Building the NetApp IT storage security program

Data hacks and ransomware are making security and resilience an ever-higher priority for IT professionals. Scrolling through any IT-focused timeline clearly shows how much importance is being placed on thwarting “the bad guys.”

That’s part of why NetApp® IT has launched our storage security program. The program focuses on the security of NetApp ONTAP® storage, the resilience of data if something bad happens, and actively monitoring for threats and breaches. It’s proactive and stops threats before they become a reality.

We’ve already made several improvements, but the storage security program is designed to be iterative. Work will really never stop, as we research and implement new technology and tools for continuous improvement.

This is our roadmap of what’s important today and what we will focus on tomorrow. We’re finding ways to use Ansible to automate where we can, and we’re also monitoring to ensure that our configurations are still effective. Security standards are ever evolving, and we must change with them.

We began the storage security program in FY 2020 and have continued adding steps to our roadmap. We’ve completed several parts, including some important improvements that have a significant impact on our security readiness.

We’re using a three-phase deployment to encrypt all at-rest data:

• Encrypt all plaintext volumes using a volume-level key
• Enable encryption on aggregates
• Re-encrypt volumes using an aggregate-level key

A full audit was completed and unneeded accounts were removed. Additionally, unmanaged accounts were added to our CyberArk password management integration and maintenance was automated to ensure governance compliance.

We’re actively auditing all operations done to a file, including saving, deleting, or modifying. Audit logs are forwarded to a third party for storage, so if there is an event that must be investigated, we have access to historical data. We are able to see what was done to files, how frequently they were accessed, when they were accessed, and by whom.

CIFS/SMB auditing is included in ONTAP, but it must be turned on and integrated into our larger system.

To avoid being trapped by ransomware attacks, we’re securely backing up our data using a solution that includes the SnapVault ONTAP feature and SnapLock® compliance software. This solution creates secure Snapshot™ copies of critical data and makes it impossible to alter data after the solution is executed. Our production data is covered by this solution and can be recovered if something happens.

We’re about two-thirds of the way through our initial roadmap, with several additional improvements planned for FY 2022. Security hardening should always be a perpetual effort.