User administration and security management
IBM® Storage Defender Copy Data Management provides users the opportunity to rapidly locate files and objects on IBM, Dell PowerMax Storage, Dell PowerFlex Storage, Dell PowerStore Storage, NetApp, and Pure Storage FlashArray devices along with VMware ESXi, Oracle, SQL, SAP HANA, and InterSystems hosts. IBM Storage Defender Copy Data Management then stores this information so you can report on it. The reports provide a basis for users to take administrative actions toward efficient management of the IBM, NetApp, Dell, and/or Pure Storage FlashArray storage devices, along with VMware, Oracle, InterSystems, and SQL hosts and resources.
IBM Storage Defender Copy Data Management security objectives are:
- Identify and authenticate users before providing any of its services.
- Ensure that all functions are authorized.
- Protect confidentiality of IBM, Dell, NetApp, Pure Storage FlashArray, VMware, Oracle, and SQL server credentials by encrypting them when stored and in transit.
- Prevent bypass of and tampering with its security functions through perimeter hardening and use of secure transmission protocols.
Remember: IBM Storage Defender Copy Data Management uses FIPS-compliant encryption algorithms.
Identification and Authentication
All services require some form of authentication.
Users are uniquely identified by entering a username and password. System Administrators have the option of adding native users or importing groups of provisioned users through LDAP authentication. Native usernames are not case-sensitive. LDAP username case sensitivity relies on the configuration of your LDAP server.
User Data Security
- Native users or members of imported LDAP groups are assigned to roles.
- Roles contain collections of permissions that allow access to IBM Storage Defender Copy Data Management functionality.
Sensitive data is encrypted when stored.
Data in transit is also protected. IBM Storage Defender Copy Data Management protects the confidentiality of user and system credentials. Sensitive data is encrypted or transported by using TLS and HTTPS. User login is protected by HTTPS between the browser client and the IBM Storage Defender Copy Data Management server, and by LDAP/S for communication with the LDAP directory server. Backend processes authenticate to the storage systems and ESXi hosts over HTTPS.
IBM Storage Defender Copy Data Management identifies the following types of sensitive data: native user credentials, IBM, Dell PowerMax Storage, Dell PowerFlex Storage, Dell PowerStore Storage, NetApp, and Pure Storage FlashArray storage system credentials, VMware/ESX host credentials, and user credentials.
Security Management
Security management identifies the interfaces that manage the security functions in the IBM Storage Defender Copy Data Management application. Only an authenticated, authorized user can configure the security functions. Examples of security management include adding users, assigning roles, configuring IBM Storage Defender Copy Data Management to use LDAP, and configuring IBM Storage Defender Copy Data Management to use HTTPS.
- Adding, editing, and deleting a user
- Configuring authentication mode
- Assigning roles to a user
- Importing certificates
- Configuring HTTPS
Management and Operation Functions
- The session timeout specifies, in minutes, the period of inactivity after which an application session ends. If the user does not refresh or request a window within the timeout period, the session ends automatically. The session timeout is set to 30 minutes and cannot be changed.
- Users are uniquely identified by entering a username and password.
- Role-based access control is employed. Once a user is added to IBM Storage Defender Copy Data Management, either as a native user or imported as part of an LDAP group, the user is assigned to specified resource pools and roles.
Encryption
IBM Storage Defender Copy Data Management protects sensitive data with encryption. The solution includes certificates, the use of HTTPS, and safe storage of passwords in the database. Data in transit is encrypted or transported by using TLS and HTTPS. User credentials such as passwords are stored encrypted in the IBM Storage Defender Copy Data Management database. Obtaining and storing this sensitive data is a basic function of the IBM Storage Defender Copy Data Management application, so this data is subject to the user data security requirements described above.
Ports
| Port | Service | Comment |
|---|---|---|
| 22 | OpenSSH 5.3 (protocol 2.0) | Port open within the firewall |
| 25 | smtp, non-TLS connection for Simple Mail Transfer Protocol | Service used by IBM Storage Defender Copy Data Management |
| 68 | bootpc in DHCP clients, DHCP Listener UDP | Service used by IBM Storage Defender Copy Data Management |
| 80/443 | http/https | Service used by IBM Storage Defender Copy Data Management |
| 389 | LDAP, non-TLS connection for Lightweight Directory Access Protocol | Service used by IBM Storage Defender Copy Data Management |
| 443 | smtp, TLS connection for Simple Mail Transfer Protocol | Service used by IBM Storage Defender Copy Data Management |
| 636 | LDAP, TLS connection for Lightweight Directory Access Protocol | Service used by IBM Storage Defender Copy Data Management |
| 1433 | sql, SQL Service | Service used by IBM Storage Defender Copy Data Management |
| 4369 | epmd, Erlang port mapper | Service used by IBM Storage Defender Copy Data Management |
| 5480 | ssl/http, vami | Port open within the firewall, IBM Storage Defender Copy Data Management 2.2.5 and earlier |
| 5985 | smtp, TLS connection for Simple Mail Transfer Protocol | WinRM, Windows™ Remote Management |
| 8090 | admin console, IBM Storage Defender Copy Data Management Administrative Console | Port open within the firewall |
| 8092 | admin console, IBM Storage Defender Copy Data Management Administrative Console | Port open within the firewall, IBM Storage Defender Copy Data Management 2.2.6 only |
| 8443 | ssl/http, Apache Tomcat/Coyote JSP engine 1.1 | Port open within the firewall |
| 8761 | Discovery Server | Service used by IBM Storage Defender Copy Data Management. Locates registered microservices |
| 9090 | Liberty Server | Service used to serve the Knowledge Center documentation |
| 27017 | MongoDB mongod | Service used by IBM Storage Defender Copy Data Management |
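A defender can compare what an appliance actually listens on against the table above. The following is an added example, not part of the IBM documentation: it assumes `ss -Hlntu` output collected on the appliance (a constructed sample is embedded), flags listeners the table does not document, and flags the documented non-TLS services (25, 80, 389) together with the TLS counterpart the table lists for each.

```python
"""Audit an appliance's listening ports against the documented port table."""

# Port table as documented on this page: port -> (service, TLS counterpart or None).
# The counterparts (25 -> 443, 80 -> 443, 389 -> 636) follow the table's own pairs.
DOCUMENTED_PORTS = {
    22: ("OpenSSH", None),             25: ("SMTP, non-TLS", 443),
    68: ("DHCP client (UDP)", None),   80: ("HTTP", 443),
    389: ("LDAP, non-TLS", 636),       443: ("HTTPS / SMTP over TLS", None),
    636: ("LDAPS", None),              1433: ("SQL Server", None),
    4369: ("Erlang epmd", None),       5480: ("VAMI, 2.2.5 and earlier", None),
    5985: ("WinRM", None),             8090: ("Administrative Console", None),
    8092: ("Administrative Console, 2.2.6 only", None),
    8443: ("Tomcat HTTPS", None),      8761: ("Discovery Server", None),
    9090: ("Liberty / Knowledge Center", None), 27017: ("MongoDB", None),
}

# Constructed sample of `ss -Hlntu` output (header suppressed); not from a real appliance.
SAMPLE_SS_OUTPUT = """\
tcp   LISTEN 0      128          0.0.0.0:22          0.0.0.0:*
tcp   LISTEN 0      100        127.0.0.1:25          0.0.0.0:*
tcp   LISTEN 0      128                *:443               *:*
tcp   LISTEN 0      128          0.0.0.0:389         0.0.0.0:*
tcp   LISTEN 0      128             [::]:8443            [::]:*
tcp   LISTEN 0      128        127.0.0.1:27017       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:5000        0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:68          0.0.0.0:*
"""

def listening_ports(ss_output):
    """Return {port: local_address} parsed from `ss -Hlntu` style lines (IPv4, IPv6, '*')."""
    ports = {}
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5:
            continue  # blank or malformed line
        addr, _, port = fields[4].rpartition(":")  # split on the last ':' so [::]:8443 works
        if port.isdigit():
            ports[int(port)] = addr
    return ports

def audit(ss_output):
    """Return undocumented listeners and documented plaintext services with their TLS ports."""
    findings = {"undocumented": [], "plaintext": []}
    for port, addr in sorted(listening_ports(ss_output).items()):
        if port not in DOCUMENTED_PORTS:
            findings["undocumented"].append((port, addr))
            continue
        service, tls_port = DOCUMENTED_PORTS[port]
        if tls_port is not None:
            findings["plaintext"].append((port, service, tls_port))
    return findings

if __name__ == "__main__":
    for kind, items in audit(SAMPLE_SS_OUTPUT).items():
        print(kind, items)
```

On a live appliance, feed the real output of `ss -Hlntu` to `audit()`; listeners that appear under `undocumented` warrant investigation, and the `plaintext` entries are candidates for the documented TLS ports.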