
NetBackup Flex Appliances

Secure‑by‑default data protection for cyber‑resilient recovery

NetBackup Flex Appliances deliver cyber-resilient data protection as a purpose-built, turnkey platform. Rather than asking teams to build, harden, and maintain separate compute, storage, and security controls, Flex converges everything into a single appliance with zero-trust security engineered into every layer, not bolted on after deployment.

The result is a self-defending data protection platform where NetBackup runs hardened by default: access is controlled at both the instance and platform levels, critical changes require multiple approvers, backups are verified clean before restoring, and recovery workflows remain intact even when credentials or administrators are compromised.

The challenge with traditional backup infrastructure 

Most enterprise backup environments were not designed for today’s threat realities. They rely on customer-built servers and storage, security controls configured after deployment, and manual enforcement of policies over time. This model increases operational overhead and creates inconsistency across environments. When administrative credentials are compromised or ransomware is active, recovery infrastructure itself can become a point of failure, precisely when it is needed most. Conventional approaches assume that:

  • Administrators remain trustworthy

  • Configurations remain intact over time 

  • Backups are clean and safe to restore

  • Manual controls hold under pressure

In real cyber incidents, these assumptions break down. The result: backups may exist, but recovery cannot be trusted. Organizations need a platform that assumes compromise and is built to withstand it.


Key Benefits

  • Reduced risk with zero-trust security built in by default 
  • Clean recovery confidence via integrated malware scanning 
  • Consolidation without compromise: fewer systems, same resilience 
  • Operational simplicity with low-downtime upgrades and automation 
  • Long-term retention secured with immutable WORM storage

A Layered Architecture for Cyber-Resilient NetBackup

Flex appliances deliver cyber‑resilient data protection through a tightly integrated, layered architecture.

1. Hardened appliance foundation 

Flex provides purpose‑built compute, storage, and networking integrated with a hardened operating environment. This foundation is designed for resilience, isolation, and predictable performance, removing variability introduced by general‑purpose infrastructure.

2. Embedded platform security services 

Security controls are enforced at the platform level and applied consistently across the environment, including strong identity and access controls, separation of duties and dual-control for sensitive operations, network segmentation and instance-level isolation, and secure defaults with documented, auditable exceptions.

These controls are designed to limit blast radius, prevent single‑admin failure modes, and preserve recovery integrity during an attack.

Designed to Defend Against the Four Stages of Attack

  • Unauthorized Network Access 
    Attackers first try to reach the backup environment. Flex enforces Network Access Control (NAC), host firewalls, and subnet allow‑lists to restrict which networks and systems can connect to management and data services, blocking unauthorized traffic at the perimeter.

  • Compromised Credentials at Login 
    Most breaches start with stolen usernames and passwords. Flex integrates MFA, SSO, and ECA‑based client certificates so a password alone is never enough. Authentication policies can be enforced across Flex, NetBackup Web UI, CLI, and WORM storage instances, aligning backup access with enterprise identity standards.

  • Privilege Escalation and Lateral Movement 
    Even if an attacker signs in, they should not be able to move freely or gain system‑level control. Flex uses granular RBAC, non‑root containers, Mandatory Access Controls (MAC), and Secure Computing (SECCOMP) profiles so every user and service operates with only the minimum permissions required. This sharply limits lateral movement paths for ransomware and rogue administrators.

  • Abuse of Legitimate Privileges and Destructive Operations 
    Finally, Flex protects against misuse of valid admin rights. Multi-Person Authorization (MPA) enforces quorum approval for critical operations such as key management, instance deletion, and retention or immutability changes. NetBackup WORM storage, combined with a tamper-resistant compliance clock that is immune to NTP or system time manipulation, ensures that backup data cannot be altered or deleted before its retention expires, even by privileged users.

These layers turn backup infrastructure into a self‑defending platform that assumes compromise and minimizes attackers’ room to maneuver. 

Figure 1

3. Isolated NetBackup application instances 

NetBackup runs as isolated application instances on Flex, benefiting from: 

  • Immutable storage and tamper‑resistant retention 
  • Pull-based IRE replication: the isolated vault initiates data pulls (no inbound ports to the IRE), enabling unidirectional access and stronger air-gap isolation 
  • Integrated malware scanning for clean recovery 
  • Automated orchestration of backup and recovery workflows 
  • No rehydration required for recovering data: retains dedupe efficiencies for replicated copies anywhere while supporting security capabilities for clean recovery 

Together, they help ensure that recovery workflows remain secure, available, and trustworthy, even during an active cyber event. 

 

Figure 2

Key customer outcomes 

Secure‑by‑default cyber resilience  

Flex appliances are delivered with security controls enabled by default. MFA enforcement, granular RBAC, Multi-Person Authorization (MPA), and instance-level network access control are built into the platform, not left to manual configuration. Sensitive actions like key management require quorum approval, reducing single-admin risk and strengthening governance. 

Clean recovery confidence  

Integrated malware scanning, immutable WORM storage, and instance isolation and encryption controls help prevent attackers from corrupting or hiding within backup data. Teams can more confidently identify clean recovery points and avoid reinfecting production systems. 

Consolidation without compromise  

Flex enables organizations to consolidate backup infrastructure onto fewer, high-density systems while maintaining performance and isolation. Application QoS, instance isolation, and embedded security controls preserve SLAs and limit blast radius, reducing footprint and operational overhead without weakening resilience. 

Long‑term retention with modern security  

Flex supports cost-optimized long-term retention while inheriting the same hardened posture. Immutable retention, encryption at rest (with SED options), and platform-enforced access controls provide a secure path forward from legacy retention architectures. 

Operational simplicity at scale  

With containerized NetBackup instances, low downtime upgrades, and built‑in governance, Flex reduces day‑to‑day operational complexity and helps teams spend less time firefighting and more time delivering value. 

Aligned to Cohesity's 5 Steps of Cyber Resilience

Flex Appliances map directly to each of the five steps organizations must take to achieve true cyber resilience:

Step | Flex Appliances Capability
Step 1: Protect all data | Hardened hardware, SED encryption, MFA, lockdown, RBAC, and NAC applied by default across all instances.
Step 2: Ensure data is always recoverable | MPA-governed key management, immutable storage, malware-verified recovery points, and QoS-guaranteed restore performance.
Step 3: Detect and investigate threats | Integrated malware scanning and anomaly detection, with granular audit logs ready for SIEM/SOAR/XDR ingestion, provide deep visibility into suspicious behavior and help security teams investigate incidents.
Step 4: Practice application resilience | Containerized instance isolation, per-instance QoS, dynamic storage rescans, low-downtime upgrade workflows, and Primary Server Availability (PSA) work together to keep protection services and recovery workflows available across maintenance events, node failures, and even site-level disruptions.
Step 5: Optimize data risk posture | Documented exception management, continuous platform hardening, and tiered software licensing aligned to risk and workload.

The Platform That Protects Recovery Itself 

NetBackup Flex Appliances are built for organizations that need more than backup: they need assurance. Assurance that backups are clean. That no single person can compromise recovery. That security controls hold through upgrades, personnel changes, and active incidents. 

By engineering zero-trust controls, dual-approval governance, and clean-recovery verification directly into the appliance platform, Flex removes the fragility of manually maintained security and replaces it with something that simply works, by default, at scale, and over time. 

  • No manual hardening required — security is the platform's default state 
  • No single point of administrative failure — critical changes require multiple approvers 
  • No uncertainty at recovery time — malware scanning confirms what's clean before restore 
  • No disruption during maintenance — low-downtime operations preserve backup coverage 

Protect your recovery infrastructure with NetBackup Flex Appliances. Learn more at www.cohesity.com/platform/netbackup/netbackup-flex/.

 
