Security best practices for DS8900F systems

To achieve your security objectives on the DS8900F storage system, follow the recommended practices and actions.

  1. Review your user account management process.
  2. Review your service account management process.
  3. Use DS8000® data encryption facilities to provide data security for data at rest.
  4. Make sure that any network connections to the DS8900F that use Secure Sockets Layer (SSL) or Transport Layer Security (TLS) protocols are enabled to meet the currently recommended security strength (112 bit). This security strength includes the following requirements:
    • The connection must use TLS 1.2.
    • Client and server must negotiate a cipher suite with approved algorithms and 112-bit security strength.
    • Either the client or the server must limit hash and signature algorithms in the TLS 1.2 protocol to algorithms that have 112-bit security.
    • Digital certificates that are used must have 112-bit security.
  5. After any network connections to the DS8900F that use SSL/TLS protocols are enabled to meet the currently recommended security strength (112 bit), configure the DS8900F network connections to enforce the currently recommended security strength.
    Note: NIST SP 800-131A requires the use of cryptographic algorithms that have security strengths of 112 bits to provide data security and data integrity for secure data that is created in the cryptoperiod starting in 2014. Conformance with NIST SP 800-131A depends on the use of appropriate prerequisite management software versions and appropriate configuration of the DS8900F and other network-related entities. IBM® remote service connections do not currently support NIST SP 800-131A conformance.
  6. The DS8000 Storage Management GUI allows only browser connections that use HTTPS. The DS8000 Storage Management GUI is accessible through TCP port 8452.
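
The four requirements in step 4, expressed as a check over the parameters of an observed TLS session. This is an added example, not IBM code: the dictionary field names and the cipher denylist are assumptions, and the key-size and hash thresholds follow the comparable-strength table in NIST SP 800-57 Part 1.

```python
# Added example (not IBM code). Field names are hypothetical; the cipher
# denylist is an illustrative assumption, not an IBM or NIST list.
MIN_STRENGTH = 112
MIN_KEY_BITS = {"RSA": 2048, "DSA": 2048, "EC": 224}  # 112-bit public keys
OK_SIG_HASHES = {"sha224", "sha256", "sha384", "sha512"}
BAD_CIPHER_TOKENS = {"NULL", "RC4", "MD5", "EXP", "ADH", "AECDH"}


def audit_tls_session(s):
    """Return findings for one observed session; an empty list means pass."""
    findings = []
    # Requirement 1: the connection must use TLS 1.2.
    if s["protocol"] != "TLSv1.2":
        findings.append(f"protocol {s['protocol']} is not TLS 1.2")
    # Requirement 2: approved cipher suite with at least 112-bit strength.
    bad = BAD_CIPHER_TOKENS & set(s["cipher"].upper().split("-"))
    if s["cipher_bits"] < MIN_STRENGTH or bad:
        findings.append(f"cipher {s['cipher']} ({s['cipher_bits']} bits) "
                        "is unapproved or below 112 bits")
    # Requirement 3: hash used in the TLS 1.2 handshake signature.
    if s["handshake_sig_hash"].lower() not in OK_SIG_HASHES:
        findings.append(f"handshake hash {s['handshake_sig_hash']} "
                        "is below 112 bits")
    # Requirement 4: certificate key size and certificate signature hash.
    need = MIN_KEY_BITS.get(s["cert_key_type"].upper())
    weak_key = need is None or s["cert_key_bits"] < need
    if weak_key or s["cert_sig_hash"].lower() not in OK_SIG_HASHES:
        findings.append(f"certificate {s['cert_key_type']}-{s['cert_key_bits']}"
                        f"/{s['cert_sig_hash']} is below 112 bits")
    return findings


# Constructed sample sessions (not captured from a real DS8900F).
GOOD = {"protocol": "TLSv1.2", "cipher": "ECDHE-RSA-AES128-GCM-SHA256",
        "cipher_bits": 128, "handshake_sig_hash": "sha256",
        "cert_key_type": "RSA", "cert_key_bits": 2048,
        "cert_sig_hash": "sha256"}
WEAK = {"protocol": "TLSv1", "cipher": "RC4-SHA", "cipher_bits": 128,
        "handshake_sig_hash": "sha1", "cert_key_type": "RSA",
        "cert_key_bits": 1024, "cert_sig_hash": "sha1"}

if __name__ == "__main__":
    for label, sess in (("good", GOOD), ("weak", WEAK)):
        print(label, audit_tls_session(sess) or "meets 112-bit requirements")
```

The `protocol`, `cipher` and `cipher_bits` values have the shape returned by Python's `ssl.SSLSocket.version()` and `ssl.SSLSocket.cipher()`; the certificate and handshake fields must come from a certificate parser or a handshake capture.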