ONTAP 9.3 Security Enhancements


The internet touches pretty much every aspect of our lives these days, but typically we don’t devote a whole lot of mind share to cybersecurity. So, without further ado, I’m going to give you, dear reader, a rundown of the security enhancements made in ONTAP 9.3.

First up, encryption. Specifically, data-at-rest encryption using NetApp Volume Encryption (NVE). When NVE was first introduced in 9.1, it supported only the onboard key manager introduced in 9.0. With 9.3, however, NVE supports the same key managers that are supported for use with NetApp self-encrypting drives (NSE). As before, NVE and NSE can be used together; each unique XTS-AES-256 data encryption key is automatically stored in the key manager, and NetApp offers FIPS 140-2* compliant key management solutions.

Introducing multifactor authentication

Let’s move over to access control for a moment and discuss the introduction of multifactor authentication (MFA) for web access to both System Manager and OnCommand Unified Manager, as well as for SSH command-line access. For the security-conscious, implementing MFA is a great decision and helps protect against both brute-force attacks and weak passwords. Web-based MFA is implemented via SAML using an identity provider and Active Directory. SSH access, however, is actually two-factor authentication (2FA): it does not require an identity provider and is only available for local admin accounts. The two factors here are SSH key exchange combined with username and password challenge/response.

Finally, for the compliance-minded out there, SnapLock gets three new features:

  1. Legal hold
  2. Event-based retention
  3. Volume append mode

Legal hold is used to hold files in a tamperproof state for an indefinite period for litigation purposes. It can be applied at the file, folder or volume level and prevents deletion or modification until the hold is removed.

Event-based retention helps customers reduce the risk of failing to protect records according to legal requirements. It is useful for records that must be protected for a certain time period after an event occurs, and it can be applied at both the file and directory level.

Volume append mode protects data in 256KB increments on ingest, not just on close. This is useful for protecting audio or video capture.

That wraps up the security updates to NetApp ONTAP 9.3; hopefully, you’re a little more cybersecure having read it.

*FIPS 140-2, Level 1, currently under review.