Quantum STORAGECARE GUARDIAN SECURITY WHITE PAPER User Manual

StorageCare™ Guardian Security
WHITE PAPER
Notice
This White Paper may contain proprietary information protected by copyright. Information in this White Paper is subject to change without notice and does not represent a commitment on the part of Quantum. Although using sources deemed to be reliable, Quantum assumes no liability for any inaccuracies that may be contained in this White Paper.
No part of this document may be reproduced or transmitted in any form or by any means, electronic or mechanical, including photocopying, recording, or information storage and retrieval systems, for any purpose other than the purchaser’s personal use, without the express written permission of Quantum.
This paper is not intended as legal advice on the regulations driving compliance. Quantum recommends that customers seek qualified expert advice to ensure certifiable compliance.
©2006 Quantum Corporation. All rights reserved. Quantum, the Quantum logo, DLT, DLTtape and the DLTtape logo are registered trademarks of Quantum Corporation, registered in the U.S., and other countries. The DLT logo, Backup. Recovery. Archive. It’s What We Do., DLTSage, Dynamic Powerdown, FastSense, FlexLink, GoVault, MediaShield, Optyon, Pocket-sized. Well-armored, SiteCare, SmartVerify, StorageCare, SiteCare, Super DLTtape, and SuperLoader are trademarks of Quantum. LTO and Ultrium are trademarks of HP, IBM and Quantum in the U.S. and other countries. All other trademarks are the property of their respective companies. Specifications are subject to change without notice.
Purpose of this Document
Network and information security is a primary concern for today’s IT professionals. This document outlines the security features of StorageCare Guardian, Quantum’s proactive remote support solution. As you will see, StorageCare Guardian is a comprehensive solution that adds great value to your Quantum hardware purchase, while preserving the security of your critical information assets.
StorageCare Guardian Overview
StorageCare Guardian is a remote monitoring and diagnostic solution that enables Quantum to proactively monitor the health of Quantum systems over a secure Internet connection. It also allows Quantum to use intelligent diagnostics data to remotely service the equipment if issues arise. With StorageCare Guardian, Quantum customers can benefit from highly reliable backups and faster resolution time.
StorageCare Guardian’s proactive monitoring and analysis capabilities allow error conditions to be discovered immediately to help prevent outages or failures. As soon as a problem occurs or is impending, Quantum support or a Quantum Authorized Service Provider is immediately notified via e-mail. This allows proactive diagnosis of the issue. If part replacements are necessary, the appropriate parts are identified and can accompany the service engineer upon arrival, saving the customer from the inconvenience of multiple site visits. This proactive monitoring and alerting capability greatly increases the overall reliability of the Quantum product.
StorageCare Guardian compresses the interval between when a problem occurs and when it is discovered. It also shortens the time between when a support case is opened and when the issue is resolved. StorageCare Guardian’s remote support capabilities can even avoid some on-site visits altogether, cutting downtime to a minimum.
StorageCare Guardian Architecture
[Diagram: 1. Customer Site (StorageCare Guardian Agent); 2. Quantum Back-End Servers]
The StorageCare Guardian system consists of two components: the Guardian agent software that runs on a Windows, Solaris or Linux server at the customer site, and the Quantum enterprise servers and applications that provide access to the information provided by the agents.
The StorageCare Guardian agent software at the customer site (#1 in the diagram above) communicates with the Quantum devices at the customer site on a regular basis, checking the status of key data elements that provide a picture of the health of the devices. Additionally, the agent periodically communicates with the Quantum back-end servers (#2 in the diagram above), where a suite of applications provide access to the real-time representation of the device at the customer site. The back-end applications allow Quantum support and Quantum Authorized Service Providers to:
• View real-time device status
• View system configuration
• Gather diagnostic data (event logs, error logs)
• On customer approval, connect directly to the web management and/or telnet management interface of the device
StorageCare Guardian does much more than display raw information collected from the Quantum device at the customer site; it also allows for intelligent rules and parsing routines to be applied to the collected data. For instance, a rule can be created to trigger an alarm when a drive on a DX100 fails, when the voltage on a PX502 power supply falls out of limits, or when the temperature sensor of a PX720 reaches a maximum threshold. Collected drive logs and TapeAlert events can be parsed for indicators of a bad tape drive or media cartridge. This additional level of intelligence and analytic capability is one of the most powerful elements of Quantum’s StorageCare Guardian solution.
System Requirements
The simple requirements for the server where the StorageCare Guardian agent will be installed are as follows:
• Microsoft Windows 2000, Windows 2003 Server, Windows XP, Sun Solaris 8, Solaris 9 or Red Hat Enterprise Linux version 3 or 4 operating system
• Web connectivity to managed Quantum devices (i.e., can open a web connection to the Quantum device’s web management interface)
• Web connectivity to the Internet (i.e., can open a web connection to http://www.quantum.com)
• Stable system (i.e. a server in a data center that is up almost all of the time)
• DNS properly configured (can resolve DNS names to TCP/IP addresses)
The StorageCare Guardian agent software utilizes only a few percent of a typical system’s CPU - even when actively collecting data from multiple Quantum devices. In addition, very little network bandwidth is used on the local area network, and even less bandwidth is required for sending to Quantum (only changes are sent), so added network traffic need not be a concern.
Key Security Features
StorageCare Guardian was designed from the ground up to be completely secure, providing best-in-class support capability with no changes required to your existing network or security infrastructure. The sections below provide more detail on the following information security topics:
• Network Security
• Data Security
• Access Control
• Best-in-Class Security
• Enterprise Server Security
Network Security
StorageCare Guardian leverages your existing network and security infrastructure. No changes are required in order for the StorageCare Guardian agent software to work. As long as the server designated to act as the Guardian agent can communicate with the Quantum devices and open an outbound connection to the Internet, StorageCare Guardian will provide the security necessary to protect your information assets.
The StorageCare Guardian agent server does not require a visible TCP/IP address. This is because Quantum will never initiate a connection to the StorageCare Guardian agent server at your site (this would be stopped by your firewall in any case). Rather, the StorageCare Guardian agent initiates all communications with the Quantum back-end servers. The Guardian agent communicates with only a single Quantum Enterprise server, and will respond only to messages from the Quantum Enterprise server after it has initiated the connection.
Communications on the local area network use TCP port 80 or 443, depending on the settings of the Quantum device. Port 80 is used by default; if the device has SSL enabled, port 443 is used. All communications between the agent and the Quantum Enterprise server are sent via secure HTTP (port 443) and are 128-bit SSL encrypted. In addition, trusted digital certificates (obtained through VeriSign) protect both ends of the connection from unauthorized access. Messages sent from the agent to the Enterprise server are XML via secure HTTP, while responses from the Quantum Enterprise server are SOAP (Simple Object Access Protocol) via secure HTTP.
As mentioned previously, StorageCare Guardian sends only changes to the Quantum Enterprise server. This minimizes the actual traffic between the customer site and Quantum. Once every 5 minutes, StorageCare Guardian connects to the Quantum device(s) via the web management interface and collects a snapshot of information. This snapshot is compared to the previous one for that device, and any changes are sent as updates to the Quantum Enterprise server. On a separate schedule, once each minute, the agent also sends a small message to Quantum as a form of “heartbeat” to show that the agent is active. It is these messages that enable Quantum support personnel to queue a request to the agent software for up-to-date information, for instance an error log or event log. The next time the agent “checks in”, the request is delivered, and depending on the Policy Manager settings for the agent, will either be granted or denied at the agent level. Policy Manager will be discussed in greater detail in the Access Control section of this document.
Data Security
One of the most common concerns customers raise regarding StorageCare Guardian is the security of the data stored on the Quantum device. The good news is, StorageCare Guardian does not impact the backup process, data, or other IT processes in general in any way.
A key design element of StorageCare Guardian is that only the web management interface of the Quantum device is used to collect the device data. There is no in-band (i.e. SCSI, Fibre Channel or iSCSI) communication from the StorageCare Guardian agent software to the Quantum device. This solution has several key benefits in terms of data security – not only can we assure our customers that StorageCare Guardian will never conflict with backup software in any way, but we also can say with confidence that we have no access to the data stored on the Quantum device! There are no actions that can be taken via StorageCare Guardian that would enable your data to be read or overwritten. In fact, by default only programmatic (pre-scripted, software-controlled) access is possible to the device; no human access is available to Quantum support personnel without direct customer intervention. This protects not only your storage assets (i.e. we cannot reboot your library or take it off-line without your approval) but also Quantum.
Everything that Quantum support personnel need to determine the health of the Quantum device at the customer site is available within the StorageCare Guardian back-end applications. These applications show a representation of the device, and allow support personnel to view status and configuration, review log files, etc. without the need to actually connect “live” to the device. Should the need arise for Quantum support personnel to gain real-time access to the device, the customer can, at their discretion, enable access by support personnel to the web and/or telnet management interfaces of the Quantum device. When the need for access has been completed, it can be turned off as easily as it was enabled.
You may also be wondering exactly what data is collected from the Quantum device. For the most part, only a pre-defined set of data elements that has been designed specifically for each device is collected from the device. Only information relating to the status and configuration of the device is transferred from the agent to Quantum. For instance, although the agent software must know the TCP/IP address for each of the Quantum device(s) in order to communicate with them, these addresses are not transferred to Quantum. Most of the data elements are state values (such as a DX system state of “Running” or a PX720 power supply status of “OK”) or actual analog values such as power supply voltages, fan speeds and temperature readings. This more dynamic information is collected by the agent every 5 minutes. Other more static information such as the configuration of the device, firmware revisions, log files etc. are collected weekly or on-demand only.
Access Control
As stated several times, Quantum’s StorageCare Guardian was designed from the ground up with security in mind. One of the key elements to guarding the security of your data is the Policy Manager function of StorageCare Guardian. While the Enterprise applications determine what is possible, the Policy Manager on your agent (or on an optional centralized server) determines what will be allowed.
By default, the Policy Manager is packaged as an integral part of the StorageCare Guardian agent, and is accessed via the Agent Configuration Utility. This is the same utility that runs during the StorageCare Guardian software installation, when you add your Quantum devices into the agent configuration. Policy Manager is one of the pages of the utility, and is accessed by clicking on the “Policy Manager” heading on the left side of the utility interface.
The default integrated Policy Manager is designed for ease of use, and fits the needs of most Quantum customers. This version of the Policy Manager sets access permissions for a single agent. If multiple agents are used at a customer site, for instance if the company has multiple sites around the world, an agent is typically installed at each site. By default, each agent has its own Policy Manager settings, and changes made to that agent’s Policy Manager affect all devices monitored by that agent.
As discussed in the Data Security section, the Policy Manager by default allows the access option “Diagnostic Data Collection” only. This is the programmatic (software-controlled) collection of data from the Quantum device, but does not allow any access that could impact the operation of the device. For instance, the default settings allow a Quantum support representative to log into the Guardian Console and view the device “dashboard” for the Quantum devices configured in your StorageCare Guardian agent, which shows the current status of the device, all Guardian-generated alarms for the device, snapshots of the device configuration, and access to event logs, error logs and drive logs (product-dependent). However, none of these actions requires actually logging into the web or telnet management interface of the device; this is done purely through the device dashboard in the StorageCare Guardian software. Since we cannot actually log into the device, we cannot do things that could negatively impact the operation of the device, such as placing the device off-line, shutting it down or changing its configuration.
Of course, if you feel it is appropriate at any time to allow Quantum support personnel to access the web or telnet management interface of your devices, you can enable these options on the Policy Manager page of the Agent Configuration Utility. Apply the changes (press “Deploy Changes to Agent”) and the change takes place immediately. There are a number of access policies that can be enabled or disabled at your discretion. These access policies are under your control. We ask that you leave the “Diagnostic Data Collection” option enabled at all times, so Quantum is able to proactively monitor your Quantum devices 7x24x365 and be immediately notified if a problem occurs (or is imminent). While it is possible to disable this option and still have the software installed, you lose the ability of Quantum to proactively monitor your hardware; you also forgo the history of events and data values that proactive monitoring enables.
There is also an optional version of the Policy Manager (available at no cost) that can be installed on a centralized server (Windows only at this time) within an enterprise. This may make sense for customers with many sites spread around the world, and where there is a need for centralized access management. Where the integrated Policy Manager function sets access policies for the devices managed by that agent, the central Policy Manager software is a web-based application allowing all agents within an enterprise to use the same set of permissions. This version of the Policy Manager also adds a third level of access permission beyond “Always Allow” or “Always Disallow”, which is “Allow on Approval”. When access is attempted for an access policy set to “Allow on Approval”, an e-mail is sent to the person(s) designated as Policy Manager. The e-mail contains the name of the Quantum user attempting access, the type of access and the name of the device access is being requested for. Two links are provided in the e-mail: “Approve” and “Deny”. If the “Approve” link is selected, access is granted. If not, the connection is refused.
There are pros and cons to both Policy Manager options. The default, integrated Policy Manager is easy to use, and is installed by default with the StorageCare Guardian software. However, it only allows a given type of access to be “On” or “Off”, and affects all devices monitored by that agent. The optional centralized Policy Manager server may require an additional server (for the highest level of security, the centralized Policy Manager server can be installed on a server not acting as a StorageCare Guardian agent), is a separate software installation, and is currently available on Windows only (a Solaris version is on the StorageCare Guardian roadmap). However, it offers centralized management and much greater granularity for devices and permissions. The good news is, both options are free, and it is possible to start with the local (integrated) Policy Manager, and move to the centralized Policy Manager at a later date if and when you feel it is appropriate. You need only un-check the “Enable local Policy Manager” box and the previously grayed-out “Policy Manager” tab will become available. Click on this tab, and you can configure the information for your central Policy Manager server once you set it up.
StorageCare Guardian’s Policy Manager options give you the control to determine whether Quantum can access your devices, and how.
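The access model described in this section can be sketched as an agent-side gate that judges each queued request at check-in, with audit entries carrying the fields the paper names for its audit log (date, time, user, device, action). This is an added example, not Quantum's code: the class and function names, the two management-access policy labels, and single-use approvals are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from enum import Enum


class Rule(Enum):
    ALWAYS_ALLOW = "Always Allow"
    ALWAYS_DISALLOW = "Always Disallow"
    ALLOW_ON_APPROVAL = "Allow on Approval"  # central Policy Manager only


# "Diagnostic Data Collection" is the paper's policy name; the WEB and TELNET
# labels are hypothetical names for the two management-interface policies.
DIAG = "Diagnostic Data Collection"
WEB = "Web Management Access"
TELNET = "Telnet Management Access"


def default_policy():
    """Shipped default per the paper: data collection on, live access off."""
    return {DIAG: Rule.ALWAYS_ALLOW, WEB: Rule.ALWAYS_DISALLOW,
            TELNET: Rule.ALWAYS_DISALLOW}


@dataclass(frozen=True)
class Request:
    user: str     # support account asking for access
    device: str   # device name as configured in the agent
    access: str   # one of the policy names above


@dataclass
class PolicyGate:
    policy: dict = field(default_factory=default_policy)
    approved: set = field(default_factory=set)   # requests the customer approved
    audit: list = field(default_factory=list)

    def approve(self, req):
        """Customer selected "Approve" in the notification e-mail."""
        self.approved.add(req)

    def evaluate(self, req, now=None):
        """Return True if the request is granted; always append an audit entry."""
        rule = self.policy.get(req.access, Rule.ALWAYS_DISALLOW)  # unknown: deny
        if rule is Rule.ALWAYS_ALLOW:
            granted = True
        elif rule is Rule.ALLOW_ON_APPROVAL and req in self.approved:
            self.approved.discard(req)  # assumption: an approval is single-use
            granted = True
        else:
            granted = False
        stamp = (now or datetime.now(timezone.utc)).isoformat()
        self.audit.append({"time": stamp, "user": req.user, "device": req.device,
                           "action": req.access, "granted": granted})
        return granted


def check_in(gate, queued):
    """Requests queued at the back end are only seen, and judged, at check-in."""
    return [(req, gate.evaluate(req)) for req in queued]


if __name__ == "__main__":
    gate = PolicyGate()
    queue = [Request("support1", "PX720-lab", DIAG),
             Request("support1", "PX720-lab", TELNET)]   # constructed sample
    for req, ok in check_in(gate, queue):
        print(req.access, "->", "granted" if ok else "refused")
```

Refused requests are logged as well as granted ones, so the audit trail shows attempted access, not only successful access.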
Best in Class Security
StorageCare Guardian utilizes an enterprise class technology which was originally developed in the medical devices field, helping the manufacturers of DNA sequencers, hospital prescription dispensing stations and many other medical devices to remotely communicate with and support their products in hospitals and university research labs. This same powerful, flexible technology is the basis of Quantum’s StorageCare Guardian Solution. Since the technology used here has a strong heritage in the medical devices industry, it has provided for best-in-class security features. For example, an audit log is kept of all actions taken by users of the system with each entry showing the date, time, user, device and the action taken.
The underlying secure transport technology used by StorageCare Guardian has been tested and validated repeatedly by industry-leading security firms such as @Stake (now part of Symantec Corporation) and VeriSign. Quantum is also VeriSign Security Certified™. StorageCare Guardian has undergone an extensive application security assessment by VeriSign Corporation based on open industry standards. VeriSign Security Certification gives Quantum customers added assurance that information security best practices are being utilized when diagnostic data is transferred between installed systems and Quantum’s remote support solution. The certification document will be made available to Quantum customers on request.
Enterprise Server Security
The same emphasis on security used in developing the StorageCare Guardian agent is also evident in the design of the back-end application infrastructure that resides at Quantum. While the StorageCare Guardian Console allows Quantum to provide better levels of service to our customers than ever before, it is important that these applications and the data they access are kept secure from unauthorized access.
One critical element of the security of StorageCare Guardian’s Enterprise systems is the design of the network. StorageCare Guardian is a three-tier application, with one tier residing on the StorageCare Guardian agent at the customer site, a second tier on a web server on a protected DMZ, and a third tier (application and database servers) behind a second firewall. The use of two levels of firewall protection ensures that no unauthorized access to Quantum’s StorageCare Guardian servers is possible.
Another key element of StorageCare Guardian’s back-end infrastructure security is the extensive use of access controls. For instance, LDAP authentication is required to log into the web applications. Strict account management policies ensure that passwords expire and cannot be easily guessed. In addition, each user account in the StorageCare Guardian system has its own set of controls determining which devices can be viewed, and what actions are possible. Available actions are based on the type of user account and are tightly controlled.
While not directly related to security, the highly extensible architecture of StorageCare Guardian’s back-end infrastructure means that Guardian will be there when you need it, watching over your Quantum storage investment. The back-end infrastructure is designed to be easily expanded to keep pace with rapid adoption of StorageCare Guardian, up to hundreds of thousands of devices monitored.
Summary
We hope that this document has helped you see the depth of Quantum’s commitment to security in StorageCare Guardian. Our business is data protection, and we want to make sure your data is safe. StorageCare Guardian’s bullet-proof security ensures that Quantum can proactively monitor your hardware investments while maintaining world-class security.
Additional Resources
In addition to this white paper, there are many other resources available on the StorageCare Guardian information page, located at http://guardianinfo.quantum.com. There you can find a technology white paper, a flash demo, overview datasheet and more. If you have any questions at all, feel free to drop a line to guardianinfo@quantum.com.
For more information, visit quantum.com
United States of America Quantum Corporation
141 Innovation Drive Irvine, CA 92617 U.S.A. phone 949.856.7800 fax 949.856.7799
European Headquarters
Quantum Corporation 3 Bracknell Beeches Old Bracknell Lane West Bracknell Berkshire RG12 7BW United Kingdom phone +44 1344 353500 fax +44 1344 353510
Asia Pacific
Quantum Storage Singapore Pte Ltd 9 Temasek Blvd. #08-03 Suntec Tower Two Singapore 038989 phone +65 6432 2812 fax +65 6432 2790
WP00086 Jun 2006