Menu

Building the NetApp IT storage security program

Table Of Contents

Share this page

Faisal Salam
139 views

Data hacks and ransomware are making security and resilience an ever-higher priority for IT professionals. Scrolling through any IT-focused timeline clearly shows how much importance is being placed on thwarting “the bad guys.”

That’s part of why NetApp® IT has launched our storage security program. The program focuses on the security of NetApp ONTAP® storage, the resilience of data if something bad happens, and actively monitoring for threats and breaches. It’s proactive and stops threats before they become a reality.

We’ve already made several improvements, but the storage security program is designed to be iterative. Work will really never stop, as we research and implement new technology and tools for continuous improvement.

Our identified risks

 

Track Security Risks
Access management

Domain authentication configuration
Audit log management

Account management
Authentication

Suspicious client identification

Data protection NetApp SnapVault® standards
SnapVault relationship for production volumes
Automation Management of user accounts
Security monitoring Enhance and Improve auditing and logging for increased forensics
Security and compliance Detection of infected files
Syslog management
Periodic scanning to discover risks
Storage data encryption Protection of data from physical theft
Security alerts and review Share security initiatives and technology

This is our roadmap of what’s important today and what we will focus on tomorrow. We’re finding ways to use Ansible to automate where we can, and we’re also monitoring to ensure that our configurations are still effective. Security standards are ever evolving, and we must change with them.

Our execution so far

We began the storage security program in FY 2020 and have continued adding steps to our roadmap. We’ve completed several parts, including some important improvements that have a significant impact on our security readiness.

ONTAP at-rest encryption

We’re using a three-phase deployment to encrypt all at-rest data:

  • Encrypt all plaintext volumes using a volume-level key
  • Enable encryption on aggregates
  • Re-encrypt volumes using an aggregate-level key

Clean up ONTAP admin accounts

A full audit was completed and unneeded accounts were removed. Additionally, unmanaged accounts were added to our CyberArk password management integration and maintenance was automated to ensure governance compliance.

CIFS/SMB auditing

We’re actively auditing all operations done to a file, including saving, deleting, or modifying. Audit logs are forwarded to a third party for storage, so if there is an event that must be investigated, we have access to historical data. We are able to see what was done to files, how frequently they were accessed, when they were accessed, and by whom.

CIFS/SMB auditing is included in ONTAP, but it must be turned on and integrated into our larger system.

Immutable data recovery infrastructure

To avoid being trapped by ransomware attacks, we’re securely backing up our data using a solution that includes the SnapVault ONTAP feature and SnapLock® compliance software. This solution creates secure Snapshot™ copies of critical data and makes it impossible to alter data after the solution is executed. Our production data is covered by this solution and can be recovered if something happens.

Future enhancements

We’re about two-thirds of the way through our initial roadmap, with several additional improvements planned for FY 2022. Security hardening should always be a perpetual effort.

Faisal Salam

Faisal Salam is a Senior Storage Engineer in NetApp’s corporate IT team and is a member of the NetApp Customer-1 team, which acts as the first adopter of NetApp solutions and services. Faisal supports software-defined storage solutions for enterprise data management and has more than 10 years of experience.

View all Posts by Faisal Salam

Next Steps