IBM Technical Exchange India Storage User Group

Prevent security misconfigurations using IBM Storage Insights – Security Posture Dashboard

By Swanand Gadre posted 9 days ago

What is Security Misconfiguration?
Security misconfiguration appears in the OWASP Top 10 (2021) list of critical security risks to web applications. Securing a product usually requires multiple parameters to be assigned specific values, guided by the product documentation and the target environment.
Examples of such parameters (not limited to) are minimum password length or GUI timeout. These parameters are frequently left at their default values, and the defaults are often never revised to match current security practice. For instance, the old default "Minimum Password Length" of "8" has since been revised upward, so "8" is now at best a bare minimum and is not considered secure.
Often the parameter/value assignment is skipped altogether, so the parameter remains unassigned or stays at its default value. When such values are not reviewed and reassigned to the recommended secure value, the result is a security misconfiguration.
Application to Storage Systems
Focusing on the storage area, a typical infrastructure setup has multiple types of storage devices.
Administrators go through many configuration parameters and set their values based on IBM product recommendations or organization standards.
Taking the example of "min_password_length" from IBM Storage FlashSystem further:
The min_password_length parameter specifies the minimum number of characters required in a new password. The value is in the range 6 - 64. If this parameter is set to a low value, the resulting weak passwords are vulnerable to brute-force attacks. Setting an appropriate (higher) value for "min_password_length" is therefore important from a security hardening perspective.
Please note - min_password_length is only one example. Storage devices have many parameters that need to be reviewed for security hardening.
IBM Storage Insights - Security Posture Dashboard
IBM Storage Insights has introduced a new feature, the "Security Posture Dashboard". It evaluates the security configuration of various parameters on storage devices.
Evaluation is performed with the following steps:
1. It reads the current value set for min_password_length on the device.
2. It compares this value with the recommended secure value. Recommended values are derived from the IBM Storage FlashSystem and IBM Storage DS8000 product security practice recommendations and documentation.
3. If the current value of min_password_length is "8" and the IBM product recommended secure value is "20", the evaluation result is shown as "non-compliant".
This non-compliance is with respect to the IBM product recommended secure value.
Dashboard overview

Administrators can open the tenant-level security posture dashboard via the menu -> "Security Posture". The dashboard views are prepared to help administrators prioritize.

Tenant Level Dashboard

Device Level Dashboard

Evaluation is presented at the parameter level, device level and tenant level.
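As an added example (not IBM Storage Insights code), the following Python script reproduces the evaluation steps above and the roll-up from parameter level to device and tenant level, tagging each parameter with a category label so the tenant view can be bucketed by category. The device names, the inventory values, the category names and the min_password_length threshold of 20 are constructed assumptions taken from the post's own "8 versus 20" illustration; only sshprotocol = 3 is stated by the post as the recommended value.

```python
"""Evaluate storage security parameters against recommended values and roll
the results up to device and tenant level. Added example, not IBM code; the
thresholds, category labels and inventory below are constructed."""
from dataclasses import dataclass
from typing import Callable, Dict, List


@dataclass(frozen=True)
class Rule:
    name: str
    category: str                  # illustrative category label (placeholder wording)
    check: Callable[[str], bool]   # True when the current value is compliant
    recommendation: str


@dataclass
class Finding:
    device: str
    parameter: str
    current: str
    compliant: bool
    category: str
    recommendation: str


# Illustrative threshold from the post's example ("8" vs recommended "20"); not an IBM default.
RECOMMENDED_MIN_PASSWORD_LENGTH = 20

RULES: Dict[str, Rule] = {
    "min_password_length": Rule(
        "min_password_length", "Authentication",
        lambda v: v.isdigit() and int(v) >= RECOMMENDED_MIN_PASSWORD_LENGTH,
        f"set min_password_length to {RECOMMENDED_MIN_PASSWORD_LENGTH} or higher"),
    "sshprotocol": Rule(
        "sshprotocol", "Encryption in transit",
        lambda v: v == "3",
        "set sshprotocol to 3 with chsecurity"),
}

# Constructed inventory: device name -> parameters read from the device.
INVENTORY: Dict[str, Dict[str, str]] = {
    "fs9500-a": {"min_password_length": "8", "sshprotocol": "3"},
    "fs5200-b": {"min_password_length": "24", "sshprotocol": "3"},
    "fs7300-c": {"sshprotocol": "2"},   # min_password_length never assigned
}


def evaluate_device(device: str, params: Dict[str, str]) -> List[Finding]:
    """Step 1 and 2: read each parameter and compare it with the rule."""
    findings: List[Finding] = []
    for name, rule in RULES.items():
        if name not in params:
            # An unassigned parameter is itself a misconfiguration risk: report it.
            findings.append(Finding(device, name, "<unset>", False,
                                    rule.category, rule.recommendation))
            continue
        value = params[name]
        findings.append(Finding(device, name, value, rule.check(value),
                                rule.category, rule.recommendation))
    return findings


def evaluate_tenant(inventory: Dict[str, Dict[str, str]]) -> List[Finding]:
    """Parameter-level findings for every device in the tenant."""
    return [f for dev, params in inventory.items() for f in evaluate_device(dev, params)]


def device_status(findings: List[Finding]) -> Dict[str, bool]:
    """Device level: a device is compliant only if all its parameters are."""
    status: Dict[str, bool] = {}
    for f in findings:
        status[f.device] = status.get(f.device, True) and f.compliant
    return status


def category_summary(findings: List[Finding]) -> Dict[str, Dict[str, int]]:
    """Tenant level: count compliant / non-compliant parameters per category."""
    summary: Dict[str, Dict[str, int]] = {}
    for f in findings:
        bucket = summary.setdefault(f.category, {"compliant": 0, "non-compliant": 0})
        bucket["compliant" if f.compliant else "non-compliant"] += 1
    return summary


if __name__ == "__main__":
    results = evaluate_tenant(INVENTORY)
    for f in results:
        state = "compliant" if f.compliant else f"non-compliant -> {f.recommendation}"
        print(f"{f.device:10} {f.parameter:20} {f.current:8} {state}")
    print("device status:", device_status(results))
    print("by category:", category_summary(results))
```

The same structure generalizes to any number of parameters: each new rule is one entry in RULES, and the device and tenant roll-ups stay unchanged.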

Security Categories and NIST

All the parameters considered for evaluation are associated with categories. The list of categories is taken from "NIST SP 800-209 Security Guidelines for Storage Infrastructure".

This view shows the categories and storage systems together with the corresponding bucket for each.
It is expected to help with compliance and audit reporting, especially where categories are defined based on the NIST SP 800-209 standard.

Reference -> https://csrc.nist.gov/pubs/sp/800/209/final

Please note - the current implementation follows the NIST guidelines when associating parameters with categories, as described in the tables below.

IBM Storage FlashSystem and IBM Storage DS8000 Storage Devices

The IBM Storage Insights security posture dashboard now monitors IBM Storage FlashSystem and IBM Storage DS8000 parameters as part of security posture monitoring.

Described below are two example parameters, one from IBM Storage FlashSystem and one from IBM Storage DS8000. They show how the "IBM Storage Insights - Security Posture Dashboard" feature evaluates a parameter, reports a violation, and gives an actionable recommendation for the value.

Example of IBM Storage FlashSystem parameter

sshprotocol - Specifies the current security level for SSH. It accepts the numeric values 1, 2, and 3.
Each value determines which key exchange methods are allowed during SSH communication.

The default and recommended value for this parameter is "3".

If a user sets a value lower than 3, weaker key exchange methods are allowed, which may result in sensitive data exposure, key leakage, broken authentication, insecure sessions, and spoofing attacks.

If non-compliance is reported for this parameter, the sshprotocol value needs to be set to "3".

Users can log in to the corresponding storage system and set the value of sshprotocol to 3 (the IBM product recommended value) using the chsecurity command.

Refer:
https://www.ibm.com/docs/en/flashsystem-9x00/8.7.x_cd?topic=commands-chsecurity
https://www.ibm.com/docs/en/flashsystem-5x00/8.6.0?topic=commands-lssecurity

Example of IBM Storage DS8000 parameter

showioport - The showioport command displays the properties of an I/O port. It can optionally display the performance metrics for a specific I/O port, or the Read Diagnostic Parameters (RDP) for a local port and an attached port.

The recommendation is: if port security is enabled on at least one FICON port, the system is reported as "compliant".

If security is not enabled for the specified I/O port, that port allows insecure communication.

Reference
https://www.ibm.com/docs/en/ds8000/10.0?topic=commands-showioport
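The two checks described above, sshprotocol on IBM Storage FlashSystem and FICON port security on IBM Storage DS8000, as an added Python example that is not IBM code. The two sample outputs are constructed for this example and only loosely resemble an lssecurity and a showioport listing; the real commands' output layouts and the field names used on the port blocks (ID, Type, Security) are assumptions, and the "not-applicable" verdict for a system with no FICON ports is a design choice of the example rather than dashboard behaviour described in the post.

```python
"""Turn two constructed CLI listings into compliance findings with a
remediation hint. Added example, not IBM code; the listing formats below are
constructed and do not reproduce real lssecurity / showioport output."""
import re
from typing import Dict, List, Tuple

# Constructed sample resembling a 'name value' listing from a FlashSystem.
LSSECURITY_SAMPLE = """\
sshprotocol 2
min_password_length 8
gui_timeout 30
"""

# Constructed sample: one property block per I/O port, separated by blank lines.
SHOWIOPORT_SAMPLE = """\
ID I0010
Type FICON
Security Disabled

ID I0011
Type FICON
Security Enabled

ID I0020
Type FC
Security Disabled
"""


def parse_name_value(text: str) -> Dict[str, str]:
    """Parse 'name value' lines into a dict; blank lines are ignored."""
    params: Dict[str, str] = {}
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        name, _, value = line.partition(" ")
        params[name] = value.strip()
    return params


def parse_port_blocks(text: str) -> List[Dict[str, str]]:
    """Split blank-line-separated port blocks, each parsed as name/value pairs."""
    blocks = re.split(r"\n\s*\n", text.strip())
    return [parse_name_value(b) for b in blocks if b.strip()]


def check_sshprotocol(params: Dict[str, str]) -> Tuple[str, str]:
    """FlashSystem rule from the post: sshprotocol must be 3."""
    value = params.get("sshprotocol")
    if value == "3":
        return "compliant", "sshprotocol is 3 (recommended value)"
    return "non-compliant", f"sshprotocol is {value!r}; set it to 3 using chsecurity"


def check_ficon_port_security(ports: List[Dict[str, str]]) -> Tuple[str, str]:
    """DS8000 rule from the post: compliant if at least one FICON port has security enabled."""
    ficon = [p for p in ports if p.get("Type", "").upper() == "FICON"]
    if not ficon:
        # Example's own choice: the rule cannot be applied without FICON ports.
        return "not-applicable", "no FICON ports found"
    secured = [p["ID"] for p in ficon if p.get("Security", "").lower() == "enabled"]
    if secured:
        return "compliant", "port security enabled on " + ", ".join(secured)
    unsecured = ", ".join(p["ID"] for p in ficon)
    return "non-compliant", f"port security disabled on all FICON ports ({unsecured}); enable it on at least one"


if __name__ == "__main__":
    print("sshprotocol:", check_sshprotocol(parse_name_value(LSSECURITY_SAMPLE)))
    print("FICON ports:", check_ficon_port_security(parse_port_blocks(SHOWIOPORT_SAMPLE)))
```

Each check returns a verdict plus the text an administrator would act on, which is the shape the dashboard's "violation plus recommendation" reporting takes; feeding the functions real command output only requires replacing the two parsers.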

Summary

Administrators work with an array of storage devices. Each device is configured with specific parameters, and it is challenging to keep track of all the security parameters.
All the security parameters need to be reviewed periodically, and corrections must be made where security gaps are identified.

The Security Posture Dashboard provides a single-pane view of security parameters across devices.
It helps in addressing security misconfiguration and in building and maintaining a secure storage infrastructure.

For a comprehensive overview of the security and compliance posture of your storage systems, refer to:

https://www.youtube.com/watch?v=nYZGnmWRxVc

References

https://owasp.org/www-project-top-ten/

https://gdpr-info.eu/art-32-gdpr/

https://www.hhs.gov/hipaa/for-professionals/security/laws-regulations/index.html

https://csrc.nist.gov/pubs/sp/800/209/final

https://www.ibm.com/docs/bg/storage-insights

https://www.ibm.com/docs/bg/storage-insights?topic=dashboards-security-posture-dashboard

https://www.ibm.com/it-infrastructure/storage/storage-insights/register/
