A guest post by Jodey Hogeland
Why did the Cyber criminal get away? Because he ransomware! That joke makes me laugh every time but in the case of real world enterprise IT infrastructure, cyber defense is no laughing matter.
In my role as an engineering technologist / evangelist at Dell Technologies I have the privilege of meeting with customers and prospective customers on a daily basis. Day after day, there is one question that has consistently risen to the top of PowerStore conversations: “Tell me about the security capabilities of PowerStore.” That is the focus of this brief article: to give you insight into the security aspects of PowerStore and Dell’s industry-leading focus on security, cyber defense, and zero trust architecture.
In the Beginning
From the very first day that PowerStore hit the street (May 5th, 2020) there were significant security capabilities.
- Full data path and data at rest encryption using array-based key management
- FIPS 140-2 Level 2 certified Self Encrypting Drives (SEDs)
- Immutable snapshots (see my post here for more details)
- NAS IP based multi-tenancy / network isolation segmentation
- REST API SSL
- Secure NFS / Kerberos
- User Authentication / RBAC User Role Authorization
After the initial 1.0 rollout, PowerStore began a rapid feature acceleration ramp that brought additional security features and overall capabilities.
Modern Security Approach
As of this article, the current shipping version of PowerStore OS is version 3.2. From version 1.0 to version 3.0 there have been literally hundreds of new features and capabilities – several of which are security centric.
In a recent article titled “Protect Your Systems and Data with Dell Technologies“, Wei Chen, Andrew Sirpis, and Louie Sasa frame out the key characteristics of how PowerStore protects data for customers.
The first of these concepts focuses on PowerStore’s physical protection layer and incorporates array-based Data at Rest Encryption (D@RE), the use of FIPS-certified devices like SEDs and NVRAM modules, and both internal and external Key Management Interoperability Protocol (KMIP) key managers.
Protected access encapsulates access control and logging capabilities. These include technologies like LDAP/LDAPS access policies, audit logging, SSH, TLS, IPsec, and secure HTTPS. You can also customize PowerStore’s login banner and leverage third-party certificate support, VLAN segmentation, IPv6 and Secure Connect Gateway.
Ransomware and virus protection is a must for today’s enterprise environments. PowerStore provides customers with:
- Read-only immutable snapshots
- Remote replication (async and metro)
- NAS File Level Retention (FLR) for compliance
- Common Event Publishing Agent (CEPA) enables SMB and NFS file and directory notifications. This can assist with ransomware protection and file manipulation.
- Common Anti-Virus Agent (CAVA) which provides AV protection for SMB clients by providing third-party AV software integration at the NAS server level
- Secure NFS (Kerberos)
- SMB3 in-flight encryption
- iSCSI CHAP
- Dynamic Resiliency Engine – protects the integrity of data and provides resiliency within a PowerStore appliance
The strategy around protected software leans heavily on Dell’s CloudIQ integration, which I wrote about here. Dell’s CloudIQ not only brings advanced AIOps proactive monitoring, it enables customers to detect anomalies in performance/capacity and also provides a cybersecurity assessment capability at no additional cost.
This allows Dell PowerStore customers to be up-to-date on the latest Common Vulnerabilities and Exposures (CVEs) and if susceptible, how to remediate with step-by-step instructions per NIST guidelines.
Dell also has a robust corporate strategy around cybersecurity and Secure Development Lifecycle. This gives customers confidence knowing that Dell is focused on security from beginning to end.
Zero Trust / Hardware Root of Trust (HWRoT)
In 2022, PowerStore Gen2 hardware started shipping in alignment with the 3.0 code release. One of the features in 3.0 / Gen2 hardware is the ability to leverage Intel chipsets that provide HWRoT capabilities. For PowerStore customers this means:
- Immutable silicon based protection / tamper-proofing
- Authentication of firmware images and PowerStore OS at time of boot
- Prevents malicious modifications throughout the supply chain or post installation
- Digitally signed firmware preventing malware / rootkit manipulation
My good friend Scott Delandy wrote a great brief around Dell’s Zero Trust implementation for PowerMax, and the same principles apply to the work Dell has done in PowerStore. I love Scott’s focus on the five tenets of Zero Trust:
- Assume every user and/or device is a potential threat.
- Apply the principle of “least privilege” to restrict users (and their devices).
- Apply multifactor authentication models and authorization rights that are time based, scope based, and role based.
- Authenticate and authorize at communication intersections of the infrastructure.
- No entity is inherently trusted, and verification is required to access all assets.
Hardware Root of Trust is not new to the industry. This is based on concepts that Dell helped pioneer back in 2017 with PowerEdge 14G and is now being integrated into Dell’s enterprise storage portfolio.
As Scott points out, “The Dell Technologies zero-trust approach has been designed to align with the U.S. Department of Defense (DoD) standards and, in the near future, government agencies, their vendors and those in heavily regulated industries — like infrastructure, transportation, energy, healthcare and banking — can expect more scrutiny to be placed on them to comply with zero-trust security specifications.”
PowerStore Architecture Helping with Cyber Defense
I mentioned Dynamic Resiliency Engine (DRE) earlier.
If interested in a video overview of DRE, I recorded a 20 minute webinar that can be viewed here.
DRE has multiple benefits, one of which is single drive scalability and the ability to add needed capacity in cost-effective, granular increments. This can be an incredible asset when it comes to cyber defense particularly if you are in the heat of an actual attack.
In several recent customer meetings the exact same scenario has come up in conversation. All of them experienced the same core issue: a cyber / ransomware attack in which data was encrypted. The environment was compromised and host-level encryption began rather quickly. (As a disclosure, they were NOT using Dell Technologies storage products.)
This has an immediate impact on customers’ high-performance all-flash architectures. Almost all modern flash environments leverage data reduction in some way, primarily because data reduction technologies provide an effective capacity that achieves an affordable $/GB. However, during a cyber attack, host-level data begins to be encrypted and data reduction has much less of an impact, since encrypted data is effectively incompressible and does not deduplicate.
Think about it this way. Let’s say that you have a need for 100TB of storage. In a typical scenario (for easy math’s sake), your storage array vendor will size 25TB usable with a vendor-supplied target of 4:1 DRR (Data Reduction Ratio), meaning that you will get ~100TBe (effective).
During an attack, the data is being rewritten in encrypted form and your DRR efficiency is gone. Your 25TB of physical capacity begins to get consumed rapidly.
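The sizing math above can be turned into a small planning model. The following is an added example, not code from the original post or from Dell; it assumes untouched data still reduces at the quoted DRR, that rewritten (encrypted) data stores 1:1, and that keeping pre-attack snapshots retains the reduced originals alongside the encrypted copies (the out-of-space effect described in the forensics scenario further down). The 60TB in-use figure is a constructed value.

```python
"""Constructed capacity model for a ransomware rewrite on a data-reducing array.

Assumptions (illustrative, not PowerStore measurements): untouched data reduces
at the vendor DRR; attacker-rewritten data is encrypted and stores 1:1; kept
pre-attack snapshots retain the reduced originals next to the encrypted copies.
"""
from dataclasses import dataclass


@dataclass(frozen=True)
class Array:
    physical_tb: float  # usable physical capacity, e.g. the article's 25 TB
    drr: float          # vendor-quoted data reduction ratio, e.g. 4.0 for 4:1


def physical_used_tb(arr: Array, logical_tb: float, encrypted_fraction: float,
                     keep_snapshots: bool = False) -> float:
    """Physical TB consumed once `encrypted_fraction` of the logical data is rewritten."""
    clean = logical_tb * (1.0 - encrypted_fraction) / arr.drr   # still reducible
    encrypted = logical_tb * encrypted_fraction                  # 1:1, no reduction
    retained = logical_tb * encrypted_fraction / arr.drr if keep_snapshots else 0.0
    return clean + encrypted + retained


def fraction_to_fill(arr: Array, logical_tb: float, keep_snapshots: bool = False):
    """Encrypted fraction at which the array runs out of space, or None if it never does."""
    base = logical_tb / arr.drr                                  # usage before the attack
    if base >= arr.physical_tb:
        return 0.0
    # Usage grows linearly with the encrypted fraction; the slope is the extra
    # physical TB consumed per logical TB rewritten (plus the retained original).
    slope = logical_tb if keep_snapshots else logical_tb * (1.0 - 1.0 / arr.drr)
    f = (arr.physical_tb - base) / slope
    return f if f <= 1.0 else None


def shortfall_tb(arr: Array, logical_tb: float, keep_snapshots: bool = False) -> float:
    """Extra physical TB needed to absorb a complete rewrite without running out of space."""
    return max(0.0, physical_used_tb(arr, logical_tb, 1.0, keep_snapshots) - arr.physical_tb)


if __name__ == "__main__":
    arr = Array(physical_tb=25.0, drr=4.0)   # the article's 25 TB usable at 4:1
    in_use = 60.0                            # constructed: 60 TB of the ~100 TBe in use
    for snaps in (False, True):
        f = fraction_to_fill(arr, in_use, snaps)
        print(f"keep_snapshots={snaps}: full once {f:.1%} of data is encrypted, "
              f"shortfall {shortfall_tb(arr, in_use, snaps):.1f} TB for a full rewrite")
```

With 60TB of the ~100TBe actually in use, the 25TB array is full once roughly 22% of the data has been rewritten, or about 17% if pre-attack snapshots are retained, which is the capacity cushion the rest of this article argues you need to plan for.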
There are now a few points to consider:
- A cyber event recovery is NOT the same as a DR event
You cannot simply fail over to a DR site, because the corruption has been replicated to the target location.
- If you have corporate insurance for ransomware a forensic audit may be mandatory
This was the case with the customer scenarios I mentioned above. They were attacked, workloads were encrypted, but it was quickly realized that recovery options were limited.
- They could not touch the array data due to forensic audit requirements
- They had run out of physical capacity due to loss of DRR
- Snapshots were irrelevant for several reasons: 1) They could not manipulate the array because of the forensics audit. 2) Snapshots now held encrypted data and contributed to the out-of-space scenario. 3) There was no visibility into which snapshot was actually valid other than 1:1 cloning / mapping – but again – they couldn’t touch the data due to forensics.
A spiraling atmosphere is created in these situations. The PowerStore architecture could provide an advantage in these situations and perhaps immediate relief.
As mentioned – DRE fully supports single drive scalability which can help mitigate the necessity of adding large scale drive packs. Also, DRE enables the same scalability of drives on every PowerStore model. This means that you will not hit a capacity limitation that would force you into a controller upgrade along with the large capacity pack.
The immediate benefit is that you could rapidly acquire and implement capacity without massive costs or potential upgrade delays.
Another architectural advantage is PowerStore’s use of Intel QuickAssist Technology (QAT) for hardware-offloaded compression.
With some storage array vendors there is a single active controller that handles all IO and data services. In the case of high IO utilization the data service engines can defer data reduction in order to prioritize IO. I like to call this the death spiral.
This can be especially true during a cyber attack. During a cyber event, writes exacerbate IO utilization since everything is now being rewritten (high IO rates) and encrypted / non-reducible. When this happens, the physical capacity of the array begins to fill rapidly because fully hydrated data is now being written with no DRR efficiency. In the case of PowerStore, customers receive the benefit of dual Active/Active nodes and dedicated resources (Intel QAT) for compression, meaning compression is never deferred or turned off under load, which can delay the death spiral. This architectural differentiator might just buy you the additional capacity and performance that you need in order to take action during a cyber event.
Cyber Event Considerations
- Understand your corporate and industry response requirements
- Understand that Cyber Recovery and Disaster Recovery are NOT the same
- If forensic audit is required in what ways can you leverage your production array environment?
- If forensic audit is in play can you recover on your existing production array?
- Leverage immutable snapshots for immediate recovery if possible
- Plan for rapid / immediate capacity growth in the event of an emergency – you don’t want to be walking through a standard Quote / PO / Shipping process when you need that capacity to get back online
- Know and understand your array capacity limits. You do not want to hit a limit as a result of an attack with no simple way to add capacity.
- Do you have array based analytics (like CloudIQ) that can detect performance and capacity anomalies and provide a Cybersecurity assessment?
- Is array based snapshot protection enough or do you need a Cyber Vault?
Summary and Additional Resources
Security is at the heart of what we do at Dell Technologies and it is a core development practice across our Infrastructure Solutions Group (ISG) portfolio.
If you have not read it, there is a wonderful white paper on PowerStore Cyber Security located on Dell’s Info Hub. This paper details Cyber Security best practices and capabilities for PowerStore.
To read up on Dell’s overall offerings regarding Cyber Security visit the security solutions page.
For additional reading on Dell’s PowerProtect and Cyber capabilities you can visit the Dell Learning Center Page for Cyber Security.
For details on how Dell Technologies follows, develops, and advocates industry security standards visit the Dell corporate Security and Trust site.