Yaniv Valik

Best Practices for Setting Secure Configuration Baselines for your Storage & Backup Systems – Part2

  • December 17, 2024


In part 1 we discussed the security and compliance motivations for implementing a secure configuration baseline for Storage and Backup platforms. Now it’s time to explore what that process actually looks like and offer some insight into how to get started.

A Secure Configuration Baseline Process should have roughly four steps. 

Image 1: Secure Configuration Baseline Process 

The first step is to define the initial version of the secure configuration baseline for each of your storage and backup solutions. This requires assembling a team of Storage Security subject-matter experts (SMEs) for Block storage, NAS, Object, HCI and Backup. This team needs to work along two vectors:

  1. Engage with your InfoSec department to learn about goals, policies and required controls for core IT infrastructure – and specifically for Storage and Backup systems.
  2. Study Storage and Backup security. Understand the principles of securing the various storage technologies, review the vendors’ security configuration and hardening guides for the particular storage and backup systems you use, and review the guidelines outlined in industry standards for information systems and specifically for Storage and Backup.

Now your team can start writing a Secure Configuration Baseline for each Storage and Backup solution used by your organization. This includes the technical implementation guide. 

This set of documents needs to be updated periodically to deal with changes to InfoSec policies and controls, and to adapt to new vendor hardening instructions, security capabilities or limitations in the latest storage/backup product versions, new industry guidelines, etc.

The second step involves collecting up-to-date configurations and analyzing adherence to the baseline defined in step 1.

This can be done manually by an engineer, system by system. However, this doesn’t scale, and it is time-consuming and error-prone.

Another option is to automate the process – either by developing and maintaining in-house scripts, or by adopting a suitable commercial solution such as StorageGuard.

The configuration collection should be able to gather the security configuration of each of your storage and backup solutions, work for the different models and versions you use, and continue to work seamlessly as you deploy newer versions.  

The analysis of baseline adherence should produce detailed, actionable baseline violation findings, including remediation guidelines, evidence from the scanned systems, detection timestamps, severity, affected systems, etc.  

Image 2: StorageGuard Finding Example and Functionality

Ideally the finding lifecycle should be managed in such a way that a subsequent scan would close a previously detected baseline violation finding if it has been remediated.  

In addition, for an effective process you should be able to assign findings to an IT engineer for remediation with a due date, and to suppress certain findings while documenting the exception. Integrations with existing IT Service Management (ITSM) tools, such as ServiceNow, or vulnerability aggregators, such as Kenna, are recommended.

Overall, this step should be repeatable and executed daily, weekly or monthly, depending on your risk appetite.

In the third step, following the scan and analysis, findings are prioritized and assigned for remediation.

Including remedial steps (with the actual commands) in each finding helps to accelerate the resolution of baseline violations. During this step, the ability to re-scan and determine whether a finding has in fact been remediated is critical. Collecting statistics on open and resolved findings allows your team leads and managers to track resolution progress and ensure a return to baseline adherence.
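The adherence check and finding lifecycle described in steps 2 and 3, as an added example (not StorageGuard code): a small rule set is evaluated against collected configuration snapshots, each violation becomes a finding carrying severity, evidence and remediation guidance, and a later scan closes findings whose violation is no longer observed. The configuration key names, the rule thresholds (14-character minimum password length, 30-minute idle timeout) and the two system snapshots are constructed for this example.

```python
from dataclasses import dataclass

@dataclass
class Finding:
    system: str
    check: str
    severity: str
    evidence: str          # value observed on the scanned system
    remediation: str
    first_seen: str        # detection timestamp (ISO 8601)
    status: str = "open"   # "open" or "resolved"

# Rules: (check id, severity, evidence key, pass predicate, remediation). Keys are made up here.
BASELINE = [
    ("min_password_length", "medium", "min_password_length",
     lambda c: c.get("min_password_length", 0) >= 14, "Raise minimum password length to 14+"),
    ("idle_session_timeout", "medium", "idle_timeout_min",
     lambda c: 0 < c.get("idle_timeout_min", 0) <= 30, "Terminate idle sessions after <= 30 min"),
    ("nfs_root_squash", "high", "nfs_exports",
     lambda c: all(e["root_squash"] for e in c.get("nfs_exports", [])),
     "Enable root_squash on every NFS export"),
    ("smb_min_version", "high", "smb_min_version",
     lambda c: int(str(c.get("smb_min_version", "1")).split(".")[0]) >= 2,
     "Disable SMBv1; require SMB 2 or later"),
]

def scan(configs, findings, now):
    """Check each config against BASELINE; close findings no longer observed, open new ones."""
    for system, cfg in configs.items():
        for check, severity, key, passes, remediation in BASELINE:
            fid, current = (system, check), findings.get((system, check))
            if passes(cfg):
                if current and current.status == "open":
                    current.status = "resolved"
            elif not current or current.status != "open":  # new violation, or a regression
                findings[fid] = Finding(system, check, severity,
                                        f"{key}={cfg.get(key)!r}", remediation, now)
    return findings

def open_findings(findings):  # remediation order: high severity first, then system and check
    return sorted((f for f in findings.values() if f.status == "open"),
                  key=lambda f: ({"high": 0, "medium": 1, "low": 2}[f.severity], f.system, f.check))

# Constructed snapshots: day 1 as collected; day 2 after two items on nas-01 were remediated.
DAY1 = {"nas-01": {"min_password_length": 8, "idle_timeout_min": 0, "smb_min_version": "1.0",
                   "nfs_exports": [{"path": "/vol/home", "root_squash": True},
                                   {"path": "/vol/bkp", "root_squash": False}]},
        "san-01": {"min_password_length": 16, "idle_timeout_min": 15, "smb_min_version": "3.1.1"}}
DAY2 = {"san-01": DAY1["san-01"], "nas-01": {**DAY1["nas-01"], "min_password_length": 14,
        "nfs_exports": [{"path": p, "root_squash": True} for p in ("/vol/home", "/vol/bkp")]}}
```

Running `scan(DAY1, {}, ...)` opens four findings on nas-01 and none on san-01; a second `scan(DAY2, ...)` on the same store resolves the password-length and root-squash findings and leaves the idle-timeout and SMB findings open.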

Image 3: StorageGuard Finding Remediation

The fourth and final step is producing baseline compliance reports. These reports show which security principles and baseline checks passed and which failed.

For Infrastructure & Storage Managers, this should include statistics on open and resolved issues, trends over time, and status by vendor, product and technology.

Image 4: StorageGuard Pass/Fail Report 

For Engineers and InfoSec teams, this should include detailed check result information including outputs as evidence for compliance or non-compliance. 

Image 5: StorageGuard Compliance Report 

So, what needs to be included in a secure configuration baseline? The baseline defined in step 1 may include the following elements – and of course many other security control implementations:

General
– MFA
– Min Password Length
– Account Lockout
– Authorized Certificates
– Terminate Idle sessions
– Change Default Passwords
– Encrypted communications

Technology-specific (NAS, FC, Object, …)
– NFS share ACL
– NFS root squash
– SMB version
– Default SAN Zone
– Bucket Delete MFA
– Bucket versioning

Product-Specific (Dell, NetApp, Pure, Veritas, Rubrik, …)
– Dell DD Dual authorization
– Dell CR CyberSense
– Pure SafeMode
– ONTAP dynamic authorization

Role-Specific (Primary Storage, Backup Storage)
– Separate credentials
– Retention Lock settings
– Off-site copy

Image 6: StorageGuard Ready-Made Baseline Snippet 

One approach to establishing a secure configuration baseline for Storage and Backup platforms is Gradual Hardening.  

It can be rather overwhelming to attempt to implement all security controls at once. We therefore recommend doing it in multiple phases, each time taking on an additional group of security guidelines to further protect storage and backup systems.

For example, as an initial step you may want to change default passwords, disable telnet and check RBAC.  

In more advanced phases, consider looking into encrypted communications and backup immutability. 

Image 7: StorageGuard built-in gradual hardening baselines 

Implementing a secure configuration baseline for storage and backup systems is not a one-time task but a continuous process that evolves with emerging threats, changing IT landscapes, and organizational priorities.  

By following the four steps outlined in this guide – establishing the baseline, assessing adherence, monitoring remediation, and generating compliance evidence – you’ll create a repeatable framework that ensures the resilience of critical infrastructure.  

Leveraging automation tools and gradual hardening strategies can simplify this journey, making it manageable and scalable over time.  

The ultimate goal is to embed security and compliance into the DNA of your IT operations, protecting your organization’s most valuable data assets, while enabling operational continuity and trust. 
