Platform security features
Learn about the platform security features in StorageGRID.
Feature | Function | Impact | Regulatory compliance |
---|---|---|---|
Internal public-key infrastructure (PKI), node certificates, and TLS |
StorageGRID uses an internal PKI and node certificates to authenticate and encrypt internode communication. Internode communication is secured by TLS. |
Helps secure system traffic over the LAN or WAN, especially in a multisite deployment. |
SEC Rule 17a-4(f) |
Node firewall |
StorageGRID automatically configures IP tables and firewalling rules to control incoming and outgoing network traffic, as well as closing unused ports. |
Helps protect the StorageGRID system, data, and metadata against unsolicited network traffic. |
— |
OS hardening |
The base operating system of StorageGRID physical appliances and virtual nodes is hardened; unrelated software packages are removed. |
Helps minimize potential attack surfaces. |
SEC Rule 17a-4(f) |
Periodic platform and software updates |
StorageGRID provides regular software releases that include operating system, applications binaries, and software updates. |
Helps keep the StorageGRID system updated with current software and application binaries. |
— |
Disabled Root Login Over Secure Shell (SSH) |
Root login over SSH is disabled on all StorageGRID nodes. SSH access uses certificate authentication. |
Helps customers protect against potential remote password cracking of the root login. |
SEC Rule 17a-4(f) |
Automated time synchronization |
StorageGRID automatically synchronizes system clocks of each node against multiple external time Network Time Protocol (NTP) servers. At least four NTP servers of Stratum 3 or later are required. |
Ensures the same time reference across all nodes. |
SEC Rule 17a-4(f) |
Separate networks for client, admin, and internal grid traffic |
StorageGRID software nodes and hardware appliances support multiple virtual and physical network interfaces, so that customers can separate client, administration, and internal grid traffic over different networks. |
Allow Grid administrators to segregate internal and external network traffic and deliver traffic over networks with different SLAs. |
— |
Multiple virtual LAN (VLAN) interfaces |
StorageGRID supports configuring VLAN interfaces on your StorageGRID client and grid networks. |
Allow Grid administrators to partition and isolate application traffic for security, flexibility, and performance. |
|
Untrusted Client Network |
The Untrusted Client Network interface accepts inbound connections only on ports that have been explicitly configured as load-balancer endpoints. |
Ensures that interfaces exposed to untrusted networks are secured. |
— |
Configurable Firewall |
Manage open and closed ports for Admin,Grid, and client networks. |
Allow grid administrators to control access on ports and manage approved device access to the ports. |
|
Enhanced SSH behavior |
disable SSH by default prior to installation. In the default state, SSH access is only enabled on the link-local management ports address. The admin and root user passwords are set to the appliance compute controller serial number. Login is only allowed on serial console and graphical console (BMC KVM). SSH on any network port is disabled. |
Enhances network access protection. |
SEC Rule 17a-4(f) |
Node encryption |
As part of the new KMS host server encryption feature, a new Node Encryption setting is added to the StorageGRID Appliance Installer. |
This setting must be enabled during the hardware configuration stage of appliance installation. |
SEC Rule 17a-4(f) |