Storage environments comes in all shapes and sizes. Some are distributed across the world in multiple data centers, while others are more consolidated into one or two sites. Different storage architectures and tiers can be in the mix and working together, such as object, block, and file storage systems, and Flash and HDD-based arrays. Fabrics and switches also help connect devices and keep the flow of data running smoothly.
A critical requirement for these environments is the need to protect the data that is stored in them. In an unparalleled time of global connectivity and proliferation of cloud services and IoT devices into every aspect of business, the threat of cyber crimes is ever present. Organizations must safeguard their data -- and metadata -- diligently, protecting against breaches that can harm their operations and customers and erode public trust.
IBM® Storage Insights plays a pivotal role in the operation of your storage environment by analyzing its configuration, capacity, and performance. It connects to your devices and communicates with IBM Cloud so you can get actionable insights in minutes with deeper insights delivered over time as intelligence about your environment increases.
The ability of IBM Storage Insights to identify and troubleshoot storage problems
before they impact your business includes the responsibility of being a
secure part of your organization.
Security and privacy by design
Security and Privacy by Design (SPbD) at IBM is an agile set of focused security and privacy practices, including threat models, privacy assessments, security testing, and vulnerability management.
Because IBM Storage Insights is a cloud-based service, the security of the connection between it and your storage environment is paramount. For us, that meant using SPbD to build in security measures starting at the foundation and carrying it up through every aspect of the service.
Security wasn't something we just tacked on during development, but was and is
baked into the design and DNA of IBM Storage Insights:
ISO/IEC 27001/27017/27018/27701 ISM certified
Communication is one way, encrypted and compressed
Metadata at rest is AES 256-bit encrypted
Metadata streamed to IBM Cloud is 128-bit encrypted
Only metadata about your storage is collected
Personal, identity, and application data are never accessed
HIPAA / Blue Diamond ready
Dedicated vulnerability tracking and threat response team (IBM PSIRT)
EU-US Privacy Shield and Swiss-US Privacy Shield Framework
Meets the requirements of GDPR
in the security of IBM Storage Insights is an important factor when organizations consider deploying the service within their environments. Understanding more about the security measures that we build in can help address the concerns that you might have and gain the trust that you need to use it with peace of mind.
What is metadata and how is it used?
Metadata is the information that IBM Storage Insights collects about your storage devices and environment. This information includes configuration properties, device statuses, and over 100 capacity and performance metrics. Diagnostic data is also collected into log packages and added to support tickets.
IBM Storage Insights analyzes this metadata to help you identify problems with your storage before they impact your business. Performance bottlenecks, capacity usage and shortages, loss of connectivity or access to devices, and configuration issues are just a few of the things that metadata can spotlight.
The data on your storage devices is never viewed or accessed by IBM Storage Insights;
only the metadata about devices is collected.
For more information about the metadata that IBM Storage Insights collects, check out https://www.ibm.com/docs/en/storage-insights?topic=security-what-types-metadata-are-collected.
How is metadata protected?
To transform the metadata into insights, it's forwarded for analysis and storage from your organization to the IBM Cloud® data center (located in Washington, D.C.).
Metadata is never stored locally and is encrypted with 128-bit encryption while streaming
and 256-bit encryption while at rest.
To keep the metadata package safe on its journey to the cloud, IBM Storage Insights uses Hypertext Transfer Protocol Secure (HTTPS), which encrypts the metadata and sends the metadata package through a secure channel to the IBM Cloud data center.
At the gateway, or reverse proxy gateway, the metadata package gets instructions to deliver the package to your IBM Storage Insights service. Only data collectors that are associated with your service can collect and deliver metadata about your storage environment.
When the metadata package is delivered, the metadata is decrypted, analyzed, and stored.
From your data center to the internet
Metadata is collected by a light-weight application or "data collector" that is installed on a server in your data center. Protecting the communication between the data collector in your network and IBM Storage Insights in IBM Cloud is a key building block for delivering on the promise of foundational security:
Communication with other entities, such as storage systems in the local data center and the IBM Storage Insights service in the IBM Cloud data center are initiated solely by the data collector. The data collector does not provide any remote APIs that might be used to interact with the data collector.
Data collectors use prepackaged commands and code from IBM Storage Insights
to run pre-defined operations only. Remote code loading is not possible.
Communication is outbound only; data collectors can't receive data from the internet or any other entity in your network.
Here's how the one-way communication works:
- Data collectors send out a request for work.
- IBM Storage Insights responds with data collection requests.
- Data collectors communicate with your storage devices or start log collections.
After you sign up for IBM Storage Insights, you're provided with a unique host name and port number for IBM Storage Insights. To secure the outbound communication between the data collector and IBM Storage Insights at the well-defined and secure network endpoint https://insights.ibm.com:443, a Secure Sockets Layer (SSL) certificate is used. HTTPS connections use certificates issued by Cloudflare, Inc. (issuer common name "Cloudflare Inc ECC CA-3") and use TLS 1.2 and TLS 1.3 with 256-byte keys.
We're serious about protecting IBM Storage Insights against cyberattacks such as phishing, credential stuffing, and brute force attacks. Our implementation of multi-factor authentication provides an extra layer of protection between you and IBM Cloud. Requiring a second form of identification when you sign in for the first time from a device is an effective safeguard because it's not easy to obtain or duplicate by cybercriminals.
After you sign in to the service, the security of your web browser session is also important. To protect your session, you're automatically logged out after 2 hours 30 minutes of inactivity. For more security during extended use, the duration of an active login session is limited to approximately 8 hours. When you are logged out, you can log in again and pick up right where you left off.
At the IBM Cloud data center
IBM Storage Insights is hosted in IBM Cloud data centers, which comply with high physical, technical, database, and organizational security standards.
Each IBM Storage Insights service uses a local keystore that is dedicated to that instance and is password protected. The password for the keystore is generated randomly when the instance is created. The certificate in the keystore is unique to each instance and the keystore password is encrypted. The master password is kept encrypted in the service payload configuration in a secure location in IBM Cloud®.
There is only one external customer key, which is the public key that is certified by DigiCert. As part of the TLS Handshake and certificate exchange, the client (Web Browser) uses the signed certificate to verify that it is communicating with the IBM Storage Insights Pro or IBM Storage Insights gateway in IBM Cloud and that communications are not tampered with. For internal traffic, each customer's instance of IBM Storage Insights Pro or IBM Storage Insights has a unique key, which is protected with a unique, encrypted password, and which is self-signed by IBM to validate that the communication is between the customer and the customer's instance.
Key rotation: A new master key is created and added to the keystore when the
service is created and when the service is upgraded. Services are upgraded at least
once every three months, which results in an implicit key rotation of not less
than 90 days. The public key that is certified by DigiCert is updated every 2 years.
This results in end-to-end privacy and encryption for each IBM Storage Insights service.
The data centers are rigorously controlled and onsite security is provided round the clock. Access to server-rooms is limited to certified employees and security controls are vetted by third-party auditors.
See https://www.ibm.com/cloud-computing/bluemix/data-centers and https://www.ibm.com/cloud/security.
IBM Storage Insights is built with a multi-tenant SaaS architecture. Multiple SaaS instances, or tenants, are hosted from a single multi-tenant application that spans the resources of many shared servers and services.
Even though any two tenants might share common resources, the data of each tenant
is isolated to ensure any one tenant does not see the data of other tenants;
let alone even knows others exist.
In this multi-tenant SaaS architecture, IBM Storage Insights uses a virtualization technology called "containers". If you are familiar with Docker, containers is the technology behind it. The resulting container consists of just the application and a very small overhead for dependencies. The application within the container is comprised of multiple, independent micro-services based on a functional area. For example, there is one micro-service for the web server and another to process performance data. A collection of all the containers for the various micro-service applications make up the entire multi-tenant IBM Storage Insights server.
To keep track of all the IBM Storage Insights containers, Kubernetes is used as the container management tool. Kubernetes organizes containers into pods that are deployed on nodes in the cluster. Each IBM Storage Insights tenant is containerized within a Kubernetes cluster, which enables scalability, high-availability, and disaster tolerance. The Kubernetes cluster uses enterprise class IBM Cloud security, providing optimal communication and lower front-end latency to IBM Storage Insights containers and services. Additionally, back-end storage and SAN resources utilize the same enterprise class IBM Cloud security.
- On a day-to-day basis, the following security software and services are used:
- Crowdstrike EDR and Crowdstrike Prevent to protect against malware
- IBM SOS® to comply with security and regulatory requirements
- IBM Security QRadar® SIEM to store and monitor system and application logs
For more information about IBM Cloud's compliance and certifications, see https://cloud.ibm.com/docs/overview?topic=overview-security.
IBM Storage Insights uses IBM Cloud databases built on Apache Cassandra. It’s designed to power real-time applications with high availability and massive scalability. With its NoSQL workloads, a smooth and secured experience is natively integrated into the IBM Cloud. Cassandra database protects against unauthorized access, provides data resiliency, is SOC/ISO certified, and GDPR/HIPAA/PCI DSS compliant.
For more information about Cassandra's compliance and certifications, see
Access to the infrastructure and IBM Storage Insights service is controlled:
- By restricting access to the members of the DevOps team and cloud service infrastructure teams who qualify as privileged users.
- By conducting regular system health and vulnerability scans at the source code level and on the running services
- By conducting regular penetration tests. External companies conduct the penetration tests.
Who can access metadata
Access to the metadata that is collected and stored for your IBM Storage Insights service is restricted:
- To the DevOps and cloud service infrastructure teams who are responsible for the maintenance and day-to-day operation of your service.
- To IBM Support for investigating and closing support tickets and for downloading support logs to investigate issues. IBM Support has read-only access to the metadata that is collected about all your monitored devices and their internal resources.
To access the metadata in the IBM Cloud network and ensure that the connection is secure, DevOps and cloud service infrastructure teams use a secure virtual private network (VPN) connection. Access to services is only permitted from privileged user workstations, which must meet the strict security controls of IBM Security policies for production servers.
The access to metadata for DevOps and cloud service infrastructure teams is restricted:
- To the infrastructure for the cloud service
- To the operating system
- To add-on services such as agents
- To middleware components
Secure to the core
The importance of data and metadata security in storage environments cannot be overstated. It is critical that cloud applications with access to an organization's storage infrastructure are protected against breaches, unauthorized access, and other disruptive data security threats. Security measures within IBM Storage Insights perform three critical roles:
- Safeguard the operation of the data collector and communication with IBM Cloud.
- Protect the storage metadata that is collected, stored, and used.
- Ensure that cyber threats can't use IBM Storage Insights to breach an organization's network, storage infrastructure, and operations.
In 60 seconds or less, you can learn more about data collectors, the metadata that they collect, and the security around them here: https://ibm.biz/insightssecuritypage
Resources and references
IBM Storage Insights security documentation: https://www.ibm.com/docs/en/storage-insights?topic=security
IBM terms of service (search for "IBM Storage Insights Pro": https://www.ibm.com/support/customer/csol/terms/
IBM Secure Engineering Framework (SEF) and SPbD, see the IBM Redbooks® Security in Development - The IBM Secure Engineering Framework (PDF)
Internet certifications and encryption between your web browser and IBM Storage Insights and between IBM Storage Insights and data collectors: https://www.ssllabs.com/ssltest/analyze.html?d=insights.ibm.com&latest
Disabling the collection of metadata for devices that use TLS 1.0 or 1.1: https://www.ibm.com/docs/en/storage-insights?topic=didc-disabling-collection-metadata-devices-that-use-tls-10-11
How do I get IBM Storage Insights?
If you manage IBM block storage systems, but don't already have the free version of IBM Storage Insights, sign up today.
What you need to know about signing up for IBM Storage Insights:
You'll need an IBM ID. It will be your administrator account and single point of access to IBM Storage Insights. It's also used by IBM to communicate key updates, announcements, and your unique URL. Ensure that the email address associated with your IBM ID is valid and keep an eye out for important messages from IBM.
If you don't have an IBM ID, don't worry. Getting one is easy. Just complete this Create an IBM account.
To purchase a full subscription to IBM Storage Insights Pro:
- Go to the IBM Storage Insights page on ibm.com.
- Click Pricing and then Purchase now to learn about and purchase a subscription.