Veritas Solution Guide for Sheltered Harbor
Archive data vaulting to Air-gapped Cyber Resilient Domain (CRD)
In this process, the selected data is backed up and replicated to the Cyber Resilient Domain (CRD), and the original files are left on the source. To start the data vaulting operation, a backup policy that uses a storage lifecycle policy (SLP) with an IRE-capable storage unit must be configured on the production NetBackup primary server.
When you start the data vaulting operation, the NetBackup client software on your computer sends the data to be backed up to the NetBackup media server that runs in the production domain. That media server then replicates it to the media server that runs in the CRD domain, and it is subsequently imported into the CRD NetBackup primary server. This process ensures that a copy is created on immutable storage that resides in the CRD domain and is completely isolated from the production domain.
After a copy of the data is created in the immutable storage, the Sheltered Harbor solution sends an attestation message to the Sheltered Harbor monitoring log.
Note:
The Sheltered Harbor solution requires outbound connections to be open from the CRD primary server to the production primary server so that import notification works.
The import notification is sent to the production domain to indicate that the copy of the SLP images is complete in the CRD domain.
The Sheltered Harbor solution on the NetBackup client initiates the backup of encrypted data. The following diagram depicts the process of data vaulting to the CRD domain:
The process flow is as follows:
- Input storage: The input storage includes the manifest, account data files, and corresponding hash files that originate from the institution. At this stage, the Sheltered Harbor solution extracts the input data and processes it further for input data validation.
Here, it generates an archive volume and encrypts it using the data encryption key. It also generates the secure envelope that stores the cryptographic material used for the encryption.
- External or cloud provider KMS: The Sheltered Harbor solution encrypts the input storage data using a data encryption key (DEK), and this DEK is further encrypted with the help of a configured premises KMS. This ensures that the encryption/decryption keys do not leave the KMS boundaries. If a cloud KMS is not configured, you can use an on-premises KMS.
- Transfer storage: The input data files are compressed and encrypted to generate encrypted archive volumes and are stored in the transfer storage.
- Backup in production domain: The encrypted archive volumes, along with the secure envelope, are first backed up on a production MSDP storage unit. A unique keyword is generated and used during backup. This keyword identifies the backup image during restore, and it can be seen using the --report command option. For example, an 'SH-<random number>' keyword is generated during backup and is then used in the BAR UI to see the backup files.
Note:
The backup operation runs successfully even if IRE import notification is not configured.
- Air gap: The air gap restricts network access to data stored on the MSDP server running in the CRD domain, except during the time frame when replication occurs from the production MSDP server to the CRD MSDP server. Once the encrypted archive volumes, along with the secure envelope, are backed up in the production domain, NetBackup initiates replication of that backup image only when the logical air gap is closed.
- Import in CRD domain: Once the image is replicated to the CRD domain, the import operation imports the image in the CRD domain, ensuring that a copy of the encrypted archive volumes and secure envelope is made on immutable storage in the CRD domain. After a successful import, a notification is sent to the production primary server.
- Sheltered Harbor monitoring log: The Sheltered Harbor solution keeps polling for the import notification from the CRD domain. Once it receives that notification, an attestation message is sent to the Sheltered Harbor monitoring log as proof of successful completion of the daily data vaulting process.
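
The DEK and KMS steps in the flow above follow the envelope-encryption pattern: the archive volume is encrypted under a DEK, and only a KMS-wrapped copy of that DEK travels in the secure envelope. The following Node.js code is an added example, not Veritas code; `createKms`, `encryptVolume`, `decryptVolume`, the AES-256-GCM choice, the blob layout and the envelope fields are all assumptions, and an in-process object stands in for the external KMS.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require("crypto");

// AES-256-GCM; assumed blob layout: nonce (12) || auth tag (16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, nonce);
  c.setAAD(Buffer.from(aad));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// Reverse of seal; final() throws if key, aad, tag or ciphertext do not match.
function unseal(key, blob, aad) {
  if (blob.length < 28) throw new Error("blob too short");
  const d = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(aad));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Hypothetical stand-in for the KMS: the key-encryption key (KEK) exists only
// inside this closure, so callers can wrap and unwrap DEKs but never read it.
function createKms() {
  const kek = randomBytes(32);
  return {
    wrap: (dek, aad) => seal(kek, dek, aad),
    unwrap: (blob, aad) => unseal(kek, blob, aad),
  };
}

// Encrypt one archive volume under a fresh DEK. The envelope holds only the
// wrapped DEK, bound to the volume ID through the GCM associated data.
function encryptVolume(kms, volumeId, data) {
  const dek = randomBytes(32);
  const ciphertext = seal(dek, data, volumeId);
  const wrappedDek = kms.wrap(dek, volumeId).toString("base64");
  dek.fill(0); // best-effort wipe of the plaintext DEK
  return { envelope: { volumeId, wrappedDek }, ciphertext };
}

// Restore path: unwrap the DEK through the KMS, then open the volume.
function decryptVolume(kms, envelope, ciphertext) {
  const dek = kms.unwrap(Buffer.from(envelope.wrappedDek, "base64"), envelope.volumeId);
  try {
    return unseal(dek, ciphertext, envelope.volumeId);
  } finally {
    dek.fill(0);
  }
}
```

Because the volume ID is authenticated in both layers, an envelope copied onto a different volume, a modified ciphertext, or an unwrap attempt against a different KMS key all fail at decryption rather than yielding data.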