diff --git a/manifests/backend/netapp.pp b/manifests/backend/netapp.pp
index 9f13a5ad..c63a9578 100644
--- a/manifests/backend/netapp.pp
+++ b/manifests/backend/netapp.pp
@@ -147,6 +147,23 @@
 # application.
 # Defaults to '/devmgr/v2'
 #
+# [*nas_secure_file_operations*]
+# (Optional) Allow network-attached storage systems to operate in a secure
+# environment where root level access is not permitted. If set to False,
+# access is as the root user and insecure. If set to True, access is not as
+# root. If set to auto, a check is done to determine if this is a new
+# installation: True is used if so, otherwise False. Default is auto.
+# Defaults to $::os_service_default
+#
+# [*nas_secure_file_permissions*]
+# (Optional) Set more secure file permissions on network-attached storage
+# volume files to restrict broad other/world access. If set to False,
+# volumes are created with open permissions. If set to True, volumes are
+# created with permissions for the cinder user and group (660). If set to
+# auto, a check is done to determine if this is a new installation: True is
+# used if so, otherwise False. Default is auto.
+# Defaults to $::os_service_default
+#
 # [*manage_volume_type*]
 # (Optional) Whether or not manage Cinder Volume type.
 # If set to true, a Cinde Volume type will be created
@@ -228,6 +245,8 @@ define cinder::backend::netapp (
 $manage_volume_type = false,
 $extra_options = {},
 $netapp_pool_name_search_pattern = '(.+)',
+ $nas_secure_file_operations = $::os_service_default,
+ $nas_secure_file_permissions = $::os_service_default,
 # DEPRECATED PARAMETERS
 $netapp_eseries_host_type = undef,
 $netapp_storage_pools = undef,
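Review bot: The two parameter descriptions added to the documentation block say "Default is auto" and then "Defaults to $::os_service_default", without spelling out what an unset parameter means for a deployment that already exists. By the text itself, `auto` resolves to False on anything that is not a new installation, so an upgraded back end keeps root-level access and open volume-file permissions until the operator sets the parameters to true. I would add a line to each description such as `#   Leaving this unset keeps Cinder's 'auto' behaviour; set it to true to enforce the restriction on an existing installation.` The same descriptions are added to manifests/backend/nfs.pp and would need the same line.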
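Review bot: `$nas_secure_file_operations` and `$nas_secure_file_permissions` are added to the `cinder::backend::netapp` parameter list with no check on their value, and the later `cinder_config` hunk writes them out as given. The documentation in this commit names only True, False and auto, so a misspelled value would reach cinder.conf without a Puppet error and, depending on how Cinder handles it, could leave the back end on the less restrictive setting. A guard in the define body (which lies outside this hunk) would catch that at catalog compile time, something like `validate_re("${nas_secure_file_permissions}", ['^(?i:true|false|auto)$'])` for each parameter, skipped when `is_service_default` is true. The parameter list in manifests/backend/nfs.pp has the same gap.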
@@ -290,6 +309,8 @@ define cinder::backend::netapp (
 "${name}/netapp_pool_name_search_pattern": value => $netapp_pool_name_search_pattern_real;
 "${name}/netapp_host_type": value => $netapp_host_type_real;
 "${name}/netapp_webservice_path": value => $netapp_webservice_path;
+ "${name}/nas_secure_file_operations": value => $nas_secure_file_operations;
+ "${name}/nas_secure_file_permissions": value => $nas_secure_file_permissions;
 }
 if $manage_volume_type {
diff --git a/manifests/backend/nfs.pp b/manifests/backend/nfs.pp
index ceb92da9..5587d687 100644
--- a/manifests/backend/nfs.pp
+++ b/manifests/backend/nfs.pp
@@ -49,6 +49,23 @@
 # longer be valid.
 # Defaults to $::os_service_default
 #
+# [*nas_secure_file_operations*]
+# (Optional) Allow network-attached storage systems to operate in a secure
+# environment where root level access is not permitted. If set to False,
+# access is as the root user and insecure. If set to True, access is not as
+# root. If set to auto, a check is done to determine if this is a new
+# installation: True is used if so, otherwise False. Default is auto.
+# Defaults to $::os_service_default
+#
+# [*nas_secure_file_permissions*]
+# (Optional) Set more secure file permissions on network-attached storage
+# volume files to restrict broad other/world access. If set to False,
+# volumes are created with open permissions. If set to True, volumes are
+# created with permissions for the cinder user and group (660). If set to
+# auto, a check is done to determine if this is a new installation: True is
+# used if so, otherwise False. Default is auto.
+# Defaults to $::os_service_default
+#
 # [*manage_volume_type*]
 # (Optional) Whether or not manage Cinder Volume type.
 # If set to true, a Cinde Volume type will be created
@@ -62,18 +79,20 @@
 # { 'nfs_backend/param1' => { 'value' => value1 } }
 #
 define cinder::backend::nfs (
- $volume_backend_name = $name,
- $nfs_servers = [],
- $nfs_mount_attempts = $::os_service_default,
- $nfs_mount_options = $::os_service_default,
- $nfs_disk_util = $::os_service_default,
- $nfs_sparsed_volumes = $::os_service_default,
- $nfs_mount_point_base = $::os_service_default,
- $nfs_shares_config = '/etc/cinder/shares.conf',
- $nfs_used_ratio = $::os_service_default,
- $nfs_oversub_ratio = $::os_service_default,
- $manage_volume_type = false,
- $extra_options = {},
+ $volume_backend_name = $name,
+ $nfs_servers = [],
+ $nfs_mount_attempts = $::os_service_default,
+ $nfs_mount_options = $::os_service_default,
+ $nfs_disk_util = $::os_service_default,
+ $nfs_sparsed_volumes = $::os_service_default,
+ $nfs_mount_point_base = $::os_service_default,
+ $nfs_shares_config = '/etc/cinder/shares.conf',
+ $nfs_used_ratio = $::os_service_default,
+ $nfs_oversub_ratio = $::os_service_default,
+ $nas_secure_file_operations = $::os_service_default,
+ $nas_secure_file_permissions = $::os_service_default,
+ $manage_volume_type = false,
+ $extra_options = {},
 ) {
 include ::cinder::deps
@@ -85,17 +104,21 @@ define cinder::backend::nfs (
 }
 cinder_config {
- "${name}/volume_backend_name": value => $volume_backend_name;
- "${name}/volume_driver": value =>
+ "${name}/volume_backend_name": value => $volume_backend_name;
+ "${name}/volume_driver": value =>
 'cinder.volume.drivers.nfs.NfsDriver';
- "${name}/nfs_shares_config": value => $nfs_shares_config;
- "${name}/nfs_mount_attempts": value => $nfs_mount_attempts;
- "${name}/nfs_mount_options": value => $nfs_mount_options;
- "${name}/nfs_disk_util": value => $nfs_disk_util;
- "${name}/nfs_sparsed_volumes": value => $nfs_sparsed_volumes;
- "${name}/nfs_mount_point_base": value => $nfs_mount_point_base;
- "${name}/nfs_used_ratio": value => $nfs_used_ratio;
- "${name}/nfs_oversub_ratio": value => $nfs_oversub_ratio;
+ "${name}/nfs_shares_config": value => $nfs_shares_config;
+ "${name}/nfs_mount_attempts": value => $nfs_mount_attempts;
+ "${name}/nfs_mount_options": value => $nfs_mount_options;
+ "${name}/nfs_disk_util": value => $nfs_disk_util;
+ "${name}/nfs_sparsed_volumes": value => $nfs_sparsed_volumes;
+ "${name}/nfs_mount_point_base": value => $nfs_mount_point_base;
+ "${name}/nfs_used_ratio": value => $nfs_used_ratio;
+ "${name}/nfs_oversub_ratio": value => $nfs_oversub_ratio;
+ "${name}/nas_secure_file_operations": value =>
+ $nas_secure_file_operations;
+ "${name}/nas_secure_file_permissions": value =>
+ $nas_secure_file_permissions;
 }
 if $manage_volume_type {
diff --git a/releasenotes/notes/add_nas_secure_parameters-780423667cda878a.yaml b/releasenotes/notes/add_nas_secure_parameters-780423667cda878a.yaml
new file mode 100644
index 00000000..1be3f97b
--- /dev/null
+++ b/releasenotes/notes/add_nas_secure_parameters-780423667cda878a.yaml
@@ -0,0 +1,5 @@
+---
+features:
+ - Add new "nas_secure_file_operations" and "nas_secure_file_permissions"
+ parameters for controlling the similarly named settings in the NFS and
+ NetApp driver back ends.
diff --git a/spec/defines/cinder_backend_netapp_spec.rb b/spec/defines/cinder_backend_netapp_spec.rb
index 670ac3e8..ef895995 100644
--- a/spec/defines/cinder_backend_netapp_spec.rb
+++ b/spec/defines/cinder_backend_netapp_spec.rb
@@ -36,6 +36,8 @@ describe 'cinder::backend::netapp' do
 :nfs_shares_config => '/etc/cinder/shares.conf',
 :nfs_mount_options => '',
 :netapp_webservice_path => '/devmgr/v2',
+ :nas_secure_file_operations => '',
+ :nas_secure_file_permissions => '',
 }
 end
diff --git a/spec/defines/cinder_backend_nfs_spec.rb b/spec/defines/cinder_backend_nfs_spec.rb
index 5ee02174..f0aa8e13 100644
--- a/spec/defines/cinder_backend_nfs_spec.rb
+++ b/spec/defines/cinder_backend_nfs_spec.rb
@@ -6,15 +6,17 @@ describe 'cinder::backend::nfs' do
 let :params do
 {
- :nfs_servers => ['10.10.10.10:/shares', '10.10.10.10:/shares2'],
- :nfs_mount_attempts => '4',
- :nfs_mount_options => 'vers=3',
- :nfs_shares_config => '/etc/cinder/other_shares.conf',
- :nfs_disk_util => 'du',
- :nfs_sparsed_volumes => true,
- :nfs_mount_point_base => '/cinder_mount_point',
- :nfs_used_ratio => '0.7',
- :nfs_oversub_ratio => '0.9'
+ :nfs_servers => ['10.10.10.10:/shares', '10.10.10.10:/shares2'],
+ :nfs_mount_attempts => '4',
+ :nfs_mount_options => 'vers=3',
+ :nfs_shares_config => '/etc/cinder/other_shares.conf',
+ :nfs_disk_util => 'du',
+ :nfs_sparsed_volumes => true,
+ :nfs_mount_point_base => '/cinder_mount_point',
+ :nfs_used_ratio => '0.7',
+ :nfs_oversub_ratio => '0.9',
+ :nas_secure_file_operations => 'auto',
+ :nas_secure_file_permissions => 'false',
 }
 end
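Review bot: The two entries added to the NetApp parameter hash both carry `''`, so as far as this hunk shows the spec exercises only the unset case for `nas_secure_file_operations` and `nas_secure_file_permissions`. These settings decide whether the back end works as root and how open the volume files are, so I would add an example that passes `'true'` for both and asserts the rendered `cinder_config` values, in the way the NFS spec does for `'auto'` and `'false'`. The hash and the examples that consume it begin and end outside the hunk, so coverage elsewhere in the file cannot be ruled out from here.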
@@ -41,6 +43,10 @@ describe 'cinder::backend::nfs' do
 '0.7')
 is_expected.to contain_cinder_config('hippo/nfs_oversub_ratio').with_value(
 '0.9')
+ is_expected.to contain_cinder_config('hippo/nas_secure_file_operations').with_value(
+ 'auto')
+ is_expected.to contain_cinder_config('hippo/nas_secure_file_permissions').with_value(
+ 'false')
 is_expected.to contain_file('/etc/cinder/other_shares.conf').with(
 :content => "10.10.10.10:/shares\n10.10.10.10:/shares2",
 :require => 'Anchor[cinder::install::end]',
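Review bot: The new expectations pin `nas_secure_file_operations` to `'auto'` and `nas_secure_file_permissions` to `'false'`, matching the values added to `params` in the earlier hunk of this file, so neither the restrictive setting nor the untouched default is exercised. I would add one context that sets both parameters to `'true'` and one that omits them and expects the service-default value, so a regression that drops or rewrites the secure setting fails the spec. The enclosing example starts and ends outside this hunk.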