Tech ONTAP Blogs

Securing your data layer with Amazon FSx for NetApp ONTAP

DannyTz
NetApp

The challenges of cloud storage security

 

In the AWS Shared Responsibility Model, AWS is responsible for security of the cloud (the underlying infrastructure), while you are responsible for security in the cloud, which includes protecting your data. That matters because data is the real target of most attacks.

 

The defense-in-depth model commonly used in cybersecurity has seven layers (shown in the following image), where each layer of protection is designed to stop attackers from reaching the next:

 

[Image: the seven-layer cybersecurity defense-in-depth model]

 

Yet sophisticated threats can work through these defenses one by one until they reach their real target: your data. Without protection at the data layer itself, an attacker who has bypassed the upstream controls can steal, corrupt, or encrypt it for ransom.

 

The four data-layer security challenges every organization must address

 

To achieve resilience, storage must have built-in security that addresses threats at the data layer. That requires addressing four critical challenges:

 

  1. Threats to data integrity: Ransomware, malware, and insiders can corrupt or encrypt critical data before traditional security tools detect the attack, leaving organizations without trustworthy recovery points.
  2. Improper access control: Overly permissive storage access and weak AWS Identity and Access Management (IAM) integration create opportunities for privilege escalation and unauthorized data access, even when perimeter defenses hold.
  3. Poor detection and response: Without visibility at the storage layer, threats spread undetected and move laterally across resources.
  4. Lack of AWS-native security integration: Storage security that is siloed from AWS controls creates blind spots and prevents a unified security posture.

 

Traditional approaches often rely on a patchwork of third-party tools and manual processes to address these gaps. This adds operational overhead, cost, and risk. True resilience requires a storage layer that is agile and secure, where data is protected as actively as applications.

 

How FSx for ONTAP transforms cloud storage security

 

FSx for ONTAP is a fully managed AWS storage service that brings the enterprise-grade security and data management of NetApp® ONTAP® to the cloud.

 

Rather than relying on separate third-party tools or add-on processes, FSx for ONTAP integrates security controls natively and directly into the storage layer, addressing the four major gaps in data security with built-in, enterprise-ready capabilities.

 

The following image shows the security benefits FSx for ONTAP provides:

 

[Image: the security benefits FSx for ONTAP provides]

 

Data integrity that resists tampering and ransomware

 

Ransomware and malicious activity often corrupt or encrypt files, threatening trust in business systems. FSx for ONTAP preserves data integrity with the following capabilities:

 

  • NetApp Snapshot™ copies are instant, point-in-time copies of a volume that can be used for rapid recovery and are created with negligible performance impact.
  • NetApp SnapLock® commits files on a SnapLock volume to write-once-read-many (WORM) state for a retention period. WORM data cannot be modified or deleted before that period expires (in SnapLock Compliance mode, not even by an administrator; SnapLock Enterprise mode permits a privileged delete), which helps meet regulatory retention requirements and keeps recovery copies out of reach of ransomware.
  • Encryption at rest is always enabled: every FSx for ONTAP file system is encrypted with an AWS Key Management Service (AWS KMS) key, either the AWS-managed key or a customer-managed key you choose when creating the file system. Encryption in transit is protocol-specific (SMB 3 encryption for SMB shares, Kerberos with krb5p for NFS) and must be enabled on the SVM and supported by the client, so verify it rather than assuming it is on.
  • NetApp cyber vault is a reference architecture that protects your data against ransomware and other cyber threats by keeping a copy isolated from the production environment. These isolated volumes are logically air gapped (which helps align with the 3-2-1-1-0 data protection strategy), indelible and immutable, quickly recoverable, and under strict access controls.
  • NetApp data classification identifies highly sensitive data across your storage environments and highlights where it needs added protection.

 

Integrity is enforced continuously, so that trustworthy recovery points are always available even when primary data is compromised.

Fine-grained access control aligned with your identity systems

 

FSx for ONTAP provides multiple layers of access control at the storage tier:

 

  • Tenant isolation at the storage virtual machine (SVM) level: each SVM has its own namespace, network interfaces, authentication configuration, and administrators, creating strict boundaries between workloads and environments.
  • Active Directory integration enables authentication with existing credentials and Windows (NTFS) file-level ACLs on SMB shares. For NFS, export policies control which clients can mount a volume, and UNIX permissions or NFSv4 ACLs control access to individual files.
  • AWS IAM integration enables role- and resource-based access control over the FSx management plane: creating, modifying, and deleting file systems, SVMs, volumes, and backups. IAM does not govern reads and writes of file data; those are decided by the file system's own ACLs and export policies, so both layers need to be scoped.

These features minimize the chances that data stored with FSx for ONTAP will be accessed by malicious actors.

 

Autonomous detection and rapid response to threats

 

Even the best defenses can be bypassed, which makes speed and automation essential. This is where FSx for ONTAP adds capabilities at the storage layer itself:

  • Autonomous Ransomware Protection (ARP) first learns a volume's normal workload during a learning period, then watches for the signatures of an attack: entropy analysis of written data (encrypted data has high entropy), monitoring for file extensions never seen on the volume, and recognition of abnormal I/O patterns such as a sudden burst of writes and renames.

    When ARP detects suspicious file behavior, it automatically creates an immutable Snapshot copy of the volume so that a clean recovery point survives the attack, and it raises an alert for administrators to review.

    ARP is new to FSx for ONTAP and, as a first-of-its-kind capability on AWS, a real differentiator. See ARP in action in the demo video and read more in the ARP announcement blog post.

 

  • FPolicy (file policy) lets administrators define native file-blocking rules: create, rename, and open operations on files whose extensions match a deny list (for example, extensions used by known ransomware families) are refused before the file is written. FPolicy can also forward file-operation notifications to external FPolicy servers for richer analysis. Note that a deny list only catches extensions you already know about, which is why ARP's behavioral detection complements it.

 

  • Vscan provides antivirus integration for environments that require an additional scanning layer: ONTAP hands files to external antivirus servers running supported vendor software for on-access or on-demand scanning and can block access to files they flag as infected.

With these features, FSx for ONTAP shifts your security stance from reactive to proactive.
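To make the ARP and FPolicy bullets above concrete, here is an added example (my own illustration, not NetApp's ARP or FPolicy code) that runs the three signals the post names, high-entropy writes, never-seen file extensions and an abnormal write rate, over a constructed file-event timeline, beside an FPolicy-style extension deny list. The paths, timings, thresholds and deny list are all constructed for the demo; real ARP thresholds and its learning period are ONTAP's own and are not reproduced here.

```python
"""ARP-style ransomware heuristics and FPolicy-style extension blocking over
constructed file events.

Added example (not NetApp's ARP or FPolicy code): it illustrates the three
signals the post names, high-entropy writes, never-seen file extensions and an
abnormal write rate, and why a static extension deny list alone is not enough.
The paths, timings, thresholds and deny list are constructed for the demo.
"""
import math
import os
import random
from collections import Counter, defaultdict

ENTROPY_THRESHOLD = 7.0   # bits per byte; encrypted or compressed data sits near 8
RATE_MULTIPLIER = 5       # a write rate beyond this multiple of baseline is abnormal
BLOCKED_EXTENSIONS = {".locked", ".crypt", ".wncry"}   # constructed deny list


def shannon_entropy(data):
    """Bits of entropy per byte; about 4 for English text, close to 8 for ciphertext."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def _ext(path):
    return os.path.splitext(path)[1].lower()


def fpolicy_allows(op, path):
    """FPolicy-style native file blocking: deny create/rename/write of listed extensions."""
    return not (op in ("create", "rename", "write") and _ext(path) in BLOCKED_EXTENSIONS)


class ArpMonitor:
    """Learns a volume's normal workload, then scores later activity per time window."""

    def __init__(self):
        self.known_exts = set()
        self.baseline_rate = 1.0   # writes per second seen during learning

    def learn(self, events):
        per_second = Counter()
        for ev in events:
            self.known_exts.add(_ext(ev["path"]))
            if ev["op"] == "write":
                per_second[int(ev["t"])] += 1
        self.baseline_rate = max(1.0, sum(per_second.values()) / max(1, len(per_second)))

    def evaluate(self, events, window=5):
        """Return one alert per window in which at least two indicators fire."""
        buckets = defaultdict(list)
        for ev in events:
            buckets[int(ev["t"]) // window].append(ev)
        alerts = []
        for b in sorted(buckets):
            evs = buckets[b]
            writes = [e for e in evs if e["op"] == "write"]
            indicators = []
            if writes and sum(shannon_entropy(e["data"]) > ENTROPY_THRESHOLD
                              for e in writes) / len(writes) > 0.5:
                indicators.append("high-entropy writes")
            if any(_ext(e["path"]) not in self.known_exts for e in evs):
                indicators.append("unknown file extension")
            if len(writes) / window > RATE_MULTIPLIER * self.baseline_rate:
                indicators.append("write rate spike")
            if len(indicators) >= 2:
                alerts.append({"window_start": b * window, "indicators": indicators,
                               "action": "take locked Snapshot copy and alert"})
        return alerts


def build_sample_events():
    """Constructed timeline: 30 s of office-document edits, then a 3 s encryption burst."""
    rng = random.Random(7)
    text = b"Quarterly revenue summary for the northern region. " * 40
    learning = [{"t": s + 0.4 * i, "op": "write", "data": text,
                 "path": f"/finance/{'memo' if i == 0 else 'report'}_{s}.{'docx' if i == 0 else 'xlsx'}"}
                for s in range(30) for i in range(2)]
    attack = []
    for i in range(60):
        t = 30 + 0.05 * i
        path = f"/finance/report_{i}.xlsx.xyzq"   # an extension on no deny list
        attack.append({"t": t, "op": "rename", "path": path, "data": b""})
        attack.append({"t": t, "op": "write", "path": path,
                       "data": bytes(rng.getrandbits(8) for _ in range(2048))})
    return learning, attack


if __name__ == "__main__":
    learning, attack = build_sample_events()
    monitor = ArpMonitor()
    monitor.learn(learning)
    print("FPolicy blocks the burst?", not all(fpolicy_allows(e["op"], e["path"]) for e in attack))
    for alert in monitor.evaluate(attack):
        print(alert)
```

The burst uses a made-up `.xyzq` extension precisely because it is on no deny list: `fpolicy_allows` lets every one of those writes through, while the monitor flags the window on all three signals. In production the two are layered, with FPolicy refusing the known-bad names cheaply and ARP catching what the list misses.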

Seamless integration with AWS-native security controls

 

Siloed tools create blind spots. FSx for ONTAP integrates natively with AWS security services, including:

 

  • AWS IAM policies for resource and role-based permissions.
  • Private connectivity: file systems are reachable only through elastic network interfaces in your VPC, governed by security groups and route tables, and the FSx API can be called over interface VPC endpoints (AWS PrivateLink) without traversing the public internet.

This native integration means you can monitor and manage storage security through the same dashboards, policies, and workflows you use for the rest of AWS, which reduces complexity and strengthens your overall AWS posture.
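The IAM bullets in the access-control section and here both leave open what a well-scoped FSx policy actually looks like. The following added example (my own, not from the post or from AWS) places an over-permissive policy beside a scoped one and runs a small linter over both; the account ID, Region and file system ID are placeholders, and the checks (wildcard actions, destructive actions on every resource, deletion without an MFA condition) are my choice of red flags rather than any AWS tool's output.

```python
"""Least-privilege IAM for the FSx for ONTAP control plane.

Added example (not from the blog post or AWS): an over-permissive policy next to
a scoped one, plus a small linter that flags the patterns that let a compromised
role reach every file system in the account. The account ID, Region and file
system ID below are placeholders, not real resources.
"""
import json
from fnmatch import fnmatch

ACCOUNT = "123456789012"          # placeholder account
REGION = "us-east-1"
FS_ID = "fs-0123456789abcdef0"    # placeholder file system

# Over-permissive: every FSx action on every resource, no conditions.
PERMISSIVE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "fsx:*", "Resource": "*"}],
}

# Scoped: read-only discovery (FSx Describe* calls require Resource "*"), volume
# lifecycle limited to one file system, deletion gated on MFA, and an explicit
# Deny on file-system deletion that no Allow elsewhere can override.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {"Sid": "Discover", "Effect": "Allow",
         "Action": ["fsx:DescribeFileSystems", "fsx:DescribeVolumes",
                    "fsx:DescribeStorageVirtualMachines"],
         "Resource": "*"},
        {"Sid": "ManageVolumesOnOneFileSystem", "Effect": "Allow",
         "Action": ["fsx:CreateVolume", "fsx:UpdateVolume", "fsx:CreateSnapshot"],
         "Resource": [f"arn:aws:fsx:{REGION}:{ACCOUNT}:file-system/{FS_ID}",
                      f"arn:aws:fsx:{REGION}:{ACCOUNT}:volume/{FS_ID}/*"]},
        {"Sid": "DeleteVolumeNeedsMfa", "Effect": "Allow",
         "Action": "fsx:DeleteVolume",
         "Resource": f"arn:aws:fsx:{REGION}:{ACCOUNT}:volume/{FS_ID}/*",
         "Condition": {"Bool": {"aws:MultiFactorAuthPresent": "true"}}},
        {"Sid": "NeverDeleteFileSystem", "Effect": "Deny",
         "Action": "fsx:DeleteFileSystem", "Resource": "*"},
    ],
}

# Actions that destroy data or recovery points; these deserve the tightest scope.
DESTRUCTIVE = {"fsx:DeleteFileSystem", "fsx:DeleteVolume", "fsx:DeleteSnapshot",
               "fsx:DeleteStorageVirtualMachine", "fsx:DeleteBackup"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _has_mfa_condition(stmt):
    """True if the statement requires aws:MultiFactorAuthPresent to be true."""
    for operator, keys in stmt.get("Condition", {}).items():
        if operator in ("Bool", "BoolIfExists"):
            if str(keys.get("aws:MultiFactorAuthPresent", "")).lower() == "true":
                return True
    return False


def lint_policy(policy):
    """Return human-readable findings for risky Allow statements (empty list = clean)."""
    findings = []
    for stmt in policy["Statement"]:
        if stmt.get("Effect") != "Allow":
            continue
        sid = stmt.get("Sid", "<no Sid>")
        resources = _as_list(stmt.get("Resource", []))
        for action in _as_list(stmt.get("Action", [])):
            if action == "*" or action.endswith(":*"):
                findings.append(f"{sid}: wildcard action {action!r}")
            # fnmatch lets a pattern such as fsx:* or fsx:Delete* match the set above
            hits = [d for d in DESTRUCTIVE if fnmatch(d.lower(), action.lower())]
            if hits and "*" in resources:
                findings.append(f"{sid}: {action!r} allowed on every resource")
            if hits and not _has_mfa_condition(stmt):
                findings.append(f"{sid}: {action!r} allowed without an MFA condition")
    return findings


def has_explicit_deny(policy, action):
    """True if some Deny statement covers the action (an explicit Deny always wins in IAM)."""
    return any(stmt.get("Effect") == "Deny"
               and any(fnmatch(action.lower(), a.lower()) for a in _as_list(stmt.get("Action", [])))
               for stmt in policy["Statement"])


if __name__ == "__main__":
    for name, pol in (("permissive", PERMISSIVE_POLICY), ("scoped", SCOPED_POLICY)):
        print(f"{name}: {lint_policy(pol) or 'no findings'}")
    print(json.dumps(SCOPED_POLICY, indent=2))
```

Remember that this governs only the FSx API. A role with no FSx permissions at all can still read every file on a share if the NTFS ACLs or NFS export policy allow it, so the data-path permissions in the access-control section need the same review.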

 

Efficient backup and disaster recovery processes

 

Resilience depends on rapid recovery. FSx for ONTAP simplifies this with:

 

  • Multi-layered audit logging captures administrative actions and end-user file access: AWS CloudTrail records every FSx API call, ONTAP security audit logs record management operations made through the ONTAP CLI and REST API, and ONTAP file access auditing records SMB and NFS file events (enable it per SVM and define audit policies on the files and folders that matter). Together these enable rapid incident investigation and compliance reporting.

Recovery is fast and reliable, making resilience a built-in capability.
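Of the three audit sources in the bullet above, CloudTrail is the one most teams already ship to a SIEM, so here is an added example (my own, not from the post) of triaging FSx control-plane events from it: flag calls that destroy data or recovery points, then annotate each with whether the session had MFA and whether it came from the expected admin network. The records are constructed to follow CloudTrail's real field layout but describe no real account; the corporate IP range, principals and resource IDs are placeholders, and the list of high-risk calls is my selection.

```python
"""Triage of FSx for ONTAP control-plane activity from CloudTrail records.

Added example (not from the post): the CloudTrail records below are constructed
to follow the real field layout (eventSource fsx.amazonaws.com, userIdentity
session attributes, requestParameters) but describe no real account; the
corporate IP range, principals and resource IDs are placeholders.
"""
import ipaddress
import json

CORPORATE_RANGES = [ipaddress.ip_network("203.0.113.0/24")]   # placeholder admin egress range

# FSx API calls that destroy data or recovery points and deserve a human look.
HIGH_RISK = {
    "DeleteFileSystem": "file system deletion",
    "DeleteVolume": "volume deletion",
    "DeleteStorageVirtualMachine": "SVM deletion",
    "DeleteBackup": "backup deletion",
}

# Constructed sample trail: one benign read, one destructive delete from an
# unexpected address without MFA, one quiet disabling of backups, one non-FSx event.
SAMPLE_TRAIL_JSON = """{"Records": [
 {"eventSource": "fsx.amazonaws.com", "eventName": "DescribeVolumes",
  "eventTime": "2024-05-01T09:00:00Z", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/StorageAdmin/alice",
   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
  "requestParameters": {}},
 {"eventSource": "fsx.amazonaws.com", "eventName": "DeleteVolume",
  "eventTime": "2024-05-01T03:12:41Z", "sourceIPAddress": "198.51.100.7",
  "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/StorageAdmin/bob",
   "sessionContext": {"attributes": {"mfaAuthenticated": "false"}}},
  "requestParameters": {"volumeId": "fsvol-0123456789abcdef0",
   "ontapConfiguration": {"skipFinalBackup": true}}},
 {"eventSource": "fsx.amazonaws.com", "eventName": "UpdateFileSystem",
  "eventTime": "2024-05-01T10:30:00Z", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:sts::123456789012:assumed-role/StorageAdmin/alice",
   "sessionContext": {"attributes": {"mfaAuthenticated": "true"}}},
  "requestParameters": {"fileSystemId": "fs-0123456789abcdef0",
   "ontapConfiguration": {"automaticBackupRetentionDays": 0}}},
 {"eventSource": "ec2.amazonaws.com", "eventName": "TerminateInstances",
  "eventTime": "2024-05-01T11:00:00Z", "sourceIPAddress": "203.0.113.10",
  "userIdentity": {"arn": "arn:aws:iam::123456789012:user/carol"},
  "requestParameters": {}}
]}"""


def _mfa_present(record):
    attrs = record.get("userIdentity", {}).get("sessionContext", {}).get("attributes", {})
    return str(attrs.get("mfaAuthenticated", "false")).lower() == "true"


def _from_corporate(source):
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:        # service principals log a DNS name, not an address
        return False
    return any(addr in net for net in CORPORATE_RANGES)


def triage(records):
    """Return findings for risky FSx calls, each with the reasons it was flagged."""
    findings = []
    for rec in records:
        if rec.get("eventSource") != "fsx.amazonaws.com":
            continue
        name = rec.get("eventName", "")
        ontap = (rec.get("requestParameters") or {}).get("ontapConfiguration") or {}
        reasons = []
        if name in HIGH_RISK:
            reasons.append(HIGH_RISK[name])
        if name == "DeleteVolume" and ontap.get("skipFinalBackup"):
            reasons.append("final backup skipped")
        if name == "UpdateFileSystem" and ontap.get("automaticBackupRetentionDays") == 0:
            reasons.append("automatic backups disabled")
        if not reasons:
            continue
        if not _mfa_present(rec):
            reasons.append("no MFA on session")
        if not _from_corporate(rec.get("sourceIPAddress", "")):
            reasons.append("source outside corporate range")
        findings.append({"time": rec.get("eventTime"), "eventName": name,
                         "principal": rec.get("userIdentity", {}).get("arn"),
                         "reasons": reasons})
    return findings


def load_records(trail_json):
    return json.loads(trail_json)["Records"]


if __name__ == "__main__":
    for finding in triage(load_records(SAMPLE_TRAIL_JSON)):
        print(finding)
```

Setting `automaticBackupRetentionDays` to 0 is a legitimate API call that quietly removes a recovery path, which is why it is flagged alongside the deletes; a ransomware operator with control-plane access removes backups before encrypting, and CloudTrail is where that step shows up.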

 

Together, these capabilities transform storage from a passive data repository into an active line of defense.

With FSx for ONTAP, security isn’t just layered around your data: it’s built into it.

 

The security benefits of FSx for ONTAP

 

Security is only effective if it protects both your business and your data. FSx for ONTAP delivers enterprise-grade protection without the additional cost, overhead, or performance trade-offs that bolted-on tools typically bring.

 

The following diagram shows the six key benefits of FSx for ONTAP security:

 

[Image: the six key benefits of FSx for ONTAP security]

 

  • Cost optimization: Built-in security eliminates the need for adding third-party security tools. Lightweight Snapshot copies and automated restoration features reduce downtime costs, while storage efficiencies cut the costs of storing backup and DR data. 
  • Operational efficiency: Automated detection and response minimize manual intervention, while AWS-native integration further simplifies operations through an integrated workflow.
  • Addressing data protection regulation: Real-time monitoring, immutable WORM storage, and comprehensive audit trails support key governance requirements.
  • Performance: Snapshot copies and ARP operate with minimal impact on workloads, so your applications stay performant and reliable.
  • Scalability: Volumes and SVMs you add inherit protection from AWS IAM policies, Amazon VPC security groups, and centralized monitoring through CloudWatch and CloudTrail, with no separate security infrastructure required. Security capabilities scale with growing cloud workloads with little additional management effort.
  • AI-based protections: Features such as ARP and data classification monitor and report on activity at a scale that would not be possible for human operators within an actionable timeframe.

The result: resilience that scales with your workloads while keeping your data safe and secure.

 

Security capabilities checklist

 

 

The following checklist summarizes the security capabilities required to secure your data layer. Use this checklist to accelerate technical evaluation and security approval.

Data protection and recovery requirements

  • Instant point-in-time recovery
  • Immutable data copies
  • Cross-Region disaster recovery
  • Individual-file restorability

Threat detection and response requirements

  • Ransomware protection
  • Suspicious file types blocking
  • Malware-scanning antivirus solutions

Access control and identity management requirements

  • Tenant isolation
  • Centralized role-based access governance
  • Active Directory integration
  • Granular user permission controls

Encryption and governance requirements

  • Data encryption at rest with KMS-managed keys, and encryption in transit
  • End-to-end TLS/SSL protection
  • Validated cryptographic standards
  • Multi-layered audit visibility

Network security requirements

  • Network access control
  • Private connectivity through VPC endpoints
  • Isolated workloads and traffic flows

Monitoring and integration requirements

  • API activity logging
  • System activity monitoring and alerts
  • Secure automation and integrations

Your next steps to a more secure data layer with FSx for ONTAP

 

Modern storage security must actively detect threats, respond automatically, and work seamlessly within your AWS security framework.

 

FSx for ONTAP delivers these capabilities directly at the storage layer through enterprise-grade data management and data security features, including its first-of-its-kind ARP feature.

 

To learn more, watch the FSx for ONTAP security webinar and ARP demo (demo starts at 40:39).

 

 
