cancel
Showing results for 
Search instead for 
Did you mean: 

Protect Your Backup Data from Ransomware with NetBackup Flex Scale’s Immutable Architecture

bkrieger
Moderator
Moderator
Employee

This blog is co-authored by: @AshwiniS

Ransomware is becoming a ubiquitous threat, and the need for data protection solutions to actively mitigate this threat is becoming an increasingly vital requirement. Organizations realize that they must protect their business-critical data against the threat of malicious alteration or removal.
 

That is where NetBackup Flex Scale 2.1 comes into play.  It provides multiple layers of protection for both your backup data and your backup infrastructure.  It includes immutable storage, widely known as WORM—Write Once Read Many storage—and then adds infrastructure protection with its lockdown mode.

Screen Shot 2021-12-16 at 1.11.49 PM.png

Lockdown mode is a core component of NetBackup Flex Scale’s immutable architecture. It means that in addition to providing WORM-based storage, the appliances hosting this storage in their distributed cluster move into a heightened security level to protect both data and storage infrastructure. 

The result is that even NetBackup administrators and those with access to the NetBackup Flex Scale appliance cluster cannot modify, encrypt, or delete storage accidentally or maliciously because WORM storage attributes prevent its alteration. Furthermore, other actions potentially destructive of data that could take place outside of the NetBackup domain infrastructure are also prevented when in lockdown mode: for instance, appliance administrators cannot assume elevated superuser privileges without the assistance and cooperation of Veritas Technical Support. The containerized infrastructure of NetBackup Flex Scale means that the process and storage namespace contexts these services run in are invisible to each other. Even when processes might share a container, SE Linux mandatory access controls and namespace isolation restrict the resources that they can access to the minimum amount necessary for operation. 

NetBackup Flex Scale offers two varieties of lockdown mode so that an organization can choose the appropriate strength. When running in compliance mode, no changes are possible to data in its retention period defined by a backup or storage lifecycle policy, and you cannot shorten the retention period even by appliance administrators or Veritas Support. Enterprise mode permits administrators with the backup administrator role to shorten retention settings by changing the retention lock duration; the system logs all such changes. 

Screen Shot 2021-12-16 at 1.07.33 PM.png

Entering lockdown mode is a simple and automated process. It can be performed during the initial deployment and configuration of NetBackup Flex Scale, or at any time post-deployment, either using the NetBackup Flex Scale UI or APIs. When entering lockdown mode, you can set the minimum and maximum permitted retention times, so that any backup or storage lifecycle policies that refer to WORM storage on the cluster must fall within this range. Lockdown Mode Features and Considerations 

NetBackup Flex Scale implements a cluster-based compliance clock that it refers to when determining whether a retention period on backup data has expired. An appliance administrator cannot change it, and it doesn’t refer to either system or network time (NTP). Even a powered-down cluster will resume the compliance clock countdown where it left off when returned to service.  

Once a cluster has entered lockdown mode, it cannot be exited as long as data is stored with an active retention period, nor can the lockdown mode be changed from Compliance lockdown mode to the less restrictive Enterprise version. However, a cluster in lockdown mode could become more restrictive by changing the lockdown mode Enterprise to Compliance. A cluster’s lockdown mode applies not only to appliances that are currently members of the cluster, but also to any appliances that are later added to it, and across NetBackup Flex Scale software upgrades (or even downgrades). 

Since appliances in lockdown mode have been security-hardened to restrict access to the underlying operating system and administrator accounts and to prevent potentially destructive actions like an administrator-initiated storage reset, NetBackup Flex Scale has implemented a One-Time Password (OTP) feature to unlock the superuser-level appliance commands that might be needed in a customer support context. The customer and Veritas Support can together generate an expiring one-time key to unlock this elevated access level, ensuring that any system-level activities may be closely supervised. 

Bear in mind that enabling lockdown mode and allowing the NetBackup Flex Scale storage server and disk pool to report that they are WORM-capable does not mean that a retention period is required for all data stored there. Naturally, any existing data will not have a retention period set, since the storage pool wasn’t enforcing one when it was originally stored. You can also create a non-WORM storage unit (STU) to coexist with the WORM-enabled STU in the same WORM-capable storage pool, and any data for which retention must not be set can be explicitly directed there in order to enforce this decision at a storage rather than at a policy level. 

Only the default, deployment-created STU will automatically enable WORM after switching to enterprise or compliance lockdown mode, and any other existing STUs will retain their default state of WORM retention not enabled, leaving their state up to the cluster’s storage administrators. 

NetBackup Flex Scale 2.1 has been hardened and improved not only from a software perspective of offering a solution to NetBackup workloads that need immutable and indelible storage as well as a scale-out deployment model, but also from the perspective of hardware, storage server, and platform security. In fact, it has passed regulatory compliance, such as: 

  • Securities and Exchange Commission (SEC) in 17 CFR § 240.17a-4(f), which regulates exchange members, brokers, or dealers 
  • Financial Industry Regulatory Authority (FINRA) Rule 4511(c), which defers to the format and media requirements of SEC Rule 17a-4(f) 
  • Commodity Futures Trading Commission (CFTC) in 17 CFR § 1.31(c)-(d), which regulates commodity futures trading 

To see some of these security features in action, check out this video.