October 12, 2023
Ransomware Security: Microsoft’s Multi-Authorization for Azure Backup
In today’s digital landscape, data is crucial and its security is even more crucial. Microsoft remains at the forefront of providing data security solutions with the introduction of Multi-User Authorization (MUA) for Azure Backup vaults. MUA provides an additional layer of security that works in conjunction with Azure Resource Guard. In this article, we dive deeper into the details and benefits of this new feature and how it can take organizations’ security standards to the next level.
Key points:
- MUA works with Azure Resource Guard to add an additional layer of authorization.
- Multi-User Authorization (MUA) enhances security for Azure Backup vaults, similar to how MUA now works with Recovery Services vaults.
- Resource Guard and vault can be placed in different tenants for optimal protection.
- Microsoft has introduced a new security feature, Multi-User Authorization (MUA), for Azure Backup vaults.
Microsoft Introduces Multi-User Authorization for Azure Backup Vaults
Azure Backup is a cloud-based service that lets users back up data from various Azure services and from on-premises Windows Server to the Azure cloud, and recover it from there.
MUA strengthens security by adding an additional layer of protection, a Resource Guard. To change a critical Azure Backup setting, the user must also have sufficient permissions on the Resource Guard. This addition is specifically designed to further help organizations defend against ransomware.
Configure MUA for Azure Backup with Resource Guard
Azure Backup uses Resource Guard to ensure that only authorized users perform critical operations. Critical operations are actions that can affect the integrity, availability and security of the backup data. When Resource Guard is configured for an Azure Backup vault, the Resource Guard owner must approve all requests to change critical backup settings.
Microsoft explained: “This requires action by the resource guard owner to approve and grant access. You can also use Azure Active Directory (AAD) Privileged Identity Management (PIM) to manage just-in-time access (JiT) on the resource guard. In addition, you can create the resource guard in a subscription or tenant different from that with the recovery services vault, for maximum isolation.”
Requirements to activate Multi-User Authorization in Azure Backup
To get started with Multi-User Authorization, Microsoft recommends ensuring that the Backup vault and Resource Guard exist in the same Azure region. In addition, the vault administrator must not have Contributor rights on the Resource Guard. For optimal protection, IT professionals can choose to place the Resource Guard in a different subscription from the vault being protected.
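The requirements above can be checked before MUA is enabled. The following is an added example, not Microsoft's code: it works offline on exported resource and role-assignment records and flags Contributor rights that the vault administrator inherits from a subscription or resource group scope. The record layout, principal names and subscription IDs are constructed placeholders, and treating Owner as blocked is an assumption.

```python
import re

# Subscription and resource group parts of an ARM resource ID.
ARM_ID = re.compile(r"^/subscriptions/([^/]+)/resourceGroups/([^/]+)/providers/.+", re.I)
# "Contributor" is the role the article names; "Owner" is an assumption added
# here because it includes everything Contributor can do.
BLOCKED_ROLES = {"contributor", "owner"}

def subscription_of(resource_id):
    m = ARM_ID.match(resource_id)
    if not m:
        raise ValueError(f"not an ARM resource ID: {resource_id}")
    return m.group(1).lower()

def scope_covers(scope, resource_id):
    """True if a role assigned at `scope` is inherited by `resource_id`."""
    scope, rid = scope.rstrip("/").lower(), resource_id.lower()
    # "" is the root scope "/"; management-group scopes are not resolved here.
    return scope == "" or rid == scope or rid.startswith(scope + "/")

def check_mua_prerequisites(vault, guard, assignments, vault_admin):
    """Return findings as strings; an empty list means all checks passed."""
    findings = []
    region = lambda r: r["location"].replace(" ", "").lower()
    if region(vault) != region(guard):
        findings.append("region-mismatch")
    for a in assignments:
        if (a["principal"].lower() == vault_admin.lower()
                and a["role"].lower() in BLOCKED_ROLES
                and scope_covers(a["scope"], guard["id"])):
            findings.append(f"vault-admin-{a['role'].lower()}-at:{a['scope']}")
    if subscription_of(vault["id"]) == subscription_of(guard["id"]):
        findings.append("same-subscription")  # advisory, not a hard requirement
    return findings

# Constructed sample data (placeholder subscription IDs and names).
SUB_A = "/subscriptions/00000000-0000-0000-0000-00000000000a"
SUB_B = "/subscriptions/00000000-0000-0000-0000-00000000000b"
VAULT = {"id": SUB_A + "/resourceGroups/rg-backup/providers/Microsoft.DataProtection/backupVaults/bv1",
         "location": "westeurope"}
GUARD = {"id": SUB_B + "/resourceGroups/rg-guard/providers/Microsoft.DataProtection/resourceGuards/rg1",
         "location": "West Europe"}
ASSIGNMENTS = [
    {"principal": "backup-admin@example.com", "role": "Contributor", "scope": SUB_A},
    {"principal": "backup-admin@example.com", "role": "Contributor", "scope": SUB_B},  # inherited by the guard
    {"principal": "sec-admin@example.com", "role": "Owner", "scope": SUB_B},
]

if __name__ == "__main__":
    print(check_mua_prerequisites(VAULT, GUARD, ASSIGNMENTS, "backup-admin@example.com"))
```

With the sample data, the only finding is the Contributor assignment at the Resource Guard's subscription, which the vault administrator would otherwise inherit on the guard itself.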