Isolate the cyber vault's management planes

Do not enable data LIFs on the destination cluster as they are an additional attack vector

On the destination cluster, limit intercluster LIF access to the source cluster with a service policy

Segment the management LIF on the destination cluster for limited access with a service policy and a bastion host

Restrict all data traffic from the source cluster to the cyber vault to allow only the ports required for SnapMirror traffic

Where possible, disable any unneeded management access methods within ONTAP to decrease the attack surface

Enable audit logging and remote log storage

Enable multi-admin verification and require verification from an admin outside your regular storage administrators (e.g. CISO staff)

Implement role-based access controls

Require administrative multifactor authentication for System Manager and ssh

Use token based authentication for scripts and REST API calls