You can configure connectivity to clustered external key management servers on an storage VM. With clustered key servers, you can designate primary and secondary key servers on a storage VM. When registering keys, ONTAP will first attempt to access a primary key server before sequentially attempting to access secondary servers until the operation completes successfully, preventing duplication of keys.

Learn to configure clustered external key servers.

You can use one or more KMIP servers to secure the keys the cluster uses to access encrypted data.

The role assigned to an administrator determines which functions the administrator can perform. Predefined roles for cluster administrators and storage VM administrators are provided by System Manager. You assign the role when you create the administrator’s account, or you can assign a different role later.

ONTAP uses standard methods to secure client and administrator access to storage and to protect against viruses. Advanced technologies are available for encryption of data at rest and for WORM storage. ONTAP authenticates a client machine and user by verifying their identities with a trusted source. ONTAP authorizes a user to access a file or directory by comparing the user's credentials with the permissions configured on the file or directory.

Learn about client authentication and authorization.

You can use the Open Authorization (OAuth 2.0) framework to control access to your ONTAP clusters. OAuth 2.0 restricts and controls access to protected resources using signed access tokens.

Learn about OAuth 2.0 authentication.

You can configure and enable Security Assertion Markup Language (SAML) authentication for web services. SAML authenticates users by an external Identity Provider (IdP) instead of the directory service providers such as Active Directory and LDAP.

Learn to Configure SAML authentication.

ONTAP is compliant in the Federal Information Processing Standards (FIPS) 140-2 for all SSL connections. You can turn SSL FIPS mode on and off, set SSL protocols globally, and turn off any weak ciphers such as RC4 within ONTAP.

Beginning with ONTAP 9.18.1 postquantum computing cryptographic algorithms are supported for SSL. These algorithms provide additional protection against potential future quantum computing attacks, and are available when SSL FIPS mode is disabled.

An interface group, also known as a Link Aggregation Group (LAG), is created by combining two or more physical ports on the same node into a single logical port. The logical port provides increased resiliency, increased availability, and load sharing.

Learn about Link Aggregation Groups.