Howdy, my name is Justin Welch and I am a cyber resilience specialist here at NetApp, and today I'd like to talk you through some of the solutions that we have in place that are secure by design. NetApp has designed our solution to be secure right out of the box, and there's a lot of things you can take advantage of that you may not be aware of today.

It kind of reminds me of when my kids were young. My son, he was really into fixing and tinkering with things with my tools, so I didn't want to have that, so I bought him his own toolbox. I gave it to him and he would take that toolbox and, you know, come out and work with Dad on the car or on the lawn or whatever it was. Fast forward: one day we came home and all the door knobs were taken off of every door in our house. That was not a great use of those tools, and we really learned a lesson at that point. It's one thing to have tools and it's another thing to understand how to implement and use them in the right scenarios and in the right place. So as we walk through the solutions today we're going to talk about these things and how we can use them in a more effective and secure manner.

So to start out today we're going to talk about encryption. NetApp can do encryption; it is at the core of all of our solutions. You can have data at rest encryption, you can have data in flight encryption, and we can do encryption at the hardware layer or at the software layer; it doesn't really matter. Encryption is a table stakes solution for us. You configure your key management system, you enable encryption on the storage, and you don't have to worry about it after that. It's important to note that encryption of data at rest is all about protecting a physical device. If somebody comes in and they pull one of those devices out and try to run away with it, or an entire shelf, they can't plug that drive in anywhere else and get any meaningful data off of it, because that data is encrypted.

Now the encryption of data at rest is very important, as it protects the physical device, but we also need to encrypt our data in flight: data that is moving from one system to another, to and from our endpoints, our end users. And we have multiple solutions that can help achieve that goal. So for example we can do IPsec, we can do CIFS signing and sealing, we can do Kerberos with krb5p for NFS encryption, we can also do encryption of NFS over TLS, and many other solutions that are out there. Let us know if this is a requirement in your environment; we can help you solve that problem.

Now one of the other tools that we have available to us is snapshots. NetApp snapshots are the number one way to recover from a ransomware attack. If you have a snapshot taken prior to an attack, you will be able to recover your data, and it's that simple. NetApp snapshots by default are immutable; they always have been. A ransomware or malware attack can come through and wipe out all the data in the active file system, but they cannot change the data that's captured in that snapshot. It is in a read-only state. So if you have a snapshot after a ransomware attack you can use single file SnapRestore, volume SnapRestore, many different ways: create a clone, copy data out. You have lots of recovery options if you have a snapshot in place prior. So make sure you're taking plenty of snapshots in your environment and storing those for as long as you can, as that will be your recovery mechanism after an attack.

Now snapshots are awesome; however, if an administrator comes in and says, "Hey, guess what, I hate this place, I'm out of here," they can delete snapshots. So how do we protect against a deleted snapshot? That brings forth our SnapLock solution. SnapLock Compliance is the last line of defense. An attacker can come in, internal attack, external attack, it doesn't matter: with SnapLock Compliance you cannot delete that data. It is immutable and indelible; can't be changed, can't be deleted. In fact, we believe in SnapLock Compliance so much that it is the basis for our ransomware recovery guarantee, and we'll have other sessions that go into that a little bit deeper. But again, SnapLock is our defense, the last line of defense, and we want to make sure that you have that in place.

SnapLock Enterprise is just like SnapLock Compliance; however, it is a little bit softer. It allows an administrator account to go in and modify some of the attributes of that SnapLock. SnapLock Enterprise is useful in many instances; there are quite a few use cases where that is the only mechanism that folks want to use to protect their data. And then the third solution under the SnapLock umbrella is our tamperproof snapshots. Now with SnapLock Compliance and Enterprise you have to create this third copy of the data, this additional bucket of data. You'll replicate data into there, it'll inherit that retention policy that you set, and that data is locked for that amount of time. With tamperproof snapshots, however, those are built into the solution. You can run them in production, you can run them in your secondary site, and it's going to take those immutable snapshots that you're already taking and add that indelible attribute on top of them. So you take a snapshot and now nobody can delete that snapshot for X number of days. And we typically like to keep the retention on a tamperproof snapshot shorter than you would on, say, a SnapLock Compliance solution. So if you need short term, think one day, two days, three days, a tamperproof snapshot is your best bet. If you say, "Hey, I want to keep data around for 5 years, 10 years, 30 years," or anywhere between one day to 100 years, SnapLock Compliance could probably be the better solution for that.

Now we came out with another solution, another tool, and that is called autonomous ransomware protection. ARP is named this because we knew that nobody else in the industry was using ARP for any type of acronym, right? We're the first ones to come up with it, and ARP means autonomous ransomware protection, just know it. Now built into ONTAP is this ability to detect a malware or ransomware attack. Autonomous ransomware protection, or ARP, can be run at the individual volume level. You can enable it, it's going to come up in a learning mode, you're going to run it for a preconfigured amount of time, and it's going to learn the baseline activities that happen on that volume. Then, when it comes into active mode, as additional files are written and changes are being made, we will analyze whether that looks like normal activity or whether that looks like suspicious activity. And then, if we detect suspicious activity, we will immediately take a snapshot, and then we will raise alerts and let everybody know, "Hey, we think we found something that's going on." And we've added features to tune up or tune down the sensitivity of that, and there's some really exciting features coming up in future releases of ONTAP around autonomous ransomware protection, so stay tuned for more information around ARP.

Now before I continue on too much, I do want to recognize that all of these solutions have auditing and logging capabilities built into them, and we can integrate with your SIEM system, or you can have audit logs being sent to specific locations. If you want to know more about audit logging, please let us know; we'd be happy to help you configure the auditing and logging component of all of these internal solutions. But just know we do want to be able to integrate with the other components that are out there in the world.

So FPolicy is the next tool we're going to talk about. There are two modes of FPolicy: there is the native mode and there's also the external mode. Native mode FPolicy allows us to block files based on file extension. So as files are being written to the storage, and you as a storage administrator don't want to have MP3 files being uploaded to your storage, you can create a policy with the MP3 extension and say deny all files with the MP3 extension that try to be written, and they will not be able to be landed on the storage. The end user will get a write denied error. It's a very effective way: if you have a good list of known bad file extensions, you can put those in that policy and deny the write of those files right from the get-go. Now there's also an include capability, so that if somebody wants to write, say you have an application that writes a specific file type like a PDF or a TIFF or something like that, you can allow only those file types to be written, and no other file type can be written to the storage except for what you specify in that allow list in FPolicy native mode.

Now FPolicy external mode is much more powerful. With FPolicy, as files are being written and stored on the storage, we analyze everything that happens to a file. So file write, file create, file delete, file move, file copy, file modify, access time update, permissions change: any single one of those actions is going to generate an event, and that event gets sent from the storage controller to an external FPolicy server. And in NetApp's case we have a tool called Cloud Insights; our workload security tool can specifically plug into those events and analyze them. And it is a user and entity behavioral analytics tool, a UEBA, and those tools are fantastic because they use AI to analyze the type of access that's happening and determine, "Yes, that is approved and normal usage," or, "No, that is abnormal, we want to stop it." And the workload security tool can actually stop an attack. It can quarantine a user, it can ban an IP address, and stop an attack in process. That is all based on this FPolicy engine that we have.

The next tool that we have is secure multi-tenancy, and secure multi-tenancy is one of those capabilities that a lot of our customers take for granted. Let's say you have your blue group over here and your green group over here, and you don't want them to see each other's data; they don't want to be able to access each other's information or anything like that. You can create a storage virtual machine that is completely isolated over here: it has its own network, has its own permissions, has its own storage. On the storage side you can create a second SVM over here, same thing. It's just like a virtual machine that can't be influenced or impacted by anything else on the outside of it, and it is a fantastic way to implement secure multi-tenancy. And you can have many of these SVMs on your storage, as many as you need, so that you can protect that data that's there and ensure that you're not getting crossover from one group to another group. It's a fantastic use case for service providers and those types of solutions that are out there.

Now the final tool I'd like to talk about today is multi-admin verification. MAV is a tool set that allows us to have checks and balances on the commands that are being run, and there are two-fold benefits here that we'll talk about. One, it'll stop a command from being run. The way it works is, for a destructive command such as snapshot delete or volume delete, you configure MAV to say, all right, if somebody runs this command, three, four, five, anywhere between 1 and 10 approvers have to approve that command before it takes effect on the storage. So let's say I decide I want to delete data because I'm going to leave the company and, you know, I want to destroy everything behind me, so I'm going to run the volume delete command. With MAV configured, that command will get sent to a pool of approvers that are up here, and those approvers have to sign in and approve that command before it takes effect on the storage. And you can configure how many approvers you need, three or four or five, again from 1 to 10. The MAV command set, again, will stop that attack until that approval comes in. That original person that ran the command will have to run it again after approval comes in. If it doesn't come in, then they can't run it and it will not take effect on the storage. So the command gets approved, now they run it, and it will delete the volume or delete the snapshot or do whatever it is you need to do.

Now I said there were two benefits. One is it'll stop that command from being run. The second benefit is everybody in that approver pool that's up here will get a notification that the command was run. So, "Hey, why is somebody trying to delete a volume in the middle of the night at 3:00 in the morning?" "Hey, why is somebody trying to create new logins for the storage?" All of those commands get captured in this MAV command set that's out there, and so you can see what people are trying to do: why are you up at 3:00 in the morning trying to run this command, and what's going on, what's behind it? It gives you an opportunity as an admin to stop it, or to address it and move on if that's what you need to do.

Now all of these commands are part of the control plane, or the management plane, sorry. So as an administrator logs into the storage and they want to get in and make changes and utilize all these wonderful tools that we have, they first have to go through MFA, multi-factor authentication. So if they are not prepared to go through MFA, if they are, you know, trying to log in from somewhere they shouldn't, or they don't have the second authentication mechanism, they can't log in to access any of these controls or capabilities that we have, any of these tools. After that they also have to have roles, so RBAC is another component that is in place to help validate those that are coming in through the management plane to touch the storage and make changes in our security tool set. Now the users are pretty happy up here, right? We want to keep them happy, and so they access the storage, and as they're coming in they're going to have to be approved first, through, well, LDAP usually, and there are multiple ways, Active Directory, right, lots of different ways that they can be authenticated. But before they can touch that data they have to go through those authentication pieces: MFA, role-based access. This is how we authenticate through the management plane, and if you're wanting to gain access from the management side.

So in conclusion, to wrap this all up, we talked about multi-admin verification, how multiple admins have to approve a command. We talked about secure multi-tenancy, how you can create secure environments that don't bleed over into each other. FPolicy, the autonomous ransomware protection engine, SnapLock defense, snapshots, and encryption, right? These are all tools that are in our toolbag, and if you want to know more about them you can check out security.netapp.com. We have our best practices hardening guide in there around how to harden ONTAP and configure all these different configurations and options in there and ensure that your environment is as secure as possible. And just like my son, who has progressed on to being a great mechanic who fixes ATVs and can do wondrous things with that toolbox of tools, you too can configure your environment to be secure from the ground up, and ensure that when you roll this out you are in a secure by design environment that is going to protect you from the attacks and the different harm that people want to do to your environment. Thanks.
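As an added illustration of the learning-mode/active-mode flow the talk describes for ARP, here is a toy Python detector. It is not NetApp's code or algorithm; the sample events, the `.locked` extension, the per-interval z-score rule and the snapshot naming are all constructed assumptions. It learns per-interval write counts and the file extensions normally seen on a volume, then in active mode flags a burst of writes under unseen extensions, records a snapshot before raising the alert, and shows how a sensitivity threshold tunes the detector up or down.

```python
import statistics

# Constructed sample events (interval, user, operation, path); not captured from any real system.
LEARN_EVENTS = [
    (0, "alice", "write", "reports/q1.xlsx"), (0, "bob", "write", "docs/notes.docx"),
    (1, "alice", "write", "reports/q2.xlsx"), (1, "bob", "write", "docs/plan.docx"),
    (2, "bob", "write", "docs/memo.pdf"), (2, "alice", "read", "docs/memo.pdf"),
]
ACTIVE_EVENTS = [  # interval 4 is a burst of writes under an extension never seen while learning
    (3, "alice", "write", "reports/q3.xlsx"),
    (4, "carol", "write", "docs/notes.docx.locked"), (4, "carol", "write", "docs/plan.docx.locked"),
    (4, "carol", "write", "docs/memo.pdf.locked"), (4, "carol", "write", "reports/q1.xlsx.locked"),
]

def extension(path: str) -> str:
    # Lower-cased final extension of the file name, or '' when it has none
    name = path.rsplit("/", 1)[-1]
    return name.rsplit(".", 1)[-1].lower() if "." in name else ""

class VolumeDetector:
    # Per-volume learning/active model: an assumed toy design, not NetApp's ARP internals
    def __init__(self, volume, sensitivity=2.0):  # sensitivity = z-score threshold; lower = more sensitive
        self.volume, self.sensitivity = volume, sensitivity
        self.known_ext, self.baseline = set(), {}  # baseline: interval -> write count while learning
        self.snapshots, self.alerts = [], []

    def learn(self, events):
        # Learning mode: record which extensions and how many writes per interval are normal
        for interval, _user, op, path in events:
            if op == "write":
                self.known_ext.add(extension(path))
                self.baseline[interval] = self.baseline.get(interval, 0) + 1
    def active(self, events):
        # Active mode: flag intervals whose write burst also uses never-seen extensions
        vals = list(self.baseline.values())
        mean, stdev = statistics.mean(vals), statistics.pstdev(vals) or 1.0
        totals, unknown, flagged = {}, {}, []
        for interval, _user, op, path in events:
            if op == "write":
                totals[interval] = totals.get(interval, 0) + 1
                if extension(path) not in self.known_ext:
                    unknown[interval] = unknown.get(interval, 0) + 1
        for interval in sorted(totals):
            zscore = (totals[interval] - mean) / stdev
            if unknown.get(interval) and zscore > self.sensitivity:
                self.snapshots.append(f"{self.volume}.arp_{interval}")  # snapshot first, then alert
                self.alerts.append(f"{self.volume}: {unknown[interval]} unseen-extension writes, z={zscore:.1f}")
                flagged.append(interval)
        return flagged
```

Raising `sensitivity` above the burst's z-score (about 4.9 for the constructed data) suppresses the alert, which is the trade-off any tuning of such a detector makes between missed bursts and false alarms.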
Is your storage environment secure by design? See how NetApp technology and capabilities ensure you can detect, respond, and recover from cyber incidents and keep your data safe.