StorageGuard overview
StorageGuard™ addresses the challenges of securing the vulnerable enterprise data storage and backup systems. It automatically collects the up-to-date configurations of the enterprise’s data storage systems and checks for security misconfigurations and vulnerabilities including violation of vendor security best practices, organizational security baseline configuration requirements, ransomware protection guidelines, non-compliance with information security standards and more. It informs the relevant IT teams of violations and how to repair them in order to close the security gaps that put critical data systems at risk.
Key benefits of StorageGuard:
- Meets vendor and community-driven security configuration best practices.
- Validates configuration compliance with information security standards (ISO, CIS, PCI, NIST, FFIEC and more).
- Automatically validates security baseline configurations.
- Automatically detects security vulnerabilities and misconfigurations.
- Tracks and reports on security configuration changes.
- Provides remediation guidelines for detected misconfigurations and facilitates automatic healing.
- Provides the platform for easily implementing custom security configuration checks for storage, backup and host systems.
- Supports all leading enterprise data storage systems including SAN, NAS, Storage Network, Storage Management, Storage Virtualization, Data Protection Systems and more.
- An enterprise-grade solution – A secure and scalable solution that can be easily customized and/or integrated with other management systems.
New in Version 9.1
New features and highlights
This StorageGuard release introduces new features and major enhancements in the following areas:
Area | Description |
New Platform Support | The new release enables StorageGuard to collect the security configuration and automatically detect security configuration best practice violations and vulnerabilities for the following new platforms: |
Enhanced support for storage systems | The security configuration collection and analysis have been extended for a variety of supported Storage and Backup systems including Brocade FC Switch, Cisco MDS Switch, Dell EMC Data Domain, Dell EMC PowerProtect DD, Dell EMC Elastic Cloud Storage (ECS), Dell EMC Isilon, Dell EMC PowerScale, Dell EMC Unity, Dell EMC VMAX, Dell EMC PowerMax and other Storage/Backup systems. |
Azure AD MFA | Support for Microsoft Azure AD and Azure AD Multifactor Authentication is now available. |
Auto Update | System settings now enable configuring StorageGuard to automatically download and apply the latest CVE definitions file. Manual update is also available. |
Enhanced security | Several security enhancements have been implemented: |
Risk knowledgebase update | The StorageGuard risk knowledgebase has been updated with additional industry security best practices, vendor recommendations and vulnerabilities. |
Additional Changes and Enhancements
The following section highlights additional notable changes or enhancements:
Id | Description |
CSP-10540 | Time zone information in logging |
CSP-10541 | IP address information now logged in the event of unsuccessful login |
CSP-10592 | Creation of a new user role is now logged |
CSP-10625 | Improved Security enforcement of Certificate Transparency requirements |
CSP-10630 | SSH security library upgraded |
CSP-10644 | Improved Java memory usage (Performance Improvement) |
CSP-11182 | Alignment of jar file names to the manifest of Log4J V2.17 |
CSP-11802 | ServiceNow Incident number not processed correctly from incident staging table |
CSP-11929 | Improved view of the Risk table – columns not displayed can be selected by the Settings icon |
CSP-5008 | Improved styling on the new User Interface |
CSP-11405 | Restricted access to Swagger API documentation |
SG-10793 | Enhanced configuration collection for Dell EMC Isilon |
SG-11020 | Enhanced configuration collection for Dell EMC Solutions Enabler |
SG-11928 | Policies (add/edit) - Assign Items - UI under Policies does not show Backup systems |
SG-7375 | Added detection support for patches and firmware of IBM FlashSystem (formerly XIV) storage systems |
SG-9768 | Enhanced configuration collection for Veritas NetBackup |
SG-9898 | Enhanced configuration collection for Dell EMC Unity |
SG-9899 | Enhanced configuration collection for Brocade Directors and Switches |
SG-9925 | Enhanced configuration collection for Dell EMC Data Domain and PowerProtect DD |
SG-9928 | Enhanced configuration collection for Infinidat Infinibox |
SG-10876 | fosexec is no longer mandatory for scanning Brocade switches (now optional) |
New / Modified system properties
The following section highlights key system properties that were added or modified:
Category | Property | Comment |
REST API | Restrict access to swagger documentation | Default: true |
Application Security | X-FRAME-OPTIONS header | Default: SAMEORIGIN |
Initializers | Task start time window | Default: 10 |
Collection - Admin | The number of SANnav probes the system can run in parallel | Default: 2 |
Collection - Admin | The number of CDM probes the system can run in parallel | Default: 2 |
Collection - Admin | The number of Commvault probes the system can run in parallel | Default: 2 |
Collection - Admin | The number of VxRAILManager probes the system can run in parallel | Default: 2 |
Collection - Admin | The number of UnisphereVMAX probes the system can run in parallel | Default: 2 |
Collection Timeouts | Timeout for scanning all SANnav in minutes | Default: 180 |
Collection Timeouts | Timeout for a single SANnav scan, in minutes | Default: 90 |
Collection Timeouts | Timeout for a single CDM scan, in minutes | Default: 60 |
Collection Timeouts | Timeout for a single VxRAIL Manager scan, in minutes | Default: 60 |
Collection - Admin | Save all sanNAV server responses to file | Default: false |
Collection - Admin | Save all CDM cluster responses to file | Default: false |
Collection - Admin | Save all VxRAIL Manager cluster responses to file | Default: false |
Collection - Admin | Save all DataPlatform server responses to file | Default: false |
Collection - Admin | Save all Commvault server responses to file | Default: false |
Collection - Admin | Save all UnisphereVMAX server responses to file | Default: false |
Collection - Admin | Enable sanNAV keep-alive thread | Default: false |
Collection - Admin | Enable CDM keep-alive thread | Default: true |
Collection - Admin | Enable VxRAIL Manager keep-alive thread | Default: false |
Collection - Admin | Enable DataPlatform keep-alive thread | Default: true |
Collection - Admin | Enable Commvault keep-alive thread | Default: true |
Collection - Admin | Enable UnisphereVMAX keep-alive thread | Default: false |
Collection - Admin | Set sanNAV keep-alive timer, in minutes | Default: 3 |
Collection | sanNAV port | Default: 443 |
Collection | CDM port | Default: 443 |
Collection | VxRAIL Manager port | Default: 443 |
Collection | Commvault port | Default: 443 |
Collection | UnisphereVMAX port | Default: 8443 |
Additional Collection - Admin | Number of parallel threads for sanNav | Default: 50 |
Identity Provider | Azure Active Directory scopes | Default: "GroupMember.Read.All User.Read" |
Identity Provider | Azure Active Directory stateTTL | Default: 600 |
Identity Provider | Azure Active Directory group synchronization interval | Default: 5 |
Identity Provider | Azure Active Directory silent validation interval (in sec) | Default: 30 |
Fixed issues
The following issues are resolved:
Id | Description |
CSP-10639 | Scan tasks may not run according to schedule |
CSP-10643 | The “Send to ITSM” option may not work as expected in certain conditions |
CSP-11118 | The "Allow login during full cycle" option may not work in the new UI |
SG-11439 | Failure to load Isilon data when characters are in European code |
SG-4819 | Missing resolution and resolution command in [Cisco] K0619I0MP805: SSH key bitcount |
SG-11440 | Dell EMC Unity findings are labeled with VNX |
SG-10153 | Search for labels when editing principle(s) is case sensitive |
SG-11940 | Default password detection may not work as expected for Dell EMC VNX |
SG-11938 | Scan troubleshooting messages may not appear for Dell EMC Unity |
SG-11205 | The Risk Assessment report may include unselected storage systems |
SG-11115 | Value for customizable parameters may not be saved when grouping the data |
SG-11504 | CSV import of hosts may not import the policy info |
SG-10998 | Partial configuration collection for Veritas NetBackup in certain conditions |
SG-10893 | Changes to custom parameter value may not be saved in certain circumstances |
SG-10892 | In a specific workflow, OPEN tickets will also present CLOSED tickets |
SG-11130 | PASS/FAIL pie chart of the risk assessment report may show inaccurate info |
SG-10531 | Error adding custom check based on configuration file |
SG-10093 | Security Principles UI loads slowly |
SG-7240 | “SymCLI: K0301I0MP295: Maximum password age” configuration check inaccuracy |
SG-7238 | “SymCLI: K0201I0MP353: Secure view of user authorization rules” configuration check inaccuracy |
SG-7239 | “SymCLI: K0301I00P863: Cross-host authentication for client-server com” configuration check inaccuracy |
SG-11097 | Partial configuration collection for Dell EMC Data Domain |
Important Notes
Deprecated features
The following features of StorageGuard will be deprecated in newer product releases:
- Classic (Legacy) user interface. All functions of the legacy UI will be available in the Modern UI.
- CLI. All functions of the CLI are available in the REST API library.
- WS API. All functions of the WS API are available in REST API.
Oracle database Locale requirement
The Oracle instance used as the backend database for the Continuity Software Platform must be configured with the English Locale. This requirement is complementary to other requirements identified in the Deployment guide and/or other documents.
Web Browser Support
StorageGuard supports Google Chrome, Firefox and Microsoft Edge. Microsoft Internet Explorer is not supported.
Recommended display size and resolution
StorageGuard’s web user interface is best displayed and operated with the following specifications:
- Full HD resolution (1080p)
- Screens 21” or larger
- Aspect ratio of 16:9
Using smaller screens, coarser resolution, or both might cause incomplete display of some information. Use the browser’s zoom-out function to display all content.
Scan of Storage and Replication Management servers
It is recommended to scan all production and DR storage management servers as hosts. This is required even for management servers that are already configured for scanning as storage proxies. A storage proxy scan operates at the API/CLI level, whereas scanning the storage management servers as hosts enables collection of additional configuration files and settings.
Scan of Windows hosts through WMI
Scanning of Windows hosts updated with KB3139940 might fail with an “Access Is Denied” message. To overcome this failure, please make sure that the user configured to authenticate to this server is a member of the Local Administrator group on the StorageGuard server. As of version 7.2.1, StorageGuard also provides an alternative method of scanning Windows servers using WMI which requires PowerShell version 5.1 or higher.
Limitations
Assigning a profile to an Active Directory group
- When assigning a profile to an AD Universal Group, the StorageGuard master server must have access to the Global Catalog of the AD Forest.
- When assigning a profile to an AD Local Domain Group, StorageGuard will not be able to assign the Profile to AD Users from a different Domain – even though such configuration is valid within AD. In other words – an AD user can log in to StorageGuard (with all the correct profiles assigned) only if each AD Local Domain Group it belongs to is part of the same AD Domain the AD user belongs to.
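A pre-check for the two limitations above, written here as an added example (not StorageGuard code): it takes a user's distinguished name and the scope and DN of each group the user belongs to, and reports the memberships that cannot carry a profile (domain-local groups from another domain) and those that require Global Catalog access on the master server (universal groups). The domain names and group names in the sample data are constructed.

```python
"""Pre-check for StorageGuard AD profile assignment (added example,
not StorageGuard code): classify an AD user's group memberships per the
documented limitations. Sample data below is constructed."""
import re
from dataclasses import dataclass


def domain_of(dn: str) -> str:
    """Return the DNS-style domain of a distinguished name from its DC= parts."""
    parts = re.findall(r"(?i)(?:^|,)\s*DC=([^,]+)", dn)
    return ".".join(p.strip().lower() for p in parts)


@dataclass
class Group:
    dn: str
    scope: str  # AD group scope: "DomainLocal", "Global" or "Universal"


def check_profile_assignment(user_dn: str, groups: list[Group]) -> dict:
    """Classify each membership:
    - DomainLocal group in a different domain than the user: the profile
      will not apply to this user through that group.
    - Universal group: the master server must reach the forest Global Catalog.
    - anything else: no documented restriction."""
    user_domain = domain_of(user_dn)
    result = {"ok": [], "needs_global_catalog": [], "not_assignable": []}
    for g in groups:
        if g.scope == "DomainLocal" and domain_of(g.dn) != user_domain:
            result["not_assignable"].append(g.dn)
        elif g.scope == "Universal":
            result["needs_global_catalog"].append(g.dn)
        else:
            result["ok"].append(g.dn)
    return result


# Constructed sample data: hypothetical forest example.com with child domains.
SAMPLE_USER = "CN=alice,OU=Users,DC=corp,DC=example,DC=com"
SAMPLE_GROUPS = [
    Group("CN=SG-Admins,OU=Groups,DC=corp,DC=example,DC=com", "DomainLocal"),
    Group("CN=SG-Readers,OU=Groups,DC=emea,DC=example,DC=com", "DomainLocal"),
    Group("CN=SG-Auditors,OU=Groups,DC=example,DC=com", "Universal"),
    Group("CN=SG-Ops,OU=Groups,DC=corp,DC=example,DC=com", "Global"),
]

if __name__ == "__main__":
    for category, dns in check_profile_assignment(SAMPLE_USER, SAMPLE_GROUPS).items():
        print(f"{category}: {dns}")
```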
Special characters are converted during object import to StorageGuard
When importing names and properties of objects from CSV/CMDB/API, special characters such as “&”, ‘no-break space’ and certain UTF-8 characters are converted to alphanumeric characters.
In specific cases scan error messages are not sufficiently informative
The Scan Troubleshooting screen occasionally presents scan error messages that include the error code but no additional details.
Workaround: Run the failing command or script manually to see the full scan error message. If further assistance is required, contact Technical Support.
SSH keys longer than 4000 characters are not supported [P-6645]
Elevated rights required for certain read-only Commvault API calls
A few of the optional read-only API calls executed by StorageGuard on Commvault (the SNMP and Audit Trail APIs) require elevated rights. It is recommended to grant these rights so that StorageGuard can perform a comprehensive risk analysis; however, it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands.
Elevated rights required for certain read-only Dell EMC Data Domain commands
A few of the read-only commands executed by StorageGuard on Data Domain require the limited-admin role. It is recommended to grant these rights so that StorageGuard can perform a comprehensive risk analysis; however, it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only user role.
Elevated rights required for certain read-only Dell EMC Unity API calls
A few of the read-only API calls executed by StorageGuard on Unisphere for Unity require the securityadministrator role. It is recommended to grant these rights so that StorageGuard can perform a comprehensive risk analysis; however, it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only operator role.
Elevated rights required for scanning Windows hosts
It’s recommended to scan a Storage Management system both at the application level and the OS level. OS-level scan is optional but recommended for a comprehensive security configuration analysis. The OS-level scan is performed by connecting through either WinRM or WMI and then running read-only commands and queries. These commands and queries, even though read-only, require elevated rights.
NetBackup version support
StorageGuard supports scanning NetBackup systems from release 8.1 and above. NetBackup 7.x and 8.0.x are not supported.
CVE detection limitation
StorageGuard may report a CVE vulnerability that was either worked around or mitigated through remedial steps other than applying software updates.
Installation Notes for this Release
Read the Installation Procedure Chapter of the User Guide for guidance about installing StorageGuard v9.1. In addition, review the Deployment and Scanning Guides for guidance about the StorageGuard infrastructure requirements and the preparations needed for scanning your datacenters.
Upgrade for this Release
An upgrade path to version 9.1 is available from the 9.0 release. If your system is currently installed with an earlier release, an upgrade to version 9.0 is mandatory before upgrading to version 9.1.
Important notes:
- The upgrade will require the complete stop of StorageGuard operations, including data collection and data analysis. While it is fully automatic, the length of the upgrade process may require several hours to complete in large environments. During this time, it is important not to restart the StorageGuard server or terminate the upgrade task. In addition, it is essential that the Oracle database used by StorageGuard will be available throughout the upgrade process.
- Prior to upgrading, read the release notes in full, make any required changes to the StorageGuard infrastructure and/or to user account permissions, and ensure sufficient free disk space is available on the master server. It is important to review newly required read-only privileged commands and make the necessary changes to sudo[1] to allow StorageGuard to run them.
- Prior to upgrading, verify you have an up-to-date backup of the StorageGuard server disk drives using your standard backup tools, and an up-to-date StorageGuard database export. A database export can be generated using the EXPDP or EXP Oracle commands.
- Once the upgrade on the master StorageGuard server is completed and the Tomcat service starts, StorageGuard will automatically check and upgrade the StorageGuard collectors. There is no manual collector upgrade process. For gradual collector upgrade, disable the collectors before initiating the upgrade on the master server, and gradually enable the collectors you wish to upgrade following the completion of the software upgrade on the master server.
To upgrade from version 9.0 to version 9.1:
- Log in as a local administrator to the master StorageGuard server.
- Run the ContinuitySuite_9.1.exe as an administrator.
- Click Next in the Welcome screen.
- Select “Yes, upgrade Continuity Suite 9.0 to 9.1”.
- Accept the License Agreement and click Next.
- Accept the GNU License Agreement and click Next.
- Select whether to perform a database export prior to upgrading and whether to start Tomcat after the upgrade completes and click Next. It is recommended to keep the default settings.
- Click Install to begin the Software Upgrade process. This process may require up to several hours to complete, depending on the size of the scanned environment.
- Click Finish.
[1] sudo or any other privilege management solution used to grant the required permissions, such as PowerBroker, UPM, sesudo, etc.