Consider the following scenario: What if a hacker were to take down your e-commerce site and simultaneously short your company’s stock to profit from the negative publicity? Hackers know that they can profit by attacking governments and corporations, and they are coming up with clever new schemes on a regular basis.


Or maybe these are the questions that keep you awake at night: What information are you collecting, and why? How are you processing the information, and is it secure? The European Union (EU) General Data Protection Regulation (GDPR) forces companies to know the answers to these questions. Failure to comply with GDPR could result in penalties as high as 4% of gross revenue or €20 million.


With the release of NetApp® ONTAP® 9.4, data security and privacy are at the forefront of our efforts to help you deal with the many data management challenges you now face. New features such as secure purge, protected controller reboot, and Unified Extensible Firmware Interface (UEFI) secure boot decrease your residual security risk and enable data privacy compliance.

Data Privacy and All-Flash Storage

Did you know that flash is a tricky medium when you’re dealing with data erasure? Because of the wear leveling in solid-state drives (SSDs), even if you tell a drive to overwrite a specific file, it will probably not actually overwrite that file on the drive. The operating system will believe that the information has been deleted, but the data might still exist in the memory cells on the SSD. What happens when an EU citizen exercises the GDPR “right to erasure”? How do you determine that the offending data has been purged everywhere and anywhere, including on the drive itself?


With the new secure purge capability, ONTAP can cryptographically shred individual files from SSD drives while the system remains online and the rest of the files remain intact. This capability can also be helpful for data spillage—for example, when classified data inadvertently ends up in an unclassified location. Previously, remediation operations could require weeks of downtime. But now, ONTAP provides the ability to shred a single file with zero downtime.
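The idea behind cryptographic shredding, as an added illustration (not NetApp's code, and not how ONTAP implements secure purge): every file is written under its own data key, and purging a file destroys that key instead of trying to overwrite flash cells that wear leveling may have copied elsewhere. The HMAC-SHA256 counter-mode cipher here is a stand-in for a real block cipher so the example runs with only the standard library.

```python
import hashlib
import hmac
import secrets

BLOCK = 32  # one HMAC-SHA256 output per keystream block


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative PRF-based stream cipher (stands in for AES); XOR is its own inverse."""
    out = bytearray()
    for off in range(0, len(data), BLOCK):
        pad = hmac.new(key, nonce + (off // BLOCK).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + BLOCK], pad))
    return bytes(out)


class ShreddableStore:
    """Per-file keys live in a key manager; ciphertext lives on 'media' that is never overwritten."""

    def __init__(self) -> None:
        self.media: dict[str, tuple[bytes, bytes]] = {}  # name -> (nonce, ciphertext), the SSD cells
        self.keys: dict[str, bytes] = {}                  # name -> per-file data key

    def write(self, name: str, plaintext: bytes) -> None:
        key, nonce = secrets.token_bytes(32), secrets.token_bytes(16)
        self.keys[name] = key
        self.media[name] = (nonce, keystream_xor(key, nonce, plaintext))

    def read(self, name: str) -> bytes:
        key = self.keys.get(name)
        if key is None:
            raise KeyError(f"{name}: data key destroyed, content unrecoverable")
        nonce, ciphertext = self.media[name]
        return keystream_xor(key, nonce, ciphertext)

    def secure_purge(self, name: str) -> None:
        """Shred one file online: only its key is destroyed, the media bytes stay where they are."""
        del self.keys[name]

    def residue_on_media(self, name: str) -> bytes:
        """What a forensic read of the flash cells still yields after the purge: ciphertext only."""
        return self.media[name][1]


if __name__ == "__main__":  # constructed sample files
    store = ShreddableStore()
    store.write("customer.csv", b"name,email\nalice,alice@example.org\n")
    store.write("report.txt", b"quarterly numbers")
    store.secure_purge("customer.csv")
    print(store.read("report.txt"))          # unaffected neighbour stays readable
    print(store.residue_on_media("customer.csv"))  # ciphertext remains, key is gone
```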

Data Security for Systems in Transit

If your system uses the onboard key manager, how can you keep your data secure whenever you need to ship the system and its drives from one location to another? With the new protected controller reboot feature in ONTAP 9.4, you can secure your data while shipping the entire system. Protected reboot can also simplify equipment returns. For example, at the end of a lease, you can just apply protected reboot, and the data will be inaccessible without special intervention by the original data owner.


Protected reboot can be used to render your data useless should an entire storage system ever fall into the wrong hands. Alternatively, encryption keys used for the onboard key manager can be stored on a USB device, providing the same benefits as protected reboot.

Enhanced Data Protection for Your Storage OS

How can you tell if you’re running an unmodified version of ONTAP? Previously, you’d have to manually inspect the hash, make sure it was properly signed, and compare it against the image you downloaded. Now, when you upgrade to ONTAP 9.4, the validity of the image will be checked by the cluster. No more manual inspection. And for new systems introduced starting with ONTAP 9.4, each one will perform UEFI secure boot. Every time the system boots, you’ll know it’s running genuine ONTAP.


ONTAP 9.4 provides common-sense, nondisruptive, easy-to-use security and privacy enhancements that let you focus on your business instead of worrying about your systems.


For more information on the full range of security features available in ONTAP, you can download this datasheet, read TR-4598: Security Hardening Guide for NetApp ONTAP 9, or check out this short lightboard video.


Juan Mojica

Juan Mojica is a senior product manager in the ONTAP team responsible for security, networking, and the kernel. Juan has spent his career solving customers’ problems by developing enterprise and service provider software working at Cisco, Allscripts, and NetApp. Juan has his BS and MS in computer engineering from Georgia Tech, and has his MBA from Duke’s Fuqua School of Business.
