Around the Storage Block

HPE 3PAR StoreServ storage: Built with security in mind

Learn how HPE 3PAR StoreServ all-flash storage is designed to help meet your data center security and compliance requirements.

Data center security is always a top-of-mind topic, now more than ever. In many ways, the launch of the General Data Protection Regulation (GDPR) served as a very loud wake-up call for organizations worldwide to update their data center security practices.

Earlier, I blogged about learning how to build a best-in-class GDPR compliance strategy with HPE Storage. Today, I want to focus on how you can create a secure data center environment with HPE 3PAR StoreServ all-flash storage—and also how we at HPE continue to invest in security as we offer new 3PAR hardware and software to our customers.

Security 101: the importance of data center security

Data housed in your organization’s storage devices contains sensitive, mission-critical information that can be put at risk when it is accessed by the wrong person or application, misused either willfully or accidentally, accessed for non-compliant purposes, or lost or compromised through system failure, human error or hostile action.

As data growth has exploded, the sophistication of data breaches has greatly increased. Organizations that do not adhere to security compliance and regulations for data storage and management often face stiff penalties. Proactive security measures also have compelling ROIs for organizations. Regulations such as PCI DSS, GDPR, or HIPAA, along with the need to store data for longer periods of time, trigger the need for organizations to deploy a combination of storage security solutions.

Understanding industry-wide security fundamentals

Let’s review these security principles:

  • Authentication is validating the identity of an entity (a user or an application).
  • Authorization is the process of granting privileges and access rights to a trusted entity. This is done after authentication has succeeded.
  • Availability means that data should be securely available at all times to all authorized users and applications, when requested.
  • Encryption provides privacy by hiding information from anyone not authorized to see it. Two categories of data encryption are possible: data at rest (when data is within the storage system) and data in flight (when data is moving across the network within a data center).
  • Integrity means ensuring data is in the exact form it was intended to be while being written to or read from a storage system.
  • Auditing is the ability to capture and retain the various events occurring in the data center infrastructure for compliance purposes.

How does 3PAR fit into each of these security principles?

HPE 3PAR all-flash storage: secure by design

First, what is covered under authorization? HPE 3PAR storage supports multiple administrative roles, from browse up to full storage administrator privilege. 3PAR’s appliance model gives the customer more control and protects against installation of unauthorized and malicious software. Secure Domain capabilities in 3PAR enable the creation of secure, isolated pools of storage across the physical nodes. You can also secure pools of storage on an HPE 3PAR by using storage Quality of Service (QoS) via HPE 3PAR Priority Optimization, which lets you logically partition system performance for a given LUN; this can be integrated with Virtual Domains so that policies are applied at the tenant level. HPE 3PAR Virtual Domains provide policy-based, secure administrative segregation of users and hosts within a 3PAR StoreServ system while still sharing all system resources (ports, processors, cache, and disk drives) across all workloads, enabling logical segmentation of storage. 3PAR’s ability to integrate with LDAP/AD allows enterprises to centrally manage identity records, role-based access control (RBAC) and security policies.

3PAR supports customer-installed X.509 certificates for authentication of administrative interfaces, and offers LDAP and Active Directory support for centralized authentication. These features are available across the 3PAR Operating System, the 3PAR Service Processor and the 3PAR StoreServ Management Console (SSMC). 3PAR OS 3.3.1 and SSMC 3.1 and above also enable two-factor authentication in SSMC through Common Access Cards (CAC), and support for a Virtual Smart Card as the second authentication factor has been made available starting with SSMC 3.2. SSMC 3.2 also supports multi-domain authentication.

What about 3PAR encryption? 3PAR supports data at rest (DAR) encryption. With 3PAR OS 3.2.1 and above, 3PAR has a complete FIPS 140-2 compliant encryption solution. The 3PAR DAR solution uses FIPS 140-2 Level 2 self-encrypting drives (SEDs); SEDs contain special firmware and an ASIC that performs the encryption. 3PAR supports third-party encryption solutions as well.

With HPE 3PAR Persistent Checksum, 3PAR adheres to the data integrity security principle: it ensures that data stored and then read back is exactly what it is supposed to be. This matters because the transition to the all-flash data center brings consolidation, where a single array now handles hundreds of thousands of IOPS; the checksum protects data integrity against media or transmission errors. With SSMC 3.2, customers can also set and view the DIF fields on their 3PAR StoreServ: the host DIF setting can be enabled or disabled for the system and the type of DIF can be selected.
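To make the integrity principle concrete, here is an added example (not HPE's code, and not a description of how Persistent Checksum is implemented internally) of the per-sector guard tag used by T10 DIF/Protection Information: a CRC-16 with polynomial 0x8BB7 over a 512-byte sector, packed into the 8-byte protection tuple with an application tag and a reference tag. The sector contents, the LBA used as reference tag and the helper names are constructed for the demo.

```python
"""CRC-16/T10-DIF guard tag: compute, attach, and verify per sector.

Added example, not HPE 3PAR code. Parameters follow the T10 DIF guard
CRC: polynomial 0x8BB7, initial value 0, no bit reflection, no final XOR.
"""
import struct

T10DIF_POLY = 0x8BB7
SECTOR_SIZE = 512


def crc16_t10dif(data: bytes) -> int:
    """Bit-serial CRC-16/T10-DIF over data, most significant bit first."""
    crc = 0
    for byte in data:
        crc ^= byte << 8
        for _ in range(8):
            if crc & 0x8000:
                crc = ((crc << 1) ^ T10DIF_POLY) & 0xFFFF
            else:
                crc = (crc << 1) & 0xFFFF
    return crc


def protect(sector: bytes, ref_tag: int, app_tag: int = 0) -> bytes:
    """Build the 8-byte protection information for one 512-byte sector:
    2-byte guard (CRC), 2-byte application tag, 4-byte reference tag."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("sector must be exactly 512 bytes")
    return struct.pack(">HHI", crc16_t10dif(sector), app_tag, ref_tag & 0xFFFFFFFF)


def verify(sector: bytes, pi: bytes, expected_ref_tag: int) -> list:
    """Return the list of detected problems; an empty list means intact."""
    guard, _app_tag, ref_tag = struct.unpack(">HHI", pi)
    problems = []
    if crc16_t10dif(sector) != guard:
        problems.append("guard mismatch: sector payload altered")
    if ref_tag != (expected_ref_tag & 0xFFFFFFFF):
        problems.append("reference tag mismatch: sector belongs to another LBA")
    return problems


def demo() -> dict:
    """Constructed sector: protect it, then corrupt or misplace it and re-verify."""
    sector = bytes(range(256)) * 2            # deterministic 512-byte payload
    lba = 0x1000                              # constructed reference tag
    pi = protect(sector, ref_tag=lba)
    intact = verify(sector, pi, expected_ref_tag=lba)
    flipped = bytearray(sector)
    flipped[100] ^= 0x01                      # simulate a single-bit media error
    corrupted = verify(bytes(flipped), pi, expected_ref_tag=lba)
    misplaced = verify(sector, pi, expected_ref_tag=lba + 1)  # wrong LBA on read
    return {"intact": intact, "corrupted": corrupted, "misplaced": misplaced}


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result or 'OK'}")
```

The guard catches bit flips in the payload, while the reference tag catches the other classic failure mode, a sector that is intact but was written to or read from the wrong address. A production path would use a table-driven or hardware CRC; the bit-serial loop is kept here for readability.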

For auditing, 3PAR has detailed hardening guidance available through the Common Criteria certification and a Security Technical Implementation Guide (STIG). 3PAR is the only storage product in its class to have a vendor-unique STIG; other vendors may be compliant with a patchwork of generic STIGs (database, network device, OS, web server, etc.). Export to a syslog server is also supported by SSMC. There is comprehensive audit recording of privileged operations, and all security-relevant events are logged in the system event log, which can also be sent to a remote syslog server over a secure connection. These system logs are protected from modification by any administrator and are highly available. 3PAR is Unified Capabilities Approved Product List (UCAPL) compliant as well.
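Forwarding the audit trail to a syslog server is only useful if something reads it. The following added example (not HPE code; the line layout is a generic RFC 3164-style format and the event wording, hostnames, users and addresses are constructed, not real 3PAR output) shows two checks a SIEM rule set would typically run on a storage array's audit feed: privileged operations performed by accounts outside an approved administrator list, and bursts of failed logins from one source.

```python
"""Detection rules over forwarded storage audit events.

Added example, not HPE 3PAR code. The syslog lines below are constructed;
the key=value wording is an assumption for the demo, not 3PAR's format.
"""
import re
from collections import Counter

# Constructed sample of forwarded audit lines (not real 3PAR output).
SAMPLE_SYSLOG = """\
<86>Jun 12 10:01:02 array01 audit: user=ops1 role=browse src=10.0.5.10 op=showvv result=ok
<86>Jun 12 10:02:15 array01 audit: user=admin role=super src=10.0.5.11 op=createuser target=tmpuser result=ok
<86>Jun 12 10:02:40 array01 audit: user=tmpuser role=super src=10.0.9.77 op=removevv target=db_lun1 result=ok
<86>Jun 12 10:03:01 array01 audit: user=svc_backup role=edit src=10.0.9.77 op=login result=fail
<86>Jun 12 10:03:02 array01 audit: user=svc_backup role=edit src=10.0.9.77 op=login result=fail
<86>Jun 12 10:03:03 array01 audit: user=svc_backup role=edit src=10.0.9.77 op=login result=fail
<86>Jun 12 10:03:04 array01 audit: user=svc_backup role=edit src=10.0.9.77 op=login result=fail
this line is not an audit record and must be skipped
"""

LINE_RE = re.compile(
    r"^<(?P<pri>\d+)>(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) (?P<host>\S+) audit: (?P<kv>.*)$"
)

# Policy inputs (constructed): operations that change users or destroy data,
# the accounts allowed to run them, and the failed-login alert threshold.
PRIVILEGED_OPS = {"createuser", "setuser", "removeuser", "removevv", "setsys"}
APPROVED_ADMINS = {"admin"}
FAILED_LOGIN_THRESHOLD = 3


def parse_line(line: str):
    """Parse one syslog line into a dict, or return None if it is not an audit record."""
    m = LINE_RE.match(line)
    if not m:
        return None
    event = {"ts": m["ts"], "host": m["host"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        event[key] = value
    return event


def analyze(text: str) -> list:
    """Run both detection rules over a syslog feed and return finding strings."""
    findings = []
    failures = Counter()
    for line in text.splitlines():
        ev = parse_line(line)
        if ev is None:
            continue
        if ev.get("op") in PRIVILEGED_OPS and ev.get("user") not in APPROVED_ADMINS:
            findings.append(
                f"{ev['ts']} {ev['host']}: privileged op {ev['op']} "
                f"by unapproved account {ev['user']} from {ev['src']}"
            )
        if ev.get("op") == "login" and ev.get("result") == "fail":
            failures[(ev["user"], ev["src"])] += 1
    for (user, src), count in failures.items():
        if count >= FAILED_LOGIN_THRESHOLD:
            findings.append(f"{count} failed logins for {user} from {src}")
    return findings


if __name__ == "__main__":
    for finding in analyze(SAMPLE_SYSLOG):
        print(finding)
```

Note what the first rule surfaces in the constructed data: the approved administrator created a temporary account, and that account then removed a volume. Because the array logs privileged operations with the acting user, a simple allow-list comparison on the remote copy of the log flags the second event even though the operation itself succeeded on the array.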

To ensure high availability, 3PAR has features like Peer Persistence and Remote Copy. 3PAR Peer Persistence enables 3PAR systems located at metropolitan distances to act as peers to each other, presenting a nearly continuous storage system to hosts and servers connected to them. HPE 3PAR Remote Copy Software provides enterprise and cloud data centers with autonomic replication and Tier 1 disaster recovery technology that allows the protection and sharing of data from any application simply, efficiently, and affordably.

Additional 3PAR security enhancements

3PAR also offers:

FIPS validated cryptography: One of the important changes brought in over the last few months is FIPS 140-2 validated cryptography across the entire 3PAR stack, delivered as part of enabling CAVP/CMVP compliance for 3PAR. With 3PAR OS 3.3.1 MU3, SSMC 3.3, and SP 5.0.4, 3PAR now offers an end-to-end FIPS 140-2 validated solution. 3PAR has been certified through “vendor affirmation”, which means that the cryptographic modules in use have been certified.

TLS 1.2-only support: HPE 3PAR OS 3.3.1, 3.2.2 MU6 Patch 107 and 3.2.2 MU4 Patch 106 and above enable TLS 1.2-only configurations, which refuse TLS 1.0/1.1 connections and so remove exposure to the security vulnerabilities of those protocol versions; this helps 3PAR customers strengthen their Payment Card Industry Data Security Standard (PCI DSS) 3.2 compliance strategy.
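A TLS 1.2-only setting on the array is one half of the control; the management hosts and scripts that talk to it should enforce the same floor. The following added example (not HPE code; it uses only the Python standard library `ssl` module) builds a client context with TLS 1.2 as the minimum and a deliberately permissive one for comparison, and an `audit_context` check that a compliance script can run over any `ssl.SSLContext` before it is used for a connection.

```python
"""Enforce and audit a TLS 1.2 minimum on client-side TLS contexts.

Added example, not HPE 3PAR code. Requires Python 3.7+ with an OpenSSL
that supports minimum_version (any current build does).
"""
import ssl


def make_tls12_context() -> ssl.SSLContext:
    """Hardened client context: certificate verification on, floor at TLS 1.2."""
    ctx = ssl.create_default_context()          # CERT_REQUIRED + hostname checks
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    return ctx


def make_permissive_context() -> ssl.SSLContext:
    """Weak setting for comparison: whatever minimum the OpenSSL build allows."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.MINIMUM_SUPPORTED
    return ctx


def audit_context(ctx: ssl.SSLContext) -> list:
    """Return policy violations for a context; an empty list means compliant."""
    problems = []
    # TLSVersion is an IntEnum; MINIMUM_SUPPORTED, TLSv1 and TLSv1_1 all sort below TLSv1_2.
    if ctx.minimum_version < ssl.TLSVersion.TLSv1_2:
        problems.append(
            f"minimum TLS version is {ctx.minimum_version.name}; policy requires TLSv1_2"
        )
    if ctx.verify_mode != ssl.CERT_REQUIRED:
        problems.append("server certificate verification is not required")
    if not ctx.check_hostname:
        problems.append("hostname verification is disabled")
    return problems


def compliant(ctx: ssl.SSLContext) -> bool:
    """Convenience wrapper used by the demo and the checks below."""
    return audit_context(ctx) == []


if __name__ == "__main__":
    for label, ctx in (("hardened", make_tls12_context()),
                       ("permissive", make_permissive_context())):
        print(label, audit_context(ctx) or "compliant")
```

With a hardened context in hand, `ctx.wrap_socket(sock, server_hostname=host)` will fail the handshake against any endpoint that still only offers TLS 1.0/1.1, which is the behaviour you want: the client refuses rather than silently downgrading.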

Security vulnerability management and data protection

When it comes to 3PAR storage, we are committed to working and partnering with both our customers and the security community to help prevent and mitigate the security threats that occur daily across the world. With every new threat and every new vulnerability, the HPE 3PAR all-flash storage team continues to evaluate the risk and formulate the approach to avoid the attack, all the while continuing to engineer safe products to help you protect your data.

Hewlett Packard Enterprise's Security Alert site has the most up to date assessment of critical vulnerabilities for HPE products.

To close, let me say that we continue to address all security concerns and aspects related to 3PAR and all HPE data storage products—and we continually work to build in strong secure software development practices as part of our product development lifecycle. You can count on that as you work to strengthen data center security against the current barrage of cyberthreats.


 Meet Around the Storage Block blogger Rashmi Malik, Product Manager, HPE 3PAR Storage.
