Flexible Security and Efficient Appliance Management with NetBackup Flex 5

July 15, 2024

In December 2024 Veritas released version 4 of the Flex operating environment for Flex appliances, which included significant security, availability and functionality features. Now, six months later, we offer another substantially enhanced version of Flex. With a growing number of customers deploying large numbers of appliances, fleet management has been simplified. Customers can use a dedicated API management account (a service account), and they can automate appliance administration without calling the login API by creating personal access tokens. Flex 5 also offers new user roles for more granular security, adds user session management and extends appliance monitoring options.

Granular Security

Role Based Access Control (RBAC) simplifies management of user privileges. In Flex 5 we introduce the observer role for users requiring read-only appliance access. By default, every new local user account has the observer role automatically assigned. Moreover, a user account with the observer role can be easily promoted by adding the administrator role, the security administrator role, or both.

Flexing user management further, we also added three new extended roles: application operator, security observer and support.

The application operator extended role grants the ability to start, stop and relocate application instances. It can be assigned to users with the observer role.

The security observer extended role extends the administrator and observer roles with the ability to view the appliance’s security information.

The support extended role allows management of diagnostic data such as appliance logs. This role can also be assigned to the base security administrator and observer roles.

See Figure 1 for the possible assignments of the extended roles.

Figure 1. Flex base and extended roles with possible assignments

User Session Management

Another new Flex 5 feature permits appliance users to check and, if necessary, terminate their own Web UI and API sessions. The ability to monitor active sessions may assist in early detection of a breach of appliance security. A user with the security administrator role can also view and disconnect other users’ console and API sessions. See Figure 2.

Figure 2. User session management

Appliance Management and Automation

Flex appliances include a simple and elegant Web UI; nevertheless, for customers with a large number of appliances, automating management tasks without console login is a must. With Flex 5 we are augmenting the REST API with more options to simplify appliance management and automation. Customers can create a dedicated service account for API-based appliance management and generate a personal token for every appliance local account.

Service Account

A service account is intended strictly for API-based appliance management; console login is not possible. The service account is created by converting an existing user account, and all privileges are automatically inherited from the source user account. During the conversion a maximum time-to-live (TTL) for the service account’s access token must be defined. By controlling and limiting the token’s TTL, it is possible to request short-lived tokens, lowering the security risks associated with appliance management. The service account access token is not tracked or managed by the appliance, and it cannot be revoked.

Personal Token

For customers with enforced multifactor authentication (MFA), using a service account, which requires the login API, can be cumbersome and complex to implement. Every local user can generate and manage their own personal token. Like the service account token, this token inherits the account’s privileges; unlike the service account token, however, the token owner has full token management and tracking capabilities, such as setting and changing the time-to-live and revoking the token. Possession of the token is the only requirement to access the appliance, which eliminates the need for the login API and consequently the MFA time-based one-time password. This approach permits management of multiple appliances via API from a single location. There can be only one personal token per user account.
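The fleet automation pattern described above, as an added example that is not Veritas code: each appliance gets its own personal token, the token is the only credential presented (no login API, no TOTP), and a rejected or missing token on one appliance is recorded without stopping the rest of the run. The REST path `/api/appliance/summary`, the `FLEX_TOKEN_<HOST>` environment variable convention and the `demo_fetch` transport are all constructed placeholders, not documented Flex interfaces.

```python
"""Added example (not Veritas code): query a fleet of Flex appliances using
per-appliance personal tokens, with no login API call.

Assumptions, all hypothetical: the endpoint path SUMMARY_PATH is a
placeholder, tokens arrive through environment variables named
FLEX_TOKEN_<HOST>, and the transport is injectable so the logic runs offline.
"""
import json
import os
import ssl
import urllib.error
import urllib.request
from typing import Callable, Dict, Tuple

SUMMARY_PATH = "/api/appliance/summary"  # placeholder, not a documented Flex endpoint


def token_for(appliance: str, env=os.environ) -> str:
    """Look up the personal token for one appliance; fail closed if it is missing."""
    key = "FLEX_TOKEN_" + appliance.replace("-", "_").replace(".", "_").upper()
    token = env.get(key, "").strip()
    if not token:
        raise KeyError(f"no personal token for {appliance} (expected {key})")
    return token


def auth_headers(token: str) -> Dict[str, str]:
    # Possession of the personal token is the whole credential: no login
    # call, no MFA one-time password, just the Bearer header on every request.
    return {"Authorization": f"Bearer {token}", "Accept": "application/json"}


def https_fetch(appliance: str, path: str, headers: Dict[str, str]) -> Tuple[int, dict]:
    """Real transport: one HTTPS GET against the appliance. Returns (status, body)."""
    req = urllib.request.Request(f"https://{appliance}{path}", headers=headers)
    ctx = ssl.create_default_context()  # verify the appliance certificate
    try:
        with urllib.request.urlopen(req, context=ctx, timeout=30) as resp:
            return resp.status, json.load(resp)
    except urllib.error.HTTPError as err:
        return err.code, {}


def collect_fleet(appliances, fetch: Callable = https_fetch, env=os.environ) -> Dict[str, dict]:
    """Query every appliance once. A failure on one appliance (revoked or
    expired token, no token configured) is recorded and does not abort the rest."""
    results = {}
    for host in appliances:
        try:
            status, body = fetch(host, SUMMARY_PATH, auth_headers(token_for(host, env)))
        except KeyError as err:
            results[host] = {"ok": False, "error": str(err)}
            continue
        if status == 401:
            # The personal token was revoked or its TTL elapsed: rotate it on
            # that appliance; automation must never fall back to interactive login.
            results[host] = {"ok": False, "error": "token rejected (revoked or expired)"}
        elif status != 200:
            results[host] = {"ok": False, "error": f"HTTP {status}"}
        else:
            results[host] = {"ok": True, "data": body}
    return results


# Constructed offline stand-in for https_fetch: accepts only the constructed
# token for flex-a.example and answers 401 for everything else.
def demo_fetch(host: str, path: str, headers: Dict[str, str]) -> Tuple[int, dict]:
    if path == SUMMARY_PATH and headers.get("Authorization") == "Bearer tokA-constructed":
        return 200, {"host": host, "state": "healthy"}
    return 401, {}


DEMO_ENV = {  # constructed sample tokens; a real token never belongs in source
    "FLEX_TOKEN_FLEX_A_EXAMPLE": "tokA-constructed",
    "FLEX_TOKEN_FLEX_B_EXAMPLE": "tokB-constructed",
}

if __name__ == "__main__":
    fleet = ["flex-a.example", "flex-b.example", "flex-c.example"]
    for host, outcome in collect_fleet(fleet, demo_fetch, DEMO_ENV).items():
        print(host, outcome)
```

The transport is injected so the decision logic can be exercised without an appliance; in production `collect_fleet` is called with the default `https_fetch`, and the per-appliance token files or variables are provisioned by whatever secrets store the automation host already uses.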

REST API

To further streamline appliance management, we also augmented and grouped existing APIs into ‘uber’ APIs. These ‘uber’ APIs provide a convenient means of obtaining more data with a single call, eliminating the need for multiple calls and resulting in lower appliance load. The more granular APIs have also been retained, and in some cases additional ones have been developed.

Monitoring

Flex appliances have self-monitoring and data collection capability provided by an internal, containerized instance of the Prometheus server. Resource constraints limit the maximum data retention time to 30 days and the volume of saved data. On busy appliances the retention period can be even shorter once the allocated disk space is exhausted. Previously, bearer token authentication was not supported, which prevented customers from connecting the appliance to Prometheus federation. Prometheus federation allows time series data from one Prometheus server to be copied to another Prometheus server. Starting in Flex 5, bearer token authentication is supported, and customers can build their own server and decide from which appliances to collect data, how much, and how long to retain it, without the appliance’s disk space and time limitations.
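An added example of the federation setup just described, written here and not taken from Veritas or the Prometheus project: it generates the scrape jobs a customer-run Prometheus server needs to pull from several appliances with bearer token authentication, and checks each job for the two mistakes that matter most (a token written inline in the configuration, and a non-TLS scheme that would expose it). The host names and token file paths are placeholders; the `/federate` path, `honor_labels`, `match[]` and `authorization.credentials_file` fields are standard Prometheus configuration.

```python
"""Added example, not Veritas or Prometheus project code: generate the scrape
jobs a customer-run Prometheus server uses to federate from Flex 5 appliances
with bearer token authentication.

Assumptions, all hypothetical: appliances serve the standard /federate path on
TCP 443, and each appliance's bearer token sits in a file readable only by the
Prometheus process. Output is JSON, which the Prometheus YAML loader accepts.
"""
import json
from typing import Dict, List, Optional

DEFAULT_MATCH = ['{job!=""}']  # federate every series; narrow this in practice


def federation_job(host: str, token_file: str, match: Optional[List[str]] = None) -> dict:
    """Build one scrape_config entry for one appliance."""
    if not host or not token_file:
        raise ValueError("host and token_file are required")
    return {
        "job_name": f"flex-federate-{host}",
        "scheme": "https",
        "metrics_path": "/federate",
        # Keep the job/instance labels the appliance assigned rather than
        # overwriting them with the federating server's own.
        "honor_labels": True,
        "params": {"match[]": list(match or DEFAULT_MATCH)},
        # Reference the token by file so the secret never lives in the config.
        "authorization": {"type": "Bearer", "credentials_file": token_file},
        "static_configs": [{"targets": [f"{host}:443"], "labels": {"appliance": host}}],
    }


def check_job(job: dict) -> List[str]:
    """Return the problems found in a scrape job (an empty list means clean)."""
    problems = []
    if job.get("scheme") != "https":
        problems.append("scheme must be https: the bearer token would travel in clear text")
    auth = job.get("authorization", {})
    if "credentials" in auth:
        problems.append("inline credentials: store the token in credentials_file instead")
    if auth.get("type", "Bearer").lower() != "bearer" or "credentials_file" not in auth:
        problems.append("authorization must be Bearer with credentials_file")
    if job.get("metrics_path") != "/federate":
        problems.append("metrics_path should be /federate")
    if not job.get("params", {}).get("match[]"):
        problems.append("params.match[] is empty: /federate returns nothing")
    return problems


def build_config(appliances: Dict[str, str], match: Optional[List[str]] = None,
                 scrape_interval: str = "60s") -> dict:
    """Assemble a full prometheus.yml structure for a fleet.

    appliances maps appliance host name -> path of its token file. Retention
    is not part of this file; it is set on the collecting server with
    --storage.tsdb.retention.time, which is the knob that removes the
    appliance-side 30-day limit."""
    jobs = [federation_job(h, f, match) for h, f in sorted(appliances.items())]
    for job in jobs:
        problems = check_job(job)
        if problems:
            raise ValueError(f"{job['job_name']}: " + "; ".join(problems))
    return {"global": {"scrape_interval": scrape_interval}, "scrape_configs": jobs}


if __name__ == "__main__":
    # Constructed sample fleet; host names and file paths are placeholders.
    fleet = {
        "flex-a.example": "/etc/prometheus/tokens/flex-a",
        "flex-b.example": "/etc/prometheus/tokens/flex-b",
    }
    print(json.dumps(build_config(fleet, ['{__name__=~"node_.*"}']), indent=2))
```

One job per appliance is deliberate: `authorization` is set at job level in Prometheus, so separate jobs are what keep each appliance's token in its own file and let a single revoked token be replaced without touching the others.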

Summary

Veritas listens to customer feedback, and every release of the Flex operating environment is a leap in security and the best possible response to customers’ needs. All new and existing Flex features translate directly to realizable business benefits. Granular role assignment delivers greater management flexibility, revamped APIs result in efficient and secure platform management, and elasticity in performance data collection gives customers the option to decide what data should be kept and for how long. Current security fixes and patches, as always, are included by default, and direct upgrade from Flex 2.1 is also possible.

Visit our website for additional information about this new and exciting release and to learn how Veritas can assist in solving business and technical data protection challenges.

Tom Kozlowski
Principal Solution Architect SDS and Appliances