In my previous life, I worked as an IT Security consultant. Not the pony-tailed cracker/pentester you could imagine, but more focused on procedures, organizational risks, and so on. I moved into the virtualization space a long time ago, but that mindset has always stayed with me.
When I talk about security with different people, be they colleagues, customers, partners, or service providers, I usually meet two different kinds of people.
For many, security is just a check in a feature list: “oh, you support encryption for your backups? Good”.
Then there are security-savvy people, those who don’t accept those simple answers; even the fact that we say “we use AES-256 for our encryption” is not enough, and they want more and more details before accepting any solution in their environments. And in some infrastructures, a NO from the Security Team means a NO GO for any deployment.
I’m surely in the latter category, and when we at Veeam developed Cloud Connect, while discussing the great feature in it called Cloud Gateway, I wanted to know more and more. We use a single TCP port with SSL protection for direct connections over the Internet, so which level of SSL is used? Do we fall back if a client requires a lower version? How do we prevent man-in-the-middle (MITM) attacks?
I can tell you, I stressed our developers and product managers a lot, but the outcome was a great set of information for people like me who take security seriously. After collecting this information, I developed a series of animations to better explain those concepts; so why not record a voice-over on them? The final result is this 6-minute video, where I explain the security features of Veeam Cloud Connect communications: how we use SSL (or better said, TLS; we do not use old protocols like SSL, we say SSL because few people know the term TLS…), and how we exchange keys and avoid MITM attacks.
Enjoy the video, and let me know what you think.