OVERVIEW
In response to urgent concerns from our customers, multi-person authorization (MPA) is enforced on NetBackup Flex Appliance, Veritas' backup-based platform, to help protect against, prevent, and manage ransomware attacks and other malicious acts against external key management servers (eKMS). With MPA enforcement, users (security administrators only) can securely manage their backup policies and operations.
COLLABORATORS
2 product managers, 1 chief architect, 4 engineers, 1 technical writer
RESPONSIBILITIES
Lead designer 1) Strategy, 2) UX Research, 3) Visual Design, 4) Platform Design
TOOLS
Figma, FigJam, Jira, Confluence
DURATION
May ~ November 2024 (shipped)
Problem
Long-time loyal customers of Veritas have raised urgent concerns that unauthorized users can hold encrypted data for ransom. Ransomware is the most urgent threat and the focus for cybersecurity.

Vision
Multi-person authorization to drive security and compliance:
Address ransomware attacks by adding multi-person authorization as a critical security control in the backup-based platform, so security administrators can comfortably manage data policies and operations in the console. Additionally, Alta Copilot offers an AI-assisted approach that enhances efficiency, security, and scalability, letting security admins streamline operations protected by MPA.

Understanding context
Working from user findings to design objectives, we found that our customers are worried that unauthorized or random users could hold encrypted, secure data for ransom. In the current product phase there was no shield to protect their data, and even our engineers were concerned about it. It was emphasized that an extra layer is pivotal to securing the configuration within a hybrid-cloud environment.
- Enterprise customers were concerned that someone can hold encrypted data for ransom.
- customer trust
- Enterprise customers need a way to ensure that their configurations are protected, safely and securely.
- malicious acts
- management efforts
- scalability
- zero-trust principles, such as role-based access controls and privileged user management.

Enforce MPA to manage backup policies

Iteration
Design challenge 1
- how MPA is enforced
In the first ideation, the MPA page included many steps and required a scrollbar. Though the design provided a table-primary approach, users found it time-consuming to understand how MPA enforcement works. After several iterations and user validation, we made simplicity and visual consistency core design principles, and decided on the second approach, where a built-in IAM policy activates MPA and users can access custom policies.

Design challenge 2
- efficient workflow modals
Another challenge we faced was that the policy modal was inefficient. Both users and our solution architect complained that this version might not support complex requirements. We switched from foldable columns to a side menu, allowing users to streamline their workflow progress, and included a tabbed design to support multi-purpose function requirements.


Solution
Persona
We created a representative persona, Arthur, for the final prototypes. With MPA enforcement, Arthur creates backup policies and operations, and as a security admin he can approve or decline tickets from other users as a form of role-based access control.

Enable IAM for access-control policies
With a unified MPA system for tracking access-controlled policies and operations, Arthur, a security admin, first enables the built-in identity and access management (IAM) in order to validate his identity and thereby view the custom policies protected by MPA.
Access MPA and enable IAM
Create a custom policy
Arthur goes through two steps: defining his financial policy properties and defining the policy operations. The operations include key management, role management and token management, which are organized in tabs, and he enters information in the required columns.
Approve tickets via ticketing system
By integrating ticketing with MPA enforcement, the appliance allows Arthur to manually review the tickets created by other security admins or normal users. This step, which we called a second shield, is the second step of MPA enforcement and protects against a malware attack from a random malicious act. For Arthur, his own ticket has to wait until another security admin approves it, and the console notifies him after approval.
Impact
After launching in late October 2024, MPA enforcement and Copilot integration proved a significant success across our major enterprise customers. We experienced substantial recognition and customer retention, establishing us as a top player in the cybersecurity industry.
- Improved adoption among 90% of Fortune 100 customers
- 4 Veritas products adopting new MPA enforcement workflows to prevent data malware attacks on their own platforms
- Top 5 method at Veritas' cybersecurity and recovery solutions in year 2024
More opportunity: AI-assisted Copilot Integration
We integrated the superstar Veritas Copilot to help Arthur manage policy operations. Arthur creates an intelligent query to ask the AI assistant about pending MPA tickets, and requests access to the MPA table, where he will approve or reject a pending MPA ticket. The whole process is streamlined by AI to assist Arthur in accessing and managing MPA tickets.