Manualshelf

White Papers

ManualsBrandsDell ManualsConverged InfrastructureStorage Solution Resources
12345678910
Additional resources
6 Best Practices for Securing Dell EMC SC Series Storage | BP1082
2.1 Basic security features
An SC Series SAN offers a variety of mechanisms for preventing unauthorized access to administrative
access points or to storage volumes. In addition, self-encrypting drives (SEDs) are available to provide
security for data at rest.
Note: Common Criteria (CC) for IT Security Evaluation certification of SC Series storage is in process at the
time of this publication (certificate number: BSI-DSZ-CC-0847):
https://www.bsi.bund.de/EN/Topics/Certification/incertification.html
The primary security features of an SC Series SAN include the following:
Event auditing: For administrative events at DSM or Dellâ„¢ Storage Center OS (SCOS), this records the
controller, user identity and role, date, time, and outcome.
User identity and authentication: This ensures that users authenticate with proper credentials to access
administrative functions or storage volumes. Management users require a password to authenticate, Fibre
Channel initiators authenticate using their persistent WWN, and iSCSI initiators can be authenticated using
unidirectional or bidirectional CHAP.
Data access control: This prevents unauthorized access to storage volumes by requiring an explicit volume
mapping from each Fibre Channel or iSCSI initiator to each storage volume. By default, the SC Series system
blocks access to all storage volumes, a behavior known as LUN masking. Fibre Channel environments also
implement zoning for additional security.
Residual information protection: Whenever a new volume is created, SCOS does not allow a storage host
to read from unwritten areas on the volume, and newly allocated pages are zeroed before host access.
Security role management and access: This allows users to have different levels of authorization. In
addition to the administrator role for administering DSM and SCOS, there is also a restricted volume manager
role that must be granted permission to volumes, storage hosts, or disk folders. A read-only reporter role can
view all information but cannot make changes.
Reliable time stamps: Using an internal time source or an NTP server, time stamps within auditing and logs
are synchronized.
Trusted channel communication: Management traffic to SCOS and DSM is encrypted using HTTPS over
TCP port 443 and TCP port 3033.