Security
Cloud Volumes ONTAP supports data encryption and provides protection against viruses and ransomware.
Encryption of data at rest
Cloud Volumes ONTAP supports the following encryption technologies:
- NetApp Volume Encryption (starting with Cloud Volumes ONTAP 9.5)
- AWS Key Management Service
- Azure Storage Service Encryption
- Google Cloud Platform default encryption
You can use NetApp Volume Encryption with native AWS, Azure, or GCP encryption, which encrypt data at the hypervisor level.
NetApp Volume Encryption
NetApp Volume Encryption (NVE) is a software-based technology for encrypting data at rest one volume at a time. Data, Snapshot copies, and metadata are encrypted. Access to the data is given by a unique XTS-AES-256 key, one per volume.
Cloud Volumes ONTAP supports NetApp Volume Encryption with an external key management server. An Onboard Key Manager is not supported. You can find the supported key managers in the NetApp Interoperability Matrix Tool under the Key Managers solution.
You can enable NetApp Volume Encryption on a new or existing volume by using the CLI or System Manager. Cloud Manager does not support NetApp Volume Encryption. For instructions, see Encrypting volumes with NetApp Volume Encryption.
AWS Key Management Service
When you launch a Cloud Volumes ONTAP system in AWS, you can enable data encryption using the AWS Key Management Service (KMS). Cloud Manager requests data keys using a customer master key (CMK).
You can't change the AWS data encryption method after you create a Cloud Volumes ONTAP system.
If you want to use this encryption option, then you must ensure that the AWS KMS is set up appropriately. For details, see Setting up the AWS KMS.
Azure Storage Service Encryption
Azure Storage Service Encryption for data at rest is enabled by default for Cloud Volumes ONTAP data in Azure. No setup is required.
Customer-managed keys are not supported with Cloud Volumes ONTAP.
Google Cloud Platform default encryption
Google Cloud Platform data-at-rest encryption is enabled by default for Cloud Volumes ONTAP. No setup is required.
While Google Cloud Storage always encrypts your data before it's written to disk, you can use Cloud Manager APIs to create a Cloud Volumes ONTAP system that uses customer-managed encryption keys. These are keys that you generate and manage in GCP using the Cloud Key Management Service.
Refer to the API Developer Guide for details about using the "GcpEncryption" parameters.
ONTAP virus scanning
You can use integrated antivirus functionality on ONTAP systems to protect data from being compromised by viruses or other malicious code.
ONTAP virus scanning, called Vscan, combines best-in-class third-party antivirus software with ONTAP features that give you the flexibility you need to control which files get scanned and when.
For information about the vendors, software, and versions supported by Vscan, see the NetApp Interoperability Matrix.
For information about how to configure and manage the antivirus functionality on ONTAP systems, see the ONTAP 9 Antivirus Configuration Guide.
Ransomware protection
Ransomware attacks can cost a business time, resources, and reputation. Cloud Manager enables you to implement the NetApp solution for ransomware, which provides effective tools for visibility, detection, and remediation.
- Cloud Manager identifies volumes that are not protected by a Snapshot policy and enables you to activate the default Snapshot policy on those volumes.
  Snapshot copies are read-only, which prevents ransomware corruption. They can also provide the granularity to create images of a single file copy or a complete disaster recovery solution.
- Cloud Manager also enables you to block common ransomware file extensions by enabling ONTAP's FPolicy solution.