In today’s digital landscape, safeguarding an organization’s critical data assets is not just a best practice - it is a business imperative. Cyber threats are evolving at an unprecedented pace, and traditional data protection measures are no longer sufficient to keep sensitive information secure.  That is where cyber vaulting comes in. NetApp’s cutting-edge solution combines advanced air-gapping techniques with robust data protection measures to create an impenetrable barrier against cyberthreats. By isolating the most valuable data with secure hardening technology, cyber vaulting minimizes the attack surface so that the most critical data remains confidential, intact, and readily available when needed.

 

Cyber vaulting is an air-gapped secure storage that consists of multiple layers of protection that safeguard vital data necessary to recover crucial business operations. The cyber vault's components regularly synchronize with the essential production data based on the vaulting policy, but otherwise remain inaccessible. This isolated and disconnected setup ensures that in the event of a cyber-attack compromising the production environment, a reliable copy of critical workloads can easily be recovered from the cyber vault.

 

Air-gapping backups that use traditional methods involve creating space and physically separating the primary and secondary media. By moving the media off-site and/or severing connectivity, bad actors have no access to the data. Although this protects the data, it leads to slower recovery times. Not so with NetApp’s cyber vault.

 

NetApp enables easy creation of an air-gaped cyber vault by configuring the network, disabling LIFs, updating firewall rules, and isolating the system from external networks and the internet at the storage level. This robust approach effectively disconnects the storage system from external networks and the internet, providing unparalleled protection against remote cyber-attacks and unauthorized access attempts, making the system immune to network-based threats and intrusion.

 

Combining this with SnapLock Compliance protection, data cannot be modified or deleted, not even by ONTAP administrators or NetApp Support. SnapLock is regularly audited against SEC and FINRA regulations, ensuring that data resiliency meets these stringent WORM and data retention regulations of the banking industry. NetApp is the only enterprise storage validated by NSA CSfC to store top-secret data.

 

With SnapLock Compliance, physical separation is not required. SnapLock Compliance protects the vaulted Snapshot point-in-time, read-only copies, resulting in immutable, safe from deletion data that is quickly accessible for fast recovery of business operations.

 

With ONTAP One, all you need to create a cyber vault is now available at no additional cost.

 

 

This blog covers the automated configuration of NetApp’s cyber vault to protect workload in a separate air-gapped designated ONTAP storage with immutable snapshots and hardened with extra layers of protection. It also covers the Ansible and PowerShell scripts you can use to easily deploy a cyber vault with NetApp ONTAP storage. As part of this architecture, the entire configuration is applied as per ONTAP best practices.

 

NetApp cyber vault Architecture

 

Get Started

 

Setup a NetApp cyber vault

Air-gapping backups that use traditional methods involve creating space and physically separating the primary and secondary media. By moving the media off-site and/or severing connectivity, bad actors have no access to the data. This protects the data but can lead to slower recovery times. With SnapLock Compliance, physical separation is not required. SnapLock Compliance protects the vaulted Snapshot point-in-time, read-only copies, resulting in data that is quickly accessible, safe from deletion, and immutable.

For the specifics on solution components, pre-requisites and detailed steps, refer to solution components, pre-requisites and manual steps

 

Secure the Vault

The NetApp cyber vault provides better resilience against cyber-attacks through various methods such as implementing hardened password policies, enabling RBAC, locking default user accounts, configuring firewalls, and utilizing approval flows for any changes to the vault system. Furthermore, restricting network access protocols from specific IP address can help to limit potential vulnerabilities. ONTAP provides a set of controls that allow to harden the ONTAP storage. Use the guidance and configuration settings for ONTAP to help organization meet prescribed security objectives for information system confidentiality, integrity, and availability.

 

Hardening best practices

 

Manual steps

1. Create a designated user with pre-defined and custom administrative role.
2. Create a new IPspace to isolate network traffic.
3. Create a new SVM residing in the new IPspace.
4. Ensure firewall routing policies are properly configured and that all rules are regularly audited and updated as needed.

ONTAP CLI or via Automation script

1. Protect administration with Multi Admin Approval
2. Enable encryption for standard data “in-flight” between clusters.
3. Secure SSH with strong encryption cipher and enforce secure passwords.
4. Enable global FIPS.
5. Telnet and Remote Shell (RSH) should be disabled.
6. Lock default admin account.
7. Disable data LIFs and secure remote access points.
8. Disable and remove unused or extraneous protocols and services.
9. Encrypt network traffic.
10. Use the principle of least privilege when setting up superuser and administrative roles.
11. Restrict HTTPS and SSH from specific IP address using allowed IP option.
12. Quiesce and resume the replication based on the transfer schedule.

Bullets 1-4 needs manual intervention like designating an isolated network, segregating the IPspace and so on and needs to be performed beforehand. Detailed information to configure the hardening can be found here. The rest can be easily automated for easy deployment and monitoring purposes. The objective of this orchestrated approach is to provide a mechanism to automate the hardening steps to future proof the vault controller. The timeframe the CyberVault is open is as short as possible. SnapVault leverages incremental forever technology, which will only move the changes since the last update into the Cyber Vault, thereby minimizing the amount of time the Cyber Vault must stay open. To further optimize the workflow, the Cyber Vault opening is coordinated with the replication schedule to ensure the smallest connection window.

 

Simplifying with automation

What this script does is:

• Cluster Peering
• SVM Peering
• DP Volume creation
• SnapMirror Relationship and Initialization
• Harden the ONTAP system used for the cyber vault
• Quiesce and resume the relationship based on the transfer schedule
• Validate the security settings periodically and generate a report showing any anomalies

How to use it

 

Ansible (new addition)

Prerequisites:

• Ansible installed. This script was tested using "ansible [core 2.15.0]"
• NetApp ONTAP Ansible collection installed. This script was tested using "netapp.ontap collection (version 22.13.0)" ansible-galaxy collection install netapp.ontap

1. Clone the GitHub repository to your local system

   git clone https://github.com/NetApp/ransomeware-cybervault-automation.git

2. Go to "ansible" directory

   cd ansible​
   ​

3. Configure "vars.yml". Sample file is already provided, update values as needed.

   DESTINATION_ONTAP_CLUSTER_MGMT_IP: "10.10.10.101"
   VALIDATE_CERTS: false
   DESTINATION_ONTAP_CLUSTER_NAME: "NTAP915_Dest"
   SOURCE_VSERVER: "svm_NFS"
   SOURCE_VOLUME_NAMES:
     - "Demo_RP_Vol01"
     - "Demo_RP_Vol02"
   DESTINATION_VSERVER: "SVM_File"
   DESTINATION_VOLUME_NAMES:
     - "Demo_RP_Vol01_CyberVault"
     - "Demo_RP_Vol02_CyberVault"
   DESTINATION_AGGREGATE_NAMES:
     - "NTAP915_Dest_01_VM_DISK_1"
     - "NTAP915_Dest_01_VM_DISK_1"
   DESTINATION_VOLUME_SIZES_GB:
     - "1"
     - "1"
   SNAPLOCK_MIN_RETENTION: "15minutes"
   SNAPLOCK_MAX_RETENTION: "30minutes"
   SNAPMIRROR_SCHEDULE: "5min"
   SNAPMIRROR_POLICY: "XDPDefault"
   # List of management services to disable
   DEFAULT_MANAGEMENT_SERVICES_TO_DISABLE:
     - management-snmp-server
     - management-ntp-server
     - management-log-forwarding
     - management-nis-client
     - management-ad-client
     - management-autosupport
     - management-ems
     - management-ntp-client
     - management-dns-client
     - management-ldap-client
     - management-http
   # ONTAP connection details (adjust as needed)
   SOURCE_ONTAP_ALLOWED_INTERCLUSTER_IPS:
     - "172.21.166.101/32"
     - "172.21.166.102/32"
   ALLOWED_IPS:
     - "10.10.10.11/32"
     - "10.10.10.12/32"
   AUDIT_LOGS_VOLUME_SIZE_GB: "5"
   AUDIT_LOGS_AGGREGATE_NAME: "NTAP915_Dest_01_VM_DISK_1"
   # Multi-Admin Approval Variables
   MULTI_ADMIN_APPROVAL_GROUP_NAME: "vaultadmins"
   MULTI_ADMIN_APPROVAL_USERS: 
     - "vaultadmin1"
     - "vaultadmin2"
   MULTI_ADMIN_APPROVAL_EMAIL: "vaultadmins@netapp.com"
   

4.  Configure "credentials.yml" and encrypt using ansible-vault. Sample file is already provided, update values as needed

   DESTINATION_ONTAP_CREDS:
     Username: “”
     Password: “”
   ​
   

5. Ansible-vault encrypt credential.yml

6. Execute "playbook.yml" using ansible-playbook. Use the passphrase used to encrypt the credentials.yml when prompted.

Note: Ansible module will run in Configure mode (default). Analyze and cron functionality will be added in the next update.

 

Powershell

Prerequisites:

• Download the PowerShell toolkit from the NetApp Support site or from PowerShell gallery .
• Ensure the import of PSTK module works

1. Clone the GitHub repository to your local system

   git clone https://github.com/NetApp/ransomeware-cybervault-automation.git
   

2. Go to "PowerShell" directory

   cd Powershell​

3.  Launch Windows PowerShell as an Administrator.
4. Navigate to the directory containing the script.
5. Execute the script using .\ syntax along with the required parameters

   ./cybervault.ps1 -SOURCE_ONTAP_CLUSTER_MGMT_IP "cluster1.demo.netapp.com" -SOURCE_ONTAP_INTERCLUSTER_IPS "192.168.0.141/32,192.168.0.142/32" -SOURCE_ONTAP_CLUSTER_NAME "cluster1" -SOURCE_VSERVER "svm1" -SOURCE_VOLUME_NAME "svm1_legal","svm1_marketing" -DESTINATION_ONTAP_CLUSTER_MGMT_IP "cluster2.demo.netapp.com" -DESTINATION_ONTAP_CLUSTER_NAME "cluster2" -DESTINATION_VSERVER "svm2" -DESTINATION_AGGREGATE_NAMES "cluster2_01_SSD_1","cluster2_01_SSD_1" -AUDIT_LOG_AGGREGATE_NAME "cluster2_01_SSD_1" -DESTINATION_VOLUME_NAME "cvault_legal","cvault_marketing" -DESTINATION_VOLUME_SIZE "25g","5g" -SNAPLOCK_MIN_RETENTION "15minutes" -SNAPLOCK_MAX_RETENTION "30minutes" -SNAPMIRROR_PROTECTION_POLICY "XDPDefault" -SNAPMIRROR_SCHEDULE "5min" -MULTI_ADMIN_APPROVAL_GROUP_NAME "vaultadmins" -MULTI_ADMIN_APPROVAL_USERS "vaultadmin,vaultadmin2" -MULTI_ADMIN_APPROVAL_EMAIL "vaultadmins@demo.netapp.com" -ALLOWED_IPS_FOR_MANAGEMENT "192.168.0.5/32,192.168.0.6/32" -CRON_SCHEDULE 5min -SNAPMIRROR_RESUME_MINUTES_BOFORE_SM 2 -SNAPMIRROR_QUIESCE_MINUTES_POST_SM 2 -DOMAIN_ADMINISTRATOR_USERNAME "administrator@demo.netapp.com" -SCRIPT_MODE configure

Note: Please ensure all information entered. On the first run (configure mode), it will ask for credentials for both, the production and the new cyber vault system. After that, it will create the SVM Peering’s (if not existent), the volumes and the SnapMirrors between the system and initialize them.

Note: Cron mode can be used to schedule the quiesce and resume of data transfer.

 

The automation script provides 3 modes for execution – Configure, Analyze and Cron.

if($SCRIPT_MODE -eq "configure") {
        configure
    } elseif ($SCRIPT_MODE -eq "analyze") {
        analyze
    } elseif ($SCRIPT_MODE -eq "cron") {
        runCron
    }

• Configure – Performs the validation checks and configures the system as air gapped.
• Analyze – Automated monitoring and reporting feature to send out information to monitoring groups for anomalies and suspicious activities​ to ensure the configurations are not drifted.
• Cron – To enable disconnected infrastructure, cron mode automates disabling the LIF and quiesces the transfer relationship.

It will take time to transfer the data in those selected volumes depending on both systems performance and the amount of data.

 

Validation

A robust cyber vault should be able to withstand a sophisticated attack, even when the attacker has credentials to access the environment with elevated privileges.

 

Once the rules are in place, an attempt (assuming somehow the attacker was able to get in) to delete a snapshot on the vault side will fail. Same applies with all hardening settings by placing on the necessary restrictions and safeguarding the system.

 

Screenshot shows there are no connections on the vault controller.

Screenshot shows there is no ability to tamper with the snapshots.

To validate and confirm air gapping functionality, follow the below steps:

• Test network isolation capabilities, and the ability to quiesce a connection when data is not being transferred.
• Verify the management interface cannot be accessed from any entities apart from the allowed IP addresses.
• Verify Multi admin approval are in place to provide additional layer of approval.
• Validate the ability to access via CLI and REST API
• From the source, trigger a transfer operation to vault and ensure the vaulted copy cannot be modified.
• Try to delete the immutable snapshot copies that are transferred to the vault.
• Try to modify the retention period by tampering the system clock.

 

Data Recovery

If data is destroyed in the production data center, the data from the cyber vault can be securely recovered to the chosen environment. Unlike a physically air-gapped solution, the air-gapped NetApp cyber vault is built using native ONTAP features like SnapLock Compliance and SnapMirror. The result is a recovery process that is both fast and easy to execute.

In the event of ransomware attack and need for recovering from the cyber vault, the recovery process is simple and easy as the snapshot copies housed in the cyber vault are used to restore the encrypted data.

If the requirement is to provide a faster method of bringing data back online when necessary to quickly validate, isolate and analyze the data for recovery, the this can be easily achieved by using with FlexClone with the snaplock-type option set to non-snaplock type.

Note: Practicing recovery procedures from the Cyber Vault will ensure the proper steps are established for connecting to the Cyber Vault and retrieving data. Planning and testing the procedure is essential for any recovery during a cyber-attack event.

 

Conclusion

By leveraging air-gapping with robust hardening methodologies provided by ONTAP, NetApp enables to create secure, isolated storage environments that are resilient against evolving cyber threats. All of this is accomplished while maintaining the agility and efficiency of existing storage infrastructure. This secure access empowers companies to achieve their stringent safety and uptime goals with minimal change to their existing people, process, and technology framework.

 

NetApp cyber vault using native ONTAP features is an easy approach for additional protection to create immutable and indelible copies of your data. Adding NetApp’s cyber vault to the overall security posture will: 

• Create an environment that is separate and disconnected to the production and backup networks and restrict user access to it.
• Store immutable and indelible copies of data in a secure, isolated vault and enable processes to establish an operational air gap between production environment and the vault.
• Ensure that data is always available for synchronization into the cyber vault and available for immediate recovery in case of a production cyber-attack.