PowerMax Cyber Security
Dell PowerMax Cybersecurity
November 2022
H19070.2
White Paper
Abstract
This document outlines enhanced safety and security features used in
Dell PowerMax arrays for cyber detection, protection, and resiliency.
Dell Technologies
Copyright
The information in this publication is provided as is. Dell Inc. makes no representations or warranties of any kind with respect
to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular
purpose.
Use, copying, and distribution of any software described in this publication requires an applicable software license.
Copyright © 2022 Dell Inc. or its subsidiaries. All Rights Reserved. Dell Technologies, Dell, EMC, Dell EMC and other
trademarks are trademarks of Dell Inc. or its subsidiaries. Intel, the Intel logo, the Intel Inside logo and Xeon are trademarks
of Intel Corporation in the U.S. and/or other countries. Other trademarks may be trademarks of their respective owners.
Published in the USA November 2022 H19070.2.
Dell Inc. believes the information in this document is accurate as of its publication date. The information is subject to change
without notice.
Contents
Executive summary
Cybersecurity with PowerMax
Hardware Root of Trust
Multi-factor authentication for SecurID
CloudIQ
Data at Rest Encryption
End-to-end efficient encryption
Role Based Access Control
Tamper-proof audit logs
Secure snaps
Snapshot policies
Cloud Mobility
PowerMax cyber vault
References

Executive summary
Introduction
Cybersecurity is a growing priority for organizations. With growing concerns, demands,
and regulations, along with evidence of increasing attacks from local and global forces,
the need to address evolving security requirements is obvious. Attackers continually
find new, creative techniques to infiltrate IT infrastructures and penetrate existing security
measures. In addition to external threats, there is also the potential for insider threats,
where the attacker already has access to the infrastructure.
These threats to organizations have negative economic consequences:
• A cyber or ransomware attack occurs every 11 seconds.¹
• 84 percent of IT leaders report data loss prevention is more challenging with a remote workforce.²
• More than 60 percent of companies have experienced a data compromise due to an exploited vulnerability.³
• The average cost of a cyber crime for an organization is $13M.⁴
• The total global impact of cyber crime is $6T.⁵
Financial cost is not the only loss incurred if a breach occurs. Loss of organizational
reputation can be even more costly because its impact can extend over many years. The
cost of a data breach can have lasting effects for organizations of all sizes and across all
industries.
Dell Technologies takes a comprehensive approach to cyber resiliency with a framework
that is designed to help organizations achieve their security objectives and requirements.
-------------------------------------------------
¹ Estimated for 2021, Cybersecurity Ventures: https://cybersecurityventures.com/cybercrimedamage-costs-10-trillion-by-2025/.
² Tessian, The State of DLP - Why DLP Has Failed and What the Future Looks Like, May 2020.
³ Forrester Consulting Thought Leadership Paper Commissioned by Dell, BIOS Security – The Next Frontier for Endpoint Protection, June 2019.
⁴ Accenture Insights, Ninth Annual Cost of Cybercrime Study, March 2019: https://www.accenture.com/us-en/insights/security/cost-cybercrime-study.
⁵ Estimated for 2021, Cybersecurity Ventures: https://cybersecurityventures.com/cybercrimedamage-costs-10-trillion-by-2025/.
The Dell cybersecurity framework aligns with the National Institute of Standards and
Technology (NIST) cybersecurity framework and consists of the following:
• Identify
• Protect
• Detect
• Respond
• Recover
Dell PowerMax offers various data services and solutions to safeguard sensitive and
mission-critical data.
Revisions
Date            Description
February 2022   Initial release
August 2022     Added:
                • Hardware Root of Trust
                • Multi-factor authentication for SecurID
                • Data reduction anomaly detection
                • Data at Rest Encryption for PowerMax 2500 and 8500
                • Mitigating ransomware attacks using snapshot policies
November 2022   Added: PowerMax cyber vault
We value your feedback
Dell Technologies and the authors of this document welcome your feedback on this
document. Contact the Dell Technologies team by email.
Author: Richard Pace
Note: For links to other documentation for this topic, see the PowerMax and VMAX Info Hub.
Cybersecurity with PowerMax
Dell follows a “shift-left” approach to security that ensures that security is baked into every
process in the development life cycle. The Dell Secure Development Lifecycle (SDL)
defines security controls based on industry standards that Dell product teams adopt while
developing new features and functionality. Dell SDL includes both analysis activities and
prescriptive proactive controls around key risk areas.
Dell strives to help our customers minimize risk associated with security vulnerabilities in
our products. Our goal is to provide customers with timely information, guidance, and
mitigation options to address vulnerabilities. The Dell Product Security Incident Response
Team (Dell PSIRT) is chartered and responsible for coordinating the response and
disclosure for all product vulnerabilities that are reported to Dell. Dell employs a rigorous
process to continually evaluate and improve our vulnerability response practices and
regularly benchmarks those practices against the rest of the industry. Dell has an
ingrained culture of security.
The following sections describe the various data services and solutions offered for Dell
PowerMax arrays to provide robust security if a cyber attack occurs.
Note: For more information about each topic, see References.
Hardware Root of Trust
Overview
PowerMax 2500/8500 arrays use an immutable, silicon-based Hardware Root of Trust
(HWRoT) to cryptographically affirm the integrity of BIOS and BMC firmware. This
HWRoT is based on one-time programmable, read-only public keys provisioned by Dell in
the factory to provide protection against malware tampering.
The BIOS boot process uses Intel Boot Guard technology, which verifies that the digital
signature of the cryptographic hash of the boot image matches the signature stored in
silicon by Dell in the factory. If Boot Guard successfully validates the signature, a chain of
trust procedure validates the rest of the BIOS firmware modules until control is handed off
to the operating system or hypervisor.
Each BIOS module contains a hash of the next module in the chain. The key modules in
the BIOS are the Initial Boot Block (IBB), Security (SEC), Pre-EFI Initialization (PEI),
Memory Reference Code (MRC), Driver Execution Environment (DXE), and Boot Device
Selection (BDS). If Intel Boot Guard authenticates the IBB, the IBB validates SEC+PEI
before handing control to it. SEC+PEI then validates PEI+MRC, which further validates
the DXE+BDS modules. Validation of the DXE+BDS modules results in control being
handed over to Unified Extensible Firmware Interface (UEFI) Secure Boot.
Rapid recovery to a trusted image is implemented on the PowerMax platform when
authentication fails. The rapid recovery is essential within the HWRoT implementation and
is automatically initiated by the BMC to guarantee maximum security and maintained
uptime.
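The hash chain and the fallback to a trusted image described above can be modelled in a short simulation. This is an added example, not code from the white paper or from Dell firmware: the module contents are constructed, SHA-256 is an assumed hash, `ANCHOR` stands in for the Boot Guard check of the IBB, and `Module`, `verify_chain`, `boot` and `tamper` are hypothetical names.

```python
import hashlib
import hmac
from dataclasses import dataclass, replace

# Stage order from the paragraph above. Module contents are constructed.
STAGES = ["IBB", "SEC+PEI", "PEI+MRC", "DXE+BDS"]


@dataclass(frozen=True)
class Module:
    name: str
    code: bytes
    next_hash: bytes  # SHA-256 of the next stage's image; empty for the last stage

    def image(self) -> bytes:
        # The embedded hash is part of the image, so editing it changes this
        # module's own digest and is caught one stage earlier.
        return self.name.encode() + b"\x00" + self.next_hash + self.code

    def digest(self) -> bytes:
        return hashlib.sha256(self.image()).digest()


def build_chain(codes):
    """Build the modules back to front so each embeds its successor's hash."""
    chain, next_hash = [], b""
    for name in reversed(STAGES):
        module = Module(name, codes[name], next_hash)
        chain.insert(0, module)
        next_hash = module.digest()
    return chain


def verify_chain(chain, anchor):
    """Walk the chain; return (ok, failed_stage, stages_allowed_to_run)."""
    expected, ran = anchor, []
    for module in chain:
        if not hmac.compare_digest(module.digest(), expected):
            return False, module.name, ran  # stop before handing over control
        ran.append(module.name)
        expected = module.next_hash
    return True, None, ran


def boot(active, recovery, anchor):
    """Boot the active image, falling back to the stored trusted image."""
    ok, failed, ran = verify_chain(active, anchor)
    if ok:
        return {"image": "active", "rejected": None, "ran": ran}
    ok, _, ran = verify_chain(recovery, anchor)
    if not ok:
        raise RuntimeError("no image passes verification")
    return {"image": "recovery", "rejected": failed, "ran": ran}


def tamper(chain, stage, rehash_parent=False):
    """Return a copy of the chain with one stage modified (constructed input)."""
    out = list(chain)
    i = STAGES.index(stage)
    out[i] = replace(out[i], code=out[i].code + b"<modified>")
    if rehash_parent and i > 0:
        # Also rewrite the parent's embedded hash so it matches the new image.
        out[i - 1] = replace(out[i - 1], next_hash=out[i].digest())
    return out


GOLDEN = build_chain({name: f"{name} firmware v1".encode() for name in STAGES})
# Assumption: a bare digest stands in for the Boot Guard signature check of
# the IBB against the key provisioned in silicon.
ANCHOR = GOLDEN[0].digest()

if __name__ == "__main__":
    print(boot(GOLDEN, GOLDEN, ANCHOR))
    print(verify_chain(tamper(GOLDEN, "DXE+BDS"), ANCHOR))
    print(verify_chain(tamper(GOLDEN, "DXE+BDS", rehash_parent=True), ANCHOR))
    print(boot(tamper(GOLDEN, "SEC+PEI"), GOLDEN, ANCHOR))
```

Rewriting a parent's embedded hash only moves the failure one stage closer to the anchor, which is why the first link has to be fixed in hardware.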
Secure Boot and Measured Boot
Secure Boot
Secure Boot represents an industry-wide standard for security in the preboot environment.
Computer system vendors, expansion card vendors, and operating system providers
collaborate on the specification to promote interoperability. Secure Boot is the process of
verifying that the image to be booted is exactly the image that is expected. It is used
during Hardware Root of Trust, firmware load, and firmware upgrade. Secure Boot also
extends through all the images that need to be booted, such as bootloaders, firmware, the
initial BIOS, and UEFI, all the way through the execution of the operating system image.
PowerMaxOS for PowerMax 2500/8500 supports industry standard UEFI Secure Boot,
which checks the cryptographic signatures of UEFI drivers, kernels and other code loaded
prior to the operating system running. UEFI Secure Boot prevents unsigned (untrusted)
UEFI device drivers or operating system kernels from being loaded, displays error
messages, and does not allow the device to function.
Measured Boot
Measured Boot is the process of storing hash values used for authentication during a
Secure Boot sequence. Values are stored in the boot log within a Trusted Computing
Group (TCG)-defined trusted platform module (TPM), public keys, and the various
signatures. The TPM values can be used through a token process by an upstream
operating system or applications to validate the expected execution of a Secure Boot
process.
PowerMaxOS for PowerMax 2500/8500 supports two versions of TPM:
• TPM 2.0 FIPS + Common Criteria + TCG certified
• TPM 2.0 China certified
The TPM can be used to perform public key cryptographic functions and compute hash
functions, and can generate, manage, and securely store keys.
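How an upstream verifier can use the stored measurements is easiest to see by replaying a boot log against the PCR values. This is an added example, not code from the white paper or a TPM API: `SimulatedTPM` is an in-memory stand-in, the components, PCR indices and reference values are constructed, and the signed quote that would carry the PCR values in a real deployment is omitted.

```python
import hashlib

PCR_COUNT = 24
PCR_INIT = bytes(32)  # a SHA-256 PCR starts as 32 zero bytes


def pcr_extend(pcr, measurement):
    """TPM extend operation: new PCR = SHA-256(old PCR || measurement)."""
    return hashlib.sha256(pcr + measurement).digest()


class SimulatedTPM:
    """In-memory stand-in for a TPM's SHA-256 PCR bank (hypothetical class)."""

    def __init__(self):
        self.pcrs = [PCR_INIT] * PCR_COUNT

    def extend(self, index, measurement):
        # A PCR can only be extended, never written directly, so its value
        # depends on every measurement and on their order.
        self.pcrs[index] = pcr_extend(self.pcrs[index], measurement)


def measured_boot(components, tpm):
    """Measure each component before it runs; return the boot event log."""
    log = []
    for index, name, blob in components:
        measurement = hashlib.sha256(blob).digest()
        tpm.extend(index, measurement)
        log.append((index, name, measurement))
    return log


def replay(log):
    """Recompute the PCR values that a given event log implies."""
    pcrs = [PCR_INIT] * PCR_COUNT
    for index, _name, measurement in log:
        pcrs[index] = pcr_extend(pcrs[index], measurement)
    return pcrs


def appraise(log, reported_pcrs, reference):
    """Return findings; an empty list means the boot matches the reference."""
    findings = []
    for index, (want, got) in enumerate(zip(replay(log), reported_pcrs)):
        if want != got:
            findings.append(f"PCR{index}: event log does not reproduce the TPM value")
    for _index, name, measurement in log:
        if reference.get(name) != measurement:
            findings.append(f"{name}: measurement differs from reference")
    return findings


# Constructed sample: (PCR index, component name, image bytes).
GOOD = [
    (0, "IBB", b"ibb v1"),
    (0, "SEC+PEI", b"sec+pei v1"),
    (0, "DXE+BDS", b"dxe+bds v1"),
    (4, "bootloader", b"loader v1"),
]
MODIFIED = [c if c[1] != "DXE+BDS" else (0, "DXE+BDS", b"dxe+bds v1 + change") for c in GOOD]
REFERENCE = {name: hashlib.sha256(blob).digest() for _, name, blob in GOOD}


def scenario(components, doctor_log=False):
    """Boot the components, optionally rewrite the log, and appraise the result."""
    tpm = SimulatedTPM()
    log = measured_boot(components, tpm)
    if doctor_log:
        # The log lives in ordinary memory and can be rewritten; the PCRs cannot.
        log = [(index, name, REFERENCE[name]) for index, name, _ in log]
    return appraise(log, tpm.pcrs, REFERENCE)


if __name__ == "__main__":
    print(scenario(GOOD))
    print(scenario(MODIFIED))
    print(scenario(MODIFIED, doctor_log=True))
```

A changed component shows up as a measurement mismatch when the log is honest, and as a PCR replay mismatch when the log has been rewritten to hide it.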
Secure firmware upgrade
PowerMax uses digital signatures on firmware updates for all components and
subcomponents to assure that only authentic firmware is running on the platform. Secure
firmware upgrade uses cryptographic authentication of digital signatures applied to the
firmware bootloader and images of the running firmware before running any update
process.
Enhanced firmware authentication is embedded within many third-party devices that
provide signature validation using their own Root of Trust mechanisms. This prevents a
compromised third-party update tool from being used to load malicious
firmware into, for example, a NIC or storage drive (bypassing the use of signed Dell
update packages). Many of the third-party PCIe and storage devices shipped with
PowerMax use a hardware Root of Trust to validate their respective firmware updates.
If any firmware in any device is suspected of malicious tampering, administrators can roll
back the platform firmware images to an earlier trusted version stored in PowerMax.
Multi-factor authentication for SecurID
Dell Unisphere for PowerMax uses authentication authority for multi-factor authentication
(MFA) with Dell SecurID. SecurID provides time-sensitive tokens that are combined with a
user password to verify identity during the authentication process.
Unisphere for PowerMax authenticates against SecurID Authentication Manager with the SecurID
token. If SecurID Authentication Manager validates the token, Unisphere for PowerMax
then authenticates against Local Directory, Windows Active Directory, or LDAP for two-factor authentication.
MFA with SecurID is supported on all PowerMax arrays using external management with
the following versions:
• SecurID Authentication Manager 8.5.0 OVA
• Unisphere 10
• Solutions Enabler 10
The following figure shows the settings for enabling MFA with SecurID.
Figure 1. Enabling MFA with SecurID
CloudIQ
Introduction
Dell CloudIQ is a cloud-based application that provides monitoring and troubleshooting for
PowerMax arrays. Each customer is provided with an independent, secure portal in which
users can register their PowerMax arrays and monitor their storage from a single portal.
This secure portal ensures that each customer will only be able to see arrays in their
environment.
Cybersecurity in CloudIQ
Cybersecurity in CloudIQ constantly compares the configuration of the PowerMax system
to a set of user-selected, security-related evaluation tests. Upon identifying a deviation
between the actual and desired configuration setting, CloudIQ proactively notifies users of
the violation and provides remediation steps to correct the issue. Based on NIST 800-53
R5 standards and Dell best practices, Cybersecurity in CloudIQ quickly and automatically
ensures that the storage infrastructure is secure, to comply with the industry’s best
practices.
Cybersecurity in CloudIQ can be set to provide proactive notifications to the user in the
event of an infrastructure security risk. The Security Advisories section of the
Cybersecurity feature in CloudIQ notifies users of relevant Dell and VMware Security
Advisories. Users quickly see a summary of vulnerabilities specific to their systems and
versions along with links to remediation details.
The following figure shows the Cybersecurity feature in CloudIQ.
Figure 2. Cybersecurity in CloudIQ
Anomaly detection
Latency anomaly
CloudIQ uses machine learning and predictive analytics to identify any anomalies.
• Performance metrics are compared with historical values to determine any deviation outside of normal ranges.
• Performance impacts are also analyzed to identify any increases in latency against other metrics, such as IOPS and bandwidth. The analysis is designed to determine if the latency increase is caused by workload characteristics or any other competing resource, and to identify the origin of the impact.
• Capacity anomaly detection uses hourly analysis of usage to identify any surges of capacity utilization.
The following figure shows an example of CloudIQ latency anomaly detection.
Figure 3. CloudIQ latency anomaly
Data reduction anomaly
Ransomware attacks typically encode user data using asymmetrical encryption.
Since encrypted data is nonreducible, PowerMax systems can use CloudIQ to monitor
and analyze data reduction data in near real time. Increases in the amount of unreducible
data can represent suspicious activity or a potential ransomware threat. Proactive alerts
can be set to notify users of the increased unreducible data that could represent data
being encrypted, which would provide early detection that could minimize exposure.
The following figure shows an example of CloudIQ data reduction anomaly detection.
Figure 4. CloudIQ data reduction anomaly detection
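The idea behind data reduction anomaly detection can be shown with a small detector that tracks the share of unreducible blocks per interval against a rolling baseline. This is an added example, not CloudIQ's algorithm, which the white paper does not describe: zlib as the reducer, the 5 percent saving cut-off, the window and the thresholds are all assumptions, and the workload is constructed.

```python
import hashlib
import statistics
import zlib

BLOCK_SIZE = 4096


def ciphertext_like(n, seed):
    """Deterministic high-entropy bytes standing in for encrypted data (constructed)."""
    out, counter = bytearray(), 0
    while len(out) < n:
        out += hashlib.sha256(seed + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:n])


def record_like(n, tag):
    """Repetitive structured bytes standing in for ordinary application data."""
    row = f"id={tag};status=ok;owner=app01;region=eu\n".encode()
    return (row * (n // len(row) + 1))[:n]


def is_unreducible(block, min_saving=0.05):
    """A block counts as unreducible if compression saves less than 5 percent."""
    return len(zlib.compress(block, 6)) > (1 - min_saving) * len(block)


def unreducible_fraction(blocks):
    return sum(is_unreducible(b) for b in blocks) / len(blocks)


def detect(series, window=6, min_jump=0.25, k=6.0):
    """Flag interval i when it exceeds the trailing median by max(min_jump, k*MAD).

    A relative baseline matters because some legitimate data (media files,
    already compressed archives) is unreducible too.
    """
    alerts = []
    for i in range(window, len(series)):
        baseline = series[i - window:i]
        median = statistics.median(baseline)
        mad = statistics.median(abs(x - median) for x in baseline)
        if series[i] - median > max(min_jump, k * mad):
            alerts.append(i)
    return alerts


def constructed_intervals():
    """Twelve intervals of 20 written blocks; encryption starts at interval 9."""
    counts = [2, 1, 3, 2, 2, 1, 2, 3, 2, 12, 18, 20]  # unreducible blocks per interval
    intervals = []
    for t, n_unreducible in enumerate(counts):
        blocks = [ciphertext_like(BLOCK_SIZE, f"{t}:{j}".encode()) for j in range(n_unreducible)]
        blocks += [record_like(BLOCK_SIZE, f"{t}:{j}") for j in range(20 - n_unreducible)]
        intervals.append(blocks)
    return intervals


def analyze(intervals):
    """Return (unreducible fraction per interval, indices of alerting intervals)."""
    series = [unreducible_fraction(blocks) for blocks in intervals]
    return series, detect(series)


if __name__ == "__main__":
    series, alerts = analyze(constructed_intervals())
    for i, value in enumerate(series):
        print(f"interval {i:2d}  unreducible={value:.2f}  {'ALERT' if i in alerts else ''}")
```

The first alerting interval is the earliest point at which written data stopped being reducible, which bounds the window in which clean copies have to be sought.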
Data at Rest Encryption
PowerMax 2000, PowerMax 8000, and VMAX
Dell Data at Rest Encryption (D@RE) provides hardware-based, on-array, back-end
encryption for PowerMax arrays. D@RE provides back-end encryption using IO modules
that incorporate 256-bit AES-XTS data encryption and is FIPS 140-2 validated. The IO
modules encrypt data as it is being written to the drives and decrypt the data as it is being
read. All configured drives in the array are encrypted, including data and spare drives,
using a unique Data Encryption Key (DEK).
D@RE can be deployed with either an embedded, set-it-and-forget-it key manager or with
external key management.
With embedded key management, D@RE is integrated with Dell Key Trust Platform
(KTP). Dell KTP establishes a pervasive and secure infrastructure for all key generation,
distribution, and management capabilities required for D@RE.
The following figure shows the embedded key management architecture.
Figure 5. Embedded key manager
External key management uses OASIS Key Management Interoperability Protocol
(KMIP). KMIP allows for separation of key management from PowerMax arrays. An
external key manager provides external centralized and consolidated key storage and
management and allows integration between PowerMax arrays and the existing key
management infrastructure.
The following figure shows the external key management architecture.
Figure 6. External key manager
PowerMax 2500 and 8500
D@RE for PowerMax 2500 and 8500 provides full on-array, back-end encryption using
Dell qualified, industry-standard self-encrypting drives (SEDs). SEDs are FIPS 140-2
validated and NVMe/TCG standard compliant. SEDs contain their own data encryption
keys (DEKs) that are managed internally within the drives. Because the keys on the SED
are self-managed, D@RE key management infrastructure generates and manages
authentication keys (AKs), which are used to unlock the drives for reads and writes.
D@RE incorporates Dell Key Trust Platform (KTP) for integrated, set-and-forget
embedded key management. Dell KTP establishes a pervasive and secure infrastructure
for all key generation, distribution, and management capabilities required for D@RE.
The following figure shows PowerMax 2500/8500 embedded key manager architecture.
Figure 7. Embedded D@RE architecture
D@RE can also be deployed with an external key manager using OASIS Key
Management Interoperability Protocol (KMIP). This provides external centralized key
storage and management that simplifies key generation and recovery management for
PowerMax and other KMIP-compatible encryption solutions.
The following figure shows PowerMax 2500/8500 external key manager architecture.
Figure 8. External key manager architecture
End-to-end efficient encryption
PowerMax 2000 and 8000
End-to-end efficient encryption combines Thales host encryption with PowerMax
2000/8000 back-end Data at Rest Encryption (D@RE) using industry-standard AES
encryption technology. End-to-end efficient encryption protects data while taking
advantage of PowerMax space-saving data reduction technology. Thales software
encrypts and decrypts data that is written from the application host to the PowerMax
array. PowerMax decrypts the data to process through the data reduction engine, and
D@RE re-encrypts the data. Encryption from the host is set on a volume level. Not all
volumes are required to participate. Encryption on the back end with D@RE encrypts all
data, regardless of whether it is set for efficient encryption.
PowerMax and Thales are integrated to provide an end-to-end encryption solution.
PowerMax uses its existing D@RE solution to provide back-end encryption. Thales
provides two external components for encryption at the application host:
• Data Security Manager (DSM)
  ▪ Provides centralized management of policies and keys
  ▪ Communicates with the KMIP communication protocol that resides on the PowerMax MMCS
  ▪ Is deployed either as a virtual or hardware-based appliance
• Vormetric Transparent Encryption (VTE)
  ▪ Host-based agent that encrypts user data before sending it to the array
  ▪ Coordinates with DSM for management of encryption keys
The following is a summary of the encryption process:
1. Thales VTE software encrypts data when written from the host application.
2. Encrypted data arrives at the PowerMax in system cache.
3. Data is decrypted using an additional installed I/O module.
4. The PowerMax array applies the data reduction process to the data.
5. The data is re-encrypted using back-end D@RE encryption before it is written to
storage.
The following figure shows the end-to-end encryption architecture.
Figure 9. End-to-end efficient encryption
Role Based Access Control
Role Based Access Control (RBAC) gives administrators the ability to restrict
management operations that users or groups of users can perform on PowerMax arrays.
RBAC consists of various roles that define the operations that can be performed. Users
can be assigned their own login and password with a single role or a combination of roles.
Each role can further be restricted to specific storage groups.
RBAC is a hierarchy of roles, and each role has specific privileges. For example:
• Administrator—Performs all operations.
• Storage Administrator—Performs all management operations. Cannot perform security operations.
• Security Administrator—Performs all security operations.
• Local Replication—Performs local replication operations involving snapshot creation. Device Manager is also required to restore a snapshot and only needed to link target devices. Secure snaps require Storage Administrator rights.
• Remote Replication—Performs SRDF operations involving device pairs. Creating, modifying, or deleting SRDF groups requires Storage Administrator rights.
• Device Manager—Performs control and configuration operations on devices. Storage Administrator rights are required to create, expand, or delete devices.
• Performance Monitor—Can set performance alerts and thresholds.
• Auditor—Grants the ability to view, but not modify, security settings. Minimum role to view audit logs.
• Monitor—Performs read-only operations excluding access to audit logs.
• None—Has no permissions.
The following figure shows the hierarchy of RBAC.
Figure 10. RBAC role hierarchy
Tamper-proof audit logs
Tamper-proof audit logs are secure historical system records of all actions and operations
performed on a PowerMax array. The secure logs are internal to the array itself and
include information such as configuration changes, service operations, and security-relevant actions. The logs cannot be tampered with, modified, edited, or deleted by any
user with any level of access.
Relevant information recorded in the audit logs includes:
• Time and date of operation
• Operation type and category
• User and user type
• Hostname
• Application
The audit logs have advanced filtering and search capabilities. Filtering and searching can
be done by specific timeframe as well as by the foregoing parameters to help determine
what operation was performed, where the operation came from, and by whom the
operation was performed.
Records can be expanded to show more detailed information and can be exported as a .log
file.
The following figure shows an example of an audit log filtered by username and a
searched action code of delete.
Figure 11. Tamper-proof audit log
Secure snaps
Dell TimeFinder SnapVX provides space-saving and efficient local replication in
PowerMax arrays. SnapVX snapshots are a pointer-based structure that preserves a
point-in-time view of a source volume. Snapshots provide the ability to manage consistent
point-in-time copies for storage groups and are created with a user-defined name and
optional expiration date (time-to-live), and without the use of a target volume. Host-accessible target volumes can be linked if a point-in-time snapshot needs to be accessed.
Writing to a linked target does not affect the point-in-time of the snapshot.
SnapVX snapshots can be set as secure snaps. Secure snaps are snapshots that cannot
be deleted, accidentally or intentionally. They are retained in resource-limited situations in
which conventional snapshots are placed in a failed state to release resources.
Secure snaps must be created with a time-to-live retention period. The snapshot cannot
be terminated before the retention time, and all termination attempts are rejected. When
the retention time is reached, the snapshot is terminated.
The retention period on a secure snap can be extended in situations where the snapshot
is needed longer than originally planned; however, reducing the retention time is not
allowed. A traditional snapshot can be converted to a secure snap, but a secure snap
cannot be converted to a traditional snapshot. All other SnapVX operations and rules
apply to secure snaps.
When implementing secure snaps, a user should determine how many snapshots on an
array must be secure. Users should consider using secure snaps only on certain critical
volumes, or only on a subset of the snapshots, to capture points in time that are critical to
the business, and should consider how long the secure snaps should be retained. As always, proper
planning and system sizing is crucial, no matter the types or number of snapshots that will
exist in an environment.
The following figure shows an example of creating secure snaps with a retention time of
five days.
Figure 12. Secure snap creation
Snapshot policies
Overview
Snapshot policies provide automated scheduling of SnapVX snapshots on PowerMax
arrays. Policies are customizable with rules that specify when to take snapshots, how
many to take, and how long to keep them. Compliance requirements can also be specified
to send alerts if the rules of a policy are not being met. Snapshot policies create and
retain snapshots according to the rules of each policy. Snapshot policies support up to
1,024 snapshots per source device and 65 million snapshots per PowerMax array.
Snapshot policies are applied to storage groups (SGs) to protect applications with
consistent regularly scheduled snapshots. Applications can be protected by multiple
policies with differing schedules and retention parameters, according to requirements. A
single policy can protect multiple applications. Manual snapshots are supported along with
snapshot policies to satisfy any on-demand requirements.
Parameters defined within each policy are as follows:
• Policy Name—One to 32 characters containing letters, numbers, dashes, and underscores
• Policy Type—Local or cloud
• Snapshot Type—Traditional or secure
• Recovery Point Objective—Interval or offset
• Snapshots to Keep—Timeframe or snapshot count
• Compliance Alerting—Based on snapshot count and scheduled interval
Note: All parameters are defined during creation and can be changed on active policies except for
Policy Type and Secure Snaps options.
The following figure shows an example of creating a snapshot policy.
Figure 13. Snapshot policy
Mitigating ransomware attacks using snapshot policies
SnapVX snapshots with snapshot policies allow for 1,024 snapshots per source device
and 65 million per PowerMax array. Users can take advantage of the frequency and large
snapshot scale in policy-driven snapshots to provide enhanced data resiliency.
Because secure snaps cannot be maliciously or accidentally deleted before any planned
expiration date, they can be used to preserve multiple point-in-time copies from which
data can be recovered if a malware or ransomware attack occurs. Snapshot policies can
be automated to take secure snaps with a high frequency and a short retention duration
for fine granularity, with a lower frequency and longer retention for added security, or a
mixture of both. If an attack occurs, the user can review the secure snaps to determine
which point in time has the most relevant and up-to-date copy of data without malware
impact. When the precise point in time is identified, restoring critical data can be done
almost instantaneously by bringing application data back to the original state before any
attack.
Secure snaps also provide an additional layer of security in the case of multiple attacks
and can be used for forensic work to help determine what happened during the attack and
when it originally occurred. With the lower frequency and longer retention period, secure
snaps can be used to validate data and data change rate to help identify any suspicious
activity.
Traditional snapshots can be set with a scheduling frequency rate and retention policy
that works best for the organization. These snapshots can be used for daily business
continuity, such as development, operations, and data analytics. They can also assist in
any forensic analysis and can be compared against secure snaps to help determine what
changed and when the change began. Unlike secure snaps, traditional snapshots can be
deleted or fail in array resource constraint situations. However, the data on an existing
snapshot cannot be changed and could be used for additional recovery options.
Both secure and traditional snaps are powerful tools that can be used to help protect and
restore data rapidly, to minimize any impact of a malware or ransomware attack. The
large scalability of snapshots can be easily managed using snapshot policies for
scheduling frequency and retention time duration to fit any size organization.
The following list is an operational example of the frequency, retention, and scale out of
the value of SnapVX secure snaps. The numbers are based on an average of 5,000
production volumes in a PowerMax array.
• Secure snaps every 10 minutes with a 48-hour retention
  ▪ 288 per volume point-in-time copies
  ▪ Fine-grain protection and recovery
• Secure snaps every 60 minutes with a 7-day retention
  ▪ 168 per volume point-in-time copies
  ▪ Extended protection and data validation
Total = 2,040,000 secure point-in-time copies
Figure 14. Frequency, retention, and scale out of secure snaps
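The two schedules above, the secure snap retention rules, and the choice of a recovery point can be put together in one model. This is an added example, not PowerMax or Unisphere code: `Snapshot`, `Policy`, `held_at` and `recovery_point` are hypothetical names, the dates are constructed, and the model covers a single volume.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta


class RetentionError(Exception):
    """Raised when an operation would weaken a secure snap."""


@dataclass
class Snapshot:
    name: str
    taken: datetime
    expires: datetime
    secure: bool = False

    def terminate(self, now):
        if self.secure and now < self.expires:
            raise RetentionError(f"{self.name}: retention time not reached")
        return True

    def set_expiry(self, expires):
        # Extending is allowed; reducing the retention of a secure snap is not.
        if self.secure and expires < self.expires:
            raise RetentionError(f"{self.name}: retention cannot be reduced")
        self.expires = expires

    def set_secure(self, secure):
        # Traditional to secure is allowed; the reverse is not.
        if self.secure and not secure:
            raise RetentionError(f"{self.name}: cannot convert to traditional")
        self.secure = secure


@dataclass(frozen=True)
class Policy:
    name: str
    interval: timedelta
    retention: timedelta
    secure: bool = True


def held_at(policy, start, now):
    """Snapshots of one volume still retained at `now` for a policy begun at `start`."""
    held, taken = [], start
    while taken <= now:
        expires = taken + policy.retention
        if expires > now:  # older ones reached their retention time and were terminated
            held.append(Snapshot(f"{policy.name}-{taken:%m%dT%H%M}", taken, expires, policy.secure))
        taken += policy.interval
    return held


def recovery_point(snapshots, first_malicious_write):
    """Newest retained snapshot taken strictly before the first malicious write."""
    clean = [s for s in snapshots if s.taken < first_malicious_write]
    return max(clean, key=lambda s: s.taken, default=None)


# Constructed timeline: both policies have been running for ten days.
START = datetime(2022, 11, 1)
NOW = START + timedelta(days=10)
FINE = Policy("fine", timedelta(minutes=10), timedelta(hours=48))
COARSE = Policy("coarse", timedelta(minutes=60), timedelta(days=7))

if __name__ == "__main__":
    snaps = held_at(FINE, START, NOW) + held_at(COARSE, START, NOW)
    print(len(snaps), "secure snaps held for this volume")
    print(recovery_point(snaps, NOW - timedelta(hours=3, minutes=5)))
    print(recovery_point(snaps, NOW - timedelta(days=3)))
```

When the first malicious write is older than 48 hours, every 10-minute snap that predates it has already expired, so the recovery point comes from the hourly policy; that is the case for running both schedules.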
Cloud Mobility
Cloud Mobility for Dell PowerMax offers secure, seamless, and transparent movement of
application data from on-premises to the cloud. Data movement uses SnapVX snapshots
for snapshot shipping to a public or private cloud. Cloud snapshots can be taken on-demand or with automated scheduling using snapshot policies.
Supported public and private cloud providers are:
• Dell ECS
• Dell PowerScale OneFS S3
• Amazon S3 (AWS)
• Microsoft Azure
Data that is moved to the cloud can be recovered back to the source PowerMax array.
Cloud data can be made available to an AWS system for secondary processing, analytics,
reporting, or test/development.
Cloud Mobility offers the following benefits:
• Array capacity usage reduction
• Data repurposing: Data analytics, reporting
• Space-efficient snapshot shipping: Full initial copy and differential updates
• Cloud-system-independent compression and encryption
• Separation from PowerMax data services
• In-flight and Data at Rest Encryption (on cloud provider)
The following figure shows an example of the Cloud Mobility Dashboard.
Figure 15. Cloud Mobility dashboard
PowerMax cyber vault
PowerMax cyber vault (cyber-vault) offers a simplified orchestrated cyber recovery
solution that is built using SRDF and snapshot technologies.
The basic cyber-vault operating model connects production and secondary PowerMax
arrays. The secondary array, which is an isolated PowerMax storage array, is known as
the vault. The connection between the arrays is closed, creating an operational air gap,
and removing access to the vault array devices.
PowerMax cyber vault provides a secure copy of production data in the vault based on a
policy. The air gap is opened periodically to push production snapshots to the vault using
SRDF's adaptive copy mode. An immutable secure copy with a retention lock is created.
The air gap is closed when the secure snapshot copy is taken on the vault. The snapshot
pushes from the production system to the vault are incremental.
If there is a cyberattack at the production site, secure copies at the vault site are used to
recover the data or can be used directly from the vault. The vault maintains multiple
copies of the production data based on the policy.
The cyber vault solution features include:
• Automated setup and provisioning
• Support for up to 16 storage groups
• Support for two to eight vault copies per storage group
• Vault copies that are secured using retention locks
  ▪ The retention lock period is based on the maximum number of vault copies. If the maximum number of vault copies is set to 5 and the frequency is set to 1, the retention lock period is five days.
• An easy to install Python software package
• Autopilot mode
  ▪ Runs after the first replication, or sync, of data. Based on time of day, autopilot mode opens the air gap, creates the vault copy, then closes the air gap.
• Alerting using email messages
The cyber-vault suite is installed and configured on an external vault host, which can be a
server or virtual machine (VM). It has access to Dell Unisphere on the vault site and the
production site. The cyber-vault suite uses a REST API to communicate with Unisphere
for all automation by using a policy managed by the cyber-vault configuration file.
Unisphere can be configured as either embedded Unisphere or as external Unisphere.
Note: The cyber-vault solution is for FBA devices only.
The following figure shows the PowerMax cyber vault solution architecture.
Figure 16. PowerMax cyber vault architecture
References
The following Dell Technologies documentation provides information related to this
document. Access to these resources depends on your login credentials. If you do not
have access to a document, contact your Dell Technologies representative.
• PowerMax and VMAX Info Hub
• Dell PowerMax: Family Overview
• Dell PowerMax: Reliability, Availability, and Serviceability
• Dell PowerMax Security Configuration Guide
• Dell CloudIQ: A Detailed Review
• Dell PowerMax and VMAX All Flash: Data at Rest Encryption
• Dell PowerMax: End-to-End Efficient Encryption
• Dell PowerMax and VMAX All Flash: TimeFinder SnapVX Local Replication
• Dell PowerMax 2500 and 8500: TimeFinder SnapVX Snapshots and Clones
• Dell PowerMax and VMAX All Flash: Snapshot Policies
• Cloud Mobility for Dell PowerMax