StorageGuard overview

StorageGuard™ addresses the challenges of securing the vulnerable enterprise data storage and backup systems. It automatically collects the up-to-date configurations of the enterprise’s data storage systems and checks for security misconfigurations and vulnerabilities including violation of vendor security best practices, organizational security baseline configuration requirements, ransomware protection guidelines, non-compliance with information security standards and more. It informs the relevant IT teams of violations and how to repair them in order to close the security gaps that put critical data systems at risk.

Key benefits of StorageGuard

• Meets vendor and community-driven security configuration best practices.
• Validation of Configuration Compliance with information security standards (ISO, CIS Controls, PCI DSS, NIST, and more).
• Automatically validates security baseline configurations.
• Automatically detects security vulnerabilities and misconfigurations.
• Tracks and reports on security configuration changes.
• Provides remediation guidelines for detected misconfigurations and facilitates automatic healing.
• Provides the platform for easily implementing custom security configuration checks for storage, backup, and host systems.
• Supports all leading enterprise data storage systems including SAN, NAS, Storage Network, Storage Management, Storage Virtualization, Data Protection Systems and more.
• An enterprise-grade solution – A secure and scalable solution that can be easily customized and/or integrated with other management systems.

New in Version 9.2.1

New features and highlights

This StorageGuard release introduces new features and major enhancements in the following areas:

New Platform Support

The new release enables StorageGuard to collect the security configuration and automatically detect security configuration best practice violations or vulnerabilities for the following new platforms:

Dell PowerProtect Cyber Recovery Dell Networker Pure Storage FlashBlade HPE 3PAR / Primera HPE OneView IBM DS

 

User Scoping (limited view)

User view can now be restricted to specific storage and backup systems based on a CI group - by defining a User Scope. CI groups define logical groups of entities based on either direct selection of entities or user-defined criteria that generate dynamic groups (for example - based on system type, IP subnet, site, naming convention and more).  CI groups support both include and exclude rules. The user view can also be scoped by Area or Labels however Label and Area based scoping is only applied only the risks pages.

Once a User Scope has been defined, a User Profile can be configured to use it. A User Profile also defines the User Role. Scope and Role together define the systems to which the user will have access and the permission level (read-only, admin, custom, etc.). A User Profile can be assigned to either a local user, domain user or domain group.

 

Compliance and Non-Compliance Evidence

An Evidence field was added to the Findings and PASS / FAIL reports. The field presents the raw output from the scanned system that led to the conclusion that the check failed or passed successfully. The evidence data in the Analysis Summary (PASS / FAIL) report can be used to show compliance. The Evidence data in the finding view assists end users to review the misconfiguration and make an informed decision as to the best course of action.

 

Global Parameters and Rule-based Override

Check parameters can now be defined globally across technologies. Furthermore, StorageGuard enables defining rules for overriding the default parameter value definition as appropriate for specific technologies, sites, or security policies.

 

Task Manager

A new area is now available for users to review current and historical tasks, including detailed status and performance information, and drilldown for scanned items, collectors, and command execution.

 

Enhanced security 

This release includes an upgrade to several components, including Apache Tomcat, AdoptOpenJDK JRE. Refer to Support Announcements for additional information.

 

Risk Knowledgebase update

The StorageGuard risk knowledgebase has been updated with additional industry security best practices, vendor recommendations and vulnerabilities. The security configuration collection and analysis have been extended for a variety of supported Storage and Backup systems including Pure Storage FlashArray, Dell EMC Unity, Dell EMC PowerScale / Isilon, NetApp ONTAP, Veritas NetBackup, Hitachi VSP, IBM Storage Protect, Dell VxRail, Rubrik CDM, Hitachi Ops Center, Dell PowerProtect DD / Data Domain and other Storage / Backup systems.

 

Additional Changes and Enhancements

The following section highlights additional notable changes or enhancements:

Id	Description
SG-12858	Severity and Ease of Implementation Matrix in findings report.
SG-17716	Improved Activity report.
SG-14224	Task scheduling based on Site or CI Group.
SG-12962	Improved configuration collection for Dell PowerMax.
SG-18103	CVE Search page allowing to query for vulnerabilities for certain Storage/Backup releases.
SG-18091	Import/Export capability for check parameters.
SG-17911	Improved Scan Status Reporting.
SG-17910	Enhanced Analysis Summary Report (Link to findings, Evidence column, data collection time).
SG-17909	The “N/A” check state was divided to two separated states: Missing user input (required parameters are not configured). Missing info (scan issue e.g., required permissions not granted).
SG-17884	System serial now presented for: Cisco Switch, Brocade Switch, Commvault, Data Domain, Cohesity DataPlatform, ECS, Isilon, ONTAP, NetBackup, Pure Storage, Rubrik CDM, PowerMax and Unity.
SG-17721	Support for collecting ONTAP configuration through REST API, in addition to previously supported ZAPI.
SG-17629	VB scripts defined in custom collection are now executed with: “cmd /c csript /nologo”.
SG-12653	Check unique identifier format has been revised. Existing checks and findings are automatically updated during the upgrade.
SG-13116	More granular capabilities for policy definition: In addition to label-based policy, now StorageGuard supports defining policies based on selecting check types or individual checks.
SG-17234	Added filtration by label option for the Findings Summary report.
SG-14244	Ease of Implementation can now be modified by users with the applicable permission.

 

Fixed issues

The following issues are resolved:

Id	Description
SG-16546	Incorrect syntax used in certain SYMCLI commands.
SG-17389	Change username length limitation to 80 characters (currently the limitation is 45 characters).
SG-16857	Improved Veritas NetBackup patch analysis in CVE detection.
SG-13604	Inaccurate ONTAP “Authentication server configuration” finding.
SG-16312	Collected audit info is insufficiently limited.
SG-16573	Inaccurate PowerMAX “Secure management server communication” finding.
SG-16369	REOPEN status incorrectly presented in the Findings Summary report.
SG-16434	Missing success/failure feedback when importing a custom check expansion package.
SG-16435	All areas are checked by default when defining a new custom check.
SG-16544	Solutions Enabler CVE tickets show the scanner name instead of SE host name.
SG-16545	symcli_cyber_collection.sh does not capture the command error message.
SG-16576	Incorrect role command syntax (cisco).
SG-16632	‘Fix it’ error when remediation includes multiple commands.
SG-17484	Partial info presented in the Activity report.
SG-17072	Risk paging is incorrect after a certain sequence of operations.
SG-17056	Adding a suppression note deselects the suppression period.

 

Important Notes

Oracle database Locale requirement

The Oracle instance used as the backend database for the Continuity Software Platform must be configured with the English Locale. This requirement is complementary to other requirements identified in the Deployment guide and/or other documents.

Web Browser Support

StorageGuard supports Google Chrome, Firefox, and Microsoft Edge. Microsoft IE is not supported.

Recommended display size and resolution

StorageGuard’s web user interface is best displayed and operated with these specs:

• Full HD resolution (1080p)
• Screens 21” or larger
• Aspect ratio of 16:9.

Using smaller screens, coarser resolution, or both might cause incomplete display of some information. Use the browser’s zoom-out function to display all content. 

Scan of Storage and Replication Management servers

It is recommended to scan all production / DR storage management servers as hosts. This is required even for management servers are already configured for scanning as storage proxies. A storage proxy scan operates at the API/CLI level whereas scanning the storage management servers as a host enables collection of additional configuration files and settings.

Scan of Windows hosts through WMI

Scanning of Windows hosts updated with KB3139940 might fail with an “Access Is Denied” message. To overcome this failure, please make sure that the user configured to authenticate to this server is a member of the Local Administrator group on the StorageGuard server. As of version 7.2.1, StorageGuard also provides an alternative method of scanning Windows servers using WMI which requires PowerShell version 5.1 or higher.

User account for technical support only

The csadmin user provides access to support tools that can cause damage if not used properly; This user is intended to be used by Continuity Software support engineers only. Enable and login with the csadmin user only when directed to do so by support personnel. This user is locked by default.

Database Views

The Database Views feature is currently only available when using Oracle DBMS. Support Database Views when using Postgres will be added in the future.

 

Limitations

Assigning a profile to an Active Directory group

• When assigning a profile to an AD Universal Group, the StorageGuard master server must have access to the Global Catalog of the AD Forest.
• When assigning a profile to an AD Local Domain Group, StorageGuard will not be able to assign the Profile to AD Users from a different Domain – even though such configuration is valid within AD.  In other words – an AD user can log in to StorageGuard (with all the correct profiles assigned) only if each AD Local Domain Group it belongs to is part of the same AD Domain the AD user belongs to.

Special characters are converted during object import to StorageGuard
When importing names and properties of objects from CSV/CMDB/API, special characters such as “&”,‘no-break- space’ and certain UTF8 chars are converted to alphanumeric chars.

In specific cases scan error messages are not sufficiently informative

The Scan Troubleshooting screen occasionally presents scan error messages that include the error code but no additional details.

Workaround: Run the erroneous command or script manually to see the full scan error message.  If further assistance required, contact Technical Support.

SSH key supports only keys with less than 4000 characters [P-6645]

Elevated rights required for certain read-only Commvault API calls

Few of the optional read-only API calls executed by StorageGuard on Commvault require elevated rights - SNMP & Audit Trail API. It's recommended to grant these rights to enable StorageGuard to perform a comprehensive risk analysis however it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands.

Elevated rights required for certain read-only Dell EMC Data Domain commands

Few of the read-only commands executed by StorageGuard on Data Domain require the limited-admin role. It's recommended to grant these rights to enable StorageGuard to perform a comprehensive risk analysis however it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only user role.

Elevated rights required for certain read-only Dell EMC Unity API calls

Few of the read-only API calls executed by StorageGuard on Unisphere for Unity require the securityadministor role. It's recommended to grant these rights to enable StorageGuard to perform a comprehensive risk analysis however it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only operator role.

Elevated rights required for certain read-only Hitachi Ops Center API calls

Few of the read-only API calls executed by StorageGuard on Hitachi Ops Center require the Security Administrator role. It's recommended to grant these rights to enable StorageGuard to perform a comprehensive risk analysis however it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only operator role.

Elevated rights required for scanning Windows hosts

It’s recommended to scan a Storage Management system both at the application level and the OS level. OS-level scan is optional but recommended for a comprehensive security configuration analysis. The OS-level scan is performed by connecting through either WinRM or WMI and then running read-only commands and queries. These commands and queries, even though read-only, require elevated rights.

NetBackup version support

StorageGuard supports scanning NetBackup systems from release 8.1 and above. NetBackup 7.x and 8.0.x are not supported.

CVE detection limitation

StorageGuard may report a CVE vulnerability that was either worked around or mitigated through remedial steps other than applying software updates.

CVE detection knowledgebase

The CVE knowledgebase is limited to advisories and CVEs that have been announced by the vendor, MITRE or other source to the community.