Tech ONTAP Blogs

Self-Managing Storage: Part 5 Understanding Security Lifecycle Management

jacoba
NetApp

Welcome to the last part of the “Self-Managing Storage” blog series. In this blog, let us try to understand how Active IQ Unified Manager simplifies Security Management through lifecycle management.

 

Security Lifecycle Management

 

If you ask your storage IT admins what keeps them up at night, 9 out of 10 will most likely say the security of their storage and the data on it. The security of the storage systems is of great importance to IT admins and storage administrators. Active IQ Unified Manager has been focusing on bringing in Security Lifecycle Management to strengthen NetApp systems and verify that they adhere to the NetApp security best practices.

 

In Active IQ Unified Manager 9.8, we have enhanced the preventive management of the security lifecycle. (The proactive and reactive management of the security lifecycle will be supported in future releases.)

 


Figure 1: Security Lifecycle Management

 

Preventive Management Remediations

For the Active IQ Unified Manager 9.8 release, we built upon the infrastructure first introduced in 9.7 to add more preventive management actions. These actions include:

 

  • Checking for proper NTP servers
  • Verifying proper cluster logging
  • Checking that proper security login banners are set at the cluster level and the storage VM level
  • Securing cluster access using the correct ciphers

Active IQ Unified Manager 9.8 gives you the option to remediate these security issues using a simple “Fix It” button on the Management Actions card on the dashboard.

 

Below are examples of each new Security LifeCycle action and its solution.

 

Audit Log Disable Events

This event is generated when the audit log is not enabled for the storage VM. Active IQ Unified Manager provides a remediation by enabling audit logging for the storage VM in a single click. Note that the storage VM must already have either a local or remote audit log location configured.

 


Figure 2: Audit Log Example

 

Login Banner Disabled Event

This event is generated when the login banner, which makes access restrictions clearer, is not enabled and set for the cluster and the SVM. Active IQ Unified Manager provides remediation by setting the login banner to “Access Restricted to authorized users” on the cluster and storage VM.

 


Figure 3: Login Banner for Storage VM example

 


Figure 4: Login Banner for Cluster example

 

SSH Using Insecure Ciphers Event

This event is generated when ciphers with the suffix “-cbc”, which are considered insecure, are in use. Active IQ Unified Manager provides remediation by removing insecure ciphers from the cluster and storage VM.

 


Figure 5: Insecure Ciphers for Cluster example

 


Figure 6: Insecure Ciphers for Storage VM example

AutoSupport HTTPS transport disabled event

 

This event is generated when the transport protocol used to send AutoSupport messages to NetApp’s technical support is not encrypted. Active IQ Unified Manager provides remediation by setting the transport protocol for AutoSupport messages on the cluster to HTTPS.

 


Figure 7: AutoSupport HTTPS example
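
The four events illustrated above can be read as plain configuration checks, each paired with its remediation. The following is an added example, not Unified Manager code: the dictionary keys, target names and sample values are constructed, and the warning raised when only “-cbc” ciphers are configured is a check added here.

```python
# Added example. Field names and sample values are constructed for
# illustration; they are not Unified Manager or ONTAP output.
BANNER = "Access Restricted to authorized users"  # banner text quoted in the post

def audit_target(cfg):
    """Return (event, remediation) pairs for one cluster or storage VM."""
    findings = []
    # Audit logging can only be switched on if a log location already exists.
    if cfg.get("audit_log_enabled") is False:
        fix = ("enable audit logging" if cfg.get("audit_log_destination")
               else "configure an audit log location, then enable logging")
        findings.append(("audit log disabled", fix))
    if not (cfg.get("login_banner") or "").strip():
        findings.append(("login banner disabled", f"set banner: {BANNER}"))
    ciphers = cfg.get("ssh_ciphers", [])
    weak = [c for c in ciphers if c.lower().endswith("-cbc")]
    if weak:
        # Removing every configured cipher would leave SSH nothing to negotiate.
        fix = ("remove " + ", ".join(weak) if len(weak) < len(ciphers)
               else "add a non-CBC cipher before removing " + ", ".join(weak))
        findings.append(("SSH using insecure ciphers", fix))
    transport = cfg.get("autosupport_transport")
    if transport is not None and transport.lower() != "https":
        findings.append(("AutoSupport HTTPS transport disabled",
                         "set AutoSupport transport to https"))
    return findings

# Constructed inventory: one cluster and three storage VMs.
SAMPLE = {
    "cluster1": {"login_banner": "", "autosupport_transport": "smtp",
                 "ssh_ciphers": ["aes256-ctr", "aes128-cbc", "3des-cbc"]},
    "svm_a": {"audit_log_enabled": False, "audit_log_destination": "/audit",
              "login_banner": BANNER, "ssh_ciphers": ["aes256-ctr"]},
    "svm_b": {"audit_log_enabled": False, "audit_log_destination": None,
              "login_banner": BANNER, "ssh_ciphers": ["aes256-cbc"]},
    "svm_c": {"audit_log_enabled": True, "audit_log_destination": "/audit",
              "login_banner": BANNER, "ssh_ciphers": ["aes128-ctr"]},
}

def audit_all(inventory):
    """Audit every target and drop the ones with no findings."""
    results = {name: audit_target(cfg) for name, cfg in inventory.items()}
    return {name: found for name, found in results.items() if found}

if __name__ == "__main__":
    for name, findings in audit_all(SAMPLE).items():
        for event, fix in findings:
            print(f"{name}: {event} -> {fix}")
```
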

 

There is More!

 

We hope that you now have an overall understanding of the Security Lifecycle Management feature that we have introduced in Active IQ Unified Manager 9.8.

 

Make sure to read the blogs in this blog series for an in-depth understanding of performance, capacity, and security lifecycle management.

 

  • Self-Managing Storage: Part 1 – Understanding Active IQ Unified Manager LifeCycle Management
  • Self-Managing Storage: Part 2 – Understanding Storage Resource Performance LifeCycle Management
  • Self-Managing Storage: Part 3 – Understanding Workload Performance LifeCycle Management
  • Self-Managing Storage: Part 4 – Understanding Capacity LifeCycle Management
  • Self-Managing Storage: Part 5 – Understanding Security Manager LifeCycle Management

 

We know that you may have questions, as we couldn’t cover the entire topic, so please connect with us and we will try to answer all of your questions.