Administration security features
Discover the administration security features in StorageGRID.
Feature | Function | Impact | Regulatory compliance |
---|---|---|---|
Server Certificate (Grid Management Interface) |
Grid administrators can configure the Grid Management Interface to use a server certificate signed by their organization’s trusted CA. |
Enables the use of digital certificates signed by their standard, trusted CA to authenticate management UI and API access between a management client and the grid. |
— |
Administrative user authentication |
Administrative users are authenticated using username and password. Administrative users and groups can be local or federated, imported from the customer’s Active Directory or LDAP. Local account passwords are stored in a format protected by bcrypt; command-line passwords are stored in a format protected by SHA-2. |
Authenticates administrative access to the management UI and APIs. |
— |
SAML support |
StorageGRID supports single sign-on (SSO) using the Security Assertion Markup Language 2.0 (SAML 2.0) standard. When SSO is enabled, all users must be authenticated by an external identity provider before they can access the Grid Manager, the Tenant Manager, the Grid Management API, or the Tenant Management API. Local users cannot sign in to StorageGRID. |
Enables additional levels of security for grid and tenant administrators such as SSO and multifactor authentication (MFA). |
NIST SP800-63 |
Granular permission control |
Grid administrators can assign permissions to roles and assign roles to administrative user groups, which enforces which tasks administrative clients are allowed to perform by using both the management UI and APIs. |
Allows Grid administrators to manage access control for admin users and groups. |
— |
Distributed audit logging |
StorageGRID provides a built-in, distributed audit logging infrastructure, scalable to hundreds of nodes across up to 16 sites. StorageGRID software nodes generate audit messages, which are transmitted through a redundant audit relay system and ultimately captured in one or more audit log repositories. Audit messages capture events at an object-level granularity such as client-initiated S3 API operations, object lifecycle events by ILM, background object health checks, and configuration changes made from the management UI or APIs. Audit logs can be exported from admin nodes through CIFS or NFS, allowing audit messages to be mined by tools such as Splunk and ELK. There are four types of audit messages:
|
Provides Grid administrators with a proven and scalable audit service and enables them to mine audit data for various objectives. Such objectives include troubleshooting, auditing SLA performance, client data access API operations, and management configuration changes. |
— |
System audit |
System audit messages capture system-related events, such as grid node states, corrupt object detection, objects committed at all specified locations per ILM rule, and progress of system-wide maintenance tasks (grid tasks). |
Helps customers troubleshoot system issues and provides proof that objects are stored according to their SLA. SLAs are implemented by StorageGRID ILM rules and are integrity-protected. |
— |
Object storage audit |
Object storage audit messages capture object API transaction and lifecycle-related events. These events include object storage and retrieval, grid-node to grid-node transfers, and verifications. |
Helps customers audit the progress of data through the system and whether SLA, specified as StorageGRID ILM, are being delivered. |
— |
HTTP protocol audit |
HTTP protocol audit messages capture HTTP protocol interactions related to client applications and StorageGRID nodes. In addition, customers can capture specific HTTP request headers (such as X-Forwarded-For and user metadata [x-amz-meta-*]) into audit. |
Helps customers audit data access API operations between clients and StorageGRID and trace an action to an individual user account and access key. Customers can also log user metadata into audit and use log mining tools, such as Splunk or ELK, to search on object metadata. |
— |
Management audit |
Management audit messages log admin user requests to the management UI (Grid Management Interface) or APIs. Every request that is not a GET or HEAD request to the API logs a response with the username, IP, and type of request to the API. |
Helps Grid administrators establish a record of system configuration changes made by which user from which source IP and which destination IP at what time. |
— |
TLS 1.3 support for management UI and API access |
TLS establishes a handshake protocol for communication between an admin client and a StorageGRID admin node. |
Enables an administrative client and StorageGRID to identify and authenticate each other and communicate with confidentiality and data integrity. |
— |
SNMPv3 for StorageGRID monitoring |
SNMPv3 provides security by offering both strong authentication and data encryption for privacy. With v3, protocol data units are encrypted, using CBC-DES for its encryption protocol. User authentication of who sent the protocol data unit is provided by either the HMAC-SHA or HMAC-MD5 authentication protocol. SNMPv2 and v1 are still supported. |
Helps Grid administrators monitor the StorageGRID system by enabling an SNMP agent on the Admin Node. |
— |
Client certificates for Prometheus metrics export |
Grid administrators can upload or generate client certificates which can be used to provide secure, authenticated access to the StorageGRID Prometheus database. |
Grid administrators can use client certificates to monitor StorageGRID externally using applications such as Grafana. |
— |