セキュリティ：データ セキュリティのポリシーと手順

2022年4月

データ セキュリティはプライバシーとコンプライアンスの基盤です。NetAppはTrust Centerを通じて、自社システムのセキュリティとお客様からお預かりしたデータの管理方法を規定する、データ セキュリティのポリシーと手順を明確に定めています。

NetAppは、データの保存、転送、処理に適正なセキュリティ対策を求める国際的なデータ セキュリティ法やデータ セキュリティ規則の要件に準拠し、暗号化、認証や許可の管理、侵入の報告、データ損失防止、パッチ管理など、適切なセキュリティに不可欠と広く認識されている対策を講じています。

NetAppは、暗号化キー管理のほか、さまざまな暗号化ソリューションを提供しています。ほかにも、ランサムウェアの脅威に組織がいつでも対抗できるよう、多種多様な手法やツールを提供したり、データの保持と削除に関する厳格なポリシーでデータ最小化を規定するなどの対策をとっています。NetAppのセキュリティの研究者は、ソフトウェアのバグやセキュリティ上の脆弱性の検出、影響の軽減、対応に熱心に取り組んでいます。

NetAppは、こうした保護対策を講じることで、社内の情報システムとそこに保存されているデータを保護しています。また、共有責任モデルに従って、お客様も同じ方法でデータを保護できるよう、必要な戦略、ツール、サービスを提供しています。

Sharing responsibility in a data-driven world

When an organization transforms itself from an on-premises infrastructure to a hybrid, private, or public cloud infrastructure, sharing responsibility with the cloud service provider for the security of data is key to this fundamental shift. The shared responsibility model addresses which parties in this cloud computing environment are responsible for managing the security of data—its confidentiality, integrity, and availability.

NetApp, as the service provider, is responsible for the secure operations of NetApp cloud services, such as the physical security of NetApp data centers and patching vulnerabilities in our SaaS solutions. 

You, our customer, may be responsible for secure operations in the cloud, such as ensuring that corporate policies like password complexity are enabled and followed across virtual deployments just as they were on premises.

NetApp also offers a choice of partner cloud infrastructure providers, including Amazon Web Services, Microsoft Azure, and Google Cloud, who manage the secure operations of their offerings.

Secure data processing for privacy compliance

Global privacy laws require reasonable security measures for storing, transmitting, and processing personal information. In the United States, reasonable security is a legal requirement for specific classifications of information such as financial, health, and other personal data. It underpins laws governing fair business practices as well as privacy laws outside the United States, such as the EU GDPR. 

Although there is no defined standard or engineering control set attached to reasonable security, regulators and courts recognize certain measures as integral to it. These measures include encryption, authentication and authorization controls, breach reporting, data loss prevention, and patch management.

NetApp implements these safeguards to protect its information systems and their stored data, and also builds products and services to empower our customers to do the same.

Ransomware mitigation

Ransomware attacks, a threat to organizational security and data availability, cost far more than the ransom price demanded. There are also the costs of recovery, operational disruption and lost revenue, potential legal implications, and even loss of brand value. 

Ransomware response strategies are vital to preparing for such attacks, and business continuity plans that include data backup and recovery can be instrumental in reducing the impact of a ransomware attack. Viable backups, isolated from a ransomware attack loop, are a key component, and streamlining recovery point objectives to uninfected data points helps protect against reinfecting systems. 

As a global leader in data storage, NetApp offers a broad range of strategies, tools, and services to help your organization stay resilient against ransomware threats, mitigate recovery efforts, and reduce recovery time.

NetApp Secure Development Lifecycle

Security vulnerabilities are widely recognized throughout the computer industry and by businesses and organizations around the world. NetApp has addressed security vulnerabilities by establishing a Secure Development Lifecycle (SDL). NetApp’s SDL is a repeatable 6-step process for developing secure software based on industry best practices and standards. It provides a framework and a process to help product teams evaluate and respond to potential security vulnerabilities in the development of all NetApp products and services.

Rigorous security training and the appointment of security champions lay the foundation for the SDL. The SDL process itself begins with a security assessment and release of the compliance and test plans. It follows with a thorough evaluation of product security vulnerabilities, implementation of solutions, and validation that any identified vulnerabilities have been resolved. It ends with risk communication procedures and monitoring through a Product Security Incident Response Team (PSIRT).

Vulnerabilities and patch management with NetApp

Patches are typically released to address known issues in software or data, such as a software bug or a security vulnerability. NetApp security researchers work diligently to protect our products and services. They participate in security communities that track published vulnerabilities. They also manage a program through which customers and researchers outside these communities submit information about potential security vulnerabilities. NetApp scores and tracks these submissions according to our vulnerability handling policy and regularly releases patches through Security Advisories.

Management of these patches is an integral part of the reasonable security measures necessary to secure your networks and data. NetApp’s vulnerability and patch management operations are also designed to support customers at all positions in the shared responsibility model.

Encryption

Encryption is widely acknowledged to be fundamental to the security of personal information. Some regulations, such as U.S. IRS Publication 1075, require certain information to be encrypted using specified technology while the data is at rest or in transit. Other regulations, such as the EU GDPR and California Consumer Privacy Act (CCPA), don’t require encryption, but they do recognize the important role it plays in mitigating against data breaches involving personal information.

NetApp offers an array of encryption solutions. These include both hardware and software encryption, at either the volume or disk level, as well as encryption key management for administering the keys used to encrypt and decrypt data.

Data deletion and disposal

A fundamental principle of data security is that organizations should not collect or hold more personal information than is necessary, and that data should be deleted when it’s no longer needed for authorized purposes. This principle of data minimization reduces compliance complexity and protects data against harm in the event of a security breach. 

The most common data minimization method is to enact and enforce data retention and data deletion policies that direct which information a company should retain, for how long, and when and how to delete it.

NetApp’s own data deletion policies support data minimization for data stored on drives that customers return: Customers are instructed to delete, encrypt, or render unrecoverable all data stored on returned media before it is returned.