How to Use Qumulo’s Preventive Controls Against Malware is the second of a four-part series designed to help you take advantage of the security controls and data protection capabilities in Qumulo’s file data platform, as well as share security best practices.
The Qumulo File Data Platform is built to minimize the risk surface of an attack efficiently. In the first blog of this series, I introduced the security architecture. Now we’ll focus on the key preventive controls.
Locked-down Linux version
Qumulo is a software-defined file data platform, which is built to run on a current version of ubuntu Linux. The underlying Linux operating system is locked down in order to allow only operations needed to perform the tasks of the file system. Many other standard Linux services are disabled to reduce the risk surface for an attack.
User space application
Qumulo’s File Data Platform is completely built as a user-space application. This has many advantages, those related to preventive controls are as follows:
- No direct data access on Qumulo nodes. Even if an attacker acquired local root user privileges and access, there is no way to access your data on the nodes directly. This is different from other storage vendors’ implementations where an admin user on the nodes can access and manipulate all data locally. Accessing data through SMB or NFS would require additional software to be installed on the node. (API data access might still be possible, but would require an access token for API data access for non-root users, just like accessing the data remotely via API).
- Fully developed native protocol stack:There are no third-party or open source components used (such as Ganesha, Samba, or the like) to implement the data access protocols. Qumulo develops and controls every single line of code for all data access protocols. Risks that might surface because of known vulnerabilities in third-party components is low or zero since Qumulo controls all code.
- Level of separation from OS: No means of sharing users or privileges with the underlying OS. Users in the underlying Linux OS are “unknown” to Qumulo. Qumulo’s users are typically maintained in Active Directory or a local database but are not shared with the underlying OS.
- Secure coding practices: Qumulo software is developed following secure coding best practices, this further reduces the surface attacks and the risk of exploitable vulnerabilities. Even if an operating system vulnerability is found and exploited, the attacker would get user privileges but won’t be able to access data.
Qumulo’s upgrade process is very simple and thus allows us to ship new code every two weeks. That not only allows for rapid innovation but also improved security. Security fixes for Qumulo, as well as the underlying OS, are shipped automatically with the bi-weekly new version if required. If a reactive patch is required, it can be made available even faster using Qumulo’s accelerated release for these situations.
Our releases are periodically tested using Qualys Vulnerability Manager, which is recognized by the security community as one of the best vulnerability assessment tools.
Role-based access control
Role-based access control (RBAC) allows admins to assign fine-grained privileges to regular users or groups and to alleviate their privileges where needed while keeping them as minimal as possible. This allows delegating tasks in a secure way away from the admin. Together with the Qumulo Auditing feature, it allows us to deploy a very controlled and secure management framework.
There are currently three predefined roles:
- Administrators: Qumulo Administrators will have full access and control of the cluster.
- Data-Administrators: the Data-Administrator’s role is ideal for API/CLI users. With this role, a user or group will not have access to the Web UI but will have the same file privileges as the Administrators role along with some others
- Observers: with the Observers role, a user or group will have the privilege to access the Web UI and read-only APIs with a few exceptions (debug APIs and authentication settings).
For more detailed information on Qumulo’s RBAC functionality, refer to Role-Based Access Control (RBAC) with Qumulo Core.
Qumulo supports Intelligent Quotas which ensures that every quota is a policy that executes a set of real-time queries. Intelligent quotas can be enforced immediately, unlike traditional systems that require tree walking of the entire directory structure and can take days to complete. The benefits of this approach include real-time diagnosis and enforcement of rogue applications and users, along with real-time visibility showing how the storage is allocated at any given point in time.
From the security perspective, Intelligent Quotas reduce the impact of potential malware from writing unlimited data to the file system. Also, if suspicious behavior is detected, setting the quota to 0 will stop all writes to a directory immediately.
Hiding SMB shares from unauthorized users
Qumulo allows hiding SMB Shares from unauthorized users. Mounting the share requires explicit knowledge of the share path to block potential intruders from browsing shares. In addition, access-based enumeration can be enabled for every share. By doing so, only the files and folders that a user has permission to access will be displayed to that user. If a user does not have read or equivalent permissions for a folder, the folder is hidden from the user’s view.
Host restrictions by client IP address range provide a good way to reduce risk surface by limiting share/export access to specific hosts, independent of the User/Group permissions of that share. This control is currently available for both SMBv3 and NFSv3.
Different address ranges may be granted full, read-only, or no access, depending on the needs of your deployment. Host permissions interact with user/group share permissions and file permissions on a “least privilege” basis, which means that in order for a privilege to be granted for a particular file, the file permissions, share user permissions, and share host permissions must all permit it.
SMB host restrictions by client IP address range are not part of the SMB protocol. By implementing this functionality Qumulo provides an additional layer of SMB security.
SMB3 encryption with Qumulo Core
With Qumulo support for SMB3 encryption, a cluster-wide level or a per-share level encryption can be enabled. Depending on your environment and workflow, you can configure per-share level encryption instead of the cluster-wide setting so that a client can use encryption against a single share that requires it and connect to a share that does not in the same session.
At-rest data encryption
Qumulo Core’s software-based encryption provides complete encryption of file data by securing data at rest for all on-prem clusters created with Qumulo Core 3.1.5 and above. Keys are used to encrypt data, as well as to encrypt data keys themselves. A master key is utilized and stored on every boot drive in the cluster in a file that only root can access for an extra layer of security in order to encrypt a data key that decrypts the data itself. That way your data is protected from potential threats such as stolen disks or malicious actors in the supply chain who obtain decommissioned disks.
These are Qumulo’s preventive security controls against malware. In blog three of this series, we’ll discuss Qumulo’s detective controls.
Blog 1 of 4: Introduction to Qumulo Security Architecture and Best Practices
See how Qumulo’s data services help you manage and protect massive amounts of file data.
Take a test drive. Demo Qumulo in our interactive Hands-On Labs.
Subscribe to the Qumulo blog for customer stories, technical insights, industry trends and product news.
Stefan Radtke, Field CTO EMEA, has spent his career working in technology and is the principal evangelist of universal-scale storage for Qumulo. He started as employee #1 in EMEA in 2017 as Technical Director where he built a fantastic multi-national technical team. Recently he took over the role of the Field CTO and he is now focusing on building a strong technical team for Cloud Q. He’s a certified AWS Solution Architect Professional and Azure Solution Architect Expert.