安全性：数据安全策略和程序

2022 年 4 月

数据安全是隐私与合规的基础。在信任中心，我们阐明了数据安全策略和程序，这些策略和程序用于监管我们如何管理自己系统的安全性以及客户委托给我们的数据。

NetApp 遵循全球数据安全法律的要求，这些法律要求采取合理的安全措施来存储、传输和处理数据。我们采取被广泛认为是适当安全性不可或缺的措施，包括加密、身份验证和授权控制、违规报告、数据丢失防护和修补程序管理。

NetApp 提供了一系列加密解决方案以及加密密钥管理。其他措施包括一系列可帮助您的组织保持抵御勒索软件威胁的弹性的策略和工具，以及支持数据最小化的严格数据保留和删除策略。NetApp 安全研究人员努力检测、防范和响应软件错误和安全漏洞。

NetApp 实施这些保护措施来保护其信息系统和存储在其中的数据。此外，按照共担责任的模式，我们还提供战略、工具和服务，让我们的客户也能做到这一点。

Sharing responsibility in a data-driven world

When an organization transforms itself from an on-premises infrastructure to a hybrid, private, or public cloud infrastructure, sharing responsibility with the cloud service provider for the security of data is key to this fundamental shift. The shared responsibility model addresses which parties in this cloud computing environment are responsible for managing the security of data—its confidentiality, integrity, and availability.

NetApp, as the service provider, is responsible for the secure operations of NetApp cloud services, such as the physical security of NetApp data centers and patching vulnerabilities in our SaaS solutions. 

You, our customer, may be responsible for secure operations in the cloud, such as ensuring that corporate policies like password complexity are enabled and followed across virtual deployments just as they were on premises.

NetApp also offers a choice of partner cloud infrastructure providers, including Amazon Web Services, Microsoft Azure, and Google Cloud, who manage the secure operations of their offerings.

Secure data processing for privacy compliance

Global privacy laws require reasonable security measures for storing, transmitting, and processing personal information. In the United States, reasonable security is a legal requirement for specific classifications of information such as financial, health, and other personal data. It underpins laws governing fair business practices as well as privacy laws outside the United States, such as the EU GDPR. 

Although there is no defined standard or engineering control set attached to reasonable security, regulators and courts recognize certain measures as integral to it. These measures include encryption, authentication and authorization controls, breach reporting, data loss prevention, and patch management.

NetApp implements these safeguards to protect its information systems and their stored data, and also builds products and services to empower our customers to do the same.

Ransomware mitigation

Ransomware attacks, a threat to organizational security and data availability, cost far more than the ransom price demanded. There are also the costs of recovery, operational disruption and lost revenue, potential legal implications, and even loss of brand value. 

Ransomware response strategies are vital to preparing for such attacks, and business continuity plans that include data backup and recovery can be instrumental in reducing the impact of a ransomware attack. Viable backups, isolated from a ransomware attack loop, are a key component, and streamlining recovery point objectives to uninfected data points helps protect against reinfecting systems. 

As a global leader in data storage, NetApp offers a broad range of strategies, tools, and services to help your organization stay resilient against ransomware threats, mitigate recovery efforts, and reduce recovery time.

NetApp Secure Development Lifecycle

Security vulnerabilities are widely recognized throughout the computer industry and by businesses and organizations around the world. NetApp has addressed security vulnerabilities by establishing a Secure Development Lifecycle (SDL). NetApp’s SDL is a repeatable 6-step process for developing secure software based on industry best practices and standards. It provides a framework and a process to help product teams evaluate and respond to potential security vulnerabilities in the development of all NetApp products and services.

Rigorous security training and the appointment of security champions lay the foundation for the SDL. The SDL process itself begins with a security assessment and release of the compliance and test plans. It follows with a thorough evaluation of product security vulnerabilities, implementation of solutions, and validation that any identified vulnerabilities have been resolved. It ends with risk communication procedures and monitoring through a Product Security Incident Response Team (PSIRT).

Vulnerabilities and patch management with NetApp

Patches are typically released to address known issues in software or data, such as a software bug or a security vulnerability. NetApp security researchers work diligently to protect our products and services. They participate in security communities that track published vulnerabilities. They also manage a program through which customers and researchers outside these communities submit information about potential security vulnerabilities. NetApp scores and tracks these submissions according to our vulnerability handling policy and regularly releases patches through Security Advisories.

Management of these patches is an integral part of the reasonable security measures necessary to secure your networks and data. NetApp’s vulnerability and patch management operations are also designed to support customers at all positions in the shared responsibility model.

Encryption

Encryption is widely acknowledged to be fundamental to the security of personal information. Some regulations, such as U.S. IRS Publication 1075, require certain information to be encrypted using specified technology while the data is at rest or in transit. Other regulations, such as the EU GDPR and California Consumer Privacy Act (CCPA), don’t require encryption, but they do recognize the important role it plays in mitigating against data breaches involving personal information.

NetApp offers an array of encryption solutions. These include both hardware and software encryption, at either the volume or disk level, as well as encryption key management for administering the keys used to encrypt and decrypt data.

Data deletion and disposal

A fundamental principle of data security is that organizations should not collect or hold more personal information than is necessary, and that data should be deleted when it’s no longer needed for authorized purposes. This principle of data minimization reduces compliance complexity and protects data against harm in the event of a security breach. 

The most common data minimization method is to enact and enforce data retention and data deletion policies that direct which information a company should retain, for how long, and when and how to delete it.

NetApp’s own data deletion policies support data minimization for data stored on drives that customers return: Customers are instructed to delete, encrypt, or render unrecoverable all data stored on returned media before it is returned.