StorageGuard overview
StorageGuard™ addresses the challenges of securing the vulnerable enterprise data storage and backup platforms. It automatically collects the up-to-date configurations of the enterprise’s data storage systems and checks for security misconfigurations and vulnerabilities including violation of vendor security best practices, organizational security baseline configuration requirements, ransomware protection guidelines, non-compliance with information security standards and more. It informs the relevant IT teams of violations and how to repair them in order to close the security gaps that put critical data systems at risk.
Key benefits of StorageGuard
- Meets vendor and community-driven security configuration best practices.
- Validation of Configuration Compliance with information security standards (ISO, CIS Controls, PCI DSS, NIST, NERC CIP and more).
- Automatically validates security baseline configurations.
- Automatically detects security vulnerabilities and misconfigurations.
- Tracks and reports on security configuration changes.
- Provides remediation guidelines for detected misconfigurations and facilitates automatic healing.
- Provides the platform for easily implementing custom security configuration checks for storage, backup, and host systems.
- Supports all leading enterprise data storage systems including SAN, NAS, HCI, Storage Network, Storage Management, Storage Virtualization, Data Protection Systems and more.
- An enterprise-grade solution – A secure and scalable solution that can be easily customized and/or integrated with other management systems.
New in Version 9.2.4
New features and highlights
This StorageGuard release introduces new features and major enhancements in the following areas:
Finding Assignment and Due Date
This release enables assigning findings to specific users for resolution and setting a due date for each finding.
New Platform Support
The new release enables StorageGuard to collect the security configuration and automatically detect security configuration best practice violations or vulnerabilities for the following new platforms:
- Hitachi NAS Platform (HNAS)
- IBM Tape
New Reports
This release includes new reports in the catalog:
Data at-rest encryption – This report presents a summary and detailed information for Data at-rest encryption (DaRE) status for the selected system scope.
Risks report (Custom) – This report presents a summary and detailed information for user-selected check type and system scope.
Enhanced security
CyberArk integration has been enhanced to also support integration through the CyberArk Central Credential Provider (CCP) REST API.
This release resolves third-party vulnerabilities. Refer to Support Announcements for additional information.
Risk Knowledgebase update
The StorageGuard risk knowledgebase has been updated with additional industry security best practices, vendor recommendations and vulnerabilities.
Additional Changes and Enhancements
The following section highlights additional notable changes or enhancements:
Id | Description |
SG-22113 | The user interface now enables users to click on dashboard components and be redirected to the appropriate pages. For example, clicking the High bar on the By Severity chart of the Baseline Configuration Overview page redirects the user to the Risks page with a filter pre-set to high-severity risks. |
SG-22106 | The scan engine has been enhanced to prevent irrelevant (read-only) commands from running. |
SG-21965 | Enhanced Support for Veritas NetBackup – In addition to collecting NetBackup configuration through REST API, StorageGuard now also collects FLEX Appliance level configuration. |
SG-20849 | StorageGuard custom configuration collection has been enhanced to allow users to expand the built-in configuration collection with additional REST API calls. |
SG-22693 | Scan timeout and retry parameters have been optimized to facilitate a faster and more efficient scan. |
SG-22651 | Two new predefined user roles are now available: Monitor, Security Admin. In addition, the UserRole has been renamed to Operator. |
SG-21108 | Branding – Administrative users can now modify the color used for the StorageGuard UI, to align with the company’s color palette. |
SG-21956 | The system can now elaborate on risk closure reason such as “CI decommissioned”, “Configuration Change” and “Check Parameter Change”. This information is presented in the Closure Reason column of the Risks view. |
SG-21936 | The List of Security Policies was enhanced to include a column showing the number of systems in scope. |
SG-17992 | The configuration collection for Dell Avamar, NetApp ONTAP and Veeam has been expanded. |
SG-9898 | The configuration collection for Dell Unity, Brocade switches, Rubrik CDM, Cisco switches, Commvault, Dell PowerProtect, Dell ECS and Hitachi VCP has been further optimized. |
SG-22032 | StorageGuard log files can now be opened for review from the StorageGuard UI. Navigate to Settings > Troubleshooting > Server logs to see the list of log files and view them. |
SG-22484 | Additional fields in the Inventory page: number of misconfigurations, number of vulnerabilities and more. |
Fixed issues
The following issues are resolved:
Id | Description |
SG-21955 | Risk Activity log does not log edit parameter actions (previous value, new value) |
SG-21773 | Risk Summary report does not show CVSS scores |
SG-21876 | Check parameter view does not show which parameters have been modified |
SG-21931 | Compliance tab presents inactive / irrelevant policies |
SG-12726 | Check ID “K020CI0MP200: Authentication server redundancy” incorrect finding |
SG-16550 | Check ID “K132E00MP730: Eradication Delay (secure data erasure)” incorrect risk description |
SG-16548 | Check ID “K191700M00106: Default FC port mode” incorrect impact |
SG-15674 | UI: column sorting does not handle case sensitivity correctly |
SG-15546 | Rubrik CDM malformed commands |
SG-20133 | Incorrect version and model presented for IBM FlashSystem |
SG-19972 | Scan Detail report inaccuracies |
SG-22633 | Non-actionable Dell Solutions Enabler scan issue reported |
SG-22629 | Troubleshooting packages are not fully sanitized when marking the sanitize checkbox |
SG-22006 | UI: Switching system types quickly in the compliance tab sometimes results in wrong data being presented |
SG-21980 | Dell PowerFlex is missing under Assets |
SG-21949 | In certain situations, the Compliance tab may show irrelevant checks |
SG-21942 | Policies defined by Check type do not appear under the Compliance tab |
SG-21920 | View collection is not available for certain cloud providers |
SG-21468 | Check ID “C0008 Secure NTP status” – resolution not sufficiently detailed |
SG-16575 | Cisco: show_cimserver command should be executed only on versions below NX-OS 5.2 |
SG-21902 | Insufficient resolution info for Check ID “[SG-NetApp]: K022I00P0195: SSL status” |
SG-21777 | Irrelevant labels presented in the Risks filter tree |
SG-20835 | The Policies view may present an incorrect number of checks |
SG-21853 | Dell PowerFlex scan error messages show ScaleIO instead of PowerFlex |
SG-23125 | Check ID “SG-C0163T073V01: Approved AD domain” - Data parsing issues lead to inaccurate risk data |
SG-23097 | Incorrect Dell Unity - End Of Support - finding |
SG-22906 | Check ID “Unity- SG-C0448T105V01: Trusted certificate-authority (CA)” incorrect finding |
SG-22776 | Scan Troubleshooting Report - No data is presented when generating the report using the long format option |
SG-22769 | Vulnerabilities Overview - Top vulnerable systems – incorrect stats |
SG-22653 | PowerFlex licensing - incorrect counting of systems |
SG-22504 | Check ID “SG-C0426T105V01: Login banner status” – incorrect finding |
SG-21970 | Incorrect command date may be presented for evidence under certain circumstances |
SG-21930 | Custom check has empty fields after applicable probe removal |
SG-21869 | Incorrect PPDM Protection Engine & Application Agent presentation name and model. |
Important Notes
Oracle database Locale requirement
The Oracle instance used as the backend database for the Continuity Software Platform must be configured with the English Locale. This requirement is complementary to other requirements identified in the Deployment guide and/or other documents.
Web Browser Support
StorageGuard supports Google Chrome, Firefox, and Microsoft Edge. Microsoft IE is not supported.
Recommended display size and resolution
StorageGuard’s web user interface is best displayed and operated with these specs:
- Full HD resolution (1080p)
- Screens 21” or larger
- Aspect ratio of 16:9.
Using smaller screens, coarser resolution, or both might cause incomplete display of some information. Use the browser’s zoom-out function to display all content.
Scan of Storage and Replication Management servers
It is recommended to scan all production / DR storage management servers as hosts. This is required even for management servers that are already configured for scanning as storage proxies. A storage proxy scan operates at the API/CLI level, whereas scanning the storage management servers as hosts enables collection of additional configuration files and settings.
Scan of Windows hosts through WMI
Scanning of Windows hosts updated with KB3139940 might fail with an “Access Is Denied” message. To overcome this failure, please make sure that the user configured to authenticate to this server is a member of the Local Administrator group on the StorageGuard server. As of version 7.2.1, StorageGuard also provides an alternative method of scanning Windows servers using WMI which requires PowerShell version 5.1 or higher.
User account for technical support only
The csadmin user provides access to support tools that can cause damage if not used properly. This user is intended to be used by Continuity Software support engineers only. Enable and log in with the csadmin user only when directed to do so by support personnel. This user is locked by default.
Database Views
The Database Views feature is currently only available when using Oracle DBMS. Support for Database Views when using Postgres will be added in the future.
Limitations
Assigning a profile to an Active Directory group
- When assigning a profile to an AD Universal Group, the StorageGuard master server must have access to the Global Catalog of the AD Forest.
- When assigning a profile to an AD Local Domain Group, StorageGuard will not be able to assign the Profile to AD Users from a different Domain – even though such configuration is valid within AD. In other words – an AD user can log in to StorageGuard (with all the correct profiles assigned) only if each AD Local Domain Group it belongs to is part of the same AD Domain the AD user belongs to.
Special characters are converted during object import to StorageGuard
When importing names and properties of objects from CSV/CMDB/API, special characters such as “&”, ‘no-break space’ and certain UTF-8 characters are converted to alphanumeric characters.
In specific cases scan error messages are not sufficiently informative
The Scan Troubleshooting screen occasionally presents scan error messages that include the error code but no additional details.
Workaround: Run the erroneous command or script manually to see the full scan error message. If further assistance is required, contact Technical Support.
SSH key support is limited to keys with fewer than 4000 characters [P-6645]
Elevated rights required for certain read-only Commvault API calls
A few of the optional read-only API calls executed by StorageGuard on Commvault (the SNMP and Audit Trail APIs) require elevated rights. Granting these rights is recommended so that StorageGuard can perform a comprehensive risk analysis, but it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands.
Elevated rights required for certain read-only Dell EMC Data Domain commands
A few of the read-only commands executed by StorageGuard on Data Domain require the limited-admin role. Granting these rights is recommended so that StorageGuard can perform a comprehensive risk analysis, but it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only user role.
Elevated rights required for certain read-only Dell EMC Unity API calls
A few of the read-only API calls executed by StorageGuard on Unisphere for Unity require the securityadministrator role. Granting these rights is recommended so that StorageGuard can perform a comprehensive risk analysis, but it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only operator role.
Elevated rights required for certain read-only Hitachi Ops Center API calls
A few of the read-only API calls executed by StorageGuard on Hitachi Ops Center require the Security Administrator role. Granting these rights is recommended so that StorageGuard can perform a comprehensive risk analysis, but it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only operator role.
Elevated rights required for scanning Windows hosts
It’s recommended to scan a Storage Management system both at the application level and the OS level. OS-level scan is optional but recommended for a comprehensive security configuration analysis. The OS-level scan is performed by connecting through either WinRM or WMI and then running read-only commands and queries. These commands and queries, even though read-only, require elevated rights.
NetBackup version support
StorageGuard supports scanning NetBackup systems from release 8.1 and above. NetBackup 7.x and 8.0.x are not supported.
CVE detection limitation
StorageGuard may report a CVE vulnerability that was either worked around or mitigated through remedial steps other than applying software updates.
CVE detection knowledgebase
The CVE knowledgebase is limited to advisories and CVEs that have been announced by the vendor, MITRE or other source to the community.