April 2022
Data security is the foundation of privacy protection and regulatory compliance. The NetApp Trust Center clearly sets out the data security policies and procedures that govern how we manage the security of the data customers provide to NetApp and of our own systems.
NetApp complies with the requirements of global data security laws that call for reasonable security measures for the storage, transmission, and processing of data. We implement the security measures widely recognized as essential and appropriate, including encryption, authentication and authorization controls, breach reporting, data loss prevention, and patch management.
NetApp offers a variety of encryption solutions as well as encryption key management. In addition, we provide a range of strategies and tools that help organizations stay resilient against ransomware threats, and strict data retention and deletion policies that support data minimization. NetApp security researchers work diligently to detect, mitigate, and resolve software bugs and security vulnerabilities.
NetApp implements these safeguards to protect its information systems and the data stored on them. Under the shared responsibility model, we also provide strategies, tools, and services so that our customers can do the same.
NetApp is committed to building a secure, agile platform designed to let our customers grow with confidence.
Bill Miller, Senior Vice President and CIO, NetApp
When an organization transforms itself from an on-premises infrastructure to a hybrid, private, or public cloud infrastructure, sharing responsibility with the cloud service provider for the security of data is key to this fundamental shift. The shared responsibility model addresses which parties in this cloud computing environment are responsible for managing the security of data—its confidentiality, integrity, and availability.
NetApp, as the service provider, is responsible for the secure operations of NetApp cloud services, such as the physical security of NetApp data centers and patching vulnerabilities in our SaaS solutions.
You, our customer, may be responsible for secure operations in the cloud, such as ensuring that corporate policies like password complexity are enabled and followed across virtual deployments just as they were on premises.
NetApp also offers a choice of partner cloud infrastructure providers, including Amazon Web Services, Microsoft Azure, and Google Cloud, who manage the secure operations of their offerings.
Global privacy laws require reasonable security measures for storing, transmitting, and processing personal information. In the United States, reasonable security is a legal requirement for specific classifications of information such as financial, health, and other personal data. It underpins laws governing fair business practices as well as privacy laws outside the United States, such as the EU GDPR.
Although there is no defined standard or engineering control set attached to reasonable security, regulators and courts recognize certain measures as integral to it. These measures include encryption, authentication and authorization controls, breach reporting, data loss prevention, and patch management.
NetApp implements these safeguards to protect its information systems and their stored data, and also builds products and services to empower our customers to do the same.
Ransomware attacks, a threat to organizational security and data availability, cost far more than the ransom price demanded. There are also the costs of recovery, operational disruption and lost revenue, potential legal implications, and even loss of brand value.
Ransomware response strategies are vital to preparing for such attacks, and business continuity plans that include data backup and recovery can be instrumental in reducing the impact of a ransomware attack. Viable backups, isolated from a ransomware attack loop, are a key component, and streamlining recovery point objectives to uninfected data points helps protect against reinfecting systems.
As a global leader in data storage, NetApp offers a broad range of strategies, tools, and services to help your organization stay resilient against ransomware threats, reduce the effort required for recovery, and shorten recovery time.
Security vulnerabilities are widely recognized throughout the computer industry and by businesses and organizations around the world. NetApp has addressed security vulnerabilities by establishing a Secure Development Lifecycle (SDL). NetApp’s SDL is a repeatable 6-step process for developing secure software based on industry best practices and standards. It provides a framework and a process to help product teams evaluate and respond to potential security vulnerabilities in the development of all NetApp products and services.
Rigorous security training and the appointment of security champions lay the foundation for the SDL. The SDL process itself begins with a security assessment and release of the compliance and test plans. It follows with a thorough evaluation of product security vulnerabilities, implementation of solutions, and validation that any identified vulnerabilities have been resolved. It ends with risk communication procedures and monitoring through a Product Security Incident Response Team (PSIRT).
Patches are typically released to address known issues in software or data, such as a software bug or a security vulnerability. NetApp security researchers work diligently to protect our products and services. They participate in security communities that track published vulnerabilities. They also manage a program through which customers and researchers outside these communities submit information about potential security vulnerabilities. NetApp scores and tracks these submissions according to our vulnerability handling policy and regularly releases patches through Security Advisories.
Management of these patches is an integral part of the reasonable security measures necessary to secure your networks and data. NetApp’s vulnerability and patch management operations are also designed to support customers at all positions in the shared responsibility model.
Encryption is widely acknowledged to be fundamental to the security of personal information. Some regulations, such as U.S. IRS Publication 1075, require certain information to be encrypted using specified technology while the data is at rest or in transit. Other regulations, such as the EU GDPR and California Consumer Privacy Act (CCPA), don’t require encryption, but they do recognize the important role it plays in mitigating against data breaches involving personal information.
NetApp offers an array of encryption solutions. These include both hardware and software encryption, at either the volume or disk level, as well as encryption key management for administering the keys used to encrypt and decrypt data.
A fundamental principle of data security is that organizations should not collect or hold more personal information than is necessary, and that data should be deleted when it’s no longer needed for authorized purposes. This principle of data minimization reduces compliance complexity and protects data against harm in the event of a security breach.
The most common data minimization method is to enact and enforce data retention and data deletion policies that direct which information a company should retain, for how long, and when and how to delete it.
NetApp’s own data deletion policies support data minimization for data stored on drives that customers return: customers are instructed to delete, encrypt, or otherwise render unrecoverable all data stored on the media before returning it.