The challenge in Data Security

In today´s digital world, many organizations have their daily critical content stored in business applications and system databases. This content may include business and confidential information, strategy and forecast figures, or sensitive data such as personally identifiable, personal credit or personal health information.

In addition to the typical year on year digital data growth; over the last few months we´ve seen an increasing number of remote workers as a consequence of mandatory or encouraged corporate policies due to Covid-19. Due to these reasons, many organizations are facing a financial risk and reputational damage if failing to protect their digital assets. However, securing backups can be difficult for companies that have a complex backup environment. The more applications, software environments, and locations they use to store data, the greater the risk is. See also Addressing cyber attacks with the right backup solution.

Micro Focus Data Protector provides a comprehensive security strategy that enables customers to use a centralized backup solution with an integrated security model and multiple methods to protect backup data. The solution enables administrators to implement security measures throughout their backup environment and with built-in advanced disaster recovery capabilities that can allow anything from creating disaster recovery images from existing backups to streamlining the task of restoring full mission-critical systems.

But all this, with a special focus on security in the processes.

Data Protector and Common Criteria

Common Criteria for Information Technology Security Evaluation (CC), and the companion Common Methodology for Information Technology Security Evaluation (CEM) are the technical basis for an international agreement, the Common Criteria Recognition Arrangement (CCRA), which ensures that:

• Products can be evaluated by competent and independent licensed laboratories so as to determine the fulfilment of particular security properties, to a certain extent or assurance;
• Supporting documents, are used within the Common Criteria certification process to define how the criteria and evaluation methods are applied when certifying specific technologies;
• The certification of the security properties of an evaluated product can be issued by a number of Certificate Authorizing Schemes, with this certification being based on the result of their evaluation;
• These certificates are recognized by all the signatories of the CCRA.

The National Information Assurance Partnership (NIAP) is responsible for U.S. implementation of the Common Criteria. NIAP also works with NATO and international standards bodies (ISO) to share Common Criteria evaluation experiences and avoid duplication of effort.  In the U.S., NIAP engages with other National Security Systems (NSS) users to ensure Protection Profiles, along with their associated DoD Annexes, provide a streamlined certification path for IA and IA enabled COTS products employed with NSS. 

The CC is the driving force for the widest available mutual recognition of secure IT products. This web portal is available to support the information on the status of the CCRA, the CC and the certification schemes, licensed laboratories, certified products and related information, news and events.

Since Common Criteria is becoming an IT standard, more and more organizations and individual customers are requesting it as mandatory item for proposals. CC assures customers that the certified solution meets these very strong needs and overall risk is mitigated. 

Data Protector is an enterprise class solution and we see Common Criteria as a major milestone we want to be compatible with. It certainly addresses customer needs while at the same time gives DP the assurance and feedback that all elements are build the right way with security in mind.

The CCDB has approved a resolution to limit the validity of mutually recognized CC certificates over time.  Certificates will remain on the CPL for five years.  Effective 1 June 2019, certificates with an expired validity period (that is, 5 years or more from the date of certificate issuance) will be moved to an Archive list on the CCRA portal, unless the validity period has been extended using the appropriate procedures.

With the release of Data Protector 2020.05 Data Protector is listed on the NIAP Product Compliant List, as a demonstration about the commitment to provide the highest security standards.

For more information about Common Criteria configuration of Micro Focus Data Protector, see Common Criteria Guidance and Common Criteria Configuration sections at the Data Protector Administrative Guide.

Additional Data Protector Security functionalities

• Protects Backup Operations: In Data Protector backup administrators have a tool that helps to increase the security of backup data sets. That is because Data Protector verifies the credentials of its installation servers, cell managers, and backup clients before they can communicate with each other. Once this secure peering process is complete, and since Data Protector 2019.08, all communications happen over Transport Security Later (TLS) protocol version 1.2. To configure the trust between the client and the Cell Manager, certain prerequisites must be met before installation. All the commands and script execution are routed through Cell Manager. Centralized command execution ensures that both control and data are sent over a secure TLS channel, which guarantees data integrity. Additionally, command execution is possible between Data Protector client hosts, but a host that is not part of Data Protector cell will not be able to communicate, significantly reducing the risk of security breaches.

Secure peering is particularly useful in complex and growing backup environments where administrators manage many different clients and regularly install new ones.

Administrators can also use the REST API to securely connect Data Protector with applications such as Microsoft SQL Server, SAP databases, Oracle databases, file systems, web portals, and virtualization and storage platforms. This enables application owners to use these third party systems to perform data restores and some other backup operations.

• Encrypts Backups at Rest and in Flight: IT administrators can use Data Protector to encrypt backups. The software achieves this by taking advantage of the encryption capabilities in HPE LTO Tape and StoreOnce devices and Dell EMC Data Domain backup devices.

Administrators can use this capability to stop an unauthorized person accessing information on a lost or stolen backup drive. For example, they could use the 256-bit Advanced Encryption Standard (AES) or the U.S. Government’s Federal Information Processing Standard 140-1 to encrypt backup drives located in remote offices with less physical security. That encryption could prevent a costly data breach if a contractor working at one of the remote offices misplaced a backup drive.

Companies can also use this capability to safeguard critical data while it is being transferred to and from backup devices. Data Protector does this by using the encryption capabilities within backup devices to protect the data while it is in flight. A company could use the Internet Security protocol to protect backups while they are being replicated from one HPE StoreOnce appliance to another, for example.

• Speeds up Recovery after a Breach: Data Protector has multiple features that help administrators quickly recover systems after a security breach. For example, the no-cost bare-metal recovery feature enables centralized recovery from or to a physical or virtual system from any backup set. Integrated at the core of Data Protector, Enhanced Automated Disaster Recovery (EADR) provides backup of application data as well as system data including operating system files, drivers, and files required for the initial boot process. Enabled with a simple check box in the Data Protector GUI, EADR includes the necessary image information in full backups for a full system recovery. Backup administrators can also restore data from a specific point in time, rather than relying on daily backups, with the point-in-time recovery feature.

The above features are some of the security functionalities embedded in Data Protector that are particularly useful for companies with heterogeneous environments that continually generate lots of data. Because security matters, when using Data Protector’s capabilities and by employing these safeguards, customers could reduce the risk of losing valuable backup data no matter if it´s due to a cyber-attack, data corruption or natural disasters.

More information:

Have technical questions about Data Protection? Visit the Data Protector User Discussion Forum. Keep up with the latest product announcements and Tips & Info about Data Protection. We’d love to hear your thoughts on this blog. Log in or register to comment below.