Tech ONTAP Blogs
In today’s digital landscape, safeguarding an organization’s critical data assets is not just a best practice - it is a business imperative. Cyber threats are evolving at an unprecedented pace, and traditional data protection measures are no longer sufficient to keep sensitive information secure. That is where cyber vaulting comes in. NetApp’s cutting-edge solution combines advanced air-gapping techniques with robust data protection measures to create an impenetrable barrier against cyberthreats. By isolating the most valuable data with secure hardening technology, cyber vaulting minimizes the attack surface so that the most critical data remains confidential, intact, and readily available when needed.
Cyber vaulting is an air-gapped secure storage that consists of multiple layers of protection that safeguard vital data necessary to recover crucial business operations. The cyber vault's components regularly synchronize with the essential production data based on the vaulting policy, but otherwise remain inaccessible. This isolated and disconnected setup ensures that in the event of a cyber-attack compromising the production environment, a reliable copy of critical workloads can easily be recovered from the cyber vault.
Air-gapping backups that use traditional methods involve creating space and physically separating the primary and secondary media. By moving the media off-site and/or severing connectivity, bad actors have no access to the data. Although this protects the data, it leads to slower recovery times. Not so with NetApp’s cyber vault.
NetApp enables easy creation of an air-gapped cyber vault by configuring the network, disabling LIFs, updating firewall rules, and isolating the system from external networks and the internet at the storage level. This approach disconnects the storage system from external networks and the internet, protecting it against remote cyber-attacks and unauthorized access attempts and making the system resistant to network-based threats and intrusion.
Combining this with SnapLock Compliance protection, data cannot be modified or deleted, not even by ONTAP administrators or NetApp Support. SnapLock is regularly audited against SEC and FINRA regulations, ensuring that data resiliency meets these stringent WORM and data retention regulations of the banking industry. NetApp is the only enterprise storage validated by NSA CSfC to store top-secret data.
With SnapLock Compliance, physical separation is not required. SnapLock Compliance protects the vaulted Snapshot point-in-time, read-only copies, resulting in immutable data that is safe from deletion and quickly accessible for fast recovery of business operations.
With ONTAP One, all you need to create a cyber vault is now available at no additional cost.
This blog covers the automated configuration of NetApp’s cyber vault to protect workloads in a separate, air-gapped, designated ONTAP storage system with immutable snapshots, hardened with extra layers of protection. It also covers the Ansible and PowerShell scripts you can use to easily deploy a cyber vault with NetApp ONTAP storage. As part of this architecture, the entire configuration is applied according to ONTAP best practices.
For the specifics on solution components, prerequisites and detailed steps, refer to the solution components, prerequisites and manual steps documentation.
The NetApp cyber vault provides better resilience against cyber-attacks through various methods such as implementing hardened password policies, enabling RBAC, locking default user accounts, configuring firewalls, and using approval flows for any changes to the vault system. Furthermore, restricting management protocols to specific IP addresses helps limit potential exposure. ONTAP provides a set of controls that allow you to harden the ONTAP storage. Use the guidance and configuration settings for ONTAP to help your organization meet prescribed security objectives for information system confidentiality, integrity, and availability.
Bullets 1-4 need manual intervention, such as designating an isolated network and segregating the IPspace, and must be performed beforehand. Detailed information on configuring the hardening can be found in the ONTAP hardening guidance. The rest can be easily automated for deployment and monitoring purposes. The objective of this orchestrated approach is to provide a mechanism that automates the hardening steps to future-proof the vault controller. The time frame during which the Cyber Vault is open is kept as short as possible. SnapVault uses incremental-forever technology, which moves only the changes since the last update into the Cyber Vault, thereby minimizing the amount of time the Cyber Vault must stay open. To further optimize the workflow, the Cyber Vault opening is coordinated with the replication schedule to ensure the smallest connection window.
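The hardening settings above are only useful if they stay in place, so a vault operator wants a way to detect drift: a management service that was re-enabled, or an allowed-address list that was widened back to "any". The following Python is an added example, not part of the NetApp repository, that compares a desired state taken from the variables in this post against constructed records shaped like the `GET /api/network/ip/service-policies` response of the ONTAP REST API. The `name`, `services` and `allowed_addresses` field names are assumed from that API and should be verified against your ONTAP release; the sample records are constructed, not captured from a real cluster.

```python
"""Drift check for cyber-vault network hardening (added example, not NetApp's script)."""
import ipaddress

# Desired state, copied from the Ansible vars shown in this post.
DEFAULT_MANAGEMENT_SERVICES_TO_DISABLE = [
    "management-snmp-server", "management-ntp-server", "management-log-forwarding",
    "management-nis-client", "management-ad-client", "management-autosupport",
    "management-ems", "management-ntp-client", "management-dns-client",
    "management-ldap-client", "management-http",
]
ALLOWED_IPS = ["10.10.10.11/32", "10.10.10.12/32"]
SOURCE_ONTAP_ALLOWED_INTERCLUSTER_IPS = ["172.21.166.101/32", "172.21.166.102/32"]

# Constructed sample resembling /api/network/ip/service-policies records
# (field names assumed; verify against your ONTAP API reference).
SAMPLE_POLICIES = [
    {"name": "default-management", "ipspace": {"name": "Default"},
     "services": ["management-https", "management-ssh", "management-http",
                  "management-autosupport"],
     "allowed_addresses": ["0.0.0.0/0"]},                 # wide open: drift
    {"name": "default-intercluster", "ipspace": {"name": "Default"},
     "services": ["intercluster-core"],
     "allowed_addresses": ["172.21.166.101/32", "172.21.166.102/32"]},
]

# Constructed sample of the same policies after hardening has been applied.
HARDENED_POLICIES = [
    {"name": "default-management", "ipspace": {"name": "Default"},
     "services": ["management-https", "management-ssh"],
     "allowed_addresses": ["10.10.10.11/32", "10.10.10.12/32"]},
    {"name": "default-intercluster", "ipspace": {"name": "Default"},
     "services": ["intercluster-core"],
     "allowed_addresses": ["172.21.166.101/32", "172.21.166.102/32"]},
]


def _networks(cidrs):
    """Parse CIDR strings into a set of network objects for exact comparison."""
    return {ipaddress.ip_network(c, strict=False) for c in cidrs}


def check_service_policies(policies,
                           services_to_disable=DEFAULT_MANAGEMENT_SERVICES_TO_DISABLE,
                           allowed_mgmt=ALLOWED_IPS,
                           allowed_ic=SOURCE_ONTAP_ALLOWED_INTERCLUSTER_IPS):
    """Return a sorted list of drift findings; an empty list means no drift."""
    findings = []
    disable = set(services_to_disable)
    for pol in policies:
        name = pol["name"]
        services = set(pol.get("services", []))
        # Any service on the disable list that is still attached to a policy.
        for svc in sorted(disable & services):
            findings.append(f"{name}: service {svc} must be disabled")
        # Intercluster policies are measured against the peer allow-list,
        # everything else against the management allow-list.
        is_intercluster = any(s.startswith("intercluster") for s in services)
        approved = _networks(allowed_ic if is_intercluster else allowed_mgmt)
        for cidr in pol.get("allowed_addresses", []):
            if ipaddress.ip_network(cidr, strict=False) not in approved:
                findings.append(
                    f"{name}: allowed address {cidr} is not in the approved list")
    return sorted(findings)


def is_hardened(policies):
    """True when the policies match the desired state exactly."""
    return not check_service_policies(policies)


if __name__ == "__main__":
    for line in check_service_policies(SAMPLE_POLICIES):
        print("DRIFT:", line)
    print("hardened:", is_hardened(HARDENED_POLICIES))
```

Run it periodically against a fresh policy dump and alert on any non-empty result; a widened `allowed_addresses` or a re-enabled `management-http` is exactly the kind of change an attacker with stolen administrator credentials would make first.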
What this script does is:
git clone https://github.com/NetApp/ransomeware-cybervault-automation.git
cd ansible
DESTINATION_ONTAP_CLUSTER_MGMT_IP: "10.10.10.101"
VALIDATE_CERTS: false
DESTINATION_ONTAP_CLUSTER_NAME: "NTAP915_Dest"
SOURCE_VSERVER: "svm_NFS"
SOURCE_VOLUME_NAMES:
- "Demo_RP_Vol01"
- "Demo_RP_Vol02"
DESTINATION_VSERVER: "SVM_File"
DESTINATION_VOLUME_NAMES:
- "Demo_RP_Vol01_CyberVault"
- "Demo_RP_Vol02_CyberVault"
DESTINATION_AGGREGATE_NAMES:
- "NTAP915_Dest_01_VM_DISK_1"
- "NTAP915_Dest_01_VM_DISK_1"
DESTINATION_VOLUME_SIZES_GB:
- "1"
- "1"
SNAPLOCK_MIN_RETENTION: "15minutes"
SNAPLOCK_MAX_RETENTION: "30minutes"
SNAPMIRROR_SCHEDULE: "5min"
SNAPMIRROR_POLICY: "XDPDefault"
# List of management services to disable
DEFAULT_MANAGEMENT_SERVICES_TO_DISABLE:
- management-snmp-server
- management-ntp-server
- management-log-forwarding
- management-nis-client
- management-ad-client
- management-autosupport
- management-ems
- management-ntp-client
- management-dns-client
- management-ldap-client
- management-http
# ONTAP connection details (adjust as needed)
SOURCE_ONTAP_ALLOWED_INTERCLUSTER_IPS:
- "172.21.166.101/32"
- "172.21.166.102/32"
ALLOWED_IPS:
- "10.10.10.11/32"
- "10.10.10.12/32"
AUDIT_LOGS_VOLUME_SIZE_GB: "5"
AUDIT_LOGS_AGGREGATE_NAME: "NTAP915_Dest_01_VM_DISK_1"
# Multi-Admin Approval Variables
MULTI_ADMIN_APPROVAL_GROUP_NAME: "vaultadmins"
MULTI_ADMIN_APPROVAL_USERS:
- "vaultadmin1"
- "vaultadmin2"
MULTI_ADMIN_APPROVAL_EMAIL: "vaultadmins@netapp.com"
DESTINATION_ONTAP_CREDS:
  Username: ""
  Password: ""
ansible-vault encrypt credential.yml
Note: The Ansible automation runs in Configure mode (the default). Analyze and Cron functionality will be added in the next update.
git clone https://github.com/NetApp/ransomeware-cybervault-automation.git
cd Powershell
./cybervault.ps1 -SOURCE_ONTAP_CLUSTER_MGMT_IP "cluster1.demo.netapp.com" `
  -SOURCE_ONTAP_INTERCLUSTER_IPS "192.168.0.141/32,192.168.0.142/32" `
  -SOURCE_ONTAP_CLUSTER_NAME "cluster1" `
  -SOURCE_VSERVER "svm1" `
  -SOURCE_VOLUME_NAME "svm1_legal","svm1_marketing" `
  -DESTINATION_ONTAP_CLUSTER_MGMT_IP "cluster2.demo.netapp.com" `
  -DESTINATION_ONTAP_CLUSTER_NAME "cluster2" `
  -DESTINATION_VSERVER "svm2" `
  -DESTINATION_AGGREGATE_NAMES "cluster2_01_SSD_1","cluster2_01_SSD_1" `
  -AUDIT_LOG_AGGREGATE_NAME "cluster2_01_SSD_1" `
  -DESTINATION_VOLUME_NAME "cvault_legal","cvault_marketing" `
  -DESTINATION_VOLUME_SIZE "25g","5g" `
  -SNAPLOCK_MIN_RETENTION "15minutes" `
  -SNAPLOCK_MAX_RETENTION "30minutes" `
  -SNAPMIRROR_PROTECTION_POLICY "XDPDefault" `
  -SNAPMIRROR_SCHEDULE "5min" `
  -MULTI_ADMIN_APPROVAL_GROUP_NAME "vaultadmins" `
  -MULTI_ADMIN_APPROVAL_USERS "vaultadmin,vaultadmin2" `
  -MULTI_ADMIN_APPROVAL_EMAIL "vaultadmins@demo.netapp.com" `
  -ALLOWED_IPS_FOR_MANAGEMENT "192.168.0.5/32,192.168.0.6/32" `
  -CRON_SCHEDULE 5min `
  -SNAPMIRROR_RESUME_MINUTES_BOFORE_SM 2 `
  -SNAPMIRROR_QUIESCE_MINUTES_POST_SM 2 `
  -DOMAIN_ADMINISTRATOR_USERNAME "administrator@demo.netapp.com" `
  -SCRIPT_MODE configure
Note: Please ensure all information is entered. On the first run (configure mode), the script asks for credentials for both the production system and the new cyber vault system. After that, it creates the SVM peerings (if they do not already exist), the volumes and the SnapMirror relationships between the systems, and initializes them.
Note: Cron mode can be used to schedule the quiesce and resume of data transfer.
The automation script provides 3 modes for execution – Configure, Analyze and Cron.
# Dispatch on the -SCRIPT_MODE parameter: configure, analyze or cron
if ($SCRIPT_MODE -eq "configure") {
    configure
} elseif ($SCRIPT_MODE -eq "analyze") {
    analyze
} elseif ($SCRIPT_MODE -eq "cron") {
    runCron
}
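Cron mode is where the "smallest connection window" from the hardening section is realised: the vault relationship is resumed shortly before the scheduled SnapMirror update and quiesced shortly after it. The following Python is an added example, not the NetApp PowerShell or Ansible code, that computes that window from the same parameters the script takes (`SNAPMIRROR_SCHEDULE`, the resume-before and quiesce-after minute counts) and produces the REST calls a cron tick would issue. It assumes that ONTAP's interval schedules fire on clock boundaries from the top of the hour, and that pausing and resuming a relationship is done by patching its `state` to `paused` and `snapmirrored` respectively on `/api/snapmirror/relationships/{uuid}`; both are my understanding of the API, not facts stated in this post, so verify them against your ONTAP API reference. The retention parser also accepts the `15minutes`/`30minutes` strings used for the SnapLock settings above.

```python
"""Cyber Vault open/close window planner (added example, not NetApp's cybervault.ps1)."""
import re
from datetime import datetime, timedelta

# Assumed REST bodies for PATCH /api/snapmirror/relationships/{uuid}:
# "paused" quiesces the relationship, "snapmirrored" resumes it.
PAUSE_BODY = {"state": "paused"}
RESUME_BODY = {"state": "snapmirrored"}

_UNITS = {"min": 1, "minute": 1, "minutes": 1,
          "hour": 60, "hours": 60, "day": 1440, "days": 1440}


def parse_interval(text):
    """Turn '5min', '15minutes', '2hours' or '1day' into a timedelta."""
    m = re.fullmatch(r"\s*(\d+)\s*([a-z]+)\s*", text.lower())
    if not m or m.group(2) not in _UNITS:
        raise ValueError(f"unrecognised interval: {text!r}")
    return timedelta(minutes=int(m.group(1)) * _UNITS[m.group(2)])


def next_update(now, interval):
    """Next scheduled SnapMirror update strictly after `now`.

    Assumes interval schedules are aligned to the top of the hour, so a
    '5min' schedule fires at :00, :05, :10, ... (assumption, see lead-in).
    """
    anchor = now.replace(minute=0, second=0, microsecond=0)
    ticks_elapsed = (now - anchor) // interval
    return anchor + (ticks_elapsed + 1) * interval


def plan_window(now, schedule, resume_before_min, quiesce_after_min):
    """Return [(when, method, body), ...] for the next open/close cycle.

    Refuses a configuration in which the open window is as long as the
    schedule interval, because the vault would then never be closed.
    """
    interval = parse_interval(schedule)
    before = timedelta(minutes=resume_before_min)
    after = timedelta(minutes=quiesce_after_min)
    if before + after >= interval:
        raise ValueError("resume-before + quiesce-after covers the whole "
                         "interval; the vault would never close")
    update_at = next_update(now, interval)
    return [
        (update_at - before, "PATCH", RESUME_BODY),   # open the vault
        (update_at + after, "PATCH", PAUSE_BODY),     # close it again
    ]


def open_fraction(schedule, resume_before_min, quiesce_after_min):
    """Share of wall-clock time the vault relationship is not quiesced."""
    interval = parse_interval(schedule)
    window = timedelta(minutes=resume_before_min + quiesce_after_min)
    return window.total_seconds() / interval.total_seconds()


if __name__ == "__main__":
    # Constructed example time; the parameters match the PowerShell example above.
    now = datetime(2024, 1, 1, 10, 1)
    for when, method, body in plan_window(now, "5min", 2, 2):
        print(when.strftime("%H:%M"), method, body)
    print("open fraction:", open_fraction("5min", 2, 2))
```

With the values from the PowerShell example (`5min` schedule, resume 2 minutes before, quiesce 2 minutes after) the relationship is open for 4 minutes of every 5, so the "air gap" is closed only 20% of the time. A longer schedule with the same margins, say hourly replication with a 2+2 minute window, shrinks the open fraction to under 7%, which is the trade-off the post describes between recovery-point objective and connection time.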
It will take time to transfer the data in the selected volumes, depending on the performance of both systems and the amount of data.
A robust cyber vault should be able to withstand a sophisticated attack, even when the attacker has credentials to access the environment with elevated privileges.
Once the rules are in place, an attempt (assuming the attacker somehow got in) to delete a snapshot on the vault side will fail. The same applies to all the hardening settings, which place the necessary restrictions on the system and safeguard it.
Screenshot shows there are no connections on the vault controller.
Screenshot shows there is no ability to tamper with the snapshots.
To validate and confirm air gapping functionality, follow the below steps:
If data is destroyed in the production data center, the data from the cyber vault can be securely recovered to the chosen environment. Unlike a physically air-gapped solution, the air-gapped NetApp cyber vault is built using native ONTAP features like SnapLock Compliance and SnapMirror. The result is a recovery process that is both fast and easy to execute.
In the event of a ransomware attack that requires recovery from the cyber vault, the recovery process is simple, because the snapshot copies housed in the cyber vault are used to restore the encrypted data.
If the requirement is a faster method of bringing data back online, for example to quickly validate, isolate and analyze the data before recovery, this can be achieved with FlexClone, with the snaplock-type option set to non-snaplock.
Note: Practicing recovery procedures from the Cyber Vault will ensure the proper steps are established for connecting to the Cyber Vault and retrieving data. Planning and testing the procedure is essential for any recovery during a cyber-attack event.
By combining air-gapping with the hardening methods provided by ONTAP, NetApp enables organizations to create secure, isolated storage environments that are resilient against evolving cyber threats. All of this is accomplished while maintaining the agility and efficiency of existing storage infrastructure. This secure access empowers companies to achieve their stringent safety and uptime goals with minimal change to their existing people, process, and technology framework.
NetApp cyber vault using native ONTAP features is an easy approach for additional protection to create immutable and indelible copies of your data. Adding NetApp’s cyber vault to the overall security posture will: