IBM CONFIDENTIAL
Agenda
3/8/2012 1:28 PM
Security Hardening
Authentication
Authorization
Cloud / multi-tenancy
Encryption / Integrity
Auditing
Security Hardening
Apply best practices for secure configuration of Linux systems
Apply development and coding best practices for components developed by IBM
Apply test best practices for our own components as well as for whole SONAS product
Timely delivery of fixes (SONAS PTFs) to eliminate known security vulnerabilities
Authentication
Identify all internal and external users (SONAS administrator, SONAS NAS user, IBM service
personnel) and infrastructure components (backup server, replication peer) which access SONAS
Provide simple and reliable methods to verify the claimed identity of users and components
Easily integrate with the one or more authentication systems the customer already operates
Authorization
Grant or deny an already authenticated identity (e.g. SONAS user, SONAS admin, IBM service
personnel) access to resources (e.g. read a file stored on SONAS, execute a privileged command)
Encryption / Integrity
Protect data stored on SONAS, even if unauthorized persons get access to it
Detect unauthorized modification (tampering) of data
Auditing
Provide audit trail for all admin actions which change SONAS configuration
Provide audit trail for all access to files stored on SONAS
Provide audit trail for all security related events to detect internal and external attacks
Security enhancements delivered per release (rows are the categories from the agenda; only rows with entries are listed)

SONAS 1.2 - Security hardening
  Umask 077 in system profiles
  Further hardening of network settings
  Disallow root logon via modem
  Software currency (pick up security fixes)

SONAS 1.3 - Security hardening
  Banner message for admin access
  Password policies to enforce strong admin passwords
  Session policies to prevent systematic logon attacks
  Software currency (pick up security fixes)

SONAS 1.3.2 - Security hardening
  Disable unused NAS services
  Upload config files and download dumps as non-root user
  More password policies
  Disallow anonymous CIFS user/group lookup
  Harden file permissions
  Harden PAM configuration
  Software currency (pick up security fixes)

SONAS 2.0 - Security hardening
  Disable interactive root ssh and root scp over external network to SONAS
  More password policies
  More session policies
  Harden SSH settings
  Password to protect interactive sessions of GRUB boot loader
  Remove unneeded RPMs from ISO image
  Software currency (pick up security fixes)

Authentication
  Local authentication
  Netgroups in NIS for AD/SFU authentication
  Netgroups in NIS for LDAP authentication

Compliance
  Improve compliance to IBM ITCS 104
  Improve compliance to DIACAP

Authorization, Encryption / Integrity, Auditing, Multi-tenancy: no entries in these releases
Note: several security enhancements listed on the previous chart have been delivered on request by GTS to support ITCS 104 compliance of the public storage cloud (SCS) and compute cloud (SCE).
Agenda
Objective
Develop and maintain common understanding on current and potential future security
features of SONAS and related products
Consolidate all known customer requirements and align them to each other
Provide prioritization for the planning of future SONAS releases
(Diagram: Customer App, Regional Buffer, SONAS Staging Disk, SONAS Regional Buffer, CIFS clients)
Callouts on the chart:
1) Most SONAS opportunities are Shared NAS or Distributed NAS.
2) SONAS security capabilities for traditional NAS are behind the competition: elementary exposures, no auditing, no encryption, no ISV integration, and more.
4) Distributed NAS requires sophisticated encryption key management to protect data stored on the cloud.

File storage maturity

Maturity                    | Category                        | Example                      | Access method | Access control
Isolated (single tenant)    | Traditional NAS                 | NetApp, N series, V7000U     |               | ACLs
Consolidated (multi tenant) | Shared NAS                      | NetApp vFiler, Isilon, SONAS |               | ACLs, partitioning
Cloud (automated)           | Distributed NAS / Automated NAS |                              |               | ACLs, partitioning

Today we see a lot of pressure for federated authentication (e.g. support for multiple AD and/or LDAP) and partitioning, but we will lose more and more opportunities due to the lack of basic security features (Traditional NAS). We need to invest in traditional security and federated authentication / partitioning to catch up with the competition. An investment in sophisticated encryption key management might be a competitive advantage. This investment must include development of SONAS security features and ISV support.
Objective
Method to group and prioritize the about 90 security requirements and suggestions
What do we do in the next 1-2 years and what not
Security enhancements for authentication, multi-tenancy and ACLs are driven by other teams

Category                      | Description                                                  | Prio
Elementary security hardening |                                                              | High
Further security hardening    |                                                              | Medium
Minor security enhancements   | Minor effort; requested by customer and prioritized by brand | High
Major security enhancements   | Major effort; requested by customer and prioritized by brand | High
Further enhancements          |                                                              | Low

Do not lose sight of Elementary Exposures while catching up with major and minor customer requirements!
(Figure: IBM security maturity model with three levels)
Basic - Manual, Reactive: Organizations employ perimeter protection, which regulates access and feeds manual reporting.
Proficient - Proactive: Security is layered into the IT fabric and business operations.
Optimized - Automated, Predictive (security intelligence): Organizations use predictive and automated security analytics to drive toward security intelligence.
This approach of the IBM Security Strategy helps to prioritize within each category.
Description
Root access
It is a security best practice to disallow root logon on Unix-based appliances like SONAS. In addition, SONAS field support is out of control: SONAS and IFS customers can use root to issue native Linux commands that change the SONAS / IFS configuration, and root scp to replace any file or executable on a SONAS or IFS system. There is no audit trail of these actions.
Basic
Provide logging for all sudo tasks which are executed with root privilege (Committed for 1.3.2)
Provide non root scp to upload and download config and dump files (Committed for SONAS 1.3.2)
Disable interactive root ssh and interactive root scp over external network to SONAS (Committed for 2.0)
Disable all root ssh and root scp over external network to SONAS (Deferred due to dependency to async repl)
Disable direct root logon on physical attached console. Use sudo instead.
Disable password-less boot into single-user mode
Disable password-less start of interactive GRUB sessions (planned for 2.0)
Disallow boot from removable media
Proficient
Hardening of the sudo configuration
Disable all root ssh and root scp over SONAS internal networks
Enhanced Tamper Protection to allow only temporary root access for regular compliance
Linux hardening
There are plenty of best practices for secure configuration of Linux, e.g. IBM ITCS 104 and DISA DIACAP.
Basic
Improve compliance to IBM ITCS 104 Linux TechSpec (ongoing effort)
Improve compliance to DISA DIACAP RedHat STIG (ongoing effort)
Systematic assessment for passwords and certificates used and stored in SONAS (must include log, trace and dump files)
Regular regression test to search for world-writeable files (Committed for 1.3.1)
Regular regression test with IBM lssecfixes
Regular regression test with IBM Tonic
Regular regression test with DISA SSR
Proficient
Integrity check (e.g. checksum) for all configuration files, scripts and executables
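The Proficient item above, a checksum integrity check for configuration files, scripts and executables, as an added example that is not part of the original deck and not SONAS code. It builds a SHA-256 manifest of a tree at a known-good state and later verifies the tree against it, catching modified files and also files added after the manifest was taken (which `sha256sum --check` alone does not). Function names, paths and the demo tree are assumptions for the example.

```shell
#!/bin/sh
# Added example, not SONAS code: a SHA-256 manifest check for configuration
# files, scripts and executables. Function names and the demo tree are
# assumptions for this example.
export LC_ALL=C

# build_manifest <root> <manifest>
# Record the SHA-256 of every regular file below <root>. The manifest is
# written outside <root> so it is never listed in itself.
build_manifest() {
    root=$1
    out=$2
    ( cd "$root" && find . -type f -print0 | sort -z | xargs -0 -r sha256sum ) > "$out"
}

# verify_manifest <root> <manifest>
# Returns 0 only if every listed file is present with the recorded hash AND
# no file was added since the manifest was built. sha256sum --check only
# covers the listed files, so the file lists are compared as well.
verify_manifest() {
    root=$1
    manifest=$2
    rc=0
    ( cd "$root" && sha256sum --status --check "$manifest" ) || rc=1
    # sha256sum lines are "<64 hex chars><two spaces><path>"; cut keeps the path.
    expected=$(cut -c67- "$manifest" | sort)
    actual=$(cd "$root" && find . -type f -print | sort)
    [ "$expected" = "$actual" ] || rc=1
    return $rc
}

# Demo on a throwaway tree: intact -> "intact", after a change -> "tampered".
demo() {
    root=$(mktemp -d)
    manifest=$(mktemp)
    mkdir -p "$root/etc" "$root/bin"
    printf 'ldap_server = ldap.example.com\n' > "$root/etc/auth.conf"
    printf '#!/bin/sh\necho hello\n' > "$root/bin/hello.sh"
    build_manifest "$root" "$manifest"
    verify_manifest "$root" "$manifest" && echo "intact"
    printf 'echo pwned\n' >> "$root/bin/hello.sh"    # tamper with a script
    verify_manifest "$root" "$manifest" || echo "tampered"
    rm -rf "$root" "$manifest"
}
demo
```

The manifest is only as trustworthy as its own storage: keep it (or a signature over it) off the appliance or on read-only media, otherwise whoever can replace an executable as root can regenerate the manifest too.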
Hardening of HTTP/REST/CGI
Current SONAS hardening is focused on Linux hardening, because most current customers request compliance to security guidelines. Advancements such as IFS, WSS and the public storage cloud will deploy the SONAS software stack in less secure networks. A particular concern is the use of HTTP, REST and CGI for the SONAS WebGUI, SONAS NAS access, WSS and VAAI.
Basic
Improve compliance to IBM ITCS 104 Apache TechSpec
Improve compliance to DISA DIACAP Web Server STIG (detailed STIG to be determined)
Regular regression test with Rational AppScan
Proficient
Regular regression test with Rational AppScan Source
Adopt Secure Engineering (SE) practices, IBM Secure Engineering Framework (SEF), and Secure Engineering in Test (SEiT) (e.g. location of temp files, coding guidelines)
Description
Software currency
The MITRE Corporation maintains a list of standardized names for vulnerabilities and security exposures, the Common Vulnerabilities and Exposures (CVE). Customers demand that RHEL fixes for critical CVEs are available for SONAS in a timely manner, in particular more frequently than SONAS PTFs are shipped. This becomes even more critical with WSS and cloud offerings which are connected to public networks.
Basic
SONAS process for dealing with RedHat Security Advisories and patches (Committed for SONAS 1.3.1)
Regular regression test with Nessus and IBM ITCS 104 profile (Committed for SONAS 1.3.1)
Regular regression test with Retina and DISA DIACAP profile (Committed for SONAS 1.3.1)
Proficient
SLA for timely delivery of security fixes (e.g., IBM ITCS 104 requires 3 days for high, 7 days for medium, 30 days for low for Internet systems)
Closed appliance
Current SONAS is as open as a default Linux server. Several open doors need to be closed to move towards a closed appliance.
Basic
Disable direct root access (see previous chart)
First time install and first time configuration without root access
Removal of unneeded RPMs
Restrict GNOME user GUI on physical attached console
Root logon for IBM service personnel only
Proficient
Disable unneeded ports of internal switches
Description
Audit logging
There is high market pressure to support auditing of security-relevant events and configuration changes as well as auditing of file access. This is in particular required in markets with regulated workloads (e.g. health care, finance) and highly confidential data (e.g. US Government). Audit requirements include, but are not limited to:
Audit of file access for all NAS protocols
Audit of file access via internal paths (e.g. by IBM service personnel)
Audit of mount actions
Audit of changes in system time
Audit of executed SONAS CLI commands which change system configuration
Audit of other security relevant actions
Forwarding of audit records to external ISVs (e.g. IBM QRadar, Varonis)
Tamper-proof storing of audit records inside SONAS
Audit of internal logon, failed logon attempts and log-off events
Partitioning
NAS consolidation must support storage provisioning to a small set of tenants whilst the data of each tenant must be strongly isolated to prevent unauthorized access to other tenants' data. See the three AD + LDAP use cases in the authentication chart deck for further details.
USGv6
In December 2009 the US Government issued a Federal Acquisition Regulation (FAR) that requires US Government procurements to be USGv6 compliant
Category: Minor security enhancements
  (no description on this chart)
Category: Further enhancements
  No market pressure; right now there is no need to deliver in the next 2-3 years
  Check the charts in the backup section for a wealth of potential further security enhancements
Authentication enhancements, Multi-tenancy
  (listed on the chart without description)
Recommendation
1. Do not lose sight of elementary security features while catching up with major and minor security requirements
Pay more attention to addressing elementary security exposures
Often perceived as additional burden by development, test, field support team
Needs strong management support to make it happen
Close basic level of elementary exposures by end of 2013
The security team does not have the required component knowledge for hardening of some components
SONAS hardening is cross-component effort; needs committed resources beyond security team
Ramp up test resources for regular security regression test with a broad range of test tools
Establish task force to refine approach for hardening of SONAS software stack
Hardening of HTTP/REST/CGI requires skills which are rare (not available?) in current team
Need to build respective skill within SONAS development and test team
2. Develop strategy for ISV integration
What are the relevant (security) ISVs for instance of the health care industry?
What APIs are required to integrate with the identified ISVs?
What are the end-to-end use cases?
Creation of ISV ecosystem for industry verticals requires effort beyond security!
3. Market priority for major security enhancements seems to be:
1. Audit logging
2. Partitioning
3. USGv6
4. Concentrate near-term efforts (next 1-2 years) for major security enhancements on audit logging and
partitioning
Develop staged approach for audit logging
Provide a solution for partitioning with strong isolation for fewer than 10 tenants
Postpone support for USGv6
Potential Roadmap

Elementary security exposures
  2012: Improve closure of basic elementary security exposures
  2013: Closure of basic elementary security exposures
  2014: Improve closure of proficient elementary security exposures
  2015: Closure of proficient elementary security exposures
Audit logging
  GA stage 1, GA stage 2, GA stage 3 (staged across the 2012-2015 columns of the chart)
Partitioning
  TBD in each year (see authentication roadmap in PART III); 2014? or 2015?
USGv6
  2016

Pune security team needs support of other components to close all elementary security exposures.
Test team must be ramped up to enhance regression test for vulnerabilities.
Given the current security team size, the roadmap for audit logging is at high risk.
BACKUP
Contrasting Change in Storage

Block
Maturity                    | Example                    | Access method        | Access control
Isolated (single tenant)    | SCSI disk, SCSI tape drive | Direct attached SCSI | Physical cabling
Consolidated (multi tenant) | DS8000, TS3500             | Fibre Channel SAN    | FC zones, LUN masking, partitioning
Cloud (automated)           | TPC / TSAM workflows       | Fibre Channel SAN    | FC zones, LUN masking, partitioning

File (same as the file table above)
Maturity                    | Category                        | Example                      | Access method | Access control
Isolated (single tenant)    | Traditional NAS                 | NetApp, N series, V7000U     |               | ACLs
Consolidated (multi tenant) | Shared NAS                      | NetApp vFiler, Isilon, SONAS |               | ACLs, partitioning
Cloud (automated)           | Distributed NAS / Automated NAS |                              |               | ACLs, partitioning

Object
Maturity                    | Category                  | Example   | Access method         | Access control
Consolidated (multi tenant) | Local cloud storage       |           | Object via LAN (REST) | ACLs, partitioning
Cloud (automated)           | Traditional cloud storage | Amazon S3 | Object via WAN (REST) | ACLs, partitioning
Amazon Solutions

Company | Storage type | ISVs | Comment
Amazon  | Object       | 359  | Customer value add: Amazon integrates compute and storage resources
NetApp  | File         | 114  | All NetApp
IBM     | Block        | 12   |

Is this caused by block and file storage being too difficult to integrate, and by IBM not having object storage?
(Figure: IBM Security Framework maturity chart. Rows: Data, Applications, Infrastructure; columns: Basic, Proficient, Optimized, with a marker for SONAS between the Basic and Proficient columns.)
Capabilities shown on the chart, from the Optimized row down to Basic: Secure application development, Advanced network monitoring / forensics, Security Intelligence, Role based analytics, Identity governance, Privileged user controls, Identity management, Strong authentication, Passwords and user identities, Data governance, Fraud detection, Access monitoring, Application firewall, Data loss prevention, Source code scanning, Encryption, Vulnerability scanning, Access control, Secure systems, Asset management, Endpoint / network security management, Perimeter security, Anti-virus
(Figure: secure engineering lifecycle. Design Phase (Functional Spec) -> Development Phase (Develop) -> Deployment Phase (configure infrastructure for application policies; deploy applications into production; outsourcing / partner) -> Operational Phase (Manage, Monitor & Defend).)
(Figure: IBM Rational AppScan coverage across the software lifecycle CODE -> BUILD -> QA -> PRE-PROD -> PRODUCTION)
Security Requirements Definition: security requirements defined before design & implementation
CODE: AppScan Source - build security testing into the IDE
BUILD: AppScan Build - automate security / compliance testing in the build process
QA: AppScan Tester - security / compliance testing incorporated into testing & remediation workflows
PRE-PROD / PRODUCTION: AppScan Standard - security & compliance testing, oversight, control, policy, audits
AppScan Enterprise and AppScan onDemand span the later phases: outsourced testing for security audits & production site monitoring
(Chart: Retina Cat II findings per release, SONAS 1.2, 1.3, 1.3.1, 1.3.2, 2.0; scale 0 to 4)
Findings based on a Retina scan provided by the customer, run on Aug 2011 against SONAS 1.2 PTF 2
Need a new Retina scan to address vulnerabilities which have been reported after Aug 2011
Asked IBM Federal team but have not received an updated scan report so far
Planning to add Retina scans with DISA DIACAP profile to SONAS regression test
Remaining Retina Cat II findings need more details from the customer
IBM Federal team asked customer several times for details without receiving a response
Current position of the IBM Federal team is to reject the fix of these two findings
(Chart: RedHat Cat I findings per release, SONAS 1.2, 1.3, 1.3.1, 1.3.2, 2.0; series Total / Script / Exception; scale 0 to 9)
(Chart: RedHat Cat II findings per release, SONAS 1.2, 1.3, 1.3.1, 1.3.2, 2.0; series Total / Script / Exception; scale 0 to 140)
Elementary security exposures: line items (ID, plan, description)

ID 597, plan 1.3.2 stretch: SONAS field support is out of control, because SONAS and IFS customers can use root to issue native Linux commands to change the SONAS / IFS configuration. There is no audit trail of these actions. This LI provides an audit trail of root actions by friendly admins. Bad actions of attackers who bypass the sudo mechanism are not logged.
ID 461a, plan 1.3.2: SONAS field support is out of control, because SONAS and IFS customers can use root scp to replace any files and executables on a SONAS or IFS system. There is no audit trail of these replacements.
ID 533, plan 1.3.1: Pick up RHEL 6.1 security patches, Postgres 9.1.1 fix pack and RHEL kernel 2.6.32-131.18.1.el6
ID 623, plan 1.3.1: The MITRE Corporation maintains a list of standardized names for vulnerabilities and security exposures, the Common Vulnerabilities and Exposures (CVE). Customers demand that RHEL fixes for critical CVEs are available for SONAS in a timely manner, in particular more frequently than SONAS PTFs are shipped.
ID 624, plan 1.3.1: Nessus is an external scanning tool used by IBM with an IBM profile to test Linux systems for known vulnerabilities. Running Nessus regularly with a current profile helps find exposures before customers find them.
ID 430, plan Defer: It is a general security best practice to disallow incoming root ssh. Disabling all external root SSH to SONAS has been deferred because SONAS remote replication depends on ssh key based root ssh from the source SONAS to the target SONAS (see requirement 479 for details). It was decided to disable external root ssh once SONAS remote replication is fully replaced by Panache.
ID 613, plan 1.3.1 / 1.3.2 / 1.3.3 / 2.0 (staged): SONAS 1.3 produces a lot of internal files which are owned by root and are world-writable and/or world-executable. SONAS code must be changed to no longer create files with such permissions, and the permissions of files on SONAS systems in the field must be changed to no longer have such permissions. Requires staged delivery. Note: required to meet 581 DIACAP RHEL CAT I findings. Requesting 1.3.1 to support DIACAP.
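The regression test behind LI 613 (and the "umask 077 in system profiles" item of SONAS 1.2), as an added example that is not part of the original deck and not SONAS code: find files and directories that are writable by "other", remove that bit without touching anything else, and show why the umask is the preventive fix. The sample tree and function names are assumptions for the example.

```shell
#!/bin/sh
# Added example, not SONAS code: find and fix world-writable files and
# directories, and show the umask that stops a process from creating them
# in the first place. The test tree and function names are assumptions.
export LC_ALL=C

# find_world_writable <root>
# Print every regular file or directory below <root> whose "other" write bit
# is set. Directories with the sticky bit (/tmp style, mode 1777) are
# intentionally world-writable and are skipped; symlinks are skipped because
# the mode that matters is the target's. Run as root on a live system so
# unreadable directories are not silently missed.
find_world_writable() {
    find "$1" \( -type f -o -type d \) -perm -0002 \
         ! \( -type d -perm -1000 \) -print | sort
}

# fix_world_writable <root>
# Remove the "other" write bit from everything find_world_writable reports.
# chmod o-w (not a fixed mode) leaves owner/group, setuid and sticky bits alone.
fix_world_writable() {
    find_world_writable "$1" | while IFS= read -r path; do
        chmod o-w "$path"
    done
}

# new_file_mode <directory> <umask>
# Create a file under <umask> and print its octal mode: the default 022
# yields 644 files, 077 yields 600, which is why the system profiles set it.
new_file_mode() {
    f="$1/probe.$$"
    ( umask "$2" && : > "$f" )      # subshell so the umask does not leak
    stat -c %a "$f"
    rm -f "$f"
}

# Demo on a throwaway tree.
demo() {
    d=$(mktemp -d)
    touch "$d/config" && chmod 666 "$d/config"          # bad: world-writable file
    mkdir "$d/spool"  && chmod 777 "$d/spool"           # bad: world-writable dir
    mkdir "$d/tmp"    && chmod 1777 "$d/tmp"            # ok: sticky scratch dir
    touch "$d/script" && chmod 755 "$d/script"          # ok: world-executable, not writable
    echo "before:"; find_world_writable "$d"
    fix_world_writable "$d"
    echo "after:";  find_world_writable "$d"
    echo "mode with umask 022: $(new_file_mode "$d" 022)"
    echo "mode with umask 077: $(new_file_mode "$d" 077)"
    rm -rf "$d"
}
demo
```

Fixing permissions in the field only treats the symptom; the creating code path (or its umask) is what the staged delivery has to change, otherwise the next run recreates the exposure.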
DCR 74, plan 1.3.2: To reduce the risk of allowing external root ssh to SONAS, it was planned to disable all external password based root ssh in SONAS 1.3, but this was deferred to reduce execution risk. Ssh key based root ssh will still be allowed to support SONAS remote replication.
ID 10, plan 1.3.2: SONAS stores many system passwords (e.g. LDAP, AD, TSM). All passwords stored on SONAS must be encrypted and files which store passwords must have proper permissions. Passwords must not appear in clear text on CLI commands, GUI panels, in log or trace files, in dump files, or in the output of backupmanagementnode.
ID 11, plan 1.3.3: To further reduce the risk of allowing external root ssh to SONAS for remote replication, all CLI commands and all ssh keys will be removed which enable interactive root logon over an external network to SONAS. Ssh key based root ssh between two SONAS systems for remote replication is still allowed.
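The sshd side of the root access items above (the Basic list under "Root access", ID 430, DCR 74 and ID 11: no interactive root ssh or root scp over the external network, while the key-based root session for remote replication stays), as an added example that is not part of the original deck and not SONAS code. The check reads sshd_config the way sshd does (first occurrence wins, nothing after `Match` is global) and the second function prints the authorized_keys entry that pins the replication key to one peer and one command. The MaxAuthTries threshold, the forced command path and the sample configs are assumptions for the example.

```shell
#!/bin/sh
# Added example, not SONAS code: a regression check for the sshd settings
# that disable interactive root ssh/scp while keeping a confined, key-based
# root session for remote replication. Thresholds, paths and the sample
# configs are assumptions for this example.
export LC_ALL=C

# sshd_get <sshd_config> <directive>
# Print the effective global value of a directive as sshd resolves it:
# keywords are case-insensitive, comments are ignored, the FIRST occurrence
# wins, and anything after a Match line is conditional, not global.
sshd_get() {
    awk -v key="$2" '
        NF == 0 || $1 ~ /^#/        { next }
        tolower($1) == "match"      { exit }
        tolower($1) == tolower(key) { print $2; exit }
    ' "$1"
}

# check_sshd_config <sshd_config>
# Print one line per violation; return 1 if any, 0 if all checks pass.
check_sshd_config() {
    f=$1
    rc=0
    prl=$(sshd_get "$f" PermitRootLogin)
    case "$prl" in
        # forced-commands-only: root may log in only with a key that carries
        # command="..."; no shell, and plain scp as root is refused as well.
        no|forced-commands-only) ;;
        "") echo "PermitRootLogin unset: OpenSSH before 7.0 defaults to yes; set it explicitly"; rc=1 ;;
        *)  echo "PermitRootLogin $prl: interactive root login (and scp as root) allowed"; rc=1 ;;
    esac
    [ "$(sshd_get "$f" PermitEmptyPasswords)" != "yes" ] || { echo "PermitEmptyPasswords yes"; rc=1; }
    mat=$(sshd_get "$f" MaxAuthTries)
    if [ -z "$mat" ] || [ "$mat" -gt 4 ]; then     # 4 is this example's policy value
        echo "MaxAuthTries ${mat:-unset}: policy requires 4 or fewer attempts per connection"; rc=1
    fi
    # Match blocks can loosen any of the above for some addresses; review them by hand.
    return $rc
}

# replication_key_line <peer-address> <forced-command> <public-key>
# authorized_keys entry for the replication peer: usable only from that
# address, only runs the fixed receive command (so neither a shell nor scp
# is reachable through it), and gets no pty or forwarding.
replication_key_line() {
    printf 'from="%s",command="%s",no-pty,no-port-forwarding,no-agent-forwarding,no-X11-forwarding %s\n' "$1" "$2" "$3"
}

demo() {
    weak=$(mktemp); hard=$(mktemp)
    # Constructed sample configs for the demo.
    printf 'Protocol 2\nPermitRootLogin yes\n' > "$weak"
    printf '# hardened\nPermitRootLogin forced-commands-only\nPermitEmptyPasswords no\nMaxAuthTries 3\n' > "$hard"
    echo "weak:";     check_sshd_config "$weak" || echo "-> FAIL"
    echo "hardened:"; check_sshd_config "$hard" && echo "-> PASS"
    replication_key_line 192.0.2.10 /usr/local/sbin/sonas-repl-receive "ssh-rsa AAAAB3...EXAMPLE root@peer"
    rm -f "$weak" "$hard"
}
demo
```

With `PermitRootLogin forced-commands-only` the deferred item (ID 430) and the replication dependency no longer conflict: the replication key still works because it carries a forced command, and every other root key or password logon is refused.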
ID 12, plan 1.3.3: (no description on the chart)
ID 13, plan 1.3.3: We need an audit trail of all commands issued by the Enhanced user / Service user to have a complete log of all configuration changes applied to SONAS. Ulf needs to check with Steve Wallace whether such a log exists.
Elementary security exposures, continued (ID, plan, title, description)

ID 622, plan 2.0, CLI enhancements to troubleshoot auth issues: Today we need root access to (1) report group info, (2) report user UID to name mappings for all users, (3) report user UID to SID mappings for all users, (4) check how a user gets resolved, (5) check the external auth server (e.g. like wbinfo for AD), (6) detect/monitor issues with the external auth server (e.g. LDAP not reachable).
ID 618, plan 2.0: More and more customers assess SONAS to assure compliance to their security policies (= apply certain RHEL settings) and to check that RHEL patches for known CVEs are installed. Removing unneeded rpms reduces development and test effort for software which is installed on SONAS but not needed.
Plan 2.0: Enforce that all commands with root privilege are executed via sudo. This ensures that ill-intentioned admins cannot bypass the audit trail for root actions and thus completes LI 597 (audit trail for all sudo commands issued with root privilege).
Plan 2.0: IBM Rational AppScan is a tool to test web applications like the SONAS GUI for known vulnerabilities. Running AppScan regularly with a current profile helps find exposures before customers find them.
Plan 2.0: Tonic is an IBM developed tool to test compliance of a Linux system to IBM ITCS 104. Running Tonic regularly with a current profile helps find exposures before customers find them.
Plan 2.0: An attacker who exploits a vulnerability of the http server will gain immediate root access to SONAS when the web server for the GUI is running with root privilege.
Plan 2.0: An attacker who exploits a vulnerability of the http server will gain immediate root access to SONAS when the web server for SONAS NAS access is running with root privilege.
Plan 2.0: SONAS first time configuration requires root ssh to a SONAS system. So, when our customers touch SONAS the first time, we teach them that using root is a good idea. We want to get away from customers and testers using root.
Plan 2.0, DIACAP: It seems that Mozilla Firefox was started by the root user on SONAS systems in the field (RH CAT I finding of the JIEDDO program). We need to revisit our service procedures to avoid or at least reduce the use of root for standard service tasks.
Plan 2.0: Product Security Incident Response is a key element of the IBM Secure Engineering Framework (SEF). The IBM Product Security Incident Response Team (PSIRT) is responsible for providing the right level of responsiveness in the handling and reporting of security vulnerabilities that may affect IBM offerings. IBM defines a security vulnerability as a set of conditions in the design, implementation, operation or management of a product or service that is unable to prevent an attack by a party resulting in exploitations such as controlling or disrupting operation, compromising (i.e. deleting, altering or extracting) data or assuming ungranted trust or identity. (https://d01db034.pok.ibm.com/q_dir/qmx/swg/qh0dl.nsf/procnum/PROCESS-0186)
Plan 2.0: When files are written to an open directory, this is a potential security hole, as it is a common exploit. If a hacker gains access to the directory and knows or can predict a filename that is written to this directory, they could potentially gain root access. The test team scanned SONAS source code and found that writing directly to /tmp (rather than to a secure directory within /tmp) is widespread.
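The two source and dump scans the test team's findings call for (predictable names under /tmp in this item, and clear-text passwords in CLI output, logs, traces and dumps in ID 10), plus the remedy for the /tmp case, as an added example that is not part of the original deck and not SONAS code. The grep patterns, the directory layout and the sample files are assumptions for the example; a real scan will need its patterns tuned to the code base.

```shell
#!/bin/sh
# Added example, not SONAS code: two grep-based regression scans of the kind
# the test team ran (predictable file names under /tmp; passwords in clear
# text in logs, dumps or configs) plus the safe way to create scratch files.
# Patterns, paths and the sample tree are assumptions for this example.
export LC_ALL=C

# scan_predictable_tmp <source-root>
# Report shell source lines that use a fixed or guessable name under /tmp.
# Names built from $$ are still guessable (PIDs are small and sequential),
# so "/tmp/dump.$$" is flagged. Lines that get the name from mktemp are fine;
# comment lines are skipped.
scan_predictable_tmp() {
    grep -rnE --include='*.sh' '(^|[^[:alnum:]_])/tmp/[[:alnum:]_.$-]+' "$1" \
        | grep -vE 'mktemp' \
        | grep -vE '^[^:]*:[0-9]+:[[:space:]]*#' || true
}

# scan_cleartext_secrets <root>
# Report lines in logs, traces, dumps or configs that carry a value next to a
# password-like key. Values that are already masked (only '*') are ignored.
scan_cleartext_secrets() {
    grep -rniE '(passw(or)?d|passphrase|secret)[[:alnum:]_]*[[:space:]]*[=:][[:space:]]*[^[:space:]]+' "$1" \
        | grep -vE '[=:][[:space:]]*\*+([[:space:]]|$)' || true
}

# private_scratch_dir
# The remedy: let mktemp create a fresh mode-0700 directory atomically and put
# every scratch file inside it. An attacker can neither guess the name nor
# pre-create a symlink at it, which is what the /tmp race needs.
private_scratch_dir() {
    mktemp -d "${TMPDIR:-/tmp}/sonas-work.XXXXXX"
}

demo() {
    d=$(mktemp -d)
    mkdir "$d/src" "$d/dump"
    # Constructed sample files for the demo.
    printf '#!/bin/sh\ncat /proc/mounts > /tmp/mounts.$$\n' > "$d/src/bad.sh"
    printf '#!/bin/sh\nw=$(mktemp -d /tmp/work.XXXXXX)\ncat /proc/mounts > "$w/mounts"\n' > "$d/src/good.sh"
    printf 'ldap_bind_password=hunter2\ntsm_password=********\nhostname=mgmt001st001\n' > "$d/dump/config.txt"
    echo "predictable /tmp names:"; scan_predictable_tmp "$d/src"
    echo "clear-text secrets:";     scan_cleartext_secrets "$d/dump"
    w=$(private_scratch_dir); echo "scratch dir $w has mode $(stat -c %a "$w")"
    rm -rf "$d" "$w"
}
demo
```

Both scans are deliberately noisy rather than precise: in a regression suite a false positive costs a minute of review, a missed clear-text password or symlink race costs far more.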
Minor Security Enhancements (SONAS 2.0 or later). On the original chart, red marks features that are not committed.

ID 489b, plan 2.0, GTS/Cloud: Enhance the SONAS CLI to restrict management access to the SONAS CLI and SONAS GUI by accepting incoming connections from trusted IP addresses only and blocking connection requests from untrusted IP addresses.
ID 616, plan 2.0, DIACAP: An attacker can tamper with SONAS by booting an operating system from DVD and then manipulating SONAS configuration data on disk. SONAS must be enhanced to disallow booting from all removable media and to provide the capability to configure a BIOS password. Current SONAS requires boot from DVD for first time install, node recovery and upgrade from SONAS 1.2 to 1.3.
ID 596, plan 2.0, Multiple: System time may be tampered with to bypass the retention period of immutable files.
ID 625, plan 2.0, Multiple: Current white-list filtering does not catch internal logon / log-off events, because logging them would flood the SONAS event log: the SONAS management stack opens a new ssh session for each command which needs to be executed on a SONAS node, and access to the Postgres DB triggers a lot of su events.
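A white-list filter of the kind ID 625 describes, as an added example that is not part of the original deck and not SONAS code: it keeps what an auditor needs from sshd and su records (every failed logon, every logon from outside the internal management network, every logon by a non-root user) and drops the high-volume noise the management stack generates (root key logons from the internal network for each command, and su to postgres by root). The internal network range, the host name and the sample log lines are constructed assumptions for the example.

```shell
#!/bin/sh
# Added example, not SONAS code: an awk white-list filter for sshd/su records
# that keeps audit-relevant logons and drops management-stack noise. The
# internal network range, host names and sample lines are assumptions.
export LC_ALL=C

# filter_auth_events <logfile>
# Print the records that must reach the event log / external SIEM.
filter_auth_events() {
    awk '
        # Internal management network of this example; adjust for the real one.
        function internal(ip) { return ip ~ /^172\.31\./ }

        /sshd\[[0-9]+\]: Failed / { print; next }        # every failed logon is kept
        /sshd\[[0-9]+\]: Accepted / {
            user = $9; ip = $11                           # "Accepted <method> for <user> from <ip> port ..."
            if (user == "root" && internal(ip)) next      # per-command management-stack session: drop
            print; next
        }
        /su: .*session opened for user postgres by root/ { next }   # DB access noise: drop
        /session opened for user|session closed for user|Invalid user/ { print; next }
    ' "$1"
}

demo() {
    log=$(mktemp)
    # Constructed sample lines in the syslog format sshd and pam_unix use.
    cat > "$log" <<'EOF'
Mar  8 13:28:01 mgmt001st001 sshd[1234]: Accepted publickey for root from 172.31.132.2 port 40212 ssh2
Mar  8 13:28:02 mgmt001st001 sshd[1240]: Accepted password for admin from 10.0.0.5 port 51001 ssh2
Mar  8 13:28:03 mgmt001st001 sshd[1250]: Failed password for root from 203.0.113.9 port 33011 ssh2
Mar  8 13:28:04 mgmt001st001 su: pam_unix(su:session): session opened for user postgres by root(uid=0)
Mar  8 13:28:05 mgmt001st001 sshd[1260]: Accepted publickey for root from 203.0.113.9 port 33012 ssh2
Mar  8 13:28:06 mgmt001st001 sshd[1270]: Invalid user backup from 203.0.113.9
EOF
    filter_auth_events "$log"
    rm -f "$log"
}
demo
```

The filter drops the internal root sessions because they are the management stack's own, which also means a root key logon by an attacker who already sits on the internal network is dropped; keep the unfiltered syslog for forensics and treat this feed as the event-log view only.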
Security enhancements (ID, plan, title, description)

ID 299, plan 1.3.2: Basic immutability
Plan 2.0, HealthCare, GTS, multiple other: Capability to audit all file access via NAS protocols (e.g. NFS, CIFS) as well as direct access to GPFS, to support regular compliance and to detect unauthorized access to data stored on GPFS (e.g. bad admin action).
Plan 2.0, DoD: Address all DIACAP CAT II findings for the RedHat configuration. Some of the findings are difficult to address. This LI consolidates stage 1 of these high hanging fruits (HHF).
Plan Future, DoD: Address all DIACAP CAT II findings for the RedHat configuration. Some of the findings are difficult to address. This LI consolidates stage 2 of these high hanging fruits (HHF).
ID 295, plan Future, Password in AD and id mapping in LDAP, Multiple: Capability to store passwords of SONAS NAS users in AD and their id mapping in LDAP. All available options have major limitations and thus have been rejected by the DRT. Need to develop enabling technology to enhance Linux capabilities for authentication configuration.
ID 495, plan Future, Multiple: SONAS shall support multiple exclusive authentication and id mapping domains. The SONAS storage capacity can be divided into multiple partitions (e.g. GPFS file system, GPFS file set) and each partition can be associated with exactly one different AD or LDAP server.
ID 495, plan Future, Multiple: SONAS shall support multiple complementary authentication and ID mapping domains. The SONAS storage capacity will be associated with multiple different AD or LDAP servers. SONAS will provide rules like: look in AD No1 first; if no user is found, look in AD No2; if still not found, look in
ID 143 / 343, plan Future, USGv6, US Gov: In December 2009 the US Government issued a Federal Acquisition Regulation (FAR) that requires US Government procurements to be USGv6 compliant.
ID 600, plan Future: (no description on the chart)
Plan Future, Multi-tenancy / Cloud: One key inhibiting factor for adoption of public storage clouds is unauthorized access to customer confidential data. We could enable ACE / Panache to encrypt data before it is sent to a SONAS based storage cloud. Multiple customers could share data via the cloud by sharing the encryption keys. Integration into Tivoli Key Lifecycle Manager might be a plus.
Plan Future, Multiple: Tivoli offers a bunch of security products: TCIM, TSOM, TSPM, TAMOS, TSIEM. Tight integration of SONAS into the Tivoli product line could be a strong selling point for security sensitive customers.
Plan Future: This feature is available for GTS / Cloud only. It would be good to have this for all customers.
Plan Future, AD with SASL: AD with SASL is the preferred method to encrypt LDAP traffic between SONAS and AD. Some major non-SONAS customers are already using this.
Plan Future, CIFS signing: Requested by Citi
Security requirements identified by GTS which are not integrated in the roadmap for 2012 (ID, plan, title, description)

IDs 9a, 9b, 13, 16, 18: plan Future (descriptions not legible on the chart)
Plan Future: Current SONAS requires internal root ssh for GPFS and the SONAS management stack
Plan Future, Authentication of remote replication endpoints: Utilize a proper industry standard based mechanism to authenticate the endpoints of a data replication configuration.
Plan Future: Data sanitization
Plan Future: SELinux support
ID 402: Store audit records locally inside SONAS when the external audit logging server is not reachable
Further entries (ID, plan, title, description)

ID 467, plan Future: Provide additional control (e.g. SELinux) to prevent service personnel and root from touching data on GPFS. Access to data on GPFS can be enabled via a new CLI command.
Plan Future, Formal compliance: Certification to standards like Common Criteria (Level 4), FFIEC, HIPAA, PCI DSS, SOX, GLBA, Data Protection Act, 21 CFR Part 11, ISACA, Basel II, California Senate Bill 1386 (SB 1386)
Plan Future, FDE/Encrypted Filesystem
Plan Future: Requested by RedHat
Plan Reject, AD with LDAPS: SONAS connects to AD via Kerberos, CIFS/RPC, LDAP, CLDAP, NetBIOS and DNS. CBS requested to encrypt LDAP traffic by supporting LDAPS. This request has been rejected: https://fsccsvn.mainz.de.ibm.com/svn/fscc_internal/documents/design/Security/roadmap/Secure%20access%20to%20data%20stored%20in%20Windows%20Active%20Directory.pdf
Plan Future, Citi: A SONAS admin issues a command; a security officer needs to approve it before the command is executed.
Further entries (ID, plan, title, description)

Plan Future: Provide a capability to configure multiple SONAS systems with the same mapping scheme, if mapping is maintained inside SONAS and not on an external directory service.
Plan Future: Configure SONAS authentication and ID mapping on one reference SONAS system and push the configuration from there to multiple other SONAS systems, including Panache clients.
Plan Future: SONAS supports multiple ACL models: CIFS ACL, NFSv4 ACL, POSIX bits. Supporting all ACL models causes interoperability issues. We might support multiple ACL modes: (1) 100% CIFS ACL compliance, (2) 100% NFSv4 ACL compliance, (3) 100% POSIX compliance, (4) mixed support of all models on a best-can-do basis. NetApp has a similar capability.
Plan Future, Encrypt output of backupmanagementnode CLI command: The output may contain customer confidential configuration data (e.g. share names, machine names).
Plan Future: Check integrity of SONAS software (Linux scripts & executables, configuration files).
(Several further rows on the chart carry plan Future without a legible title or description.)
Conclusions / Recommendations (earlier version)
1. We need to improve our understanding of the NetApp security features and surrounding ISVs
Gain detailed understanding of NetApp security features
Gain detailed understanding of security ISV support for NetApp
Gain detailed understanding of customer security value for NetApp features + ISV ecosystem
There is limited knowledge inside SONAS development and eventually inside the whole storage development, but there is NetApp expertise available in
S&D (N series), GTS, GBS (?), SWG (?)
GMU countries (attrition from NetApp to IBM)
For each opportunity (e.g. BAE) understand how NetApp security features and NetApp ISVs support the customer requirement
Establish a task force, AoT study, etc. to fully understand
(a) the NetApp value network (= features + ISVs + use cases)
(b) how NetApp meets customer security requirements in current competitive SONAS opportunities
2.
3. We need to create and fund a security roadmap which delivers the security strategy for IBM file storage
The roadmap must include enhancements of the SONAS software stack and creation of an ISV ecosystem
We do not know the details of the roadmap today, but it is obvious that the delivery of a strong security roadmap
(1) might be a key success factor for IBM's future (file & block !!) storage revenue
(2) requires significant additional development funding for SONAS security
Remember: R&D funding for the security roadmap is constrained by the mechanics described in The Innovator's Dilemma!