In today’s digital landscape, safeguarding an organization’s critical data assets is not just a best practice - it is a business imperative. Cyber threats are evolving at an unprecedented pace, and traditional data protection measures are no longer sufficient to keep sensitive information secure. That is where cyber vaulting comes in. NetApp’s cutting-edge solution combines advanced air-gapping techniques with robust data protection measures to create an impenetrable barrier against cyberthreats. By isolating the most valuable data with secure hardening technology, cyber vaulting minimizes the attack surface so that the most critical data remains confidential, intact, and readily available when needed.
Cyber vaulting is air-gapped secure storage made up of multiple layers of protection that safeguard the data required to recover critical business operations. The cyber vault's components synchronize regularly with the essential production data according to the vaulting policy, but otherwise remain inaccessible. This isolated, disconnected setup ensures that if a cyber-attack compromises the production environment, a reliable copy of critical workloads can be recovered from the cyber vault.
Air-gapping backups that use traditional methods involve creating space and physically separating the primary and secondary media. By moving the media off-site and/or severing connectivity, bad actors have no access to the data. Although this protects the data, it leads to slower recovery times. Not so with NetApp’s cyber vault.
NetApp enables easy creation of an air-gapped cyber vault by configuring the network, disabling LIFs, updating firewall rules, and isolating the system from external networks and the internet at the storage level. This approach disconnects the storage system from external networks and the internet, providing protection against remote cyber-attacks and unauthorized access attempts and making the system immune to network-based threats and intrusion.
Combined with SnapLock Compliance protection, data cannot be modified or deleted, not even by ONTAP administrators or NetApp Support. SnapLock is regularly audited against SEC and FINRA regulations, ensuring that data resiliency meets the stringent WORM and data retention requirements of the banking industry. NetApp is the only enterprise storage validated by NSA CSfC to store top-secret data.
With SnapLock Compliance, physical separation is not required. SnapLock Compliance protects the vaulted Snapshot copies, which are point-in-time and read-only, making them immutable, safe from deletion, and quickly accessible for fast recovery of business operations.
With ONTAP One, all you need to create a cyber vault is now available at no additional cost.
This blog covers the automated configuration of NetApp's cyber vault to protect workloads in a separate, air-gapped, designated ONTAP storage system with immutable snapshots, hardened with extra layers of protection. It also covers the Ansible and PowerShell scripts you can use to easily deploy a cyber vault with NetApp ONTAP storage. As part of this architecture, the entire configuration is applied as per ONTAP best practices.
NetApp cyber vault Architecture
Get Started
Setup a NetApp cyber vault
Air-gapping backups that use traditional methods involve creating space and physically separating the primary and secondary media. By moving the media off-site and/or severing connectivity, bad actors have no access to the data. This protects the data but can lead to slower recovery times. With SnapLock Compliance, physical separation is not required. SnapLock Compliance protects the vaulted Snapshot point-in-time, read-only copies, resulting in data that is quickly accessible, safe from deletion, and immutable.
For the specifics, refer to the solution components, prerequisites and manual steps documentation.
Secure the Vault
The NetApp cyber vault provides better resilience against cyber-attacks through methods such as implementing hardened password policies, enabling RBAC, locking default user accounts, configuring firewalls, and using approval flows for any changes to the vault system. Furthermore, restricting network access protocols to specific IP addresses helps limit the attack surface. ONTAP provides a set of controls that allow you to harden the ONTAP storage. Use the guidance and configuration settings for ONTAP to help your organization meet prescribed security objectives for information system confidentiality, integrity, and availability.
Hardening best practices
Manual steps
Create a designated user with pre-defined and custom administrative role.
Create a new IPspace to isolate network traffic.
Create a new SVM residing in the new IPspace.
Ensure firewall routing policies are properly configured and that all rules are regularly audited and updated as needed.
ONTAP CLI or via Automation script
Protect administration with Multi Admin Approval
Enable encryption for standard data “in-flight” between clusters.
Secure SSH with strong encryption cipher and enforce secure passwords.
Enable global FIPS.
Disable Telnet and Remote Shell (RSH).
Lock default admin account.
Disable data LIFs and secure remote access points.
Disable and remove unused or extraneous protocols and services.
Encrypt network traffic.
Use the principle of least privilege when setting up superuser and administrative roles.
Restrict HTTPS and SSH to specific IP addresses using the allowed-IP option.
Quiesce and resume the replication based on the transfer schedule.
Bullets 1-4 need manual intervention, such as designating an isolated network and segregating the IPspace, and must be performed beforehand. Detailed information on configuring the hardening can be found here. The rest can be easily automated for easy deployment and monitoring purposes. The objective of this orchestrated approach is to provide a mechanism to automate the hardening steps and future-proof the vault controller. The timeframe during which the Cyber Vault is open is kept as short as possible. SnapVault uses incremental-forever technology, which moves only the changes since the last update into the Cyber Vault, minimizing the time the Cyber Vault must stay open. To further optimize the workflow, the Cyber Vault opening is coordinated with the replication schedule to ensure the smallest connection window.
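As an added illustration of the periodic validation the hardening list and the Analyze mode call for, the following Python (not code from the NetApp repository) compares a constructed snapshot of a vault controller's security settings against the expectations in this article and reports drift. The shape of the state dictionary, the weak-cipher markers and every value in it are assumptions made for the example; a real collector would fill it from the ONTAP REST API or PSTK.

```python
from copy import deepcopy

# Management services the article's vars.yml disables on the vault controller.
SERVICES_TO_DISABLE = {
    "management-snmp-server", "management-ntp-server", "management-log-forwarding",
    "management-nis-client", "management-ad-client", "management-autosupport",
    "management-ems", "management-ntp-client", "management-dns-client",
    "management-ldap-client", "management-http",
}
WEAK_SSH_MARKERS = ("cbc", "3des", "arcfour")  # assumption: treat these as weak ciphers
EXPECTED_ALLOWED_IPS = {"10.10.10.11/32", "10.10.10.12/32"}  # from the sample vars.yml
EXPECTED_MAA_GROUP = "vaultadmins"

# Constructed state of a hardened vault controller (all values made up for this example).
HARDENED_STATE = {
    "fips_enabled": True,
    "telnet_enabled": False,
    "rsh_enabled": False,
    "admin_account_locked": True,
    "ssh_ciphers": ["aes256-ctr", "aes192-ctr", "aes128-ctr"],
    "allowed_mgmt_ips": ["10.10.10.11/32", "10.10.10.12/32"],
    "enabled_services": ["management-ssh", "management-https"],
    "data_lifs": {"lif_nfs_1": "down", "lif_ic_1": "down"},
    "multi_admin_approval": {"enabled": True, "group": "vaultadmins"},
    "volumes": {"Demo_RP_Vol01_CyberVault": "compliance",
                "Demo_RP_Vol02_CyberVault": "compliance"},
}

def analyze(state, transfer_window_open=False):
    """Return a list of (check, detail) anomalies; an empty list means no drift."""
    issues = []
    if not state["fips_enabled"]:
        issues.append(("fips", "global FIPS mode is disabled"))
    for proto in ("telnet", "rsh"):
        if state[f"{proto}_enabled"]:
            issues.append((proto, f"{proto} is enabled"))
    if not state["admin_account_locked"]:
        issues.append(("admin", "default admin account is not locked"))
    weak = [c for c in state["ssh_ciphers"] if any(m in c.lower() for m in WEAK_SSH_MARKERS)]
    if weak:
        issues.append(("ssh", f"weak SSH ciphers enabled: {', '.join(weak)}"))
    extra = set(state["allowed_mgmt_ips"]) - EXPECTED_ALLOWED_IPS
    missing = EXPECTED_ALLOWED_IPS - set(state["allowed_mgmt_ips"])
    if extra or missing:
        issues.append(("allowed_ips", f"extra={sorted(extra)} missing={sorted(missing)}"))
    leaked = SERVICES_TO_DISABLE & set(state["enabled_services"])
    if leaked:
        issues.append(("services", f"re-enabled services: {', '.join(sorted(leaked))}"))
    if not transfer_window_open:  # LIFs may only be up while a transfer is scheduled
        up = [n for n, s in state["data_lifs"].items() if s == "up"]
        if up:
            issues.append(("lifs", f"LIFs up outside the transfer window: {', '.join(up)}"))
    maa = state["multi_admin_approval"]
    if not maa["enabled"] or maa["group"] != EXPECTED_MAA_GROUP:
        issues.append(("maa", "multi-admin approval is disabled or uses an unexpected group"))
    for vol, slock in state["volumes"].items():
        if slock != "compliance":
            issues.append(("snaplock", f"{vol} is not SnapLock Compliance (type={slock})"))
    return issues

def drifted_example():
    """Constructed drift scenario: several settings changed after hardening."""
    s = deepcopy(HARDENED_STATE)
    s["fips_enabled"] = False
    s["allowed_mgmt_ips"].append("10.10.10.250/32")
    s["data_lifs"]["lif_nfs_1"] = "up"
    s["enabled_services"].append("management-http")
    return s
```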
Simplifying with automation
The script does the following:
Cluster Peering
SVM Peering
DP Volume creation
SnapMirror Relationship and Initialization
Harden the ONTAP system used for the cyber vault
Quiesce and resume the relationship based on the transfer schedule
Validate the security settings periodically and generate a report showing any anomalies
How to use it
Ansible (new addition)
Prerequisites:
Ansible installed. This script was tested using "ansible [core 2.15.0]".
NetApp ONTAP Ansible collection installed. This script was tested using "netapp.ontap collection (version 22.13.0)":
ansible-galaxy collection install netapp.ontap
Clone the GitHub repository to your local system:
git clone https://github.com/NetApp/ransomeware-cybervault-automation.git
Go to the "ansible" directory:
cd ansible
Configure "vars.yml". A sample file is already provided; update the values as needed.
DESTINATION_ONTAP_CLUSTER_MGMT_IP: "10.10.10.101"
VALIDATE_CERTS: false
DESTINATION_ONTAP_CLUSTER_NAME: "NTAP915_Dest"
SOURCE_VSERVER: "svm_NFS"
SOURCE_VOLUME_NAMES:
- "Demo_RP_Vol01"
- "Demo_RP_Vol02"
DESTINATION_VSERVER: "SVM_File"
DESTINATION_VOLUME_NAMES:
- "Demo_RP_Vol01_CyberVault"
- "Demo_RP_Vol02_CyberVault"
DESTINATION_AGGREGATE_NAMES:
- "NTAP915_Dest_01_VM_DISK_1"
- "NTAP915_Dest_01_VM_DISK_1"
DESTINATION_VOLUME_SIZES_GB:
- "1"
- "1"
SNAPLOCK_MIN_RETENTION: "15minutes"
SNAPLOCK_MAX_RETENTION: "30minutes"
SNAPMIRROR_SCHEDULE: "5min"
SNAPMIRROR_POLICY: "XDPDefault"
# List of management services to disable
DEFAULT_MANAGEMENT_SERVICES_TO_DISABLE:
- management-snmp-server
- management-ntp-server
- management-log-forwarding
- management-nis-client
- management-ad-client
- management-autosupport
- management-ems
- management-ntp-client
- management-dns-client
- management-ldap-client
- management-http
# ONTAP connection details (adjust as needed)
SOURCE_ONTAP_ALLOWED_INTERCLUSTER_IPS:
- "172.21.166.101/32"
- "172.21.166.102/32"
ALLOWED_IPS:
- "10.10.10.11/32"
- "10.10.10.12/32"
AUDIT_LOGS_VOLUME_SIZE_GB: "5"
AUDIT_LOGS_AGGREGATE_NAME: "NTAP915_Dest_01_VM_DISK_1"
# Multi-Admin Approval Variables
MULTI_ADMIN_APPROVAL_GROUP_NAME: "vaultadmins"
MULTI_ADMIN_APPROVAL_USERS:
- "vaultadmin1"
- "vaultadmin2"
MULTI_ADMIN_APPROVAL_EMAIL: "vaultadmins@netapp.com"
Configure "credentials.yml" and encrypt it using ansible-vault. A sample file is already provided; update the values as needed.
DESTINATION_ONTAP_CREDS:
  Username: ""
  Password: ""
ansible-vault encrypt credentials.yml
Execute "playbook.yml" using ansible-playbook. Use the passphrase used to encrypt the credentials.yml when prompted.
Note: The Ansible playbook runs in Configure mode (default). Analyze and Cron functionality will be added in the next update.
PowerShell
Prerequisites:
Download the PowerShell toolkit from the NetApp Support site or from the PowerShell Gallery.
Ensure the PSTK module imports successfully.
Clone the GitHub repository to your local system:
git clone https://github.com/NetApp/ransomeware-cybervault-automation.git
Go to the "PowerShell" directory:
cd Powershell
Launch Windows PowerShell as an Administrator.
Navigate to the directory containing the script.
Execute the script using the .\ syntax along with the required parameters:
./cybervault.ps1 -SOURCE_ONTAP_CLUSTER_MGMT_IP "cluster1.demo.netapp.com" -SOURCE_ONTAP_INTERCLUSTER_IPS "192.168.0.141/32,192.168.0.142/32" -SOURCE_ONTAP_CLUSTER_NAME "cluster1" -SOURCE_VSERVER "svm1" -SOURCE_VOLUME_NAME "svm1_legal","svm1_marketing" -DESTINATION_ONTAP_CLUSTER_MGMT_IP "cluster2.demo.netapp.com" -DESTINATION_ONTAP_CLUSTER_NAME "cluster2" -DESTINATION_VSERVER "svm2" -DESTINATION_AGGREGATE_NAMES "cluster2_01_SSD_1","cluster2_01_SSD_1" -AUDIT_LOG_AGGREGATE_NAME "cluster2_01_SSD_1" -DESTINATION_VOLUME_NAME "cvault_legal","cvault_marketing" -DESTINATION_VOLUME_SIZE "25g","5g" -SNAPLOCK_MIN_RETENTION "15minutes" -SNAPLOCK_MAX_RETENTION "30minutes" -SNAPMIRROR_PROTECTION_POLICY "XDPDefault" -SNAPMIRROR_SCHEDULE "5min" -MULTI_ADMIN_APPROVAL_GROUP_NAME "vaultadmins" -MULTI_ADMIN_APPROVAL_USERS "vaultadmin,vaultadmin2" -MULTI_ADMIN_APPROVAL_EMAIL "vaultadmins@demo.netapp.com" -ALLOWED_IPS_FOR_MANAGEMENT "192.168.0.5/32,192.168.0.6/32" -CRON_SCHEDULE 5min -SNAPMIRROR_RESUME_MINUTES_BOFORE_SM 2 -SNAPMIRROR_QUIESCE_MINUTES_POST_SM 2 -DOMAIN_ADMINISTRATOR_USERNAME "administrator@demo.netapp.com" -SCRIPT_MODE configure
Note: Please ensure all information is entered. On the first run (configure mode), the script asks for credentials for both the production system and the new cyber vault system. After that, it creates the SVM peerings (if they do not exist), the volumes and the SnapMirror relationships between the systems, and initializes them.
Note: Cron mode can be used to schedule the quiesce and resume of data transfer.
The automation script provides 3 modes for execution – Configure, Analyze and Cron.
if ($SCRIPT_MODE -eq "configure") {
    configure
} elseif ($SCRIPT_MODE -eq "analyze") {
    analyze
} elseif ($SCRIPT_MODE -eq "cron") {
    runCron
}
Configure – Performs the validation checks and configures the system as air gapped.
Analyze – Automated monitoring and reporting feature that sends information about anomalies and suspicious activity to monitoring groups, to ensure the configuration has not drifted.
Cron – To keep the infrastructure disconnected, cron mode automates disabling the LIFs and quiescing the transfer relationship.
Transferring the data in the selected volumes takes time, depending on both systems' performance and the amount of data.
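As an added example (not code from the NetApp repository) of the connection-window arithmetic behind Cron mode, the Python below takes the schedule and the resume-before / quiesce-after minutes from the sample command line above and decides, for a given time, whether the vault should currently be open and what a cron tick should do. It assumes that an interval schedule such as "5min" fires at multiples of the interval counted from midnight and that the window is closed at its quiesce boundary; both are assumptions for this example, not documented ONTAP behaviour.

```python
import re
from datetime import datetime, timedelta

# Assumed spelling of interval schedules, mirroring the article's sample values.
_UNITS = {"min": 1, "minute": 1, "minutes": 1, "m": 1, "hour": 60, "hours": 60, "h": 60}

def parse_interval_minutes(text: str) -> int:
    """'5min' -> 5, '15minutes' -> 15, '1hour' -> 60."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]+)\s*", text)
    if not m or m.group(2).lower() not in _UNITS:
        raise ValueError(f"unsupported interval: {text!r}")
    return int(m.group(1)) * _UNITS[m.group(2).lower()]

def vault_state(schedule: str, resume_before: int, quiesce_after: int, now: datetime) -> dict:
    """Decide whether the vault should be open at `now` and report the window around
    the nearest scheduled transfer. Open means LIFs up and SnapMirror resumed."""
    interval = parse_interval_minutes(schedule)
    if resume_before + quiesce_after >= interval:
        raise ValueError("resume+quiesce window covers the whole interval: vault would never close")
    midnight = now.replace(hour=0, minute=0, second=0, microsecond=0)
    elapsed = (now - midnight).total_seconds() / 60.0
    prev_boundary = midnight + timedelta(minutes=(elapsed // interval) * interval)
    next_boundary = prev_boundary + timedelta(minutes=interval)
    # The window around a transfer: resume shortly before it, quiesce shortly after.
    for boundary in (prev_boundary, next_boundary):
        start = boundary - timedelta(minutes=resume_before)
        end = boundary + timedelta(minutes=quiesce_after)
        if start <= now < end:
            return {"open": True, "transfer_at": boundary, "resume_at": start, "quiesce_at": end}
    return {"open": False, "transfer_at": next_boundary,
            "resume_at": next_boundary - timedelta(minutes=resume_before),
            "quiesce_at": next_boundary + timedelta(minutes=quiesce_after)}

def cron_action(schedule: str, resume_before: int, quiesce_after: int,
                now: datetime, currently_open: bool) -> str:
    """What a cron tick should do: 'resume', 'quiesce' or 'noop'."""
    should_be_open = vault_state(schedule, resume_before, quiesce_after, now)["open"]
    if should_be_open and not currently_open:
        return "resume"
    if not should_be_open and currently_open:
        return "quiesce"
    return "noop"

def open_fraction(schedule: str, resume_before: int, quiesce_after: int) -> float:
    """Share of each interval during which the vault is reachable; a sizing check
    for the caveat that a short schedule with generous margins leaves it mostly open."""
    return min(1.0, (resume_before + quiesce_after) / parse_interval_minutes(schedule))
```

With the sample values (5min schedule, 2 minutes before and after) the vault is open 80% of the time; the same margins on an hourly schedule leave it open under 7% of the time.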
Validation
A robust cyber vault should be able to withstand a sophisticated attack, even when the attacker has credentials to access the environment with elevated privileges.
Once the rules are in place, an attempt to delete a snapshot on the vault side (assuming the attacker somehow got in) will fail. The same applies to all the hardening settings, which put the necessary restrictions in place and safeguard the system.
Screenshot shows there are no connections on the vault controller.
Screenshot shows there is no ability to tamper with the snapshots.
To validate and confirm air gapping functionality, follow the below steps:
Test network isolation capabilities, and the ability to quiesce a connection when data is not being transferred.
Verify the management interface cannot be accessed from any entities apart from the allowed IP addresses.
Verify that multi-admin approval is in place to provide an additional layer of approval.
Validate the ability to access the system via the CLI and the REST API.
From the source, trigger a transfer operation to vault and ensure the vaulted copy cannot be modified.
Try to delete the immutable snapshot copies that are transferred to the vault.
Try to modify the retention period by tampering with the system clock.
Data Recovery
If data is destroyed in the production data center, the data from the cyber vault can be securely recovered to the chosen environment. Unlike a physically air-gapped solution, the air-gapped NetApp cyber vault is built using native ONTAP features like SnapLock Compliance and SnapMirror. The result is a recovery process that is both fast and easy to execute.
In the event of a ransomware attack that requires recovery from the cyber vault, the recovery process is simple, because the snapshot copies housed in the cyber vault are used to restore the encrypted data.
If a faster method of bringing data back online is required, so that it can be quickly validated, isolated and analyzed for recovery, this can be achieved with FlexClone with the snaplock-type option set to non-snaplock.
Note: Practicing recovery procedures from the Cyber Vault will ensure the proper steps are established for connecting to the Cyber Vault and retrieving data. Planning and testing the procedure is essential for any recovery during a cyber-attack event.
Conclusion
By combining air-gapping with the hardening methods provided by ONTAP, NetApp enables organizations to create secure, isolated storage environments that are resilient against evolving cyber threats. All of this is accomplished while maintaining the agility and efficiency of existing storage infrastructure. This secure access empowers companies to achieve their stringent safety and uptime goals with minimal change to their existing people, process, and technology framework.
NetApp cyber vault using native ONTAP features is an easy approach for additional protection to create immutable and indelible copies of your data. Adding NetApp’s cyber vault to the overall security posture will:
Create an environment that is separate and disconnected from the production and backup networks, and restrict user access to it.
Store immutable and indelible copies of data in a secure, isolated vault and enable processes to establish an operational air gap between production environment and the vault.
Ensure that data is always available for synchronization into the cyber vault and available for immediate recovery in case of a production cyber-attack.
AdvisorEngine is a major fintech company, so performance issues with its Microsoft SQL Server database weren’t acceptable. A deep analysis of the system’s architecture showed that replacing the storage layer would improve the situation. In this post I’ll explain how turning to FSx for ONTAP led to a sixfold performance improvement, a 50% cost reduction, and much more.
AI requires scalable, accessible, and efficient data management; but many enterprises struggle to manage data seamlessly across hybrid and multi-cloud environments. The latest integration of Domino Volumes for NetApp ONTAP (DVNO) provides a solution – enabling rapid access to data across environments without DevOps overhead and reducing costs and processing times by up to 50%.
How? Domino’s first-party integration with NetApp’s intelligent data infrastructure doubles read performance and GPU throughput over previous configurations. For resource-intensive AI use cases requiring distributed GPU training, like computer vision and LLM training/fine-tuning, Domino customers can now run GPUs for half as long.
Create DVNO Volumes from Domino
With Domino's new DVNO feature, users can create storage volumes powered by NetApp ONTAP and BlueXP. This allows data scientists to provision scalable storage volumes directly within the Domino interface without IT involvement or DevOps work. This capability is especially valuable for large enterprise data science teams, who need quick and reliable access to data without waiting for infrastructure provisioning. By simplifying the volume creation process, teams can reduce delays, allowing them to focus on experimenting and iterating faster.
Figures 1 and 2: Creating a Domino Volume for NetApp ONTAP (DVNO) from Domino’s platform
Collaborate and Control Access to DVNO Volumes from Domino
DVNO volumes can be shared directly with other users through Domino. Data scientists can share volumes across projects, enabling straightforward access to shared datasets. Sharing data in this manner is crucial for enterprise-scale collaboration, allowing different teams and stakeholders to access consistent, up-to-date datasets without duplication or manual data transfer. This not only improves collaboration but also reduces storage overhead and potential inconsistencies.
Figure 3: Data scientists have self-service access to attach shared data volumes to executions, accelerating iteration and innovation across the model lifecycle.
Monitor DVNO Volumes from Domino
DVNO provides straightforward access control, enabling IT administrators to monitor permissions and data usage effectively through secure, consistent management across all environments. Standard data access patterns for developers and API users ensure seamless access, so users can securely share, update, or restrict access to volumes, ensuring sensitive data remains protected.
For data science teams, this level of control is essential to maintain compliance and meet enterprise security requirements, while still allowing the flexibility needed to work efficiently. IT teams can ensure that only authorized users have access, minimizing the risk of data breaches.
Figure 4: Domino application admins can see a list of all DVNO volumes and metadata, such as size and who has access.
Enhance Data Organization with User and Project-based Storage Volumes
By empowering data scientists to self-manage ONTAP volumes, DVNO enables teams to create dedicated storage volumes tailored to specific users, projects, or workflows. This structure simplifies data organization and enhances data governance by isolating access to sensitive datasets.
For IT teams, the ability of data scientists to independently manage volumes reduces the provisioning and maintenance workload, freeing up valuable resources for strategic initiatives rather than day-to-day support. It also means that each project has its own space, minimizing the risk of data conflicts, reducing storage overhead, and ensuring that each team member can work with the most relevant, up-to-date data—improving both productivity and security.
Figure 5: IT admins can see a list of all DVNO volumes and metadata, such as size, in BlueXP.
Conclusion
The Domino and NetApp partnership continues to evolve with deeper integrations to enhance AI lifecycle management and productivity. Intelligent data mobility, optimized hybrid operations, and seamless access to critical data are now available through the Domino Volumes for NetApp ONTAP integration. This allows data science teams to focus on building models without being slowed by data bottlenecks. Stay tuned for more developments as we expand our AI infrastructure capabilities.
Ready to learn more? Check out the Domino Volumes for NetApp ONTAP demo, read Domino’s recent press release, and discover more insights at domino.ai/partners/netapp.
The release of ONTAP tools for VMware vSphere 10.4 brings new features, security updates, and enhancements with expanded support for NetApp’s newest generation of ASA systems.