Security overview
IBM Storage Virtualize based storage systems are secure storage platforms that implement various security-related features for both system-level security and data-level security.
The security features are broadly categorized as System security and Data security. These security features protect and prevent unauthorized access and use of the system, its resources, and the data that is stored on the system.
IBM Storage Virtualize provides the following security features on the storage systems.
System Security
System security describes the controls that protect the system and its resources from both internal and external disruption. In general, these features prevent unauthorized access to system resources and provide event notifications and alerts that warn security administrators of any unauthorized access attempts. IBM Storage Virtualize systems support the following system security features:
- User authentication
- The system supports both local users and remote users who are authenticated to the system through a remote authentication service. You can create local users who can access the system. These user types are defined based on the administrative privileges that they have on the system. Local users must provide either a password, a Secure Shell (SSH) key, or both. Local users are authenticated through the authentication methods that are configured on the system. If the local user needs access to the management GUI, a password is needed for the user. If the user requires access to the command-line interface (CLI) through SSH, either a password or a valid SSH key file is necessary. Local user passwords are securely stored by using the PBKDF2 hashing algorithm. Local users must be part of a user group that is defined on the system. User groups define roles that authorize the users within that group to a specific set of operations on the system. For more information, see User authentication.
- Remote authentication
- Remote authentication allows users to authenticate to the system by using credentials that are stored on an external authentication service. When you configure remote authentication, you do not need to configure users on the system or assign more passwords. Instead, you can use the existing passwords and user groups that are defined on the remote service to simplify user management and access, to enforce password policies more efficiently, and to separate user management from storage management. For more information, see Remote Authentication.
- Role-based access control
- Each user of the management GUI must provide a username and a password to sign on. Each user also has an associated role, such as monitor or security administrator. These roles are defined at the system level. For example, a user can be the administrator for one system, but the security administrator for another system. For more information, see Users.
- Default user
- When a system is created, a single local user with Security Administrator privileges, called superuser, is created. The superuser has maximum privileges to complete system setup and configuration. For new systems, the default superuser password must be changed on first login to the system. Although the superuser cannot be deleted, you may want to lock or disable the superuser to prevent access to the system. For more information, see Locking user accounts.
- Object-based access control
- An ownership group defines a subset of users and objects within the system. For more information on configuring an ownership group, see Configuring ownership groups.
- Login interfaces
- The system provides several management interfaces that allow users to authenticate and manage the system and its objects. These interfaces include the management GUI, command-line interface, service assistant interface and commands, and REST APIs. All interfaces use in-flight encryption to secure the login and all subsequent connections with the system. You can create a user group with specific roles to allow or restrict the user group to interfaces. With this capability, you can also control access from scripts or automated services, as well as from individual users. For more information, see Changing user groups.
- Password Policy
- With password policy support, system administrators can set security requirements that are related to password creation and expiration, timeout for inactivity, and actions after failed logon attempts. For more information, see Password policy.
- Account locking
- The Security Administrator can manually lock or unlock a user account at any time. By default, the superuser is exempt from the system-wide policy for manual or automatic account locking. For more information, see Locking user accounts.
- Session timeouts
- You can configure a session timeout for both the management GUI and the CLI. Session timeouts automatically sign a user out of a session if it has been idle for a specified amount of time. The timeout value can be from 5 to 240 minutes. For more information, see the chsecurity command.
- Login banner
- You can create or change a message that is displayed when users log on to the system. When users log on to the system with the management GUI, command-line interface, or service assistant, the message is displayed before they log on. For more information, see Login message.
- Multifactor authentication
- Multifactor authentication requires users to provide multiple pieces of information when they log in to the system to prove their identity. Multifactor authentication uses any combination of two or more methods, called factors, to authenticate users to your resources and protect those resources from unauthorized access. For more information, see Multifactor authentication.
- Single sign-on
- Single Sign-on (SSO) authentication requires users to register their credentials only once when the user signs on to the application for the first time. The user information is stored at the Identity Provider (IdP) that manages the user credentials and determines whether the user is required to authenticate again or not. For more information, see Single Sign-on.
- Secured IP partnership
- Secured IP partnerships secure the data as it travels through an untrusted network between production and recovery systems. Secured IP partnerships minimize the risk of attackers manipulating or intercepting data in untrusted networks as replicated data travels between partnered systems. For more information, see Partnerships using IP Connectivity.
- Auditing and reporting
- The system includes an internal tamper-proof audit log that traces all successful commands and identifies the user who issued the commands. This information includes the user details, the IP address from which they connected to the system, and timestamps. For more information, see Audit log commands.
- Secure and trusted boot
- Secure boot encrypts the file systems and relies on a hardware root of trust that extends all the way through to the operating system and initrd to unlock the file system. The system supports hardware root of trust and secure boot operations, which protect against unauthorized physical access to the hardware and prevent malicious software from running on the system.
- Secure sockets and Secure Shell settings
- Secure sockets (SSL/TLS) and Secure Shell (SSH) are used to establish secure connections to management interfaces, such as the management GUI, CLI, and REST APIs. These security protocols are also used to authenticate to remote servers, such as email, LDAP, and key management servers. The system supports different levels of these security protocols that define the cipher suites and key exchange algorithms that can be used. For more information, see Security protocol levels.
- SSL/TLS certificates
- During system initialization and setup, an initial internally signed certificate is created to secure connections between nodes on the system and a supported web browser for management GUI access. After system setup, you can either create an internally signed certificate from the native certificate authority or generate a certificate signing request for an external, third-party CA. For more information, refer to Configuring system certificates.
- Disabling USB ports
- The USB ports on the system can be disabled. Disabling the ports can be combined with encryption key management on local USB flash drives to keep the ports disabled during day-to-day use and re-enable them only when a key must be provided. For more information, see the chnodeusb command.
- Network Time Protocol
- To mitigate attacks that are based on the system time and date being out of sync with other services, the system supports a configurable Network Time Protocol (NTP) server to control the system time. An NTP server can be configured only by a user with the Security Administrator role. For more information, see the chsystem command.
- Preventing access as root
- The management software runs as an internal Linux user without root privileges, preventing unauthorized users from accessing the system. Although external users cannot access this software, an attacker might use a weakness to compromise the system. Even in this circumstance, they do not have root privileges.
- Disabling service assistant password reset
- The superuser is the only user account that is permitted to run service assistant commands on the system. You can use the command-line interface (CLI) to view and change the status of the password reset feature for the system.
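The local-user model described in the User authentication, Password policy, and Account locking entries above, as an added example that is not IBM code: PBKDF2-hashed passwords, user groups that define a role, a role that authorizes a set of commands, automatic locking after repeated failed logins with the superuser exempt, and a manual unlock. The iteration count, lockout threshold, and the group-to-role and role-to-command tables are assumptions, not the system's real configuration.

```python
import hashlib
import hmac
import os
from typing import Optional

PBKDF2_ITERATIONS = 100_000  # assumed; the page does not state the count the system uses
MAX_FAILED_LOGINS = 3        # assumed policy value for automatic locking
# A user group defines a role, and a role authorizes a set of commands (constructed sample).
GROUP_ROLES = {"SecurityAdmin": "SecurityAdmin", "Monitor": "Monitor"}
ROLE_COMMANDS = {"SecurityAdmin": {"chsecurity", "chsystem", "chnodeusb", "lssystem"},
                 "Monitor": {"lssystem"}}


def hash_password(password: str, salt: Optional[bytes] = None):
    """Return (salt, PBKDF2-HMAC-SHA256 digest), using a fresh random salt per user."""
    salt = salt if salt is not None else os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)


class UserStore:
    def __init__(self) -> None:
        self.users = {}  # name -> {"group", "salt", "digest", "failed", "locked"}

    def add_user(self, name: str, group: str, password: str) -> None:
        if group not in GROUP_ROLES:  # every local user must belong to a defined group
            raise ValueError(f"unknown user group {group!r}")
        salt, digest = hash_password(password)  # the plaintext password is never stored
        self.users[name] = {"group": group, "salt": salt, "digest": digest,
                            "failed": 0, "locked": False}

    def login(self, name: str, password: str) -> Optional[str]:
        """Return the user's role on success, None on a bad password or a locked account."""
        user = self.users.get(name)
        if user is None or user["locked"]:
            return None
        _, digest = hash_password(password, user["salt"])
        if hmac.compare_digest(digest, user["digest"]):  # constant-time comparison
            user["failed"] = 0
            return GROUP_ROLES[user["group"]]
        user["failed"] += 1
        # The superuser is exempt from automatic locking by default, as described above.
        if name != "superuser" and user["failed"] >= MAX_FAILED_LOGINS:
            user["locked"] = True
        return None

    def unlock(self, name: str) -> None:
        """Manual unlock, the action a Security Administrator performs."""
        self.users[name].update(failed=0, locked=False)


def authorize(role: str, command: str) -> bool:
    """Check whether the role's command set includes the command."""
    return command in ROLE_COMMANDS.get(role, set())
```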
Data security
Data security protects the data that is stored on the system against theft, loss, or attack.
- Encrypting data at rest
- All NVMe drives that are supported by the system, including IBM FlashCore® Modules (FCMs) and a range of other third-party drives, are self-encrypting drives (SEDs) that encrypt data within the electrical circuit of each individual drive.
- Secure data deletion
- The system provides methods to securely erase data from a drive or from a boot drive when a node or node canister is decommissioned. For more information, refer to Secure data deletion.
- Volume protection
- Volume protection prevents active volumes or host mappings from being deleted inadvertently if the system detects recent I/O activity. For more information, see Volume protection.
- Safeguarded Copy function
- Safeguarded Copy function supports the ability to create cyber-resilient point-in-time copies of volumes that cannot be changed or deleted through user errors, malicious actions, or ransomware attacks. Safeguarded snapshots are supported on the system through an internal scheduler that is defined in the snapshot policy. When the policy is assigned to a volume group, you can select the Safeguarded option. The policy creates immutable snapshots of all volumes in the volume group. The system supports internal and external snapshot scheduling applications such as IBM Copy Services Manager and IBM® Storage Copy Data Management. For more information, refer to Configuring Safeguarded Copy function.
- Logical port isolation
- The system provides a means to define logical port sets. These port sets can be used to further restrict the login traffic from a host, or set of hosts, to isolate traffic to specific SAN paths. Portsets are groupings of logical addresses that are associated with specific traffic types. For more information, refer to Portsets.
- Encrypting data in flight
- If you use secured IP partnerships to secure connections between partnered systems, you also require an encryption license. If you have not purchased a license, contact a customer representative to purchase an encryption license. For more information, refer to Configuring encryption.