It is vitally important to ensure that enterprise data security controls are in place to safeguard high-risk data, such as personal customer data, financial and payment information, employee records, and all other private data within an organization. These controls, which cover security at the storage, network, and access level, protect against data breaches and malicious attacks. Cloud Volumes ONTAP users aren’t immune to such events, unless they take the proper precautions. These precautions are a central concern when it comes to cloud file sharing.
In this article, we will take a look at how Cloud Volumes ONTAP can be hardened to ensure maximum enterprise data security all the while maintaining storage economy.
Why is data security important?
Every organization should understand the importance of data security as it protects the lifeblood of enterprise applications—data. A data breach could occur due to loopholes at the network layer or through a lack of proper storage security measures, exposing a company to huge financial and business issues such as reputation damage, customer churn, lawsuits, and compliance violations.
Such incidents have long-lasting financial implications and have brought the curtains down on even the most influential businesses. Proper enterprise data security precautions will protect against unauthorized use, be it from ransomware attacks, rogue users, or other malicious events. Multitenancy in cloud environments is another growing data security concern for companies. Since underlying resources are shared by multiple customers in multitenancy, a company’s data architecture should also be designed for multitenancy security.
Types of Data Security Layers and Cloud Volumes ONTAP
To ensure end-to-end security of your Cloud Volumes ONTAP deployments, cloud access control mechanisms should be applied at three layers: the storage layer, the network layer, and the management layer, where proper authentication and authorization of data access are enforced.
Cloud Security at the Storage Level
The storage level is where the actual data resides. There are multiple configuration options available with Cloud Volumes ONTAP to ensure security of that data.
Encryption of data in flight (for the SMB3+ and NFSv4.1+ protocols) and of data at rest is supported out of the box in Cloud Volumes ONTAP through multiple encryption technologies. NetApp Volume Encryption is supported using an external key management server: data, Snapshot copies, and metadata are encrypted with a unique XTS-AES-256 key, one per volume. When Cloud Volumes ONTAP is deployed in AWS, customers can enable encryption using AWS Key Management Service (KMS) to manage the encryption keys.
When deploying in Azure, Storage Service Encryption is automatically enabled for Cloud Volumes ONTAP (CVO) data. This is a transparent process in which all data written to storage is encrypted with strong 256-bit AES encryption. No additional configuration is required from the customer to secure data at rest while using Cloud Volumes ONTAP in Azure.
Cloud Volumes ONTAP users can also take advantage of NetApp Volume Encryption (NVE) to encrypt data at rest at the ONTAP level. This gives users the ability to manage their own keys within their organization rather than with the public cloud provider.
NTFS / Share Permissions and EXT / Export Permissions
For secure access to files in Cloud Volumes ONTAP over the SMB / CIFS protocol, NTFS permissions should be configured to limit access to the file system so that only authorized users can access files. Cloud Volumes ONTAP supports all native NTFS ACLs. Share permissions should be applied to give another layer of protection for protocol-level access.
For secure access to files in Cloud Volumes ONTAP over NFS, EXT permissions should be configured to limit access to the file system so that only authorized users can access the files. Cloud Volumes ONTAP supports all native EXT ACLs. Export permissions should be applied to give another layer of protection for protocol-level access.
Cloud Manager highlights volumes that are not protected by snapshot policies so that customers can activate the default snapshot backup policy, whether for Azure backup or AWS backup. Because Snapshot copies are read-only, they are immune to ransomware attacks and allow data to be recovered from an uninfected copy if data is corrupted by such an attack. The SnapRestore® feature also offers granular recovery options in the event of data loss, restoring either a single file or multiple data volumes.
Via SnapLock®, Cloud Volumes ONTAP makes it possible to get immutable, write-once/read-many (WORM) storage in the cloud. These undeletable, unchangeable copies are a surefire way to prevent ransomware attackers from keeping you locked out of your data.
The ONTAP FPolicy component enables you to filter and get alerts about suspicious file extensions in order to protect against common ransomware extensions. FPolicy can also be configured to operate in file-blocking mode which is enabled via Cloud Manager at no additional charge.
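The extension filtering described above can be modelled with a few lines of code. The following is an added example, not NetApp's FPolicy implementation: it takes a list of constructed file-operation events, matches the target file name against a constructed list of suspicious extensions, and reports either an alert (monitoring mode) or a block (file-blocking mode). The `users_over_threshold` helper is an assumption added here to show how a burst of matches from one user can be surfaced as a single finding.

```python
"""Added example (not NetApp's FPolicy code): a simplified model of an
extension filter that alerts on, or blocks, file operations whose target
name carries a suspicious extension. Events and extensions are constructed."""
from collections import Counter
from dataclasses import dataclass
from typing import List

# Constructed blocklist for illustration only; a real policy carries the
# organization's own list of extensions to watch for.
SUSPICIOUS_EXTENSIONS = {".locked", ".encrypted", ".crypt", ".enc-demo"}


@dataclass(frozen=True)
class FileEvent:
    user: str
    client_ip: str
    operation: str   # e.g. "create", "rename", "write"
    path: str


@dataclass(frozen=True)
class Verdict:
    event: FileEvent
    matched_extension: str
    action: str      # "alert" (monitor only) or "block" (file-blocking mode)


def extension_of(path: str) -> str:
    """Return the lower-cased final extension of a path, or "" if none."""
    name = path.rsplit("/", 1)[-1]
    if "." not in name:
        return ""
    return "." + name.rsplit(".", 1)[-1].lower()


def evaluate(events: List[FileEvent], blocking: bool) -> List[Verdict]:
    """Return one Verdict per event whose extension is on the blocklist.
    In monitoring mode the operation proceeds and an alert is raised;
    in blocking mode the operation would be denied."""
    verdicts = []
    for ev in events:
        ext = extension_of(ev.path)
        if ext in SUSPICIOUS_EXTENSIONS:
            verdicts.append(Verdict(ev, ext, "block" if blocking else "alert"))
    return verdicts


def users_over_threshold(verdicts: List[Verdict], threshold: int) -> List[str]:
    """Users with at least `threshold` matching events, sorted by name
    (a hypothetical aggregation, not an FPolicy feature)."""
    counts = Counter(v.event.user for v in verdicts)
    return sorted(u for u, n in counts.items() if n >= threshold)


def format_alert(v: Verdict) -> str:
    return (f"{v.action.upper()} {v.event.operation} {v.event.path} "
            f"by {v.event.user}@{v.event.client_ip} (matched {v.matched_extension})")


# Constructed sample events
SAMPLE_EVENTS = [
    FileEvent("alice", "10.0.1.15", "create", "/vol1/finance/q3.xlsx"),
    FileEvent("bob", "10.0.1.22", "rename", "/vol1/hr/payroll.docx.locked"),
    FileEvent("bob", "10.0.1.22", "create", "/vol1/hr/README.ENCRYPTED"),
    FileEvent("carol", "10.0.2.7", "write", "/vol1/eng/notes.txt"),
]

if __name__ == "__main__":
    verdicts = evaluate(SAMPLE_EVENTS, blocking=True)
    for v in verdicts:
        print(format_alert(v))
    print("users over threshold:", users_over_threshold(verdicts, 2))
```

Running the block in blocking mode reports two blocked operations, both by the same user, which the threshold helper then surfaces as one aggregated finding; extension matching is case-insensitive so that upper-cased names are not missed.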
Vscan Antivirus Integration
Virus scanning functionality is available in Cloud Volumes ONTAP out of the box via Vscan. Vscan protects data in your data volumes from virus attacks or malicious codes. It integrates with leading third-party antivirus solutions such as McAfee, Symantec, Sophos, and TrendMicro, all while providing flexibility for the customer to decide which files are getting scanned and when. While on-access scanning is used to protect against possible virus attacks when a file is open, read, closed, etc., on-demand can be used for virus scanning on a scheduled or ad-hoc basis.
Network Layer Security
Network security in cloud computing can be implemented using first-party cloud service provider tools or third-party appliances. When deploying in AWS, security groups are created for Cloud Manager and Cloud Volumes ONTAP to restrict inbound and outbound network traffic. The rules can be configured to allow only the required traffic to reach the data and control planes. Similarly, network security groups that protect the network layer should be created in Azure deployments as well.
These security groups should also be created in client subnets to ensure that only clients from authorized networks can access the volumes. Inbound rules should be created for SSH and HTTPS ports so that connections to Cloud Volumes ONTAP happen only over an encrypted channel. This is to protect management-layer traffic that reaches the Cloud Volumes ONTAP system.
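The intent described in the two paragraphs above, management ports reachable only from an admin network, data ports only from client subnets, and nothing open to the world, can be checked mechanically. The following is an added example, not NetApp's or AWS's own tooling: it audits a constructed list of inbound security-group rules. The admin and client networks are constructed, and the NFS (2049) and SMB (445) port numbers are the standard ones, assumed here for the data ports.

```python
"""Added example (not NetApp or AWS code): audit inbound security-group
rules against the policy that SSH/HTTPS are reachable only from the admin
network, NFS/SMB only from client subnets, and nothing from 0.0.0.0/0."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class InboundRule:
    protocol: str    # "tcp" or "udp"
    from_port: int
    to_port: int
    cidr: str


MANAGEMENT_PORTS = {22, 443}          # SSH and HTTPS, as the text requires
DATA_PORTS = {2049, 445}              # NFS and SMB (assumed standard ports)
ALLOWED_PORTS = MANAGEMENT_PORTS | DATA_PORTS
ADMIN_NETWORK = ipaddress.ip_network("10.0.100.0/24")           # constructed
CLIENT_NETWORKS = [ipaddress.ip_network("10.0.1.0/24"),
                   ipaddress.ip_network("10.0.2.0/24")]         # constructed


def audit_rule(rule: InboundRule) -> Optional[str]:
    """Return a finding for a rule that violates the policy, else None."""
    net = ipaddress.ip_network(rule.cidr, strict=False)
    ports = set(range(rule.from_port, rule.to_port + 1))
    if net.prefixlen == 0:
        return "open to the world (0.0.0.0/0)"
    if not ports <= ALLOWED_PORTS:
        extra = sorted(ports - ALLOWED_PORTS)
        shown = ", ".join(str(p) for p in extra[:5])
        return f"allows unexpected port(s) {shown}{', ...' if len(extra) > 5 else ''}"
    if ports & MANAGEMENT_PORTS and not net.subnet_of(ADMIN_NETWORK):
        return "management port reachable from outside the admin network"
    if ports & DATA_PORTS and not any(net.subnet_of(c) for c in CLIENT_NETWORKS):
        return "data port reachable from outside the client subnets"
    return None


def audit(rules: List[InboundRule]) -> List[Tuple[InboundRule, str]]:
    """Return (rule, finding) pairs for every rule that fails the audit."""
    results = []
    for rule in rules:
        finding = audit_rule(rule)
        if finding is not None:
            results.append((rule, finding))
    return results


# Constructed sample rule set mixing compliant and non-compliant entries
SAMPLE_RULES = [
    InboundRule("tcp", 22, 22, "10.0.100.0/24"),     # SSH from admin net: ok
    InboundRule("tcp", 443, 443, "0.0.0.0/0"),       # HTTPS from anywhere
    InboundRule("tcp", 2049, 2049, "10.0.1.0/24"),   # NFS from client net: ok
    InboundRule("tcp", 445, 445, "10.0.5.0/24"),     # SMB from unknown net
    InboundRule("tcp", 22, 22, "10.0.1.0/24"),       # SSH from client net
    InboundRule("tcp", 0, 65535, "10.0.100.0/24"),   # every port, even from admin
]

if __name__ == "__main__":
    for rule, finding in audit(SAMPLE_RULES):
        print(f"{rule.protocol} {rule.from_port}-{rule.to_port} from {rule.cidr}: {finding}")
```

Each rule yields at most one finding, with the most severe condition (exposure to the world) checked first; a rule that opens a wide port range is reported even when its source is the admin network, since the text calls for allowing only the required traffic.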
If you have selected NFS or dual-protocol when creating a volume in Cloud Volumes ONTAP, you can create an export policy for the volume to secure network-level access. The export policy can be configured to allow only clients with specific IP addresses or within an IP range (CIDR) to access the volume. For example, if the VMs using the NFS volume reside in a specific subnet, an export policy should be created in Cloud Volumes ONTAP to allow access only from that subnet. This prevents unauthorized mounting of volumes and shares. Such steps, combined with the security groups mentioned earlier, provide network layer security to the last mile.
Management Layer Security: Authentication and Authorization
OnCommand® Cloud Manager is the single-pane control panel for Cloud Volumes ONTAP to manage storage resources, alerts, automation, and more.
Users can be assigned different roles in Cloud Manager that define the Cloud Volumes ONTAP management functions they are authorized to use. The three user roles are Cloud Manager Admin, Tenant Admin, and Working Environment Admin. The rule of thumb for managing authentication and authorization is to grant users only the minimum level of permissions required to complete the activities they are expected to perform. While Cloud Manager Admin has the highest level of authorization and should be limited to admin users, Tenant Admin and Working Environment Admin can be used to restrict user access to a specific tenancy workspace or a specific Cloud Volumes ONTAP working environment.
SSO and Identity Federation
Cloud Manager integration with NetApp Cloud Central provides a single deployment and management pane for multiple Cloud Manager systems. It uses a centralized user authentication mechanism that allows you to use the same set of credentials for multiple Cloud Manager systems. Using NetApp Cloud Central identity federation, users can use single sign-on (SSO) to manage Cloud Volumes ONTAP with their corporate identity credentials. Identity federation uses open standards including Security Assertion Markup Language 2.0 (SAML 2.0) and OpenID Connect (OIDC), and currently supports integration with Active Directory Federation Services (ADFS) and Microsoft Azure Active Directory for SSO.
The FPolicy auditing option will send an event to an external system about any file activity. With this advanced auditing enabled, users get visibility into data usage patterns. FPolicy auditing also helps organizations meet compliance, privacy, and security requirements by providing a way to see who is using data in order to implement appropriate data usage policies.
File Level Permissions
In addition to the implementation of network layer security using export policies and security groups, as explained in the previous section, setting the right permissions at the file level is important while managing NFS or SMB / CIFS shares. This can prevent unauthorized access even from permitted subnets.
With SMB / CIFS shares, individual cloud volumes can be integrated with Windows Active Directory if users select the SMB dual protocol during volume creation. This allows you to provide file share permissions using existing AD user accounts, thereby seamlessly integrating with your existing identity and access management solutions.
When it comes to NFS exports, ONTAP restricts client permissions based on the export policy defined. The export policy can regulate client access based on criteria such as file access protocol, client identifier (host name/IP), or the authentication method (Kerberos v5/NTLM/AUTH_SYS, etc.). Based on the export policy, users are assigned read-only, read-write, or superuser access levels.
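The export-policy behaviour described here and in the network-layer section above (client match by IP range, then read-only, read-write or superuser access by authentication method) is shown below as an added example. It is a simplified model written for this article, not ONTAP's code: rules are evaluated in index order, the first rule whose client range contains the client applies, and each of the `rorule`, `rwrule` and `superuser` fields is a set of authentication methods (with `any` matching every method). The exact handling of edge cases in real ONTAP export rules is not modelled; the policy and client addresses are constructed.

```python
"""Added example (not ONTAP code): a simplified model of NFS export-policy
evaluation. A client is matched by CIDR in rule-index order; the matched
rule's rorule/rwrule/superuser sets decide the access level for the
client's authentication method ("sys", "krb5", ...). Semantics are assumed."""
import ipaddress
from dataclasses import dataclass
from typing import FrozenSet, List, Optional


@dataclass(frozen=True)
class ExportRule:
    index: int
    clientmatch: str             # CIDR such as "10.0.1.0/24"
    rorule: FrozenSet[str]       # auth methods granted at least read-only
    rwrule: FrozenSet[str]       # auth methods granted read-write
    superuser: FrozenSet[str]    # auth methods for which root is not squashed


@dataclass(frozen=True)
class AccessDecision:
    rule_index: Optional[int]    # None when no rule matched the client
    level: str                   # "denied", "read-only" or "read-write"
    root_squashed: bool          # True when root is mapped to an anonymous user


def client_matches(rule: ExportRule, client_ip: str) -> bool:
    net = ipaddress.ip_network(rule.clientmatch, strict=False)
    return ipaddress.ip_address(client_ip) in net


def _allows(methods: FrozenSet[str], auth: str) -> bool:
    return "any" in methods or auth in methods


def evaluate(policy: List[ExportRule], client_ip: str, auth: str) -> AccessDecision:
    """Apply the first matching rule; deny if no rule covers the client."""
    for rule in sorted(policy, key=lambda r: r.index):
        if not client_matches(rule, client_ip):
            continue
        if not _allows(rule.rorule, auth):
            return AccessDecision(rule.index, "denied", True)
        level = "read-write" if _allows(rule.rwrule, auth) else "read-only"
        squashed = not _allows(rule.superuser, auth)
        return AccessDecision(rule.index, level, squashed)
    return AccessDecision(None, "denied", True)


# Constructed policy: the application subnet gets read-write and root only
# with Kerberos; the reporting subnet gets read-only with AUTH_SYS.
SAMPLE_POLICY = [
    ExportRule(1, "10.0.1.0/24", frozenset({"sys", "krb5"}), frozenset({"krb5"}), frozenset({"krb5"})),
    ExportRule(2, "10.0.2.0/24", frozenset({"sys"}), frozenset(), frozenset()),
]

if __name__ == "__main__":
    for ip, auth in [("10.0.1.15", "sys"), ("10.0.1.15", "krb5"),
                     ("10.0.2.9", "sys"), ("10.0.2.9", "none"), ("192.168.5.5", "sys")]:
        d = evaluate(SAMPLE_POLICY, ip, auth)
        print(f"{ip} via {auth}: rule={d.rule_index} {d.level} root_squashed={d.root_squashed}")
```

Two points the model makes visible: a client outside every rule's range is denied regardless of its credentials, which is what the subnet-scoped policy from the network-layer section relies on; and within a matched range the authentication method, not just the address, decides whether the mount is read-only, read-write, or allowed to retain root.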
Cloud Volumes ONTAP offers multiple configuration options to ensure enterprise data protection and security controls deployed in cloud environments. Snapshots, data encryption, ransomware protection and more take care of the storage layer, while traffic restrictions should be implemented to ensure security at the network layer. Additional measures should be taken to make sure that only authorized personnel can access the management interfaces and data volumes.
Organizations need to carefully analyze their security requirements and adopt the best practices explained in this article to ensure end-to-end enterprise data protection and security while using Cloud Volumes ONTAP. Your data is important, so you should never put it at risk.
Solving file share data security is important but not the only concern for storage admins. Visit our blog on NetApp Cloud Central for more of the challenges of running a file service in the cloud, including backup and archiving, scalability and agility, and cloud availability issues.
To get started with enterprise data security and data management features offered by Cloud Volumes ONTAP, sign up for this 30-day trial on AWS or Azure.