Security; Authentication; Authorization - VERITAS NetBackup White Paper

Security

Storage management applications have often been characterized as the biggest security loophole in a secure data
environment. Once the data leaves the confines of the physical system environment by way of a backup or data migration,
the data security policies and procedures often do not follow.

NetBackup addresses security concerns in the enterprise storage management environment by providing customers with a
wide range of security options. These include authentication, authorization, data encryption, and auditing. Each can be
tailored to meet a customer's specific needs. Data can be encrypted before it is sent across the network and/or before it is
stored on tape.

Authentication

VERITAS NetBackup authenticates via a peer-to-peer protocol between NetBackup master servers, remote servers, and clients
to validate that systems are who they say they are and to protect against "spoofing." Authentication takes place after a
NetBackup connection has been established but before any NetBackup transactions have taken place.

For NetBackup, the standard authentication method is a one-time password (challenge/response) mechanism based on the
U.S. Navy's OPIE protocol. The one-time password method was chosen for NetBackup authentication because it is secure,
portable, and exportable.
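
A simplified sketch of the hash-chain one-time password exchange used by OPIE-style systems (RFC 2289), added here as an illustration and not NetBackup's own code. It assumes SHA-256 without RFC 2289's 64-bit folding or word encoding; the names `Verifier`, `respond` and `chain` and the seed and passphrase values are constructed for the example.

```python
import hashlib
import hmac

def chain(seed, passphrase, count):
    """Hash seed+passphrase once, then re-hash the result `count` times."""
    value = hashlib.sha256((seed + passphrase).encode()).digest()
    for _ in range(count):
        value = hashlib.sha256(value).digest()
    return value

class Verifier:
    """Server-side state for one peer; the passphrase itself is never stored."""
    def __init__(self, seed, passphrase, count):
        self.seed = seed
        self.seq = count                      # position of the stored chain value
        self.last = chain(seed, passphrase, count)

    def challenge(self):
        """Return (sequence number, seed) for the peer to answer."""
        if self.seq <= 0:
            raise RuntimeError("chain exhausted; enrol again with a new seed")
        return self.seq - 1, self.seed

    def verify(self, response):
        """Accept only if hashing the response once gives the stored value."""
        if self.seq <= 0:
            return False
        ok = hmac.compare_digest(hashlib.sha256(response).digest(), self.last)
        if ok:                                # advance so this response cannot be replayed
            self.last, self.seq = response, self.seq - 1
        return ok

def respond(challenge, passphrase):
    """Peer side: compute the one-time password for this challenge."""
    seq, seed = challenge
    return chain(seed, passphrase, seq)

def demo():
    secret = "constructed passphrase"         # constructed sample values
    server = Verifier("nb0001", secret, 5)
    first = respond(server.challenge(), secret)
    return {
        "valid": server.verify(first),
        "replayed": server.verify(first),
        "wrong_secret": server.verify(respond(server.challenge(), "guess")),
        "next_login": server.verify(respond(server.challenge(), secret)),
    }

if __name__ == "__main__":
    print(demo())
```

A captured response is useless on a later connection because the verifier has already moved one step down the chain, and the stored value cannot be inverted to produce the next response.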

Authorization

VERITAS NetBackup protects data from unauthorized access through the use of secure client hosts to restrict client-server
communications, and through administrator-imposed restrictions on restore operations.

Users do not have direct access to the volumes containing their backed-up files and cannot choose their own media
volumes. The VERITAS NetBackup server, not the user, chooses the secondary storage media. In addition, Media Manager
only allows VERITAS NetBackup to have access to these volumes, and imposes access control to protect the backed-up files
from unauthorized viewing or use by other applications.

Under normal conditions, VERITAS NetBackup prohibits users from either viewing or restoring other people's files. By default,
VERITAS NetBackup enforces normal file viewing and restoration restrictions in which client users may view or restore only
those files that they personally backed up or archived from that client.

Administrators, however, have the flexibility to modify these restrictions to meet special site requirements. The administrator
may relax file access restrictions by giving designated clients on a server access to backup or archive images created on any
other designated clients. For minimum security, the administrator can disable all restrictions, permitting access by any client.

www.veritas.com
VERITAS NetBackup Release 3.4 Technical Overview
Page 31
