top of page

Veritas Malware Prevention: Multi-person authorization

Protecting global security settings of Veritas backup-based product NetBackup and appliances, preventing malicious change in infra components to strengthen cyber resilience.

Veritas MPA.png

OVERVIEW

With urgent concerns from our customers, Multi-person authorization (MPA) on Veritas' backup-based platform Flex Appliance helps protect, prevent, and manage ransomware attacks from undesirable malicious acts to external key management servers (eKMS).

Users (security administrators only) can configure MPA and manage Veritas NetBackup (#1 backup) global security operations to be protected by MPA.

COLLABORATORS

2 product managers, 1 chief architect, 4 engineers, 1 technical writer

RESPONSIBILITIES

Lead designer 1) Strategy, 2) UX Research, 3) Visual Design, 4) Platform Design

TOOLS

Figma, Jira, Confluence

DURATION

May ~ October 2024 (shipped)

Problem

Problem

Customers of Veritas have raised urgent concerns that unauthorized users can hold the encrypted data for ransom. Ransomware is the most urgent threat and the focus for cybersecurity. 

data privacy illustration.png

Customer quote

"Without proper secure method, we worry that a person with access to could easily configure a random external key management server (eKMS), create and distribute keys to encrypt NBU / Flex assets, then delete keys and essentially hold the encrypted data for ransom. "

— Security Administrator from Morgan Stanley

Customer quote

Vision

Multi-person Authorization for NetBackup & appliances:

Vision

Fix the ransomware attacks by adding multi-person authorization (MPA) as a critical security control in the backup-based platform, so that users can more comfortably configure and manage operations in the console.

Imagine two people with separate keys to open a bank vault or safety deposit box. It's safer, isn't it? MPA takes people with separate keys to prevent an individual from unilaterally changing critical data backup setting and retention periods. This safeguard ensures that customers have critical data to resume operations.

MPA - Product vision picture.png
Research

Understanding context

From user findings to design objectives, we found that our customers are worried about unauthorized or random users hold encrypted secure data for ransom. In the current product phase, there lacked a shield to protect their data, even our engineers are concerned with it. It's emphasized that an extra layer is pivotal to secure the configuration within hybrid-cloud environment.

  1. Enterprise customers were concerned that someone can hold encrypted data for ransom. 

    • customer trust​

  2. Enterprise customers need a way to ensure that their configurations are protected, safely and securely.

    • malicious acts​

    • management efforts

    • scalability

    • zero-trust principles, such as role-based access controls, and privileged user management.

Screenshot 2025-01-14 at 22.54.36.png

Security admin workflow

security admin workflow
Solution

Solution

Persona

We created a representative persona modeled for the final prototypes. With MPA enforcement, Arthur is safely able to create backup policies and operations, and as a security admin, he can approve or decline tickets from other users as a role-based enforcement

MPA persona.png

Configure MPA for custom policies

With a centralized MPA system for tracking policy and operations, security admin, Authur needs to enable the pre-installed identity and access management first, and then he can easily create and manage policies in the table below. One thing to note is, Arthur has to wait until another security admin to manually approve his ticket in order to successfully creating a new custom policy or editing an existing operation.

Access MPA
Enable identity & access management
Create custom policy
Edit policy operations

Approve tickets

By integrating ticketing with MPA enforcement, the appliance allows the security admin to manually review the tickets created by other security admins or normal users. This step, we called a second shield, is the second step of MPA enforcement to protect malware attack from a random malicious act. For Arthur, his ticket has to wait until another security admin to approve, and the console will notify him after approval.

Impact

Impact

After launching in October 2024, MPA enforcement proved significant success across our major customer enterprises. We experienced substantial recognition and customer retention, establishing us as a top player in the cybersecurity industry.

Enhanced trust

among 90% of Fortune 100 customers

4 horizontal
products

adopting new MPA configuration and enforcement to prevent malicious malware attacks

Top 5

method at Veritas' cybersecurity and recovery solutions

bottom of page