Description
The Security configuration risk meter represents the current risk score based on current security configurations in NetBackup.
- Security configuration risks may arise from improper or sub-optimal configurations.
- A higher risk score indicates weaker security configurations.
The security configuration risk score is determined based on the following security settings:
Display name | Impact of this setting |
---|---|
Multifactor authentication (MFA) | Enforces multifactor authentication (MFA) |
Multi-person authorization (MPA) | Configures multi-person authorization (MPA) |
Secure control communication | Enables communication with 8.0 and earlier hosts |
Secure data-in-transit (encryption) | Enables Data-in-transit encryption |
Secure certificate deployment | Determines the Security level for certificate deployment |
Service user configuration | Determines how the service user is configured |
Malware detection configuration | Enables Malware detection |
Anomaly detection configuration | Enables Anomaly detection |
How to improve the Security Configuration Risk Score?
To improve the risk score, enable any of the listed settings that are crucial to security posture and carry a higher effect on the risk score.
Secure control communication
This setting enforces secure communication in a NetBackup domain. If enabled, communication with version 8.0 and earlier hosts will fail.
Before enabling this setting, make sure that there are no NetBackup clients or media servers on a version prior to 8.1.
To enable Secure control communication, the user must disable the setting Enable communication with 8.0 and earlier hosts.
For more information refer to the Admin Guide topic: https://www.veritas.com/content/support/en_US/doc/21733320-149123528-0/v127786715-149123528
Secure certificate deployment
This setting is considered enabled if the security level for certificate deployment is set to High or Very High. If the security level for certificate deployment is set to Medium, this setting is considered not enabled.
The NetBackup Security level for certificate deployment determines the checks that are performed before the NetBackup CA issues a certificate to a NetBackup host. It also determines how frequently the NetBackup Certificate Revocation List (CRL) is refreshed on the host.
For more information refer to the Admin Guide topic - https://www.veritas.com/content/support/en_US/doc/21733320-163077041-0/v120724164-163077041
Secure data-in-transit (encryption)
This setting is considered enabled if all the hosts in the NetBackup domain are configured to use data-in-transit encryption (DTE). It is considered not enabled if none of the hosts are configured to use DTE, and partially enabled otherwise. Data-in-transit encryption is crucial for security because it encrypts backup data while it is transmitted over the network, preventing interception and unauthorized access in transit.
The risk score will be reduced if more hosts are configured to use DTE.
For more information refer to the Admin Guide topic - https://www.veritas.com/content/support/en_US/doc/21733320-163077041-0/v148057986-163077041
Enforce multifactor authentication (MFA)
Multi-factor authentication adds an additional layer of protection beyond just passwords, significantly reducing the risk of unauthorized access.
For more information refer to the Admin Guide topic - https://www.veritas.com/content/support/en_US/doc/21733320-163077041-0/v162562656-163077041
Multi-person authorization (MPA)
This setting is considered enabled if Multi-person authorization is enabled for any of the NetBackup operations that support MPA. It is considered disabled if Multi-person authorization is not configured for any of the operations.
Multi-person authorization is a crucial setting as it ensures that critical actions or decisions are approved by multiple authorized individuals, minimizing the risk of errors, fraud, or misuse of privileges.
For more information refer to the Admin Guide topic - https://www.veritas.com/content/support/en_US/doc/21733320-163077041-0/v162211618-163077041
Service user configuration
This setting is considered enabled if all of the hosts in the NetBackup domain are configured with a non-privileged user (service user). It is considered not enabled if none of the hosts are configured with a service user, and partially enabled otherwise.
Having NetBackup services configured to run under a service user account is highly recommended.
The risk score will be reduced if more hosts are configured to run NetBackup services under a service user account.
For more information refer to the Admin Guide topic - https://www.veritas.com/content/support/en_US/doc/21733320-163077041-0/v149824635-163077041
For information about configuring a service user account for previous versions, refer to the Security and Encryption guide of the respective version.
Anomaly detection configuration
This setting is considered enabled if backup anomaly detection is configured.
To improve the risk score, configure backup anomaly detection.
For more information refer to the Admin Guide topic - https://www.veritas.com/content/support/en_US/doc/21733320-163077041-0/v164904945-163077041
Malware detection configuration
This setting is considered enabled if the Scan Host Pool is configured under Malware detection.
To improve the risk score, configure a scan host pool for malware detection.
For more information refer to the Admin Guide topic - https://www.veritas.com/content/support/en_US/doc/21733320-163077041-0/v160533731-163077041
Note: The security risk score is determined based on the active status of each host within the domain. A host is deemed active if it has participated in secure communication within the domain over the past seven days.
The following settings consider active hosts for the calculation:
- Secure data-in-transit encryption (DTE)
- Service user configuration
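The host-based evaluation described above can be rehearsed against a host inventory before looking at the risk meter. The following is an added example, not Veritas code: the inventory layout, field names and sample hosts are constructed, and treating a domain with no active hosts as "not enabled" is an assumption. It also lists hosts older than 8.1, which must be upgraded before Secure control communication is enabled.

```python
from datetime import datetime, timedelta

# Page: a host is active if it took part in secure communication in the past seven days.
ACTIVE_WINDOW = timedelta(days=7)

# Constructed inventory; field names are hypothetical, not a NetBackup export format.
HOSTS = [
    {"name": "media01", "version": "10.4", "last_secure_comm": "2024-06-09", "dte": True, "service_user": True},
    {"name": "client07", "version": "9.1.0.1", "last_secure_comm": "2024-06-08", "dte": False, "service_user": True},
    {"name": "client12", "version": "8.0", "last_secure_comm": None, "dte": False, "service_user": False},
    {"name": "client19", "version": "8.1.2", "last_secure_comm": "2024-05-01", "dte": False, "service_user": False},
]

def active_hosts(hosts, now):
    """Hosts whose last secure communication falls inside the seven-day window."""
    result = []
    for host in hosts:
        seen = host["last_secure_comm"]
        if seen and now - datetime.strptime(seen, "%Y-%m-%d") <= ACTIVE_WINDOW:
            result.append(host)
    return result

def setting_state(hosts, key, now):
    """Return (state, lagging active hosts) for a host-scoped setting such as DTE."""
    active = active_hosts(hosts, now)
    configured = [h for h in active if h[key]]
    if active and len(configured) == len(active):
        state = "enabled"
    elif not configured:
        state = "not enabled"  # assumption: also used when there are no active hosts
    else:
        state = "partially enabled"
    return state, [h["name"] for h in active if not h[key]]

def pre_81_hosts(hosts):
    """All hosts (active or not) on a version prior to 8.1."""
    def version_tuple(text):
        return tuple(int(part) for part in text.split("."))
    return [h["name"] for h in hosts if version_tuple(h["version"]) < (8, 1)]

if __name__ == "__main__":
    now = datetime(2024, 6, 10)  # fixed date so the constructed sample is reproducible
    for key in ("dte", "service_user"):
        print(key, setting_state(HOSTS, key, now))
    print("upgrade before enabling secure control communication:", pre_81_hosts(HOSTS))
```

The lagging-host list is the remediation queue: configuring those hosts is what moves a setting from partially enabled to enabled.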