NetBackup 10.3+ MFA Container Logins and MPA Destructive Action Control
Take advantage of the new Flex and Flex Scale security tools now available in NetBackup 10.3+. Flex and Flex Scale appliances use NetBackup application containers/instances. And, like every other part of NetBackup, Flex and its containers need a multi-factor authentication (MFA) option to secure all application and shell attack points from outsider (non-authenticated user) attacks. NetBackup release 10.3+ offers this feature. This feature is supported for the following NetBackup application containers on Flex Appliance and Flex Scale platforms:
- Primary servers
- Media servers
- MSDP WORM storage
Administrators will be happy to know they can still run NetBackup scripts almost identically to how they always have. MFA allows scripts to run commands, but script executions are bound to specific users/roles via API keys. So, administrators use MFA to get into FLEX, and NBU API secrets to get into instances with scripts. In fact, no matter how a user gets access to NetBackup (local console, SAML, LDAP, SSSD, AD, etc.) all logins are MFA of some type. Unique external proof of identity is always required for all logins.
MFA protection should not be confused with multi-person authorization (MPA). MPA is used to deter malicious insider (legitimately authenticated user) attacks, and is a new feature of 10.3+. MPA requires requested destructive actions (such as larges amounts of image deletions) by lower-authority roles be allowed by higher-authority roles within a pre-defined time window. MFA does not require MPA be active, but MPA does require MFA users who have successfully authenticated.
Be sure to check out the new MPA and MFA options in NetBackup 10.3+ to maximize your data protection domain security. Minimizing login and action risks is minimizing recovery time.