|
| 1 | +--- |
| 2 | +title: Understand Azure NetApp Files data plane security |
| 3 | +description: Learn about the different data plane security features in Azure NetApp Files |
| 4 | +services: azure-netapp-files |
| 5 | +author: b-ahibbard |
| 6 | +ms.service: azure-netapp-files |
| 7 | +ms.topic: conceptual |
| 8 | +ms.date: 09/27/2024 |
| 9 | +ms.author: anfdocs |
| 10 | +--- |
| 11 | + |
| 12 | +# Understand Azure NetApp Files data plane security |
| 13 | + |
| 14 | +Learn about the different data plane security features in Azure NetApp Files to understand what is available to best serve your needs. |
| 15 | + |
| 16 | +## Data plane security concepts |
| 17 | + |
| 18 | +Understanding the data plane is crucial when working with Azure NetApp Files. The data plane is responsible for data storage and management operations, playing a vital role in maintaining both security and efficiency. Azure NetApp Files provides a comprehensive suite of data plane security features, including permissions management, data encryption (in-flight and at-rest), LDAP (Lightweight Directory Access Protocol) encryption, and network security to ensure secure data handling and storage. |
| 19 | + |
| 20 | +### Permissions management |
| 21 | + |
| 22 | +Azure NetApp Files secures network attached storage (NAS) data through permissions, categorized into network file permissions (NFS) and server message block (SMB) types. The first security layer is share access, limited to necessary users and groups. Share permissions, being the least restrictive, should follow a funnel logic, allowing broader access at the share level and more granular controls for underlying files and folders. |
| 23 | +Securing your NAS data in Azure NetApp Files involves managing permissions effectively. Permissions are categorized into two main types: |
| 24 | +* **Share Access Permissions**: These control who can mount a NAS volume and basic permissions for read/write. |
| 25 | +• NFS (Network File System) exports: Uses IP addresses or hostnames to control access. |
| 26 | +• SMB (Server Message Block) shares: Uses user and group access control lists (ACLs). |
| 27 | +2. File Access Permissions: These determine what users and groups can do once a NAS volume is mounted. |
| 28 | +• Applied to individual files and folders. |
| 29 | +• More granular than share permissions. |
| 30 | + |
| 31 | +Details on Share Access Permissions |
| 32 | +• NFS Export Policies: |
| 33 | +o Volumes are shared out to NFS clients by exporting a path accessible to a client or set of clients. |
| 34 | +o Access is controlled via export policies, which are containers for a set of access rules listed in order of desired access. Higher priority rules get read and applied first and subsequent rules for a client are ignored. |
| 35 | +o Rules use client IP addresses or subnets to control access. If a client is not listed in an export policy rule, it cannot mount the NFS export. |
| 36 | +o Export policies control how the root user is presented to a client. If the root user is “squashed” (Root Access = Off) then root for clients in that rule is resolved as the anonymous UID 65534. |
| 37 | +• SMB Shares: |
| 38 | +o Access is controlled via user and group ACLs. |
| 39 | +o Permissions can include read, change, and full control. |
| 40 | + |
| 41 | +For a detailed understanding of share access permissions, see [Understand NAS share permissions in Azure NetApp Files](network-attached-storage-permissions.md). |
| 42 | + |
| 43 | +Details on File Access Permissions |
| 44 | +• SMB File Permissions: |
| 45 | +o Attributes include read, write, delete, change permissions, and take ownership and more granular permissions supported by Windows. See the links below for details. |
| 46 | +o Permissions can be inherited from parent folders to child objects. |
| 47 | +• NFS File Permissions: |
| 48 | +o NFSv3 and NFSv4.x use traditional UNIX file permissions that are represented by mode bits. . |
| 49 | +o NFSv4.1 also supports advanced permissionsusing NFSV4.1ACLs (Access Control Lists). |
| 50 | +For more information on file access permissions please see, Understand NAS file permissions in Azure NetApp Files, and Understand SMB file permissions in Azure NetApp Files. |
| 51 | + |
| 52 | +Permission Inheritance |
| 53 | +Permission inheritance allows a parent folder to automatically apply its permissions to all its child objects, including files and subdirectories. This means that when you set permissions on a parent directory, those same permissions will be inherited by any new files and subdirectories created within it. |
| 54 | +• SMB: |
| 55 | +o Controlled in the advanced permission view. |
| 56 | +o Inheritance flags can be set to propagate permissions from parent folders to child objects. |
| 57 | +• NFS: |
| 58 | +o NFSv3 uses umask and setgid flags to mimic inheritance. |
| 59 | +o NFSv4.1 uses inheritance flags on ACLs. |
| 60 | +For more details on permission inheritance, refer to Understand NAS file permissions in Azure NetApp Files, Understand NFS mode bits in Azure NetApp Files, and Understand NFSv4.x access control lists in Azure NetApp Files. |
| 61 | + |
| 62 | +Important Considerations |
| 63 | +• Most Restrictive Permissions Apply: When conflicting permissions are present, the most restrictive permission takes precedence. For instance, if a user has read-only access at the share level but full control at the file level, the user will only have read-only access. |
| 64 | +• Funnel Logic: Share permissions should be more permissive than those at the file and folder level, allowing for more granular and restrictive controls at the file level. |
| 65 | + |
| 66 | +Data Encryption in transit |
| 67 | +Azure NetApp Files encryption in transit refers to the protection of data as it moves between your client and the Azure NetApp Files service. This ensures that data is secure and cannot be intercepted or read by unauthorized parties during transmission. |
| 68 | +Protocols and Encryption Methods: |
| 69 | +NFSv4.1: Supports encryption using Kerberos with AES-256 encryption. This ensures that data transferred between NFS clients and Azure NetApp Files volume is secure. |
| 70 | +• Kerberos Modes: Azure NetApp Files supports Kerberos encryption modes such as krb5, krb5i, and krb5p. These modes provide various levels of security, with krb5p offering the highest level of protection by encrypting both the data and the integrity checks. |
| 71 | +For more information on NFSv4.1 encryption please see, Understand Data Encryption in Azure NetApp Files and Configure NFSv4.1 Kerberos encryption for Azure NetApp Files. |
| 72 | + |
| 73 | +SMB3: Supports encryption using AES-CCM and AES-GCM algorithms, providing secure data transfer over the network. |
| 74 | + |
| 75 | +• End-to-End Encryption: SMB encryption is conducted end-to-end, meaning the entire SMB conversation is encrypted. This includes all data packets exchanged between the client and the server. |
| 76 | +• Encryption Algorithms: Azure NetApp Files supports AES-256-GCM, AES-128-CCM cryptographic suites for SMB encryption. These algorithms provide robust security for data in transit. |
| 77 | +• Protocol Versions: SMB encryption is available with SMB 3.x protocol versions. This ensures compatibility with modern encryption standards and provides enhanced security features. |
| 78 | +For more information on SMB encryption, please see Understand data encryption in Azure NetApp Files. |
| 79 | + |
| 80 | +Data Encryption at rest |
| 81 | +Encryption at rest protects your data while it is stored on disk, ensuring that even if the physical storage media is accessed by unauthorized individuals, the data remains unreadable without the proper decryption keys. |
| 82 | +Types of Encryption at Rest: |
| 83 | +1. Single Encryption: Uses software-based encryption to protect data at rest. Azure NetApp Files employs AES-256 encryption keys, which are compliant with FIPS (Federal Information Processing Standards) 140-2 standard. |
| 84 | +2. Double Encryption: Provides two levels of encryption protection: both a hardware-based encryption layer (encrypted SSD drives) and a software-encryption layer. The hardware-based encryption layer resides at the physical storage level, using FIPS 140-2 certified drives. The software-based encryption layer is at the volume level completing the second level of encryption protection. |
| 85 | +For more information on data encryption at rest, please see Understand data encryption in Azure NetApp Files and Azure NetApp Files double encryption at rest. |
| 86 | + |
| 87 | +Key Management |
| 88 | +The data plane manages the encryption keys used to encrypt and decrypt data. These keys can be either platform-managed or customer-managed: |
| 89 | +• Platform-Managed Keys: Automatically managed by Azure, ensuring secure storage and rotation of keys. |
| 90 | +• Customer-Managed Keys: Stored in Azure Key Vault, allowing you to manage the lifecycle, usage permissions, and auditing of your encryption keys. |
| 91 | +For more information about Azure NetApp Files key management, please see How are encryption keys managed or Configure customer-managed keys for Azure NetApp Files Volume Encryption. |
| 92 | +LDAP Encryption |
| 93 | +LDAP encryption at the data plane layer ensures secure communication between clients and the LDAP server. Here is how it operates in Azure NetApp Files: |
| 94 | + |
| 95 | +1. Encryption Methods: LDAP traffic can be encrypted using TLS (Transport Layer Security) or LDAP signing. TLS encrypts the entire communications channels, while LDAP signing ensures the integrity of the messages by adding a digital signature. |
| 96 | +2. TLS (Transport Layer Security) Configuration: LDAP over StartTLS uses port 389 for the LDAP connection. After the initial LDAP connection has been made, a StartTLS OID is exchanged, and certificates are compared; then all LDAP traffic is encrypted by using TLS.LDAP Signing: This method adds a layer of security by signing LDAP messages with AES encryption, which helps in verifying the authenticity and integrity of the data being transmitted. |
| 97 | +3. Integration with Active Directory: Azure NetApp Files supports integration with Active Directory, which can be configured to use these encryption methods to secure LDAP communications. Currently, only Active Directory can be used for LDAP services. |
| 98 | +For more information on LDAP, please see Understand the use of LDAP with Azure NetApp Files. |
| 99 | + |
| 100 | +Network Security |
| 101 | + |
| 102 | +Securing your data with Azure NetApp Files involves employing multiple layers of protection. Leveraging Private Endpoints and Network Security Groups (NSGs) is essential to ensuring that your data remains secure within your virtual network and is accessible only to authorized traffic. This combined approach offers a comprehensive security strategy to safeguard your data against potential threats. |
| 103 | + |
| 104 | +Private Endpoints |
| 105 | +Private Endpoints are specialized network interfaces that facilitate a secure and private connection to Azure services via Azure Private Link. They utilize a private IP address within your virtual network, effectively integrating the service into your network's internal structure. |
| 106 | + |
| 107 | +Security Benefits: |
| 108 | +• Isolation: Private Endpoints ensure that Azure NetApp Files traffic stays within your virtual network, away from the public internet. This isolation minimizes the risk of exposure to external threats. |
| 109 | +• Access Control: You can enforce access policies for your Azure NetApp Files volumes by configuring network security rules on the subnet associated with the private endpoint. This control ensures that only authorized traffic can interact with your data. |
| 110 | +• Compliance: Private Endpoints support regulatory compliance by preventing data traffic from traversing the public internet, adhering to requirements for the secure handling of sensitive data. |
| 111 | + |
| 112 | +Network Security Groups (NSGs) |
| 113 | +Network Security Groups (NSGs) are collections of security rules that govern inbound and outbound traffic to network interfaces, virtual machines (VMs), and subnets within Azure. These rules are instrumental in defining the access controls and traffic patterns within your network. NSGs are only supported when using the standard network feature in Azure NetApp Files. |
| 114 | + |
| 115 | +Security Benefits: |
| 116 | +• Traffic Filtering: NSGs enable the creation of granular traffic filtering rules based on source and destination IP addresses, ports, and protocols. This ensures that only permitted traffic can reach your Azure NetApp Files volumes. |
| 117 | +• Segmentation: By applying NSGs to the subnets housing your Azure NetApp Files volumes, you can segment and isolate network traffic, effectively reducing the attack surface and enhancing overall security. |
| 118 | +• Monitoring and Logging: NSGs offer monitoring and logging capabilities through Network Security Group Flow Logs. These logs are critical for tracking traffic patterns, detecting potential security threats, and ensuring compliance with security policies. |
| 119 | + |
| 120 | +For further details, please refer to the documentation on Network Security Groups and Private Endpoints. |
| 121 | + |
| 122 | +Next Steps |
| 123 | +To learn more, see: |
| 124 | +• Understand NAS share permissions in Azure NetApp Files |
| 125 | +• Understand NAS protocols in Azure NetApp Files |
| 126 | +• Understand data encryption in Azure NetApp Files |
| 127 | +• Security FAQs for Azure NetApp Files |
| 128 | +• Guidelines for Azure NetApp Files Network Planning |
| 129 | + |
| 130 | + |
0 commit comments