September 02, 2020
ONTAP 9.3 Security Enhancements
The internet touches pretty much every aspect of our lives these days, but typically we don't devote a whole lot of mind share to cybersecurity. So, without further ado, I'm going to give you, dear reader, a rundown of the security enhancements made in ONTAP 9.3.
First up, encryption. Specifically, data at rest encryption using NetApp Volume Encryption (NVE). First introduced with 9.1, NVE only supported the onboard key manager introduced in 9.0. With 9.3 however, NVE has reached parity support with the key managers supported for use with NetApp self-encrypting drives (NSE). As before, NVE and NSE can be used together; each unique XTS-AES-256 data encryption key is automatically stored in the key manager, and NetApp offers FIPS 140-2* compliant key management solutions.
Introducing multifactor authentication
Let's move over to access control for a moment and discuss the introduction of multifactor authentication (MFA) for web access to both System Manager and OnCommand Unified Manager, as well as in SSH for command line access. For the security conscious, implementing MFA is a great decision and helps protect against both brute force attacks and weak passwords. Web-based MFA is implemented via SAML using an identity provider and Active Directory. SSH, however, is actually 2FA: it does not require an identity provider and is only available for local admin accounts. The two factors here are SSH key exchange combined with username and password challenge/response.
Finally, for the compliance-minded out there, SnapLock gets three new features:
- Legal hold
- Event-based retention
- Volume append mode
Legal hold is used to hold files in a tamperproof state for an indefinite period for litigation purposes. It can be applied at the file, folder or volume level and prevents deletion or modification until the hold is removed.
Event-based retention helps customers reduce the risk of failing to protect records according to legal requirements. This is useful for protecting records that must be protected for a certain time period after an event occurs. This can be applied at both the file and directory level.
Volume append mode protects data in 256KB increments, on ingest, not just on close. Useful for protecting audio or video capture.
That wraps up the security updates to NetApp ONTAP 9.3; hopefully, you're a little more cybersecure having read it.
*FIPS 140-2, Level 1, currently under review.