Forum Discussion

John_Grovender
22 days ago

NetBackup 10.5 Greatly Expands Multi-Person Authorization (MPA) Features

Allowing legitimate “real” NetBackup users to get their jobs done while stopping “dummy” attacker users is critical. Therefore, the best data protection security is having top administrators be aware of any attempted or implemented changes to their environments. Version 10.5 greatly expands that awareness using new MPA features to control who changes what. To have that control, this release secures even more critical features so they can’t be used against you.

First, to get these great new features, make sure MPA is enabled and configured with the options you want. Access the Configure multi-person authorization options by selecting the Multi-person authorization section in the WebUI as shown below. You can limit how many features MPA controls. Key management is shown as an example.

Second, a number of MPA features are added with Release 10.5. Below is a brief tour of three that are sure to be the most popular. A list of the other new MPA features is at the end of this post.

API Key Operations

Enabling MPA with API protection in 10.5 guards end-user created API access key requests. In the WebUI, such requests generate a ticket that appears in the MPA approval queue. Requestors are given a ticket ID number and are reminded that approval is required, as shown below.

After the ticket is added to the MPA queue, its status is posted and updated as shown below. Here we see ticket ID 6 has been approved. Approval status and potential conflicts with other requests are cited.

Requestors and approvers can open the details of each request as shown below. Approvers can see exactly what changes are being proposed before approving the changes. They can also copy the proposed API key and changes to document them.

MPA operations are captured in the Security Events. Security teams can use these events to create a trace log of changes to the NetBackup domain. Each event can be opened to see what action(s) took place after approval as shown below.

 

EKMS Key Management Operations

Version 10.5 MPA also guards KMS installation and configuration/EKMS key management. Attempts to install and configure or modify KMS or key management options generate a ticket that must be approved before being committed as shown below.

Here, too, approvers can open the ticket containing the KMS installation/change(s) being requested and verify if it is a legitimate request as shown below. As before, they can copy this information for their own records. Legitimate requests can then be approved for implementation.

 

NetBackup Key Generation Operations

Creating additional EMS keys for existing KMS servers is also protected. Like the other operations shown above, creating KMS keys generates a ticket that must be approved. As before, approvers can open the ticket containing the changes/key request and verify if it is a legitimate request as shown below. They can copy this request information here, too.

 

Other MPA-Protected Operations Starting in 10.5

There are a number of other new MPA features in this release. All of these features operate similarly to those highlighted above. The new features already mentioned, and the others, are as follows:

WebUI Security Settings

  • Changing the DR passphrase
  • Adding and removing a trusted master
  • Revoking existing and generating new NetBackup certificates
  • Changing global security settings
  • Adding and deleting security tokens
  • Adding and deleting host mappings, attributes, and allowing auto-reissues

Command Line Functions

  • Adding, deleting, and modifying encryption and key management using the nbkms command
  • Adding, deleting, and modifying the priority of EKMS server settings
  • External Certificate Authority (ECA) configuration (previously only possible through the WebUI)
  • API End-user generated encryption (KMS) keys

Each new release will add even more MPA features. But upgrade to NetBackup 10.5 to greatly expand your decision-making security today.
