and automated to secure backup data versus a legacy data protection solution like Veeam. 




Infrastructure planning

Doesn't need infrastructure so no planning is required.

The entire infrastructure is fully managed, maintained, and monitored by Druva. Our solution is always security-hardened.

Understand and decide if your environment is large, medium, or small. Then, place all backup infrastructure on a separate network. 

To protect your backup files from loss as a result of malware activity or unplanned actions, you can add to your backup infrastructure a hardened repository based on a Linux server.

Veeam makes you do the very things that they are responsible for and then charges you for it. 

Backup server

Everything that you need to protect and secure your data is included on day 1: Storage, compute, software, and security.

Just to secure your backup server, you need to complete the following: 

  1. Start with restricting inbound and outbound connections. 

  2. Then, encrypt backup traffic, use self-signed TLS certificates generated by Veeam Backup & Replication.

  3. Restrict untrusted Linux VMs and Linux servers to connect to the backup server.

  4. Use the recommended Access Control List (ACL) for the custom installation folder.

Following Veeam security best practices for larger environments requires even more steps (for example, separate AD domains).

Backup and replication database

With Druva, you don’t need to bother about such things. 

Ensure that only authorized users can access the backup server and the server that hosts the Veeam Backup & Replication configuration database

Thereafter, enable data encryption for configuration backup to secure sensitive data stored in the configuration database.

Backup repositories

Entire backup infrastructure - not just storage - is fully air-gapped and immutable with dual-envelope encryption. 

All security measures that you have to deploy and configure for Veeam are already built-in in Druva.

To secure your stored data, you must consider 8 different recommendations. Most of these are a must if you want to keep your data safe.

  1. Follow the 3-2-1 rule when designing backup infrastructure.

  2. Place hardware in an access-controlled area.

  3. Ensure only authorized users have permission to access backups and their replicas.

  4. Deploy on physical servers

  5. Use the built-in data encryption feature.

  6. Encrypt SMB traffic.

  7. Enable immutability for backups.

  8. Use offline media to keep backup files.

  9. Ensure the security of mount servers.    

Veeam Backup Enterprise Manager

Not required.


With Druva, you don’t need different UIs and running different applications on different servers. We provide managed detection and response (MDR) of backups with immediate, human alerting - at no extra cost! 

Again, there are 3 recommendations to protect this server. 

  1. To prevent a key change attack, you need to deploy Veeam Backup Enterprise Manager on a server different from the Veeam Backup & Replication server. That’s not it though. 

  2. Next, you have to arrange an alternative way to decrypt the data if a password for encrypted backup or tape is lost. 

  3. Finally, you need to juggle through a host of permissions and assign them carefully to prevent privilege escalation and arbitrary code execution (ACE) attacks.

Veeam Cloud Connect

Not applicable

Druva provides 100% confidentiality. We guarantee that customer data will not be

compromised as a result of a security incident.

We also guarantee that 100% of the last successful backup of your data will be recoverable in the event of a ransomware incident.

All of these are not empty promises. We are so confident that your data is safe that we guarantee you are protected against five key risks including cybercrime, human, application, operational, and environmental risks, up to $10M.

This one is interesting because Veeam clearly states that if an attacker obtains a provider’s private key, backup traffic can be eavesdropped and decrypted. 

Then they specifically put the onus on you to mitigate risks by ensuring that the TLS certificate is kept in a highly secure place and cannot be uncovered by a third party.

Try Druva today and say goodbye to security headaches

To learn more about how simple Druva is to deploy, use, secure, and back up your data than Veeam, visit our Druva vs. Veeam competitive page. Read the previous blogs in this series for an overview of Druva vs. Veeam, and how the two solutions compare for the setup and recovery of Microsoft 365 data — and stay tuned for more.

Ready to try Druva? Your data deserves better than Veeam — make the switch and get up to 6 months of 100% SaaS data protection FREE.