
NetBackup 10.4 MPA and MFA Enhancements --- Modern Security for Modern Times



NetBackup 10.4 has been enhanced with key new multi-factor and multi-person authorization (MFA/MPA) features. These features help users keep up with the ever-evolving security threats to data recovery systems. Hackers have made it clear they’re coming for an organization’s data protection systems first, then laying waste to everything else. Version 10.4 makes that a lot harder with these new features.

MPA Enhancements

NetBackup 10.3 introduced MPA protection for irreversible, data-destructive actions. Version 10.4 expands MPA to protect global security settings, image hold operations, and WORM options, and it now captures and displays the API communications payload for MPA tickets. For example, a ticket shows who requested an action (created an MPA ticket) and if the requestor has had rejected tickets. As a result of these MPA expansions, the following actions will now require MPA and prompt corresponding notifications in the MPA ticket system:

  • MSDP WORM configuration changes
  • Global Security setting changes
  • Legal holds on Images
  • Guard audit-related configuration changes
  • MPA tickets now show the differences between the previous and proposed state of changes being requested, as well as suspicious user activity. This helps MPA approvers decide if proposed changes should be authorized. For example, "User does not exist in this domain," or "This user's account is locked out"
  • Show a notification when no users have been assigned to the MPA Approver role, yet tickets are waiting
  • Identify ticket resolution conflicts if different decision outcomes are obtained from more than one MPA approver
  • On Flex systems, users can no longer delete instances without re-authorizing through MPA

Please see my other VOX posting for more detailed information on how MPA is enhanced for WORM and MSDP operations:

NetBackup 10.3+ MFA Container Logins and MPA Destructive Action Control

MFA Enhancements

An existing user's Web UI session might be hacked if the end user's browser is compromised. To prevent the exploitation of a hacked browser session, an additional MFA prompt is presented when performing critical (image or platform-specific) operations. The user cannot continue or complete the change until they re-authorize with MFA. This adds a layer of security by forcing the legitimate user to enter their one-time PIN (OTP) code again to validate their identity.
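
The re-authorization check described above can be modeled as follows. This is an added example, not NetBackup code and not from the original post: the operation names, `Session`, and `perform` are hypothetical, and the OTP is assumed to be RFC 6238 TOTP, which the post does not specify.

```python
import hashlib
import hmac
import struct

STEP = 30  # TOTP time step in seconds (RFC 6238 default)
# Hypothetical names for operations that require a fresh MFA prompt.
CRITICAL_OPS = {"expire_image", "change_worm_config"}

def totp(secret: bytes, now: float, digits: int = 6) -> str:
    """RFC 6238 TOTP (HMAC-SHA1) for the time step containing `now`."""
    counter = struct.pack(">Q", int(now) // STEP)
    mac = hmac.new(secret, counter, hashlib.sha1).digest()
    offset = mac[-1] & 0x0F  # dynamic truncation, RFC 4226 section 5.3
    code = struct.unpack(">I", mac[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % 10 ** digits).zfill(digits)

class Session:
    """A logged-in Web UI session. Holding it is not enough for critical operations."""

    def __init__(self, user: str, secret: bytes):
        self.user = user
        self._secret = secret
        self._last_step = -1  # last accepted time step, used to reject OTP replay

    def verify_otp(self, otp: str, now: float) -> bool:
        step = int(now) // STEP
        if step <= self._last_step:
            return False  # a code from this step was already consumed
        expected = totp(self._secret, now)
        if not hmac.compare_digest(otp.encode(), expected.encode()):
            return False
        self._last_step = step
        return True

def perform(session: Session, op: str, now: float, otp: str = None) -> str:
    """Gate critical operations behind a fresh OTP, even inside a valid session."""
    if op not in CRITICAL_OPS:
        return "done"
    if otp is None:
        return "mfa_required"  # the UI would show the additional MFA prompt here
    if not session.verify_otp(otp, now):
        return "denied"
    return "done"
```

Because each accepted code is consumed, an attacker who rides a stolen session and replays an OTP observed earlier in the same time step is still denied.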