
IBM Storage Insights: Security Guide

IBM Storage Insights
Security Guide
SC27-8774-04

Note: Before using this information and the product it supports, read the information in Legal notices.

This edition applies to the current version of IBM Storage Insights (product number 5725-U02) and to all subsequent versions until otherwise indicated in new editions. This edition replaces SC27-8774-03.

Copyright IBM Corporation. US Government Users Restricted Rights: Use, duplication or disclosure restricted by GSA ADP Schedule Contract with IBM



Transcription of IBM Storage Insights: Security Guide


About this guide

In IBM Storage Insights Pro and IBM Storage Insights, detecting and resolving issues in a storage environment has never been easier. It combines cognitive storage management capabilities with a simplified yet robust IBM support experience to help you spend less time troubleshooting storage problems and more time planning for your future storage

Who should read this guide

This publication is intended for administrators or IT professionals who deploy IBM Storage Insights Pro or IBM Storage Insights and want to learn more about security and data

should be familiar with the following topics:
- General procedures for installing software on Microsoft Windows, AIX,
- Storage area network (SAN) resources and management concepts.

Chapter 1. Summary

The concerns that customers might have about deploying a data collector on-premises and processing and storing metadata off-premises are

IBM Storage Insights Pro and IBM Storage Insights are cloud service offerings that use a light-weight application that is called the data collector to collect and send asset, configuration, capacity, and performance metadata for analysis to an IBM Cloud data center and for presentation in the

The security policies for collecting, sending, accessing, protecting, and storing metadata for IBM Storage Insights Pro and IBM Storage Insights

key differences between both cloud service offerings lie in the exclusive features that IBM Storage Insights Pro provides to its subscribers, such as capacity planning analysis, reclamation analysis, and tiering analysis, and in the access to the metadata that is presented in the GUI for the cloud service offerings.

In IBM Storage Insights Pro, subscribers have access to all of the metadata in the GUI, whereas in IBM Storage Insights, users have access to key capacity and performance metadata in the GUI, and IBM Support has read-only access to the set of metadata that they need to troubleshoot and close support

discuss the security concerns that customers might have, the following questions are answered:
- What is the data collector?
- How is the metadata protected?
- What types of metadata are collected?
- How long is the metadata kept?
- Who can access the metadata that is collected?

Lists of the asset, capacity, and configuration metadata and the performance metadata that is collected and stored about your storage systems are also

reference:

Chapter 7, Asset, capacity, and configuration metadata
The data collector collects and stores asset, capacity, and configuration metadata for block, file, and object storage systems and their resources.

A list of the supported storage systems is

Performance metadata
The data collector collects and stores performance metadata for IBM block storage systems and non-IBM block storage systems and it collects and stores file system and node performance metadata for IBM Spectrum Scale storage systems.

Chapter 2. What is the data collector

The data collector is the application that collects and delivers the metadata that is analyzed and presented in the

The data collector is a light-weight application that is installed on a server in your data center. It sends the metadata that is collected about your storage systems, such as asset, configuration, capacity, and performance metadata, from your data center to your instance of IBM Storage Insights Pro or IBM Storage Insights, which is in an IBM cloud data

Outbound metadata is sent by the data collector to a single, unique address, which is the IBM host name and port of your instance.

This means that when you configure your firewall to send the metadata, you open a single path to a well-defined and secure

In a matter of minutes, you can install the data collector and when you add the storage systems that you want to monitor, you get the capacity and performance insights that you need to monitor your data center. Because the metadata that IBM Support needs to investigate and close tickets is also collected, you can also upload logs automatically when you create or update tickets and IBM Support can access and investigate the metadata to resolve any issues that you might

for connecting to storage systems: To add and collect metadata from the storage systems that you want to monitor, you must provide the storage system's credentials. Depending on the type of storage system that you add for monitoring, you can provide the name and password of a user with privileges to collect the metadata, or an SSH user and SSH key.

The credentials that are provided are encrypted before they are stored in the database for the instance, and the database is also encrypted. In addition, most storage systems support the creation of users with read-only roles, who can't make any changes to the configuration of the storage

operating systems: Data collectors can be installed on servers that run AIX, Linux, or Windows operating systems. The server on which you install the data collector must have a minimum of 1 GB RAM and 1 GB of free disk

Security certification: IBM Storage Insights, based on regular audits, has ISO/IEC 27001 Information Security Management

Security characteristics

To ensure that metadata is collected securely, the data collector has the following characteristics:

In-built security
Communication with other entities, such as storage systems in the local data center and the IBM Storage Insights service in the IBM cloud data center, is initiated solely by the data collector.

The data collector does not provide any remote APIs that might be used to interact with the

communication
The data collector sends metadata out of your network to your instance of IBM Storage Insights Pro or IBM Storage Insights. Communication is outbound only; the data collector can't receive data from the internet or any other entity in your

transmission
All communication between the data collector and IBM Storage Insights Pro or IBM Storage Insights in the IBM cloud data center uses encryption based on

communication that the data collector initiates with the server where it is installed, and the communication between the server and IBM Storage Insights Pro GUI or IBM Storage Insights GUI uses HTTPS

connections are signed by DigiCert Inc., which uses TLS with 128-bit

Because HTTPS connections are used, the data collector can run on any computer that can access the internet over an outbound TCP connection to port 443.

Port 443 is the standard port for

Chapter 3. How is the metadata protected

End-to-end protection is provided for the metadata that is collected, delivered, and stored for your instance of IBM Storage Insights Pro or IBM Storage Insights in the IBM cloud data

collection, delivery, and storage in the cloud

To transform the metadata into insights and present them in IBM Storage Insights Pro or IBM Storage Insights, the data collector forwards metadata packages for analysis and storage to an IBM cloud data

keep the metadata package safe on its journey to the cloud, the data collector uses Hypertext Transfer Protocol Secure (HTTPS), which encrypts the metadata and sends the metadata package through a secure channel to the IBM cloud

the gateway, or reverse proxy gateway, the metadata package gets instructions to deliver the package to your instance of IBM Storage Insights Pro or IBM

the metadata package is delivered, the metadata is decrypted, analyzed,

your data center to the internet

HTTPS connections are used to compress and encrypt the metadata that is collected about your storage systems and sent to your IBM cloud data center.

As part of the onboarding process, you're provided with a host name and port number for your instance of IBM Storage Insights Pro or IBM Storage Insights. To secure the outbound communication between the data collector and IBM Storage Insights Pro or IBM Storage Insights, a Secure Sockets Layer (SSL) certificate is used. The certificate and HTTPS connections are signed by DigiCert, which uses TLS with 128-bit

send the metadata, your firewall must be configured to allow outbound communication on HTTPS port 443 using TCP to the address of your

the IBM cloud data center

IBM Storage Insights Pro and IBM Storage Insights are hosted in IBM cloud data centers, which comply with high physical, technical, and organizational security

Each instance of IBM Storage Insights uses a local keystore, which is dedicated to their instance and password protected. The password for the keystore is generated randomly when the instance is created.

The certificate in the keystore is unique to each instance and the keystore password is encrypted. (The encryption doesn't include hardware encryption.) The master password is kept encrypted in the service payload configuration in a secure location in IBM cloud.

There is only one external customer key, which is the public key that is certified by DigiCert. As part of the TLS handshake and certificate exchange, the client (web browser) uses the signed certificate to verify that it is communicating with the IBM Storage Insights Pro or IBM Storage Insights gateway in IBM cloud and that communications are not tampered with. For internal traffic, each customer's instance of IBM Storage Insights Pro or IBM Storage Insights has a unique key, which is protected with a unique, encrypted password, and which is self-signed by IBM to validate that the communication is between the customer and the customer'

rotation: A new master key is created and added to the keystore when the instance is created and when the instance is upgraded.
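
An added example, not taken from the IBM guide and not IBM code: before the outbound port 443 path is opened in the firewall, the server that will host the data collector can check that the instance endpoint presents a DigiCert-issued certificate and negotiates at least 128-bit encryption, as the guide states. The host name placeholder, the constructed sample values, and the check for old protocol versions are assumptions introduced for this example.

```python
import socket
import ssl

MIN_SECRET_BITS = 128          # the guide states "TLS with 128-bit"
EXPECTED_ISSUER = "digicert"   # the guide names DigiCert as the signer
OLD_VERSIONS = {"SSLv3", "TLSv1", "TLSv1.1"}  # added check, not from the guide

def issuer_org(cert):
    """Return the issuer organizationName from an SSLSocket.getpeercert() dict."""
    for rdn in cert.get("issuer", ()):
        for key, value in rdn:
            if key == "organizationName":
                return value
    return ""

def evaluate(cert, cipher, version):
    """Return a list of findings; an empty list means the session matches the guide."""
    findings = []
    name, _, bits = cipher
    org = issuer_org(cert)
    if EXPECTED_ISSUER not in org.lower():
        findings.append(f"issuer organization is {org!r}, expected DigiCert")
    if bits is None or bits < MIN_SECRET_BITS:
        findings.append(f"cipher {name} provides {bits} secret bits")
    if version in OLD_VERSIONS:
        findings.append(f"negotiated {version}")
    return findings

def probe(host, port=443, timeout=10):
    """Open one outbound TCP 443 connection, as the data collector does, and evaluate it."""
    ctx = ssl.create_default_context()  # validates the chain and the host name
    with socket.create_connection((host, port), timeout=timeout) as raw:
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            return evaluate(tls.getpeercert(), tls.cipher(), tls.version())

# Constructed samples in the shapes returned by getpeercert(), cipher() and version().
SAMPLE_CERT = {
    "subject": ((("commonName", "instance.example.invalid"),),),
    "issuer": ((("countryName", "US"),),
               (("organizationName", "DigiCert Inc"),),
               (("commonName", "Constructed Sample CA"),)),
}
OTHER_CERT = dict(SAMPLE_CERT, issuer=((("organizationName", "Constructed Internal CA"),),))
GOOD = (("ECDHE-RSA-AES128-GCM-SHA256", "TLSv1.2", 128), "TLSv1.2")
WEAK = (("DES-CBC-SHA", "SSLv3", 56), "TLSv1")

if __name__ == "__main__":
    print(evaluate(SAMPLE_CERT, *GOOD))   # constructed session that matches the guide
    print(evaluate(OTHER_CERT, *WEAK))    # constructed session with three findings
    # print(probe("<your-instance-host-name>"))  # placeholder: host name from onboarding
```

A certificate from an unexpected issuer on this path usually points to a TLS-inspecting proxy between the server and the internet, which is worth resolving before the data collector is installed.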

