When you work on a product as big as NetBackup, you get to work with a lot of talented and interesting characters. One of those people is Bill Browning, a Senior Principal Software Engineer focused on Security. Since I couldn’t cajole Bill into writing his own blog posts I decided to interview him.
Q) Bill, tell us a little about your background. What are you doing now, how long have you been working with NetBackup and what do you do?
A) Currently I spend my days working on security related issues within NetBackup, and coordinating vulnerabilities as they are reported. I've been working on NetBackup and NetBackup related products since 1999.
Q) What is the most interesting security related trend you have seen in the datacenter in the last year?
A) I find it interesting that the trend is continuing away from attacking server platforms towards middleware and client-side applications, particularly media players, office applications, and of course browsers and their related technologies. You're also seeing a big focus on poisoning web servers to perform more drive-by attacks, generally to create botnets. It's also not surprising to see that profit continues to be the number one reason.
Q) What is the one thing you would like every customer to do in order to use NetBackup in a more secure fashion?
A) I'd promote the use of NBAC to avoid the requirement of root or administrator account access for administration. In fact, it is simple enough that we might cook up a comic book to show people how easy it is to set up and configure. Failing that, they can look at the yellow book produced by our SWIFT lab that covers it quite nicely.
Q) What is the number one "best practice" you would like our customers to adopt?
A) It's a simple rule: If it goes out the door, encrypt it. It doesn't matter who it goes to or how it gets there.
Q) What is the scariest "worst practice" you have run into?
A) I'm continually shocked to find that many reputable corporations and governments seem to misunderstand how to securely store their backups off site. This should be a fairly well understood problem by all but the most junior of Administrators. Your car or home is not a good spot to store backup tapes!
Q) Do you think disk backup is inherently more secure than tape?
A) That really depends. It used to be harder to remove disk than a tape; however, almost all rack mounted servers feature hot swap disks today. Personally I am partial to the encrypting tape drives. You can use tools like gpg to encrypt your hard drive if required. It's less a question of which is better and more a question of knowing what data you have. If it's a disk or a tape that contains all your public web pages (say a backup of your web server) then does it really matter if someone steals it? Does it matter if it's your financial records? You need to know what data you have where, and what the risk is of exposing that data. Many of the lost/stolen social security number stories in the media really come down to people not understanding the data they had, where they had it, and the risks associated with its location.
Editorial Comment: For instance, Bill probably knows that my wife was recently notified of a security breach involving a charity and a stolen laptop. Thanks for rubbing it in, Bill.
Q) Why did bpgp go away? Will it come back some day?
A) Bpgp is gone for good. Get over it. It was an undocumented tool added early in NetBackup's life cycle to help install the product. Once people understood what it did they started to abuse it to violate their own corporate security practices. Symantec is not in the business of helping Administrators violate their corporate policy, so to help our customers we removed it.
Editorial Comment: As you can tell, Bill is passionate about security and doesn't pull his punches. If you think you need bpgp to get your job done, let us know why by leaving a comment explaining how you use it.
Q) What is the next big thing you are working on for securing NetBackup?
A) One of the more interesting items for end users is better non-root administration, and better non-root authentication. This will tie back nicely with auditing features that are also being worked on by security team members.
Special thanks to Bill for consenting to be interviewed.
Message Edited by TimBur on 04-04-2008 04:01 PM