Security Features In ONTAP - NetApp

Transcription

DATASHEET

Security features in ONTAP
Securing the world’s most vital resource: data

NetApp ONTAP data management software continues to evolve, with security as an integral part of the solution. The latest releases of ONTAP contain many new security features that are invaluable for your organization to protect its data across your hybrid cloud, prevent ransomware attacks, and adhere to industry best practices. These new features also support your organization’s move toward a Zero Trust model.

To learn more about hardening the ONTAP solution, see TR-4569: Security Hardening Guide for NetApp ONTAP.

The challenge

Businesses today are under pressure from their digital transformation. They need to effectively manage data across their hybrid cloud that is becoming distributed, dynamic, and diverse. Each day, the threat landscape becomes more sophisticated and increasingly dangerous for IT environments. As administrators and operators of data and information, IT teams are expected to manage and to maintain data in a secure manner throughout its lifecycle.

The solution

NetApp ONTAP software is central to protecting your data and meeting compliance requirements. This datasheet and TR-4569: Security Hardening Guide for NetApp ONTAP are essential elements for creating an industry-proven security posture for your most important resource: data.

Key benefits

Enhance data confidentiality, integrity, and availability
Protect your organization’s most important resource – data – with ONTAP hybrid cloud security technologies.

Strengthen your organization’s security posture
Establish a secure foundation across your organization’s hybrid cloud by leveraging the visibility and security functions that create a secure infrastructure.

Apply NetApp and industry best practices for security and ransomware protection
Establish a vetted security footprint with help from NetApp expertise and industry knowledge.

Meet governance and compliance requirements
Use established security best practices to adhere to and support industry regulation and security compliance.

Security features in ONTAP

Software or features, with their function and impact:

Autonomous ransomware protection
  Function: Autonomous ransomware protection is an on-box capability with machine learning preemptive detection against attacks.
  Impact: If an anomaly is detected, ONTAP automatically takes a Snapshot copy and alerts the administrator.

NetApp Snapshot copies
  Function: An ONTAP Snapshot is an efficient, point-in-time, read-only copy of your data. A Snapshot represents exactly what your data looked like at the moment that the Snapshot was taken, whether it was hours, days, weeks, months, or even years ago.
  Impact: Because Snapshot copies are read only, they can’t be infected by ransomware. To recover from a ransomware attack, you can simply restore from a Snapshot that was taken before the attack occurred.

NetApp SnapLock technology
  Function: NetApp SnapLock protects Snapshot copies using NetApp SnapVault by enabling a truly indelible logical air-gapped backup.
  Impact: SnapLock eliminates the risk of Snapshot copies being deleted by an administrator through human error, a disgruntled employee, or a bad actor leveraging stolen credentials.

NetApp FPolicy technology
  Function: FPolicy is an infrastructure component of ONTAP that enables partner applications to monitor and to set file access permissions. File policies can be based on file type. FPolicy determines how the storage system handles requests from individual client systems for operations such as create, open, rename, and delete.
  Impact: Access control is a key security construct. Therefore, visibility and the ability to respond to file access and file operations are critical for maintaining your security posture. To provide visibility and access control to files, the ONTAP solution uses the FPolicy feature. External FPolicy servers, including NetApp Cloud Insights/Cloud Secure, make use of user behavioral analytics to identify malware and ransomware to mitigate the effects of broader compromise to data.
  Note: In ONTAP, the FPolicy file access notification framework is enhanced with filtering controls and resiliency against short network outages.

NetApp Volume Encryption (NVE)
  Function: NVE is a software-based encryption mechanism that enables you to encrypt data on any type of disk with a unique key per volume.
  Impact: Data encryption at rest remains an industry focus. NVE satisfies this focus while also maintaining a strong security posture across the full breadth of your hybrid cloud.

NVE secure purge
  Function: This feature enables a command to cryptographically shred deleted files on NVE volumes by moving good files and deleting the key used to encrypt infected files.
  Impact: You can remediate data spillage online while the system is still in use. This feature also provides state-of-the-art “right-to-erasure” capability for General Data Protection Regulation (GDPR).

NetApp Aggregate Encryption (NAE)
  Function: NAE is a software-based encryption mechanism that enables you to encrypt data on any type of disk with unique keys per aggregate shared across encrypted volumes.
  Impact: Like NVE, NAE enables data encryption at rest. Aggregate deduplication is enabled with NAE because volumes share keys across the aggregate, thus providing greater storage efficiency.

Data at Rest (DAR) Encryption by Default
  Function: DAR encryption by default is enabled if either an external key manager or the onboard key manager is defined. Either NVE or NAE software-based encryption will be used. If NSE drives are part of the cluster configuration, DAR encryption is in place and software-based encryption will not be used by default.
  Impact: DAR encryption by default simplifies the maintenance of a strong security posture across the full breadth of your hybrid cloud.

NetApp Storage Encryption (NSE)
  Function: NSE is the NetApp implementation of full disk encryption (FDE) by using FIPS-140-2 level 2 self-encrypting drives. Furthermore, NSE provides a nondisruptive encryption implementation that supports the entire suite of NetApp storage efficiency technologies.
  Impact: Data encryption at rest remains an industry focus. NSE provides FDE, which satisfies this focus. The NetApp Data Fabric maintains a strong security posture from end to end.

SMB encryption that uses Intel AES New Instructions (AES-NI) acceleration
  Function: Intel AES-NI improves on the AES algorithm and accelerates data encryption with supported processor families.
  Impact: Accelerating security functions increases efficiency. Efficient use of resources is vital to providing successful security solutions.

NetApp cryptographic security module
  Function: This module provides FIPS 140-2 validated cryptographic operations for select Secure Sockets Layer (SSL)–based management services. Starting with ONTAP 9.11.1 and TLS 1.3 support, FIPS 140-2 can be validated.
  Impact: Dedicated security modules improve resource efficiency. In addition, FIPS 140 is the recognized industry standard for cryptography products and solutions.

NetApp CryptoMod
  Function: This module provides FIPS 140-2 validated cryptographic operations for NVE, NAE, and the onboard key manager (OKM).
  Impact: FIPS 140-2 is the recognized industry standard for cryptography products and solutions.

SHA-2 (SHA-512) support
  Function: To enhance password security, ONTAP supports the SHA-2 password hash function and defaults to using SHA-512 for hashing newly created or changed passwords.
  Impact: SHA-2 has become the industry standard for hash functions because of its much-improved security posture relative to the often-infiltrated SHA-1 standard.

Secure log forwarding (syslog over Transport Layer Security [TLS])
  Function: The log-forwarding function enables your administrators to provision targets or destinations so that they can receive syslog and audit information. Because of the secure nature of syslog and audit information, ONTAP can send this information securely through TLS by using the TCP-encrypted parameter.
  Impact: Log and audit information is invaluable to your organization from a support and availability standpoint. In addition, the information that’s contained in logs (syslog) and in audit reports and output is typically sensitive in nature. To maintain your security controls and security posture, you must manage log and audit data securely.

TLS 1.1 and TLS 1.2
  Function: ONTAP uses TLS 1.1 and TLS 1.2 for secure communication and administration functions.
  Impact: NetApp does not recommend the use of TLS 1.0, because its significant vulnerabilities make it incompatible with compliance standards such as PCI-DSS. NetApp does recommend the use of TLS 1.1 and TLS 1.2 because of their strength and integrity.

Online Certificate Status Protocol (OCSP)
  Function: When OCSP is enabled, ONTAP applications that use TLS communications, such as LDAP or TLS, can receive the digital certificate status. The application receives a signed response that signifies whether the certificate requested is good, revoked, or unknown.
  Impact: OCSP helps determine the current status of a digital certificate without requiring certificate revocation lists (CRLs).

Onboard key manager (OKM)
  Function: OKM in ONTAP provides a self-contained encryption solution for data at rest. OKM works with NVE, which offers a software-based encryption mechanism that allows you to encrypt data and use any type of disk. OKM also works with NSE, which performs FDE by using self-encrypting drives.
  Impact: OKM provides key management for NSE and NVE. In addition, the use of this encryption technology in ONTAP allows you to secure data at rest, which provides a pivotal data security solution.

OKM secure boot
  Function: This option can require a passphrase for unlocking drives and decrypting volumes after a node is rebooted.
  Impact: When NSE and NVE use the OKM, secure reboot provides protection against the entire storage array being stolen, not just the drives. It also allows secure physical transport of entire clusters and secure equipment return.

External key management
  Function: External key management is handled by using a third-party system in the storage environment. This third-party system securely manages the authentication keys and encryption keys that are used by encryption features in the storage system, such as NSE, NVE, or NAE. The storage system uses an SSL connection to contact the external key management server to store and retrieve authentication keys or volume data encryption keys through the Key Management Interoperability Protocol (KMIP).
  Impact: With external key management, you can centralize your organization’s key management functions while inherently confirming that keys are not stored near the assets. This approach decreases the possibility of compromise.

Secure multitenancy
  Function: Secure multitenancy is the use of secure virtual partitions within a shared physical storage environment for the purpose of sharing the physical environment among multiple distinct tenants. In ONTAP, these partitions are called storage virtual machines (SVMs).
  Impact: Secure multitenancy enables ONTAP as a shared platform with SVMs securely isolating all tenants within the platform.

Multitenant external key management
  Function: Multitenant external key management provides the ability for individual tenants or storage virtual machines (SVMs) to maintain their own keys through KMIP for NVE.
  Impact: With multitenant external key management, you can centralize your organization’s key management functions by department or tenant while inherently confirming that keys are not stored near the assets. This approach decreases the possibility of compromise.

Clustered external key managers
  Function: External KMIP server redundancy is supported by clustering capabilities provided by NetApp KMIP key server partners. Prior to ONTAP 9.11.1, up to four external KMIP servers could be defined where ONTAP wrote keys to each server to provide redundancy.
  Impact: Clustered external key managers are being widely adopted by ONTAP customers. ONTAP support allows these customers to flawlessly use this capability.

Enhanced file system auditing
  Function: ONTAP increases the number of auditing events and details that are reported across the solution. The following key details are logged with the creation of events:
    - File
    - Folder
    - Share access
    - Files created, modified, or deleted
    - Successful file read access
    - Failed attempts to read files or write files
    - Folder permission changes
  Impact: NAS file systems have increased their footprint in today’s threat landscape. Therefore, the visibility that audit functions provide remains critically important, and the increased audit capability in ONTAP provides more CIFS audit details than ever before.

CIFS SMB signing and sealing
  Function: SMB signing helps protect the security of your Data Fabric by protecting the traffic between storage systems and clients from replay or man-in-the-middle attacks. It also confirms that SMB messages have valid signatures. In addition, ONTAP supports SMB encryption, also known as sealing.
  Impact: A common threat vector for file systems and architectures lies within the SMB protocol. Signing and sealing allow unadulterated validation of traffic in addition to secure data transport on a share-by-share basis.

Kerberos 5 and krb5p support
  Function: ONTAP supports 128-bit and 256-bit AES encryption for Kerberos. The privacy service includes the verification of received data integrity, user authentication, and data encryption before transmission.
  Impact: Krb5p authentication protects against data tampering and snooping by using checksums to encrypt all traffic between the client and the server.

Lightweight Directory Access Protocol (LDAP) SMB signing and sealing
  Function: ONTAP supports signing and sealing to protect session security on queries to an LDAP server.
  Impact: Signing confirms the integrity of the LDAP payload data by using secret key technology. Sealing encrypts the LDAP payload data to avoid the transmission of sensitive information in cleartext.

Ed25519 and NIST curves in Secure Shell (SSH) (updated algorithms and hash-based message authentication codes [HMACs])
  Function: ONTAP provides updated SSH ciphers and key exchanges, including AES, 3DES, SHA-256, and SHA-512.
  Impact: As the threat landscape continues to evolve, the strength of the protocol algorithm, cipher, and key exchanges is vital to the integrity of the protocol and the product function.

Ability to configure the maximum number of unsuccessful SSH login attempts
  Function: ONTAP adds the -max-authentication-retry-count parameter to the security ssh modify command to set the maximum number of login attempts. The default maximum that is allowed per SSH connection is six, but NetApp recommends three as a security best practice.
  Impact: This feature helps protect against brute-force attacks.
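The behavioral monitoring that the FPolicy entry and the enhanced file system auditing entry above describe, as an added example that is not NetApp's code: a sliding-window detector over constructed file-operation events that flags a burst of deletes and extension-changing renames from one user and returns the response the autonomous ransomware protection entry describes (take a Snapshot copy and alert). The event fields, user names, paths and thresholds are assumptions for the example, not the FPolicy notification or ONTAP audit-log format.

```python
# Added example, not NetApp's code: a minimal behavioural detector of the kind
# the datasheet attributes to FPolicy servers and autonomous ransomware
# protection. Event fields are constructed for the example; the real FPolicy
# notification and ONTAP audit log formats are not reproduced here.
from collections import deque
from dataclasses import dataclass
import os


@dataclass(frozen=True)
class FileEvent:
    ts: float            # seconds since start of capture (constructed)
    user: str
    op: str              # create, open, rename, delete, write
    path: str
    new_path: str = ""   # target path for rename


# Constructed sample: routine edits by "alice", then a mass extension-changing
# rename burst followed by deletes from "mallory".
SAMPLE_EVENTS = (
    [FileEvent(0.0, "alice", "open", "/vol1/finance/q1.xlsx"),
     FileEvent(5.0, "alice", "write", "/vol1/finance/q1.xlsx"),
     FileEvent(60.0, "alice", "rename", "/vol1/finance/draft.docx",
               "/vol1/finance/final.docx")]
    + [FileEvent(100.0 + i * 0.05, "mallory", "rename",
                 f"/vol1/hr/doc{i}.docx", f"/vol1/hr/doc{i}.docx.locked")
       for i in range(40)]
    + [FileEvent(103.0 + i * 0.05, "mallory", "delete", f"/vol1/hr/doc{i}.docx")
       for i in range(10)]
)


def is_destructive(ev):
    """Deletes and renames that change the file extension are the cheap signals
    a behavioural monitor counts; a product also uses entropy and baselines."""
    if ev.op == "delete":
        return True
    return (ev.op == "rename"
            and os.path.splitext(ev.path)[1] != os.path.splitext(ev.new_path)[1])


def detect(events, window=30.0, threshold=20):
    """Flag each user whose destructive operations within `window` seconds reach
    `threshold`. One finding per user, emitted when the threshold is first
    crossed, carrying the response the datasheet describes: snapshot + alert."""
    recent, flagged, findings = {}, set(), []
    for ev in sorted(events, key=lambda e: e.ts):
        if ev.user in flagged or not is_destructive(ev):
            continue
        q = recent.setdefault(ev.user, deque())
        q.append(ev.ts)
        while ev.ts - q[0] > window:      # drop operations outside the window
            q.popleft()
        if len(q) >= threshold:
            flagged.add(ev.user)
            volume = "/" + ev.path.strip("/").split("/")[0]
            findings.append({"ts": ev.ts, "user": ev.user, "volume": volume,
                             "count": len(q), "action": "snapshot+alert"})
    return findings
```

Running detect(SAMPLE_EVENTS) yields a single finding for "mallory" on /vol1 at the twentieth extension-changing rename; "alice" never crosses the threshold.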

Multifactor authentication (MFA)
  Function: MFA is enabled for NetApp ONTAP System Manager and NetApp Active IQ Unified Manager for administrative web access through Security Assertion Markup Language (SAML) and through external identity providers. Administrative command-line access to ONTAP is enabled through local two-factor authentication methods that employ user ID/password and a public key as the two factors. You can use nsswitch with public key as one of the two factors for SSH command-line administrative access.
  Impact: Weak administrative access credentials account for most system compromises. MFA makes it impossible to gain administrative access with simple password-based accounts.

NetApp SnapLock technology with NSE and NVE
  Function: ONTAP supports NSE and NVE with the SnapLock feature, which provides administration and storage for write once, read many (WORM) data.
  Impact: SnapLock technology creates special-purpose volumes in which files can be stored and committed to a nonerasable, nonrewritable state. SnapLock can preserve this state indefinitely or for a designated retention period while maintaining the secure posture (encryption) of the NSE and NVE solution.

Upgrade image validation
  Function: Upgrades for ONTAP verify that an image is genuine ONTAP at upgrade time.
  Impact: This validation detects corrupt or counterfeit images being used as part of the upgrade process.

Unified Extensible Firmware Interface (UEFI) secure boot
  Function: Image validation is done each time the system boots.
  Impact: Signed ONTAP images are verified by the boot loader, thus preventing counterfeit images at every boot.

Cluster peer encryption
  Function: Cluster peer encryption uses TLS 1.2 to encrypt all data in transport over the wire between cluster peers and the underlying ONTAP features that use cluster peering for replication of data (NetApp SnapMirror, SnapVault, FlexCache).
  Impact: Data-in-flight encryption is available for ONTAP features that replicate data. In addition, customers who use data at rest encryption (NVE/NSE) can use end-to-end encryption between ONTAP clusters that use cluster peer encryption.

IPsec encryption
  Function: IPsec offers data encryption in flight for all IP traffic including the NFS, iSCSI, and SMB/CIFS protocols.
  Impact: IPsec ensures data in transit is continuously secure and encrypted. Network traffic between the client and ONTAP is protected with preventive measures to combat replay and man-in-the-middle (MITM) attacks.

Role-based access control (RBAC)
  Function: RBAC in ONTAP enables your administrators to limit or to restrict users' administrative access to the level that is granted for their defined role. With this feature, your administrators can manage users by their assigned role.
  Impact: Access control is a foundational element for creating a security posture. Functions such as RBAC help your organization determine who has data access and to what extent they have such access. This feature limits vulnerabilities and exploitation opportunities, including data exfiltration and escalation of privileges.

Multi-admin verification (MAV)
  Function: MAV prevents a single cluster administrator from executing sensitive commands such as “volume snapshot delete” or “volume delete” without approvals from one or more administrators.
  Impact: MAV stops malicious or compromised administrators from destroying valuable data. This is essential for fortifying the ONTAP data-centric Zero Trust environment.

Antivirus connector (virus scanning)
  Function: Virus scanning is performed on Vscan servers that run the antivirus connector and antivirus software. Typically, the system that runs ONTAP is configured to scan files when they are modified or accessed by a client.
  Impact: Threat and attack vectors continue to grow. Therefore, inline virus scanning of accessed or modified files helps protect the integrity of your organization’s files.

Login and message-of-the-day (MOTD) banners
  Function: Login banners are printed in the output before authentication. These banners enable your organization and administrators to communicate with system users.
  Impact: Login banners enable your organization to present operators, administrators, and even miscreants with the terms and conditions of acceptable use for a system. These banners also indicate who is permitted to access the system.

Disk sanitization
  Function: Disk sanitization allows you to remove data from a disk or a set of disks so that the data can never be recovered.
  Impact: Security protocols often require you to make data unrecoverable from a disk. The disk sanitization function provides this capability.

1 877 263 8277
2022 NetApp, Inc. All Rights Reserved. NETAPP, the NETAPP logo, and the marks listed at http://www.netapp.com/TM are trademarks of NetApp, Inc. Other company and product names may be trademarks of their respective owners. DS-3846-0522
