HPE StoreOnce Immutability - Technical and legal aspects - Part 3



Hello,

This is the third and last part of my article, in which I wanted to provide some information about the immutability flowchart for HPE StoreOnce and its use with Veeam.

Here are the previous posts:

Now I want to conclude with the workflow for HPE Dual Authorization and what needs to be considered when you want to complete a secure environment and minimize the chances of data exfiltration.

DUAL AUTHORIZATION WORKFLOW

The following dual authorization process applies within the immutable backup infrastructure built with Veeam and HPE StoreOnce.

  1. The Backup Admin submits one of the dual-authorization tasks to the Veeam/HPE StoreOnce infrastructure.
  • The user submits the request by specifying the tasks they wish to execute.
  2. The Security Officer gets involved if the request falls into one of the categories of protected actions below:
  • Enabling or disabling dual authorization
  • Modifying the Catalyst store
  • Deleting the Catalyst store
  • System date and time settings
  • Creating, editing, and deleting Security Officer role users
  • Editing and deleting stores
  3. A notice is emailed to the distribution list of security administrators, who can log into the StoreOnce GUI and find the notice in the appropriate section.
  4. Based on technical eligibility and their own evaluation, one of the Security Officers approves or denies the Backup Admin's request. Approval and rejection occur via a connection to the StoreOnce console.

As shown below, the process can be illustrated graphically.

NOTES:

- Dual authorization works by approving requests within a specified time period.

- Dual Authorization requests and approvals are reported as alerts. Alerts must be set up in the email notification settings.

- The Security Officer reviews the request and approves or denies the operation. The requester and approvers are notified via an email alert and a display notification in the GUI.

- If approved, the request is executed and an event log entry is generated.

- If the request is denied, or if the request is not approved within a specified time, the request is not executed.

- There is a limit of 200 requests awaiting approval at any one time. Once a request has been submitted to the Security Officer for approval, it cannot be withdrawn.

- All requests, regardless of their status, are retained across a storage reboot.

OPERATIONS THAT REQUIRE DUAL AUTHORIZATION

The following operations are considered "protected" and require dual authorization, in order of priority:

  • Enabling or Disabling Dual Authorization
  • Edit Catalyst store
  • Catalyst store deletion
  • System Date and Time settings
  • Creating, modifying, and deleting users with Security Officer role
  • Storage modification and deletion

NOTE: Dual authorization is also supported for operations on VTLs starting with firmware version 4.3.7.

The following is the list of operations that require authorization for VTLs:

  • Delete a specific library
  • Delete a specific cartridge
  • Delete all cartridges
  • Modify (Edit) a specific library
  • Modify (Edit, Erase) a specific cartridge
  • Modify (Edit) a specific drive
  • Modify (Edit) Media Changer

DUAL AUTHORIZATION REQUEST STATUS

As an administrator user, it is possible to filter the requests on the corresponding page in order to check their status. It is also possible to sort them by expiration date.

For the Approver role, pending, approved, or rejected requests are listed, along with the sender name and expiry date. The following is the list of request statuses as they are found in the official HPE documentation:

- PENDING: Once a request gets added to the request queue, the request is assigned a PENDING state.

- IN PROGRESS: Once a request gets approved and the command execution is in progress, the request is assigned an IN PROGRESS state.

- REJECTED: If the Security Officer rejects a request, the request is assigned a REJECTED state.

- EXECUTED: If a request gets executed, it is assigned an EXECUTED state.

- EXPIRED: If a request expires, it is assigned an EXPIRED state.

- DELETED: If a request gets deleted from the queue, it is assigned a DELETED state.

- CANCELLED: If a request gets cancelled, the request is assigned a CANCELLED state.

AUDIT ENTRIES FOR DUAL AUTHORIZATION EVENTS

The event log records and creates events for the following dual authorization operations:

  • Enabling and disabling the Dual Authorization feature.
  • User submitting a protected request.
  • Security Officer approving or denying the protected request.
  • Request completion success notification.
  • Request expiry notification.

OPERATIONS NOT ALLOWED WITH DUAL AUTHORIZATION

When Dual Authorization is enabled, it is not possible to:

- Delete the last Security Officer user. There must be at least one Security Officer when Dual Authorization is enabled.

- Perform more than one protected operation on the same Catalyst. For example, if Catalyst store1 has a pending change request, you cannot proceed with a new request until the previous one is complete.

- Change the manual time and date. The time delta is applied instead of the absolute time.

NOTE: It is recommended to have at least two Security Officer users when Dual Authorization is enabled.
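To make the workflow, the request statuses and the restrictions above concrete, here is an added example (my own toy model, not HPE or Veeam code) of a dual-authorization request queue: it enforces the 200-pending limit, one pending protected operation per Catalyst store, Security-Officer-only decisions, and expiry when a request is not approved within the window (the window length here is an assumed value; the real one is configured on the appliance). The audit list stands in for the appliance event log.

```python
from dataclasses import dataclass

MAX_PENDING = 200        # limit stated in the StoreOnce notes
APPROVAL_WINDOW = 3600   # seconds; assumed value, the real window is configured on the appliance

@dataclass
class Request:
    rid: int
    requester: str
    operation: str       # e.g. "edit_store"
    target: str          # e.g. "store1"
    submitted: float
    status: str = "PENDING"

class DualAuthQueue:
    def __init__(self, security_officers):
        self.officers = set(security_officers)
        self.requests, self.audit = [], []   # audit stands in for the event log

    def _pending(self):
        return [r for r in self.requests if r.status == "PENDING"]

    def expire(self, now):
        # requests not approved within the window are never executed
        for r in self._pending():
            if now - r.submitted > APPROVAL_WINDOW:
                r.status = "EXPIRED"
                self.audit.append(f"EXPIRED {r.rid}")

    def submit(self, requester, operation, target, now):
        self.expire(now)
        if len(self._pending()) >= MAX_PENDING:
            raise RuntimeError("request queue full (200 pending)")
        # only one protected operation may be pending per Catalyst store
        if any(r.target == target for r in self._pending()):
            raise RuntimeError(f"{target} already has a pending request")
        req = Request(len(self.requests) + 1, requester, operation, target, now)
        self.requests.append(req)
        self.audit.append(f"SUBMIT {req.rid} {requester} {operation} {target}")
        return req

    def decide(self, officer, req, approve, now):
        if officer not in self.officers:
            raise PermissionError("only a Security Officer may approve or reject")
        self.expire(now)
        if req.status != "PENDING":
            raise RuntimeError(f"request {req.rid} is {req.status}, not PENDING")
        # an approved request is IN PROGRESS while the command runs, then EXECUTED
        req.status = "EXECUTED" if approve else "REJECTED"
        self.audit.append(f"{req.status} {req.rid} by {officer}")
        return req.status
```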

FINAL WORDS

At this point, I would say that all observations have been verified from a logical and legal point of view, and we can proceed with drafting the project document, following HPE best practices for the StoreOnce and Veeam best practices for the backup component; the result is immutability for our backup data that complies with the 3-2-1-1-0 rule.

Happy reading to all


2 comments


Great conclusion to your series Antonio.  Was an interesting read for each piece.


Thanks @Chris.Childerhose 

I think all I wrote is needed to have maximum security in this use case on the storage side.

After this it is possible to start with VBR security too.
