Seguridad: Política y procedimientos

Abril de 2022

La seguridad de los datos es la base sobre la cual se construyen la privacidad y las normativas. En el Centro de confianza, explicamos las políticas y los procedimientos de seguridad de datos que rigen la forma en que gestionamos la seguridad de nuestros propios sistemas y los datos que nos confían nuestros clientes.

NetApp cumple los requisitos de las leyes de seguridad de datos globales que exigen medidas de seguridad razonables para almacenar, transmitir y procesar los datos. Tomamos medidas que están ampliamente reconocidas como parte integral de una seguridad adecuada, incluidos el cifrado, la autenticación y los controles de autorización, la notificación de infracciones, la prevención de la pérdida de datos y la gestión de revisiones.

NetApp ofrece una amplia gama de soluciones de cifrado, así como la gestión de claves de cifrado. Entre otras medidas cuenta con numerosas estrategias y herramientas que ayudan a tu organización a mantenerse resiliente frente a las amenazas de ransomware, y estrictas políticas de retención y eliminación de datos que respaldan la minimización de datos. Los investigadores de seguridad de NetApp trabajan diligentemente para detectar y mitigar los ataques de errores de software y vulnerabilidades de seguridad, y poder responder ante ellos.

NetApp implementa estas medidas de seguridad para proteger sus sistemas de información y los datos que se encuentran almacenados en ellos. Asimismo, siguiendo el modelo de responsabilidad compartida, también ofrecemos estrategias, herramientas y servicios que permitan a nuestros clientes hacer lo mismo.

Sharing responsibility in a data-driven world

When an organization transforms itself from an on-premises infrastructure to a hybrid, private, or public cloud infrastructure, sharing responsibility with the cloud service provider for the security of data is key to this fundamental shift. The shared responsibility model addresses which parties in this cloud computing environment are responsible for managing the security of data—its confidentiality, integrity, and availability.

NetApp, as the service provider, is responsible for the secure operations of NetApp cloud services, such as the physical security of NetApp data centers and patching vulnerabilities in our SaaS solutions. 

You, our customer, may be responsible for secure operations in the cloud, such as ensuring that corporate policies like password complexity are enabled and followed across virtual deployments just as they were on premises.

NetApp also offers a choice of partner cloud infrastructure providers, including Amazon Web Services, Microsoft Azure, and Google Cloud, who manage the secure operations of their offerings.

Secure data processing for privacy compliance

Global privacy laws require reasonable security measures for storing, transmitting, and processing personal information. In the United States, reasonable security is a legal requirement for specific classifications of information such as financial, health, and other personal data. It underpins laws governing fair business practices as well as privacy laws outside the United States, such as the EU GDPR. 

Although there is no defined standard or engineering control set attached to reasonable security, regulators and courts recognize certain measures as integral to it. These measures include encryption, authentication and authorization controls, breach reporting, data loss prevention, and patch management.

NetApp implements these safeguards to protect its information systems and their stored data, and also builds products and services to empower our customers to do the same.

Ransomware mitigation

Ransomware attacks, a threat to organizational security and data availability, cost far more than the ransom price demanded. There are also the costs of recovery, operational disruption and lost revenue, potential legal implications, and even loss of brand value. 

Ransomware response strategies are vital to preparing for such attacks, and business continuity plans that include data backup and recovery can be instrumental in reducing the impact of a ransomware attack. Viable backups, isolated from a ransomware attack loop, are a key component, and streamlining recovery point objectives to uninfected data points helps protect against reinfecting systems. 

As a global leader in data storage, NetApp offers a broad range of strategies, tools, and services to help your organization stay resilient against ransomware threats, mitigate recovery efforts, and reduce recovery time.

NetApp Secure Development Lifecycle

Security vulnerabilities are widely recognized throughout the computer industry and by businesses and organizations around the world. NetApp has addressed security vulnerabilities by establishing a Secure Development Lifecycle (SDL). NetApp’s SDL is a repeatable 6-step process for developing secure software based on industry best practices and standards. It provides a framework and a process to help product teams evaluate and respond to potential security vulnerabilities in the development of all NetApp products and services.

Rigorous security training and the appointment of security champions lay the foundation for the SDL. The SDL process itself begins with a security assessment and release of the compliance and test plans. It follows with a thorough evaluation of product security vulnerabilities, implementation of solutions, and validation that any identified vulnerabilities have been resolved. It ends with risk communication procedures and monitoring through a Product Security Incident Response Team (PSIRT).

Vulnerabilities and patch management with NetApp

Patches are typically released to address known issues in software or data, such as a software bug or a security vulnerability. NetApp security researchers work diligently to protect our products and services. They participate in security communities that track published vulnerabilities. They also manage a program through which customers and researchers outside these communities submit information about potential security vulnerabilities. NetApp scores and tracks these submissions according to our vulnerability handling policy and regularly releases patches through Security Advisories.

Management of these patches is an integral part of the reasonable security measures necessary to secure your networks and data. NetApp’s vulnerability and patch management operations are also designed to support customers at all positions in the shared responsibility model.

Encryption

Encryption is widely acknowledged to be fundamental to the security of personal information. Some regulations, such as U.S. IRS Publication 1075, require certain information to be encrypted using specified technology while the data is at rest or in transit. Other regulations, such as the EU GDPR and California Consumer Privacy Act (CCPA), don’t require encryption, but they do recognize the important role it plays in mitigating against data breaches involving personal information.

NetApp offers an array of encryption solutions. These include both hardware and software encryption, at either the volume or disk level, as well as encryption key management for administering the keys used to encrypt and decrypt data.

Data deletion and disposal

A fundamental principle of data security is that organizations should not collect or hold more personal information than is necessary, and that data should be deleted when it’s no longer needed for authorized purposes. This principle of data minimization reduces compliance complexity and protects data against harm in the event of a security breach. 

The most common data minimization method is to enact and enforce data retention and data deletion policies that direct which information a company should retain, for how long, and when and how to delete it.

NetApp’s own data deletion policies support data minimization for data stored on drives that customers return: Customers are instructed to delete, encrypt, or render unrecoverable all data stored on returned media before it is returned.