Tech ONTAP Blogs
Tech ONTAP Blogs
ONTAP Essentials, provided by Cloud Insights is NetApp's cloud based monitoring solution and as stated above is included with every advantage support license. Starting in June, it includes security monitoring for your on-prem ONTAP systems as well as Cloud Volumes ONTAP. ONTAP Essentials will monitor your systems setup against the ONTAP 9 Hardening Guide, helping you insure your systems are always securely configured. ONTAP Essentials also helps you understand your system access control methods and keep your workload safe from theft and ransomware. Let's find out more.
You can access the security dashboard under ONTAP Essentials by selecting 'Security' from the left hand navigation:
Let's quickly break down what we see here. The first two cards are focused on your data. Is the data itself protected? Is it encrypted at rest, either via hardware encrypted drives or ONTAP internal data encryption features? When data is encrypted at rest that data on the drive cannot be accessed when the drive is removed, even if moved to another system. Physical security of data is step one.
There is of course a 3rd kind of encryption - encryption we don't want - namely ransomware. Protecting data from ransomware is what the second focuses on. Like software and hardware encryption, NetApp offers two Anti-Ransomware protection solutions:
Click through the links above to learn about both or sign up immediately with workload security through ONTAP Essentials in-product integration. Whether you use both or just one, the security dashboard identifies workloads that are not protected, helping you either get them protected, or letting you validate their status as non-critical workloads. Throughout the dashboard, clicking on any of the numbers you see will lead to progressively more detailed screens.
Encryption and Anti-Ransomware are two critical legs of our stool, but all that starts with basic configuration setup. The ONTAP 9 hardening guide documents NetApp's best practices to help you ensure that your workloads sit on a safe configuration. ONTAP Essentials both helps insure you achieve that and informs you if something happens to render a system non-compliant.
Our last card on top of the security dashboard is a precursor to that - it helps us understand how users are being authenticated and given access to your NetApp clusters:
On production systems we'd likely see all ONTAP systems using the same identity provider, e.g. your organization may have standardized on LDAP. In this example that one outlying SAML system could be a misconfiguration or even an attacker setting up an alternate identity system in your org. Security starts with validating proper authentication. Only the right users should have access to your ONTAP systems.
Compliance with the Hardening Guide is exactly what it sounds like, you're either compliant (secure) or you're not. In the table at the bottom of your screen each cluster is labelled with its compliance. Compliance status can be 'Compliant', 'Not Compliant' and 'Not Checked'. We'll talk about 'Not Checked' in detail later. As we're giving cluster level detail here, we added metrics on workload status for the individual clusters as well.
Hovering over a cluster shows the view details hint as we see in the last row above. Clicking on it or the magnifying glass allows us to look at a cluster's compliance status in detail, so we can understand what needs to be corrected.
Details appear as a card from the right hand side of the screen, allowing us to look at general cluster settings, per-SVM settings and also Anti-Ransomware settings for the selected cluster. Each checked criteria is listed and the compliance status for that check is noted.
The Storage Virtual Machine (SVM) and SVM Anti-Ransomware pages display similar data:
One item of note, on the SVM Anti-Ransomware page, clicking the 'Protect' button on an SVM will take to you Cloud Insights: Workload Security and help you setup Anti-Ransomware protection on that volume immediately.
That's how we view compliance and configuration status. ONTAP Essentials is of course, all about monitoring so you don't have to go and look. Lets move on and talk about how Cloud Insights: ONTAP Essentials informs you of a compliance violation and also how we can make adjustments to what compliance means.
While Cloud Insights does a great job in reporting and visualization of data, in the context of security, monitoring is crucial. We need to be informed - aware - when a security related event takes place. If you've read our previous posts in this series you know we've covered setting up monitors and how to get notifications. Security monitoring is no different.
Each of the settings monitored and displayed in the security details page above corresponds to a monitor supplied in our ONTAP Infrastructure monitors group (Or CVO Infrastructure Group). In previous posts we've shown you how to turn them on, and even how to create new monitors. Security monitors are more of the same. While our Security Dashboard is a great way to visualize security related monitors, the monitors themselves are how we control what the security dashboard displays.
If you're not using monitors, and even if you are, the first time you goto the security dashboard you may see an alert at the top of the page similar to this:
In this case , because CVO infrastructure monitoring wasn't fully enabled, the security monitors were not enabled. Go turn those on. Cloud Insights will start monitoring your security compliance as data comes in. If you were in this state, you might have also received a dashboard that looks something like the dashboard below and wondered: "What does 'Not Checked' mean?". Lets walk that through and answer the 'See Belows' from above.
'Not Checked' is ONTAP Essentials' way of telling you: The monitor for this attribute is disabled. ONTAP Essentials is ignoring this value when judging your cluster's compliance against the ONTAP 9 Hardening Guide. Disabling a monitor allows you to ignore a check in your compliance report. This can be useful if you absolutely must use the default local admin user. (Don't do this, We will all know your username. That's 1/2 of what we need to access your machine.) So while disabling checks is something you can do, we don't recommend it.
Disabled checks will also show as 'Not Checked' in details views. We hope you never see a screen like the one below. Turn on your monitors!
The link to monitors is important. As each of these is a monitor, each of these will also become an alert whenever the monitor detects a non-compliance event. In the screenshot below we see that an Alert has been created for a system that is using that default admin user we all know about. Instructions are provided right up front on how to disable it. The description says a bit more briefly on why.
We also note at the bottom of the screenshot in the Expert view when this happened, and the shaded 'orange' area indicates how long its been occuring for. Still occurring in this example. An expert user might use this to look back in time and see the admin use was enabled for a brief time, and then disabled. During that window the cluster was 'less secure', and we all might want to know just what was going on during that period.
If we scroll down on the alert to the related alerts section we might see other security related alerts:
In this case, we might see they all have the triggered time, and it reminds us: Oh, I turned on all monitors for a demo at that time, no need to sound the alarm.
A reminder - Cloud Insights as a rule does not send email or other notifications out when an Alert is created. We recommend you setup notification on all monitors in the Infrastructure group, so that you're informed as security events occur.
With that, we hope today's post helps you keep your systems secure. Its time to try it out. Any surprises in your data or system security? Did you sign up for a trial of Workload Security? What did ONTAP Essentials help you find? Please share your feedback in the comments your feedback helps us manage your systems better. Stay safe out there!