How to improve security configurations to minimize the security risk associated with NetBackup 11.0 and later
Description
The security configuration risk meter shows the current risk score, which is derived from the security configuration of the NetBackup domain. Security configuration risk arises from missing, improper, or suboptimal settings: a high configuration risk score means that more security settings in the domain still need to be configured as recommended.
The security configuration risk score is calculated from the security settings listed in the table below:
Security setting | Description | Recommended value
---|---|---
Insecure communication with 8.0 and earlier hosts | Determines whether insecure communication with NetBackup 8.0 and earlier hosts is allowed in the domain. | Disabled
Secure data-in-transit encryption (DTE) | Determines the global data-in-transit encryption (DTE) mode. DTE encrypts backup data while it is transmitted over the network. | Enforced / Preferred On
Percent of hosts with DTE enabled | Percentage of active hosts in the domain that participate in DTE. | 100%
Multifactor authentication (MFA) | Adds a layer of protection beyond passwords, significantly reducing the risk of unauthorized access. | Enforced
Multi-person authorization (MPA) | Ensures that critical actions or decisions are approved by multiple authorized individuals. | Enabled
Percent of encryption-enabled backup storage | Percentage of active backup storage that is configured to encrypt data at rest. | 100%
Immutable backup storage | Whether at least one active WORM backup storage is configured. | Configured
Client-initiated redirected restores | Whether client-initiated redirected restores are allowed in the domain. | Restricted
Security level for certificate deployment | Determines the checks performed before the NetBackup CA issues a certificate to a NetBackup host. | Very High / High
Percent of hosts with service user configured | Percentage of active hosts configured to run NetBackup services under a service user account. | 100%
Anomaly detection | Detects anomalies in backup metadata. | Enable only for unstructured data / Enable
Percent of servers with version [primary version] or later | Percentage of active primary and media servers running the primary server's NetBackup version or later. | 100%
Malware detection | Detects malware in supported backup images. | Configured
Percent of other hosts with version [primary version] or later | Percentage of active hosts other than primary and media servers running the primary server's NetBackup version or later. | 100%
CLI access to OS administrator | Enables or disables CLI access for the operating system administrator. | Disabled
Web UI access to OS administrator | Enables or disables web UI access for the operating system administrator. | Disabled
How to improve the Security Configuration Risk Score?
Settings that are crucial to the security posture carry a higher weight in the risk score. Settings listed near the top of the list have a higher impact on the score; those near the bottom carry a lower weight.
- Insecure communication with 8.0 and earlier hosts
If insecure communication is disabled, communication with NetBackup 8.0 and earlier hosts fails. Before disabling it, make sure that no NetBackup client or media server in the domain runs a version earlier than 8.1.
To lower the risk score, disable the setting 'Enable communication with 8.0 and earlier hosts'.
For more information, refer to the "How NetBackup 8.1 or later hosts communicate with NetBackup 8.0 and earlier hosts" topic in the NetBackup Security and Encryption Guide.
- Secure data-in-transit (encryption)
This setting determines the global data-in-transit encryption (DTE) mode. It is crucial for security because it encrypts backup data while it is transmitted over the network, preventing interception and unauthorized access in transit.
Set 'Data-in-transit encryption' to 'Enforced' or 'Preferred On', so that all or most of the active hosts* in the NetBackup domain use DTE. 'Preferred Off' is considered higher risk.
For more information, refer to the "Configuring data-in-transit encryption (DTE)" topic in the NetBackup Security and Encryption Guide.
Note: The global DTE mode setting itself is excluded from the risk score calculation; it influences the score through the 'Percent of hosts with DTE enabled' setting below.
- Percent of hosts with DTE enabled
This setting displays the percentage of active hosts* configured with DTE. The value depends on the global DTE mode:
- If global DTE is Enforced: 100%
- If global DTE is Preferred On: the percentage of active hosts* whose DTE mode is AUTOMATIC or PREFERRED_ON
- If global DTE is Preferred Off: the percentage of active hosts* whose DTE mode is PREFERRED_ON
If global DTE mode is Enforced, the client-level DTE mode is irrelevant from a security perspective: all transmitted data is always encrypted.
For more information, refer to the "Configuring data-in-transit encryption (DTE)" topic in the NetBackup Security and Encryption Guide.
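The rules above applied to a constructed host inventory, as an added example that is not NetBackup code and not an interface the product exposes. The record layout (`name`, `dte_mode`, `last_secure_comm`), the per-host mode names, and the seven-day active-host window taken from the footnote are assumptions for illustration; the behaviour when the domain has no active host is not defined on this page and is treated here as "nothing to score".

```python
# Added example: computes "Percent of hosts with DTE enabled" from a host
# inventory, following the rules in the text. Not NetBackup code; the record
# layout (name, dte_mode, last_secure_comm) is an assumption for illustration.
from datetime import datetime, timedelta

GLOBAL_MODES = ("ENFORCED", "PREFERRED_ON", "PREFERRED_OFF")
ACTIVE_WINDOW = timedelta(days=7)  # footnote: active = secure communication in the past 7 days

# Per-host DTE modes that count as "DTE enabled" under each global mode.
COUNTED_HOST_MODES = {
    "PREFERRED_ON": {"AUTOMATIC", "PREFERRED_ON"},
    "PREFERRED_OFF": {"PREFERRED_ON"},
}


def active_hosts(hosts, now):
    """Only hosts that communicated securely within ACTIVE_WINDOW are scored."""
    return [h for h in hosts if now - h["last_secure_comm"] <= ACTIVE_WINDOW]


def percent_hosts_with_dte(global_mode, hosts, now):
    """Return the scored percentage, or None when there is no active host to score
    (not defined on the page; treating it as 'nothing to score' is an assumption)."""
    if global_mode not in GLOBAL_MODES:
        raise ValueError(f"unknown global DTE mode: {global_mode}")
    if global_mode == "ENFORCED":
        # Client-level mode is irrelevant: every transfer is encrypted.
        return 100.0
    active = active_hosts(hosts, now)
    if not active:
        return None
    counted = [h for h in active if h["dte_mode"] in COUNTED_HOST_MODES[global_mode]]
    return round(100.0 * len(counted) / len(active), 2)


def risky_hosts(global_mode, hosts, now):
    """Names of active hosts that pull the percentage down under the given global mode."""
    if global_mode == "ENFORCED":
        return []
    return sorted(h["name"] for h in active_hosts(hosts, now)
                  if h["dte_mode"] not in COUNTED_HOST_MODES[global_mode])


# Constructed sample inventory (not real hosts).
NOW = datetime(2025, 1, 15, 12, 0, 0)
SAMPLE_HOSTS = [
    {"name": "primary01", "dte_mode": "AUTOMATIC", "last_secure_comm": NOW - timedelta(days=1)},
    {"name": "media01", "dte_mode": "PREFERRED_ON", "last_secure_comm": NOW - timedelta(days=2)},
    {"name": "client01", "dte_mode": "PREFERRED_OFF", "last_secure_comm": NOW - timedelta(days=3)},
    {"name": "client02", "dte_mode": "PREFERRED_ON", "last_secure_comm": NOW - timedelta(days=30)},  # inactive
    {"name": "client03", "dte_mode": "AUTOMATIC", "last_secure_comm": NOW - timedelta(days=0)},
]

if __name__ == "__main__":
    for mode in GLOBAL_MODES:
        print(f"global {mode:13s} -> {percent_hosts_with_dte(mode, SAMPLE_HOSTS, NOW)}% "
              f"(risky: {risky_hosts(mode, SAMPLE_HOSTS, NOW)})")
```

Note how the same inventory scores 75% under Preferred On but only 25% under Preferred Off: a host left at AUTOMATIC stops counting once the global mode is Preferred Off, which is why the text rates that global mode as higher risk even though the per-host settings did not change.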
- Enforce multifactor authentication (MFA)
Multi-factor authentication adds an additional layer of protection beyond just passwords, significantly reducing the risk of unauthorized access.
The risk score decreases when MFA is enforced. For more information, refer to the "Configuring multifactor authentication" topic in the NetBackup Security and Encryption Guide.
- Multi-person authorization (MPA)
Multi-person authorization is a crucial setting as it ensures that critical actions or decisions are approved by multiple authorized individuals, minimizing the risk of errors, fraud, or misuse of privileges.
This setting is considered enabled if multi-person authorization is enabled for any of the NetBackup operations that support MPA, and disabled if it is not configured for any operation.
The risk score decreases if MPA is enabled for at least one operation. For more information, refer to the "Configuring multi-person authorization" topic in the NetBackup Security and Encryption Guide.
- Percent of encryption-enabled backup storage
This setting indicates the percentage of active backup storage that is configured with encryption. It gives a measurable view of how much of the backup storage environment encrypts data at rest, which helps demonstrate compliance with data security policies.
To reduce the risk score, make sure that all active backup storage in the domain is configured with KMS-based encryption.
Notes:
- BasicDisk storage is included in the risk calculation; it does not support encryption and is therefore always counted as unsafe.
- Only disk pools associated with active storage units are considered. A storage unit is active if a policy has selected it for backup within the last 31 days.
- For an MSDP storage server, what counts is whether KMS encryption was enabled when the storage server was created. Any active disk volume on such a storage server (for example, an LSU created on Amazon or Azure) is counted as safe storage regardless of the volume's own encryption setting.
- Storage configured on media servers that still run an earlier NetBackup version is excluded from the risk calculation, except MSDP and BasicDisk storage, which is considered regardless of the media server version. Once the media server is upgraded to NetBackup 11.0 (for OST storage, once it is upgraded to OST SDK 12.1), it starts reporting encryption status and its storage is included. After the media server upgrade, refresh the storage servers, disk pools, disk volumes and storage units from the web UI or CLI for the change to take effect.
- Tape-based backup storage is not considered in the risk score calculation.
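The storage rules above applied to a constructed inventory, as an added example that is not NetBackup code. The record layout is an assumption: `type` carries the storage kind, `server_kms_encryption` stands for the KMS choice made when an MSDP storage server was created, and `reported_encryption` stands for the status an OST media server reports once it runs 11.0 / OST SDK 12.1 (`None` models a media server that has not been upgraded yet and therefore reports nothing).

```python
# Added example: applies the storage rules in the notes above to a constructed
# inventory to compute "Percent of encryption-enabled backup storage". Not
# NetBackup code; the record layout and the field names are assumptions.
from datetime import datetime, timedelta

ACTIVE_STU_WINDOW = timedelta(days=31)  # an STU is active if a policy selected it in the last 31 days


def classify(stu, now):
    """Return 'safe', 'unsafe', or None when the storage is excluded from the score."""
    if now - stu["last_policy_use"] > ACTIVE_STU_WINDOW:
        return None  # STU not active, so its disk pool is not considered
    kind = stu["type"]
    if kind == "Tape":
        return None  # tape storage is not part of the calculation
    if kind == "BasicDisk":
        return "unsafe"  # BasicDisk cannot encrypt; always counted as unsafe
    if kind == "MSDP":
        # What matters is whether KMS encryption was enabled when the storage
        # server was created; volumes (e.g. cloud LSUs) on such a server count as safe.
        return "safe" if stu["server_kms_encryption"] else "unsafe"
    # Other disk storage (e.g. OST): the media server reports the encryption
    # status only once it runs 11.0 / OST SDK 12.1; until then it is excluded.
    if stu["reported_encryption"] is None:
        return None
    return "safe" if stu["reported_encryption"] else "unsafe"


def percent_encrypted_storage(stus, now):
    """Return (percent, unsafe_names, excluded_names); percent is None when nothing is scored
    (that case is not defined on the page; treating it as 'nothing to score' is an assumption)."""
    verdicts = {s["name"]: classify(s, now) for s in stus}
    counted = {n: v for n, v in verdicts.items() if v is not None}
    excluded = sorted(n for n, v in verdicts.items() if v is None)
    unsafe = sorted(n for n, v in counted.items() if v == "unsafe")
    if not counted:
        return None, unsafe, excluded
    safe = sum(1 for v in counted.values() if v == "safe")
    return round(100.0 * safe / len(counted), 2), unsafe, excluded


NOW = datetime(2025, 1, 15)


def _stu(name, kind, days_since_policy_use, **fields):
    return {"name": name, "type": kind,
            "last_policy_use": NOW - timedelta(days=days_since_policy_use), **fields}


# Constructed sample storage units (not a real domain).
SAMPLE_STUS = [
    _stu("msdp_stu_kms", "MSDP", 2, server_kms_encryption=True),
    _stu("msdp_stu_plain", "MSDP", 10, server_kms_encryption=False),
    _stu("basicdisk_stu", "BasicDisk", 5),
    _stu("ost_stu_new", "OST", 1, reported_encryption=True),
    _stu("ost_stu_old_media", "OST", 1, reported_encryption=None),   # media server not yet on 11.0
    _stu("tape_stu", "Tape", 1),
    _stu("msdp_stu_stale", "MSDP", 45, server_kms_encryption=False),  # no policy use in 31 days
]

if __name__ == "__main__":
    pct, unsafe, excluded = percent_encrypted_storage(SAMPLE_STUS, NOW)
    print(f"{pct}% of scored storage is encrypted; unsafe={unsafe}; excluded={excluded}")
```

The unsafe list is the actionable output: in this sample the score is 50% because of one MSDP storage server created without KMS and one BasicDisk storage unit, while the stale MSDP unit, the tape unit and the not-yet-upgraded OST media server do not move the score either way.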
- Immutable backup storage
Data written to WORM backup storage is indelible and immutable. This setting is considered configured if:
- At least one active STU (storage unit) on a disk-based WORM-capable storage server is available, OR
- An active volume pool with a WENCR or WORM prefix is available.
It is recommended to have at least one active backup storage that is immutable.
Active STU: a storage unit is considered active if a policy has selected it for backup within the last 31 days.
Active volume pool: a volume pool is considered active if data has been written to it within the last 31 days.
For more information, refer to the "Creating a NetBackup WORM storage server instance" topic in the NetBackup Security and Encryption Guide.
- Client-initiated redirected restores
This setting determines whether client-initiated redirected restores are allowed in the domain.
Redirected restores are allowed by creating a file in the altnames directory on the primary server. The presence of such a file increases the risk score, so it is recommended not to keep one unless it is needed. For more information, refer to the "Allowing a single client to perform redirected restores" topic in the NetBackup Security and Encryption Guide.
- Security level for certificate deployment
The NetBackup Security level for certificate deployment determines the checks that are performed before the NetBackup CA issues a certificate to a NetBackup host. It also determines how frequently the NetBackup Certificate Revocation List (CRL) is refreshed on the host.
Set 'Security level for certificate deployment' to 'High' or 'Very High'. A level of 'Medium' is considered a risk. For more information, refer to the "About NetBackup certificate deployment security levels" topic in the NetBackup Security and Encryption Guide.
- Percent of hosts with service user configured
This setting measures the percentage of active hosts* in the environment that are configured to run NetBackup services under a service user account.
If all active hosts in the NetBackup domain are configured with a non-privileged service user, the value is 100% and the setting is considered lower risk. For more information, refer to the "Configuring a service user account" topic in the NetBackup Security and Encryption Guide.
- Anomaly detection
To improve the score, configure backup anomaly detection. For more information, refer to the "Configure backup anomaly detection settings" topic in the NetBackup Security and Encryption Guide.
- Percent of servers with version [primary version] or later
This setting identifies the percentage of active hosts* (primary and media servers only) that run a NetBackup version equal to or later than the primary server's version.
The higher the percentage, the lower the risk score; upgrade these hosts to the primary server's version or later.
- Malware detection
To improve the score, configure the scan host pool for malware detection. For more information, refer to the "Malware scanning" topic in the NetBackup Security and Encryption Guide.
- Percent of other hosts with version [primary version] or later
This setting identifies the percentage of active hosts* (other than primary and media servers) that run a NetBackup version equal to or later than the primary server's version.
The higher the percentage, the lower the risk score; upgrade these hosts to the primary server's version or later.
Notes:
- NBOSVM (OpenStack) instances are not considered in the score calculation.
- WORM storage and Snapshot Manager hosts are considered in the risk score calculation.
- Trusted primary servers are considered clients of the domain.
- Storage servers configured on a host other than a media server are also counted among the other active hosts.
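The two version metrics and the host-classification notes above applied to a constructed inventory, as an added example that is not NetBackup code. The role names, the record layout, the seven-day active-host window from the footnote, and the placement of WORM storage and Snapshot Manager hosts in the "other hosts" group are assumptions for illustration; version strings are compared numerically and padded so that 11.0 and 11.0.0 compare as equal.

```python
# Added example: computes "Percent of servers with version [primary version] or
# later" and "Percent of other hosts with version [primary version] or later"
# from a constructed host inventory, following the notes above. Not NetBackup
# code; the role names and record layout are assumptions for illustration.
from datetime import datetime, timedelta

ACTIVE_WINDOW = timedelta(days=7)          # footnote: active = secure communication in the past 7 days
SERVER_ROLES = {"primary", "media"}        # scored under "servers"
EXCLUDED_ROLES = {"nbosvm"}                # NBOSVM (OpenStack) instances are not scored
# Every other active host is scored under "others": clients, trusted primary
# servers (treated as clients of this domain), storage servers on non-media
# hosts, and (assumed here) WORM storage and Snapshot Manager hosts.


def parse_version(text, width=4):
    """'11.0' -> (11, 0, 0, 0), so that '11.0' and '11.0.0' compare as equal."""
    parts = [int(p) for p in text.split(".")]
    if not 1 <= len(parts) <= width:
        raise ValueError(f"unexpected version string: {text!r}")
    return tuple(parts + [0] * (width - len(parts)))


def scored_hosts(hosts, now):
    """Yield (group, host) for the active hosts that take part in the calculation."""
    for h in hosts:
        if h["role"] in EXCLUDED_ROLES or now - h["last_secure_comm"] > ACTIVE_WINDOW:
            continue
        yield ("servers" if h["role"] in SERVER_ROLES else "others"), h


def version_percentages(primary_version, hosts, now):
    """Return {'servers': pct, 'others': pct}; None for a group with no active host."""
    target = parse_version(primary_version)
    results = {"servers": [], "others": []}
    for group, h in scored_hosts(hosts, now):
        results[group].append(parse_version(h["version"]) >= target)
    return {g: (round(100.0 * sum(ok) / len(ok), 2) if ok else None)
            for g, ok in results.items()}


def outdated_hosts(primary_version, hosts, now):
    """Names of scored hosts that still need an upgrade."""
    target = parse_version(primary_version)
    return sorted(h["name"] for _, h in scored_hosts(hosts, now)
                  if parse_version(h["version"]) < target)


NOW = datetime(2025, 1, 15)


def _host(name, role, version, days_since_secure_comm):
    return {"name": name, "role": role, "version": version,
            "last_secure_comm": NOW - timedelta(days=days_since_secure_comm)}


# Constructed sample inventory (not a real domain); the primary runs 11.0.
PRIMARY_VERSION = "11.0"
SAMPLE_HOSTS = [
    _host("primary01", "primary", "11.0", 0),
    _host("media01", "media", "11.0.0.1", 1),
    _host("media02", "media", "10.5", 2),
    _host("client01", "client", "11.0", 1),
    _host("client02", "client", "10.4.1", 3),
    _host("trustedprimary01", "trusted_primary", "11.0", 1),  # counted as a client
    _host("osthost01", "storage_server", "10.5", 2),           # storage server on a non-media host
    _host("nbosvm01", "nbosvm", "10.5", 1),                    # excluded from the score
    _host("client03", "client", "9.1", 20),                    # inactive: no secure comm in 7 days
]

if __name__ == "__main__":
    print(version_percentages(PRIMARY_VERSION, SAMPLE_HOSTS, NOW))
    print("upgrade needed:", outdated_hosts(PRIMARY_VERSION, SAMPLE_HOSTS, NOW))
```

Note that the inactive 9.1 client does not lower either percentage: a host that has not communicated securely for more than seven days drops out of the calculation altogether, so a low score points at hosts that are both behind on version and still in use.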
- CLI access to OS administrator
This setting displays whether 'CLI access for the operating system administrator' is enabled or disabled.
If the setting is disabled, the OS administrator must authenticate with 'bpnbat -login' before using the NetBackup CLI.
It is recommended to keep this setting 'Disabled'. For more information, refer to the "Disable command-line (CLI) access for operating system (OS) administrators" topic in the NetBackup Security and Encryption Guide.
- Web UI access to OS administrator
This setting displays whether 'Web UI access for the operating system administrator' is enabled or disabled.
If the setting is disabled, OS administrators get no implicit access and need an explicit RBAC role (for example, Administrator) to access the NetBackup web UI.
It is recommended to keep this setting 'Disabled'. For more information, refer to the "Disable web UI access for operating system (OS) administrators" topic in the NetBackup Security and Encryption Guide.
*active hosts: The security risk score is determined based on the active status of each host within the domain. A host is deemed active if it has participated in secure communication within the domain over the past seven days.
The following settings consider active hosts for calculation:
- Secure data-in-transit encryption (DTE)
- Service user configuration
- Percent of servers with version [primary version] or later
- Percent of other hosts with version [primary version] or later