At NetApp, Inc., providing our customers with data-centric security capabilities to enhance their organizations’ cyber resiliency is a priority.
Nearly 30 years of innovation across our portfolio has included many new security capabilities that protect critical data and let you focus on using the data rather than worrying about how secure it is.
But given today’s vast cyberthreat landscape, claiming that NetApp has ‘industry-leading data-centric security capabilities’ isn’t enough. Just as in high school math class, it’s important to ‘show your work.’ That’s why we are announcing that ONTAP data management software is the industry’s first Commercial Solutions for Classified (CSfC) validated enterprise-class storage solution. The validated configuration protects data at rest at both the hardware layer (with NetApp Storage Encryption, NSE) and the software layer (with NetApp Volume Encryption, NVE), giving two independent layers of protection.
What is CSfC?
To understand the significance of the CSfC announcement, it’s important to understand what CSfC is. The Commercial Solutions for Classified program is a key component of the US National Security Agency (NSA) commercial cybersecurity strategy. Validated solutions require two independent layers of encryption and must meet rigorous security requirements for protecting classified National Security Systems data.
The NSA has directed federal agencies, particularly in the area of defense, that host secret or top-secret data to have CSfC validated storage solutions in place. This announcement is therefore particularly important for federal and US government agencies such as the Department of Defense (DoD): with this validation, they can layer state-of-the-art commercial hardware and software technologies into their data protection and cybersecurity solutions using ONTAP.
Yes, that’s correct. NetApp ONTAP is validated to host secret and top-secret data.
CSfC validation requires layered encryption
Data-at-rest encryption protects against physical theft of storage devices. A key aspect of a CSfC solution, however, is the need for two independent layers of validated data-at-rest encryption. ONTAP’s dual-layer FIPS 140-2 validated encryption is a direct fit because it provides both software encryption at rest (NVE/NAE) and hardware encryption at rest (NSE).
ONTAP encryption at rest features:
- Software-based encryption
- NetApp Volume Encryption (NVE) is a storage-efficient software data-at-rest encryption solution that lets ONTAP encrypt data on a per-volume basis, which gives per-volume granularity. NVE is a FIPS 140-2 compliant solution. ONTAP software is Protection Profile compliant for both the Full Drive Encryption – Authorization Acquisition 2.0E collaborative Protection Profile and the Full Drive Encryption – Encryption Engine 2.0E collaborative Protection Profile when NVE is enabled and the onboard key manager is configured in Common Criteria mode.
- NetApp Aggregate Encryption (NAE) is also available with ONTAP. NAE is not CSfC validated, but with NAE all ONTAP storage efficiencies are retained after data is encrypted, because the volumes in an aggregate can share encryption keys.
- Both NVE and NAE use a FIPS 140-2 validated cryptomodule to perform encryption and decryption.
- Hardware-based encryption
- NetApp Storage Encryption (NSE) uses FIPS 140-2 Level 2 validated self-encrypting drives. By providing data-at-rest protection through transparent AES 256-bit disk encryption, NSE simplifies compliance and the return of failed or spare drives. ONTAP data management software is Protection Profile compliant for the Full Drive Encryption – Authorization Acquisition 2.0E collaborative Protection Profile when used with NSE drives.
All the ONTAP data-at-rest encryption technologies have a negligible performance impact, so there is no performance reason not to take advantage of both layers.
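The point of the two-layer configuration above is that every volume holding classified data must have NVE on the volume and NSE FIPS drives under its aggregate, and neither layer can be assumed from the other. The following audit script is an added example, not NetApp code: it parses captured text output of three ONTAP CLI commands and flags volumes where either layer is missing, where NAE rather than NVE is in use (NAE is not part of the CSfC validation), or where an NSE drive is not in FIPS mode or still carries its manufacturer default key. The command names, field names and output shape are assumptions about the ONTAP CLI, and the sample output is constructed; confirm both against your ONTAP release before relying on the result.

```python
"""Dual-layer (NVE + NSE) data-at-rest audit for ONTAP. Added example, not NetApp code.

Assumed inputs (text captured from the ONTAP CLI, e.g. over ssh):
  volume show -fields vserver,volume,aggregate,is-encrypted,encryption-type
  storage disk show -fields disk,aggregate
  storage encryption disk show -fields disk,mode,data-key-id
Field and column names are assumptions about the ONTAP CLI.
"""

# Assumed: ONTAP shows this key ID for an NSE drive still using its factory key.
MANUFACTURER_DEFAULT_KEY = "0x0"


def parse_fields_table(text):
    """Parse '-fields' style output: header row, dashed separator, one row per
    entry, and an 'N entries were displayed.' trailer. Values must not contain
    spaces (true for every field used here)."""
    lines = [l.strip() for l in text.splitlines() if l.strip()]
    header = lines[0].split()
    rows = []
    for line in lines[1:]:
        if set(line) <= {"-", " "} or line.endswith("displayed."):
            continue
        cells = line.split()
        if len(cells) != len(header):
            raise ValueError("unexpected row: %r" % line)
        rows.append(dict(zip(header, cells)))
    return rows


def audit(volumes_txt, disks_txt, enc_disks_txt):
    """Return {(vserver, volume): [problems]}; an empty list means both layers are present."""
    disks_by_aggr = {}
    for d in parse_fields_table(disks_txt):
        disks_by_aggr.setdefault(d["aggregate"], []).append(d["disk"])
    enc = {e["disk"]: e for e in parse_fields_table(enc_disks_txt)}

    findings = {}
    for v in parse_fields_table(volumes_txt):
        problems = []
        # Software layer: NVE on the volume itself. NAE is flagged because it is not CSfC validated.
        if v["is-encrypted"] != "true":
            problems.append("no software encryption (NVE missing)")
        elif v["encryption-type"] != "volume":
            problems.append("encryption-type is %s, CSfC layer requires NVE" % v["encryption-type"])
        # Hardware layer: every disk under the aggregate must be an NSE drive in FIPS mode
        # that has been re-keyed away from the manufacturer default.
        disks = disks_by_aggr.get(v["aggregate"])
        if not disks:
            problems.append("no disks found for aggregate %s" % v["aggregate"])
        for disk in disks or []:
            e = enc.get(disk)
            if e is None:
                problems.append("disk %s is not self-encrypting" % disk)
            elif e["mode"] != "FIPS":
                problems.append("disk %s not in FIPS mode (mode=%s)" % (disk, e["mode"]))
            elif e["data-key-id"] == MANUFACTURER_DEFAULT_KEY:
                problems.append("disk %s still keyed with the manufacturer default" % disk)
        findings[(v["vserver"], v["volume"])] = problems
    return findings


def dual_layer_ok(findings):
    """Volumes that passed both layers."""
    return [vol for vol, probs in findings.items() if not probs]


# Constructed sample output in the assumed '-fields' shape (not captured from a real system).
VOLUMES = """\
vserver volume     aggregate  is-encrypted encryption-type
------- ---------- ---------- ------------ ---------------
svm1    secret_vol aggr_nse   true         volume
svm1    nae_vol    aggr_nse   true         aggregate
svm1    plain_vol  aggr_nse   false        none
svm1    lab_vol    aggr_plain true         volume
4 entries were displayed.
"""
DISKS = """\
disk  aggregate
----- ----------
1.0.1 aggr_nse
1.0.2 aggr_nse
1.0.3 aggr_plain
1.0.4 aggr_plain
4 entries were displayed.
"""
ENC_DISKS = """\
disk  mode data-key-id
----- ---- --------------------------------
1.0.1 FIPS 000000000000000000000000A1B2C3D4
1.0.2 FIPS 000000000000000000000000A1B2C3D4
1.0.3 data 0x0
3 entries were displayed.
"""

if __name__ == "__main__":
    for vol, probs in audit(VOLUMES, DISKS, ENC_DISKS).items():
        print("%s/%s: %s" % (vol[0], vol[1], "OK (both layers)" if not probs else "; ".join(probs)))
```

On the constructed sample only `svm1/secret_vol` passes: `nae_vol` is encrypted but with NAE, `plain_vol` has no software layer, and `lab_vol` sits on an aggregate whose drives are either not in FIPS mode or not self-encrypting at all. Note that the hardware check is per aggregate, so a single non-NSE drive added to an aggregate fails every volume on it, which is the behaviour you want for a CSfC deployment.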
CSfC validation is important for all organizations
The importance of the CSfC validation is not limited to federal agencies; it applies to any customer concerned about the security of their data. Because ONTAP has achieved CSfC validation and is capable of storing secret and top-secret data, it is more than adequate for even those customers most ardently focused on securing their data.
Benefits for any organization that employs the ONTAP CSfC solution include the following:
- Enhance data confidentiality and integrity with dual-layer encryption. Use both software and hardware to achieve a more robust data encryption solution.
- Maintain a secure posture regardless of physical media. Encrypting at the volume level means the encryption capability exists independently of the physical media: SSD, SAS, HDD, or NVMe.
- Maintain storage efficiencies. Encrypt your data while keeping NetApp storage efficiencies such as deduplication, compression, and compaction. Retaining all of them, including the aggregate-level efficiencies that rely on volumes sharing a key, requires NAE; where NAE is not allowed in the solution, efficiencies apply within each NVE volume.
- Satisfy governance and compliance requirements. Use established security best practices to adhere to and to support compliance with industry regulations and security levels.
Focus on your organizational goals without worrying about security
With ONTAP’s CSfC validation, you can be assured that putting even your most sensitive data on a NetApp AFF or FAS array is a sound decision. This is true not only because you can meet your data-centric security goals; ONTAP also provides all the rich enterprise data management features for accessing your data securely wherever and whenever you need it. This lets you focus on your day job without worrying about the security of your organization’s most precious asset: your data.