StorageGuard - by Continuity™ - is the ONLY Security Posture Management solution for Storage & Backups, helping to ensure these systems are securely configured, and compliant with industry & security standards.
In part 1 we discussed the security and compliance motivations for implementing a secure configuration baseline for Storage and Backup platforms. And now it’s time to explore what exactly that process looks like and provide some insight as to how to get started.
A Secure Configuration Baseline Process should have roughly four steps.
Image 1: Secure Configuration Baseline Process
As a starting point, you need to define the first version of the secure configuration baseline for each of your organization's storage and backup solutions. This requires assembling a team of Storage Security SMEs for Block storage, NAS, Object, HCI and Backup. This team would need to work in two vectors:
Now your team can start writing a Secure Configuration Baseline for each Storage and Backup solution used by your organization. This includes the technical implementation guide.
This set of documents needs to be updated periodically to reflect changes to InfoSec policies and controls, and to adapt to new vendor hardening instructions, security capabilities or limitations in the latest storage/backup product versions, new industry guidelines, etc.
This step involves collecting up-to-date configurations & analyzing adherence to the baseline defined in step 1.
This can be done manually by an engineer, system by system. However, this approach does not scale well, and it is time-consuming and error-prone.
Another option is to automate the process – either by developing and maintaining in-house scripts, or by adopting a suitable commercial solution such as StorageGuard.
The configuration collection should be able to gather the security configuration of each of your storage and backup solutions, work for the different models and versions you use, and continue to work seamlessly as you deploy newer versions.
The analysis of baseline adherence should produce detailed, actionable baseline violation findings, including remediation guidelines, evidence from the scanned systems, detection timestamps, severity, affected systems, etc.
Image 2: StorageGuard Finding Example and Functionality
Ideally the finding lifecycle should be managed in such a way that a subsequent scan would close a previously detected baseline violation finding if it has been remediated.
In addition, for an effective process you should be able to assign findings to an IT engineer for remediation with a due date, and to suppress certain findings while documenting the exception. Integrations with existing IT Service Management (ITSM) tools like ServiceNow, or vulnerability aggregators like Kenna, are recommended.
Overall, this step should ideally be repeatable and executed daily, weekly or monthly based on your risk appetite.
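The scan-and-analyze step described above, including the finding lifecycle (a re-scan closes remediated findings, a documented exception suppresses them), as an added example that is not StorageGuard code and not from the original article. The config key names, the SMB threshold, the system names and the two sample scans are assumptions constructed for illustration.

```python
from datetime import datetime, timezone

# (check id, config key, compliance predicate, severity, remediation guideline).
# Controls come from the article's baseline table; key names and thresholds are assumptions.
BASELINE = [
    ("NFS-ROOT-SQUASH", "nfs_root_squash", lambda v: v is True, "high",
     "Enable root squash on every NFS export"),
    ("TELNET-DISABLED", "telnet_enabled", lambda v: v is False, "high",
     "Disable the telnet service"),
    ("SMB-MIN-VERSION", "smb_min_version", lambda v: isinstance(v, int) and v >= 3, "medium",
     "Raise the minimum SMB protocol version to 3"),
]

def scan(configs, findings, now, exceptions=None):
    """Evaluate collected configs against BASELINE, updating finding lifecycle in place."""
    exceptions = exceptions or {}
    for system, cfg in configs.items():
        for check_id, key, compliant, severity, fix in BASELINE:
            fkey, value = (system, check_id), cfg.get(key)  # missing setting -> None -> violation
            current = findings.get(fkey)
            if compliant(value):
                if current is not None:
                    current["status"] = "resolved"          # re-scan closes a remediated finding
                continue
            if current is None or current["status"] == "resolved":  # new violation or regression
                current = findings[fkey] = {"system": system, "check": check_id,
                                            "severity": severity, "remediation": fix,
                                            "detected_at": now}
            current["evidence"] = f"{key}={value!r}"        # latest observed value
            current["exception"] = exceptions.get(fkey, "")
            current["status"] = "suppressed" if current["exception"] else "open"
    return findings

# Constructed sample data: two weekly collections from two hypothetical systems.
SCAN_1 = {"nas-01": {"nfs_root_squash": False, "telnet_enabled": True, "smb_min_version": 3},
          "backup-01": {"nfs_root_squash": True, "smb_min_version": 1}}
SCAN_2 = {"nas-01": {"nfs_root_squash": True, "telnet_enabled": True, "smb_min_version": 3},
          "backup-01": {"nfs_root_squash": True, "telnet_enabled": False, "smb_min_version": 1}}

def demo():
    findings = {}
    scan(SCAN_1, findings, datetime(2024, 1, 1, tzinfo=timezone.utc))
    scan(SCAN_2, findings, datetime(2024, 1, 8, tzinfo=timezone.utc),
         exceptions={("backup-01", "SMB-MIN-VERSION"): "Legacy client; exception documented"})
    return findings
```

A setting that is absent from the collected configuration is reported as a violation rather than silently passed, so a collector that stops returning a value shows up as a finding.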
Following the scan and analysis, findings are prioritized and assigned for remediation.
The inclusion of remedial steps (including commands) within each finding helps to accelerate the resolution of baseline violations. During this step, the ability to re-scan and determine if a finding has in fact been remediated is critical. Collecting statistics on open and resolved findings allows your team leads and managers to track resolution progress and ensure the return to baseline adherence.
Image 3: StorageGuard Finding Remediation
Finally, you’d like to be able to produce baseline compliance reports. These reports include information about passed and failed security principles and baseline checks.
For Infrastructure & Storage Managers, this should include statistics on open and resolved issues, trending, status by vendor, product and technology.
Image 4: StorageGuard Pass/Fail Report
For Engineers and InfoSec teams, this should include detailed check result information including outputs as evidence for compliance or non-compliance.
Image 5: StorageGuard Compliance Report
So, what needs to be included in a secure configuration baseline? The baseline defined in step 1 may include the following elements – and of course many other security control implementations:
| Category | Example controls | Example controls (continued) |
|---|---|---|
| General | MFA; Min Password Length; Account Lockout; Authorized Certificates | Terminate Idle sessions; Change Default Passwords; Encrypted communications |
| Technology-specific (NAS, FC, Object, …) | NFS share ACL; NFS root squash; SMB version; Default SAN Zone | NFS root squash; Bucket Delete MFA; Bucket versioning |
| Product-Specific (Dell, NetApp, Pure, Veritas, Rubrik, …) | DD Dual authorization; Dell CR Cyber Sense | Pure SafeMode; ONTAP dynamic authorization |
| Role-Specific (Primary Storage, Backup Storage) | Separate credentials; Retention Lock settings | Off-site copy |
Image 6: StorageGuard Ready-Made Baseline Snippet
One approach to establishing a secure configuration baseline for Storage and Backup platforms is Gradual Hardening.
It can be rather overwhelming to attempt to implement all security controls at once. Thus, we recommend doing it in multiple phases, each time taking on a group of additional security guidelines to further protect storage and backup systems.
For example, as an initial step you may want to change default passwords, disable telnet and check RBAC.
In more advanced phases, consider looking into encrypted communications and backup immutability.
Image 7: StorageGuard built-in gradual hardening baselines
Implementing a secure configuration baseline for storage and backup systems is not a one-time task but a continuous process that evolves with emerging threats, changing IT landscapes, and organizational priorities.
By following the four steps outlined in this guide – establishing the baseline, assessing adherence, monitoring remediation, and generating compliance evidence – you’ll create a repeatable framework that ensures the resilience of critical infrastructure.
Leveraging automation tools and gradual hardening strategies can simplify this journey, making it manageable and scalable over time.
The ultimate goal is to embed security and compliance into the DNA of your IT operations, protecting your organization’s most valuable data assets, while enabling operational continuity and trust.
It’s time to automate the secure configuration of your storage & backup systems.