Cyber vault hardening
These are the additional recommendations to harden an ONTAP cyber vault. Please consult the ONTAP hardening guide below for more recommendations and procedures.
Cyber vault hardening recommendations
- Isolate the cyber vault's management planes
- Do not enable data LIFs on the destination cluster, as they are an additional attack vector
- On the destination cluster, limit intercluster LIF access to the source cluster with a service policy
- Segment the management LIF on the destination cluster for limited access with a service policy and a bastion host
- Restrict all data traffic from the source cluster to the cyber vault to allow only the ports required for SnapMirror traffic
- Where possible, disable any unneeded management access methods within ONTAP to decrease the attack surface
- Enable audit logging and remote log storage
- Enable multi-admin verification and require verification from an admin outside your regular storage administrators (e.g. CISO staff)
- Implement role-based access controls
- Require administrative multifactor authentication for System Manager and SSH
- Use token-based authentication for scripts and REST API calls
Please refer to the ONTAP hardening guide, Multi-admin verification overview and ONTAP multifactor authentication guide for how to accomplish these hardening steps.
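One way to check the recommendation to allow only SnapMirror ports from the source cluster, shown as an added example that is not NetApp's code. It audits an exported firewall rule set; the rule format, rule names and addresses are constructed, and the port numbers (TCP 11104 and 11105) are an assumption to confirm for your ONTAP release.

```python
import ipaddress

# Assumption (not stated on the page): ONTAP intercluster/SnapMirror traffic
# uses TCP 11104 and 11105. Confirm against the docs for your ONTAP release.
SNAPMIRROR_PORTS = {11104, 11105}

def audit_rules(rules, source_ic_lifs, vault_ic_lifs):
    """Return [(rule_name, [reasons])] for allow rules that reach the vault's
    intercluster LIFs with more than source-LIF -> SnapMirror-port access."""
    sources = {ipaddress.ip_address(a) for a in source_ic_lifs}
    vault = [ipaddress.ip_address(a) for a in vault_ic_lifs]
    findings = []
    for rule in rules:
        dst = ipaddress.ip_network(rule["dst"], strict=False)
        if rule["action"] != "allow" or not any(v in dst for v in vault):
            continue  # deny rules and rules that never reach the vault
        reasons = []
        if rule["proto"] != "tcp":
            reasons.append("protocol is not tcp")
        lo, hi = rule["ports"]
        if set(range(lo, hi + 1)) - SNAPMIRROR_PORTS:
            reasons.append("ports beyond SnapMirror")
        src = ipaddress.ip_network(rule["src"], strict=False)
        # A source network larger than the LIF list must contain a non-LIF host,
        # so the size check avoids enumerating huge ranges such as 0.0.0.0/0.
        if src.num_addresses > len(sources) or any(ip not in sources for ip in src):
            reasons.append("source wider than source intercluster LIFs")
        if reasons:
            findings.append((rule["name"], reasons))
    return findings

# Constructed sample data: documentation address ranges, hypothetical rule names.
SOURCE_LIFS = ["192.0.2.11", "192.0.2.12"]
VAULT_LIFS = ["198.51.100.21", "198.51.100.22"]
RULES = [
    {"name": "snapmirror", "action": "allow", "proto": "tcp",
     "src": "192.0.2.11/32", "dst": "198.51.100.21/32", "ports": (11104, 11105)},
    {"name": "wide-source", "action": "allow", "proto": "tcp",
     "src": "192.0.2.0/24", "dst": "198.51.100.0/24", "ports": (11104, 11105)},
    {"name": "nfs-data", "action": "allow", "proto": "tcp",
     "src": "192.0.2.11/32", "dst": "198.51.100.21/32", "ports": (2049, 2049)},
    {"name": "any-any", "action": "allow", "proto": "any",
     "src": "0.0.0.0/0", "dst": "198.51.100.0/24", "ports": (0, 65535)},
    {"name": "default-deny", "action": "deny", "proto": "any",
     "src": "0.0.0.0/0", "dst": "0.0.0.0/0", "ports": (0, 65535)},
]

if __name__ == "__main__":
    for name, reasons in audit_rules(RULES, SOURCE_LIFS, VAULT_LIFS):
        print(f"{name}: {', '.join(reasons)}")
```

An empty result means every allow rule that reaches the vault's intercluster LIFs is limited to the listed source LIFs and SnapMirror ports.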