Improving Your Security Posture with Lockdown Mode & Immutability


If you have not already read the first blog in this series, I recommend checking out "Improving Your Security Posture with Multi-Factor Authentication | Veritas", where we looked at the risks associated with not enabling Multi-Factor Authentication (MFA). Having a digital identity and access control strategy, which includes phishing-resistant MFA, provides peace of mind knowing that only approved personnel access your company's data and applications.

The next step in adopting an access management strategy is to ensure that only authorized personnel can access or modify the underlying Operating Systems. This has two benefits: bad actors cannot take control of your systems, and it reduces human errors.

You might not have contemplated this, but human error strongly contributes to cyber security mistakes and data loss. Stanford University and Tessian researchers found that approximately 88% of all data breaches are caused by an employee mistake. Rather than getting bogged down in who to blame for cyber security mistakes, we can instead focus on ways to reduce errors and configuration drift, such as reducing the ability to make changes.

Veritas Lockdown Mode

Veritas took a very different approach to designing immutable storage than competing solutions. It was clear we had to lock down the potential interfaces that either an attacker or a well-intentioned administrator might use to delete the data. We chose to leapfrog typical monolithic design patterns and deliver the functionality with microservices and containers. As we did that, we wanted to maintain independence between the control plane for administrative functionality and the data plane, so that we could easily separate responsibilities and duties. These two choices gave us a composable architecture in which we could create authentication and authorization boundaries at a service or process level, establishing zero trust between software components at a fundamental level. This also enabled a number of other benefits, including multi-tenancy with support for multiple versions on the same system, ridiculously fast upgrades, and simple interfaces with other storage vendors in the cloud or on-premises.

The complication was how to enable rare administrative or support procedures in a way that would keep the data secure. To accomplish that, we added a unique access mechanism in which the customer and Veritas support exchange a one-time, time-limited token that enables a user to make changes in a way that is auditable and protects the user from error. This innovation is known as “Lockdown” mode. Availability of this interface requires quorum approval, meaning your NetBackup administrator and Veritas must agree. This prevents unauthorized changes even if a bad actor or disgruntled employee stole credentials and bypassed Multi-Factor Authentication (MFA).
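The pattern described above (a one-time, time-limited token that is only honored when two parties approve, with every attempt logged) can be sketched as follows. This is an added illustration, not Veritas code or the actual Lockdown mode protocol: the `LockdownGate` class, the role names, the 900-second lifetime and the use of shared-secret HMACs in place of real signatures are all assumptions.

```python
import hashlib
import hmac
import secrets


def approve(key: bytes, challenge: str) -> str:
    """One party's approval: an HMAC over the appliance-issued challenge."""
    return hmac.new(key, challenge.encode(), hashlib.sha256).hexdigest()


class LockdownGate:
    """Hypothetical appliance-side gate; names and TTL are assumptions."""

    REQUIRED = ("admin", "vendor")  # both parties must approve (quorum)

    def __init__(self, keys: dict, ttl_seconds: int = 900):
        self.keys = keys            # role -> shared secret (simplification)
        self.ttl = ttl_seconds
        self.pending = {}           # challenge -> time issued
        self.audit = []             # (time, challenge, outcome)

    def new_challenge(self, now: float) -> str:
        challenge = secrets.token_hex(16)
        self.pending[challenge] = now
        self.audit.append((now, challenge, "issued"))
        return challenge

    def redeem(self, challenge: str, approvals: dict, now: float) -> bool:
        # pop() makes every challenge single-use, even when redemption fails.
        issued = self.pending.pop(challenge, None)
        if issued is None:
            outcome = "unknown_or_reused"
        elif now - issued > self.ttl:
            outcome = "expired"
        elif not all(
            hmac.compare_digest(approvals.get(role, ""), approve(self.keys[role], challenge))
            for role in self.REQUIRED
        ):
            outcome = "quorum_not_met"
        else:
            outcome = "granted"
        self.audit.append((now, challenge, outcome))
        return outcome == "granted"


if __name__ == "__main__":
    keys = {"admin": b"constructed-admin-key", "vendor": b"constructed-vendor-key"}
    gate = LockdownGate(keys)
    c = gate.new_challenge(now=0)
    both = {role: approve(key, c) for role, key in keys.items()}
    print(gate.redeem(c, both, now=60), gate.redeem(c, both, now=61))  # second is a replay
```

The audit list records refused attempts as well as granted ones, which is what makes a stolen administrator credential visible: it produces `quorum_not_met` entries rather than access.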

Since we introduced it at the same time as immutability, many people didn’t realize that Lockdown mode can be used without immutability, although the reverse is not true—Immutability requires Lockdown mode. 

Enabling Lockdown Mode

How to enable lockdown mode

Access codes enable non-RBAC users to administer NetBackup using CLI.

Immutability 

Now that you have MFA and Lockdown to limit access to your systems, one of the best ways to safeguard your data is to implement immutable and indelible storage, ensuring data cannot be changed, encrypted, or deleted for a determined length of time (or at all). With the increasing ransomware threat holding data ransom, this is a crucial step in improving your data posture.

NetBackup Flex Appliances, NetBackup Flex Scale and NetBackup Access Appliances provide secure and tamper-resistant immutable and indelible storage, preventing data backups from being tampered with or from unauthorized access, which is vital to an effective and rapid recovery strategy. Veritas also offers the ability to immutably store data in the cloud on object storage, including our own Alta Recovery Vault and with 3rd party Open Storage Technology (OST) vendors. 

Veritas recommends an updated strategy for backups. In the past we recommended a 3-2-1 strategy: three copies of data, two on site on different media, and one copy offsite. The current rise in cyber threats calls for adding an extra "1", creating a 3-2-1+1 strategy: three copies of data, two on site on different media, one copy offsite and one copy that is immutable. Learn more about the top reasons to implement this strategy from Veritas Cloud Advocate, Demetrius Malbrough: Top 4 Reasons to Implement a 3-2-1 Backup Strategy | Veritas, or check out the latest Veritas L!VE episode with Hai Nguyen, Senior Director of Product Management: Veritas L!VE: Business Resiliency with 3-2-1 Backup Strategy – YouTube.

Veritas Alta Recovery Vault has another benefit compared to procuring your own cloud storage. It creates a separation of duties where the administration of the storage is managed by Veritas, providing you another layer of isolation from attack. It doesn’t matter if all your credentials and MFA systems were compromised; you still can’t delete Recovery Vault storage.

Enabling Lockdown Mode and Immutability is an important step in your cybersecurity strategy. If you are currently a Veritas customer, be sure your appliances are locked to prevent unauthorized access or modification, and check out our other tips for cybersecurity: The Seven-Step Checklist to Secure Backup Data (veritas.com)

Tim Burlowski
Global Lead Cyber Resilience and Data Protection Strategy