VOX

As a Sheltered Harbor Alliance partner, we have adapted our leading isolated recovery environment solution to meet the data vaulting and resiliency needs of Sheltered Harbor Participating financial institutions.

Sheltered Harbor is a non-profit organization, and the financial industries standards setting and certification body for cyber resilience. These cyber resilience standards developed to protect public confidence in the U.S. financial system if a devastating event like a cyber-attack causes an institution’s critical systems, and their backups, to fail. Implementing these standards ensures a financial institution remains connected with their customers, providing them access to their account balances and funds within 24 hours of an extreme cyber, data corruption or data deletion event. Our partnership with Sheltered Harbor gives our financial services customers that extra layer of protection and confidence that their critical data is protected and can be rapidly recovered after a devasting attack.

As an organization, Sheltered Harbor is responsible for the development, refinement and promotion of the financial industry’s purpose-built resilience standards, provides implementation support for financial institutions of all types and sizes and ensures adherence through independent audits and awarding certifications.  Data vaulting ensures that critical financial data is off-site, separated from the existing data protection, and in an immutable format. Sheltered Harbor resiliency plans ensure a financial institution has established all the processes, mechanisms, and people it needs to quickly recover from a crisis, during a disaster event.

To activate the Sheltered Harbor functionality, you must be an existing Sheltered Harbor Participant with a license file, registration ID, and institution ID ready to deploy on the NetBackup 10.2 or later client.  All configuration is performed on specific clients that have financial data to be protected by Sheltered Harbor, and in the correct Sheltered Harbor format.

Additionally, Sheltered Harbor requires an external Key Management Server (KMS), either a third party KMS solution on-premises, or cloud based KMS.  NetBackup KMS cannot be used for this solution. However, multiple KMS configurations can exist within a single NetBackup Primary Server if the same external KMS solution is used for both Sheltered Harbor and NetBackup.  The KMS configuration also requires a Sheltered Harbor CA certificate file. Here’s an example command sequence to configure KMS.  Your specific paths and key entries will vary from this example:

Enter the KMS Server name:  KMS_1.subkms.somedomain.com
Enter the KMIP port [5696 is default]:
Enter the absolute path of certificate file: /root/sh_files/kms_server_files/Certificate.pem
Enter the absolute path of private key file: /root/sh_files/kms_server_files/key.pem
Enter the absolute path of CA certificate file: /root/sh_files/kms_server_files/ca.pemEnter the envelope private encryption key ID: <key ID>
Enter the envelope private sign key ID: <key ID>
Enter the envelope public sign key ID: <key ID>
Configuration is saved successfully
The requested operation was successfully completed

During backup, data is encrypted and stored in an immutable NetBackup storage unit that is either a cloud-based vault such as Veritas Alta™ Recovery Vault, or an air-gapped vault.  The data is encrypted using the Sheltered Harbor standard format and a data encryption key (DEK) is further encrypted by KMS. Sheltered Harbor encryption keys never leave KMS boundaries. Concurrently, the configuration is linked with the Sheltered Harbor Monitoring Log, providing attestation (successful storage confirmation) for independent auditing.  Here’s an example of the backup process using the nbshvault (NetBackup Sheltered Harbor) command:

[root@server]# nbshvault -b
This command backs up the data as per the Sheltered Harbor compliance specifications.  Do you want to continue? [y/n] (y)
Enter the institution ID provided by the Sheltered Harbor: <Institution ID>
Enter the input storage path: /<Storage Path>
Enter the transfer storage path: /<Transfer Storage Path>
The solution is already configured.  Do you want to provide separate configuration for this backup operation? [y/n] (n)
Starting backup workflow
Performing license validation.
License validation is successful.
Checking for any latest pending image for attestation
No latest pending image found for attestation
Local copy of encrypted volume has been made, waiting for replication to Cyber Resilient Domain…
The replication to Cyber Resilient Domain is done, waiting for image to be imported there…….
Backup operation is successful.
The request operation was successfully completed.
[root@server]#

During a recovery, the data is decrypted from recovery storage using the same KMS solution and restored to the user-defined path.  Ensure the KMS solution is online and communicating during backup and recovery.

Customer financial data remains secure with this added layer of protection.  As a financial institution, enhance your Sheltered Harbor experience with trusted data protection using NetBackup.

To learn more about Sheltered Harbor, please visit: https://shelteredharbor.org.