StorageGuard overview
StorageGuard™ addresses the challenges of securing the vulnerable enterprise data storage and backup systems. It automatically collects the up-to-date configurations of the enterprise’s data storage systems and checks for security misconfigurations and vulnerabilities including violation of vendor security best practices, organizational security baseline configuration requirements, ransomware protection guidelines, non-compliance with information security standards and more. It informs the relevant IT teams of violations and how to repair them in order to close the security gaps that put critical data systems at risk.
Key benefits of StorageGuard:
- Meets vendor and community-driven security configuration best practices.
- Validation of Configuration Compliance with information security standards (ISO, CIS, PCI, NIST, FFIEC and more).
- Automatically validates security baseline configurations.
- Automatically detects security vulnerabilities and misconfigurations.
- Tracks and reports on security configuration changes.
- Provides remediation guidelines for detected misconfigurations and facilitates automatic healing.
- Provides the platform for easily implementing custom security configuration checks for storage, backup and host systems.
- Supports all leading enterprise data storage systems including SAN, NAS, Storage Network, Storage Management, Storage Virtualization, Data Protection Systems and more.
- An enterprise-grade solution – A secure and scalable solution that can be easily customized and/or integrated with other management systems.
New in Version 9.2
New features and highlights
This StorageGuard release introduces new features and major enhancements in the following areas:
New Platform Support | The new release enables StorageGuard to collect the security configuration and automatically detect security configuration best practice violations and vulnerabilities for the following new platforms: |
Enhanced support for storage systems | The security configuration collection and analysis have been extended for a variety of supported Storage and Backup systems including Brocade FC Switch, Cisco MDS Switch, Dell EMC PowerProtect DD, Dell EMC Elastic Cloud Storage (ECS), Dell EMC PowerScale, Dell EMC Unity, Dell EMC PowerMax and other Storage/Backup systems. |
Fix it | The new Fix it capability offers automatic healing. Fix it will enable users to automatically execute the suggested remedial steps and re-validate that the issue has been corrected. Fix it is an optional feature that will initially be available for a limited set of checks and will be gradually expanded. |
Vulnerability Management and Baseline Security | The Risks tab has been divided into two separate tabs: Vulnerabilities and Baseline Security. The Vulnerabilities tab is dedicated to managing findings related to security advisories, security bulletins and CVE vulnerabilities. The Baseline Security tab is dedicated to managing configuration policies and to reviewing findings related to security best practice violations, hardening guidelines, non-compliance, configuration drifts and other misconfigurations. |
Storage and Backup System Inventory | A new Assets tab is available with this release. This tab provides a listing of all discovered storage/backup systems including hardware and software and version information. |
New Dashboards | The previous dashboard was replaced with dedicated dashboards for the following areas:
Click on the Overview page to see the dashboard. |
Enhanced security | Several security enhancements have been implemented: |
Support for PostgreSQL | StorageGuard uses a database to store its data. StorageGuard can now be installed with a PostgreSQL database, in addition to the previously supported Oracle database. |
Risk knowledgebase update | The StorageGuard risk knowledgebase has been updated with additional industry security best practices, vendor recommendations and vulnerabilities. |
Additional Changes and Enhancements
The following section highlights additional notable changes or enhancements:
Id | Description |
SG-10172 | A StorageGuard finding now includes an Ease of Implementation field. |
SG-6815 | Vulnerabilities can now be filtered based on CVSS score. |
SG-12365 | Additional NetBackup APIs. |
SG-13167 | Enable scanning Rubrik with a Service Account (User ID and Access Key). |
SG-13208 | Additional Isilon commands. |
SG-14647 | Recommended component updates: The upgrade wizard allows users to choose whether to update these components. The components can also be independently updated (consult with technical support). |
SG-15182 | The encryption cipher was updated to AES256. |
SG-12572 | Added ability to scan Cisco DCNM. |
SG-10579 | Ability to Benchmark your Storage and Backup Security against Industry average. This option is disabled by default and reserved for future use. |
SG-15145 | Additional labels and policies added to mark requirements of NERC CIP, UK NCSC CAF, HIPAA, Singapore MAS TRM, CSA Cloud Controls Matrix and other standards. |
SG-10000 | Additional labels added to provide insight regarding the type of threats mitigated by remediating a finding. |
SG-10000 | Additional labels added to provide insight regarding the applicable CIS Implementation Group (IG) and/or the applicable NIST SP800-53 Baselines. |
SG-13652 | User account (csadmin) for technical support is now available. The user is locked by default and should not be enabled unless specifically instructed by technical support personnel. |
New / Modified system properties
The following section highlights key system properties that were added or modified:
Category | Property | Comment |
Collection | Collector collection packs cache timeout (seconds) | Default value: 15 |
Collection | Collector scanning detail cache timeout (seconds) | Default value: 15 |
Collection | Enable the Fix it option | False |
Collection | SpectrumProtect port | 443 |
Collection | StorageGRID port | 443 |
Collection | Veeam port | 1556 |
Collection – Admin | Enable Automatic Peers Switch Discovery | Default value: true |
Collection – Admin | List of commands (case sensitive) to be skipped from running (comma separated) | Default value: (empty) |
Benchmark | Enable benchmark feature (reserved for future use) | Default value: false |
Fixed issues
The following issues are resolved:
Id | Description |
SG-10094 | Report export actions are not logged |
SG-10675 | The notes text box does not appear when suppressing a ticket |
SG-11087 | Error messages written to the log during Commvault configuration collection |
SG-11302 | The VMware VSAN scan may occasionally result in an error |
SG-11737 | Incorrect finding reported for NetApp regarding missing banner and/or motd |
SG-11816 | Search by label may not work as expected |
SG-11930 | Security Principles screen may load slowly |
SG-11937 | Dell EMC Unity default password check does not always work as expected |
SG-12431 | Data Domain command not executed correctly |
SG-12432 | Isilon command not executed correctly |
SG-12439 | Pure FlashArray is duplicated in Reports |
SG-12445 | Incorrect Data Domain finding regarding syslog server redundancy |
SG-12723 | Inaccurate finding regarding SSH cipher strength for Data Domain |
SG-12725 | Inaccurate finding regarding Data Encryption for Data Domain |
SG-12727 | Inaccurate finding regarding local users for Data Domain |
SG-12728 | Inaccurate finding regarding FIPS compliance for Data Domain |
SG-12807 | Hitachi VSP - SNMP Authentication Algorithm Strength is reported when SNMPv3 is not used |
SG-12810 | Inaccurate finding regarding FTP reported for Hitachi VSP |
SG-12884 | VSAN and VxRail checks are not executed in certain conditions |
SG-12955 | Scan cache inefficiency |
SG-12971 | TLS and AV issues not detected for Unity in certain conditions |
SG-12993 | No scan troubleshooting messages for failed Pure Storage commands |
SG-13442 | Configuration collection of Unisphere for VMAX may not work in certain versions |
SG-15052 | Table sort does not work as expected on certain columns |
SG-15672 | Inaccurate finding regarding remote support configuration for Dell Unity |
Important Notes
Deprecated features
The following features of StorageGuard have been deprecated:
- Classic (Legacy) user interface: All essential functions of the legacy UI will be available in the Modern UI.
- CLI: All functions of the CLI are available in the REST API library.
- WS API: All functions of the WS API are available in REST API.
Oracle database Locale requirement
When Oracle is used as the backend database for the Continuity Software Platform, it must be configured with the English locale. This requirement is complementary to other requirements identified in the Deployment guide and/or other documents.
Web Browser Support
StorageGuard supports Google Chrome, Firefox and Microsoft Edge. Microsoft Internet Explorer is not supported.
Recommended display size and resolution
StorageGuard’s web user interface is best displayed and operated with these specs:
- Full HD resolution (1080p)
- Screens 21” or larger
- Aspect ratio of 16:9
Using smaller screens, coarser resolution, or both might cause incomplete display of some information. Use the browser’s zoom-out function to display all content.
Scan of Storage and Replication Management servers
It is recommended to scan all production / DR storage management servers as hosts. This is required even for management servers that are already configured for scanning as storage proxies. A storage proxy scan operates at the API/CLI level, whereas scanning the storage management servers as hosts enables collection of additional configuration files and settings.
Scan of Windows hosts through WMI
Scanning of Windows hosts updated with KB3139940 might fail with an “Access Is Denied” message. To overcome this failure, please make sure that the user configured to authenticate to this server is a member of the Local Administrator group on the StorageGuard server. As of version 7.2.1, StorageGuard also provides an alternative method of scanning Windows servers using WMI which requires PowerShell version 5.1 or higher.
Installation Notes for this Release
Read the Installation Procedure Chapter of the User Guide for guidance about installing StorageGuard v9.2. In addition, review the Deployment and Scanning Guides for guidance about the StorageGuard infrastructure requirements and the preparations needed for scanning your datacenters.
Upgrade for this Release
An upgrade path to version 9.2 is available from the 9.1 release. If your system is currently installed with an earlier release, an upgrade to version 9.1 is mandatory before upgrading to version 9.2.
Important notes:
- The upgrade will require the complete stop of StorageGuard operations, including data collection and data analysis. While it is fully automatic, the length of the upgrade process may require several hours to complete in large environments. During this time, it is important not to restart the StorageGuard server or terminate the upgrade task. In addition, it is essential that the Oracle database used by StorageGuard will be available throughout the upgrade process.
- Prior to upgrading, take care to read the release notes in full, and make any necessary changes to the StorageGuard infrastructure and/or to user account permissions as required, and ensure sufficient free disk space is available on the master server. It is important to review newly required read-only privileged commands and make necessary changes to sudo[1] to allow StorageGuard to run the commands.
- Prior to upgrading, verify you have an up-to-date backup of the StorageGuard server disk drives using your standard backup tools, and an up-to-date StorageGuard database export. A database export can be generated using the EXPDP or EXP Oracle commands.
- Once the upgrade on the master StorageGuard server is completed and the Tomcat service starts, StorageGuard will automatically check and upgrade the StorageGuard collectors. There is no manual collector upgrade process. For gradual collector upgrade, disable the collectors before initiating the upgrade on the master server, and gradually enable the collectors you wish to upgrade following the completion of the software upgrade on the master server.
To upgrade from version 9.1 to version 9.2:
- Log in as a local administrator to the master StorageGuard.
- Run the ContinuitySuite_9.2.exe as an administrator.
- Click Next in the Welcome screen.
- Select “Yes, upgrade Continuity Suite 9.1 to 9.2”.
- Accept the License Agreement and click Next.
- Accept the GNU License Agreement and click Next.
- Select whether to perform a database export prior to upgrading and whether to start Tomcat after the upgrade completes and click Next. It is recommended to keep the default settings.
- Click Install to begin the Software Upgrade process. This process may require up to several hours to complete, depending on the size of the scanned environment.
- Click Finish.
[1] sudo or any other privilege management solution used to grant the required permissions, such as PowerBroker, UPM, sesudo, etc.
Limitations
Assigning a profile to an Active Directory group
- When assigning a profile to an AD Universal Group, the StorageGuard master server must have access to the Global Catalog of the AD Forest.
- When assigning a profile to an AD Local Domain Group, StorageGuard will not be able to assign the Profile to AD Users from a different Domain – even though such configuration is valid within AD. In other words – an AD user can log in to StorageGuard (with all the correct profiles assigned) only if each AD Local Domain Group it belongs to is part of the same AD Domain the AD user belongs to.
Special characters are converted during object import to StorageGuard
When importing names and properties of objects from CSV/CMDB/API, special characters such as “&”, “no-break space” and certain UTF-8 characters are converted to alphanumeric characters.
In specific cases scan error messages are not sufficiently informative
The Scan Troubleshooting screen occasionally presents scan error messages that include the error code but no additional details.
Workaround: Run the erroneous command or script manually to see the full scan error message. If further assistance is required, contact Technical Support.
SSH key support is limited to keys with fewer than 4000 characters [P-6645]
Elevated rights required for certain read-only Commvault API calls
A few of the optional read-only API calls executed by StorageGuard on Commvault (the SNMP and Audit Trail APIs) require elevated rights. Granting these rights is recommended so that StorageGuard can perform a comprehensive risk analysis, but it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands.
Elevated rights required for certain read-only Dell EMC Data Domain commands
A few of the read-only commands executed by StorageGuard on Data Domain require the limited-admin role. Granting these rights is recommended so that StorageGuard can perform a comprehensive risk analysis, but it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only user role.
Elevated rights required for certain read-only Dell EMC Unity API calls
A few of the read-only API calls executed by StorageGuard on Unisphere for Unity require the securityadministrator role. Granting these rights is recommended so that StorageGuard can perform a comprehensive risk analysis, but it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only operator role.
Elevated rights required for scanning Windows hosts
It’s recommended to scan a Storage Management system both at the application level and the OS level. OS-level scan is optional but recommended for a comprehensive security configuration analysis. The OS-level scan is performed by connecting through either WinRM or WMI and then running read-only commands and queries. These commands and queries, even though read-only, require elevated rights.
NetBackup version support
StorageGuard supports scanning NetBackup systems from release 8.1 and above. NetBackup 7.x and 8.0.x are not supported.
CVE detection limitation
StorageGuard may report a CVE vulnerability that was either worked around or mitigated through remedial steps other than applying software updates.
CVE detection knowledgebase
The CVE knowledgebase is limited to advisories and CVEs that have been announced to the community by the vendor, MITRE or another source.