Security: Data security policy and procedures

April 2022

Data security is the foundation on which privacy and compliance are built. In the Trust Center, we clarify the data security policies and procedures that govern how we manage the security of our own systems and the data our customers entrust to us.

NetApp follows the requirements of global data security laws that require reasonable security measures for storing, transmitting, and processing data. We take measures that are broadly recognized as integral to appropriate security including encryption, authentication and authorization controls, breach reporting, data loss prevention, and patch management.

NetApp offers an array of encryption solutions as well as encryption key management. Other measures include a wide range of strategies and tools to help your organization stay resilient against ransomware threats, and strict data retention and deletion policies that support data minimization. NetApp security researchers work diligently to detect, mitigate against, and respond to software bugs and security vulnerabilities.

NetApp implements these safeguards to protect its information systems and the data stored in them. And, following the model of shared responsibility, we also offer strategies, tools, and services to empower our customers to do the same.

When an organization transforms itself from an on-premises infrastructure to a hybrid, private, or public cloud infrastructure, sharing responsibility with the cloud service provider for the security of data is key to this fundamental shift. The shared responsibility model addresses which parties in this cloud computing environment are responsible for managing the security of data—its confidentiality, integrity, and availability.

NetApp, as the service provider, is responsible for the secure operations of NetApp cloud services, such as the physical security of NetApp data centers and patching vulnerabilities in our SaaS solutions. 

You, our customer, may be responsible for secure operations in the cloud, such as ensuring that corporate policies like password complexity are enabled and followed across virtual deployments just as they were on premises.

NetApp also offers a choice of partner cloud infrastructure providers, including Amazon Web Services, Microsoft Azure, and Google Cloud, who manage the secure operations of their offerings.

Global privacy laws require reasonable security measures for storing, transmitting, and processing personal information. In the United States, reasonable security is a legal requirement for specific classifications of information such as financial, health, and other personal data. It underpins laws governing fair business practices as well as privacy laws outside the United States, such as the EU GDPR. 

Although there is no defined standard or engineering control set attached to reasonable security, regulators and courts recognize certain measures as integral to it. These measures include encryption, authentication and authorization controls, breach reporting, data loss prevention, and patch management.

NetApp implements these safeguards to protect its information systems and their stored data, and also builds products and services to empower our customers to do the same.

Ransomware attacks, a threat to organizational security and data availability, cost far more than the ransom price demanded. There are also the costs of recovery, operational disruption and lost revenue, potential legal implications, and even loss of brand value. 

Ransomware response strategies are vital to preparing for such attacks, and business continuity plans that include data backup and recovery can be instrumental in reducing the impact of a ransomware attack. Viable backups, isolated from a ransomware attack loop, are a key component, and streamlining recovery point objectives to uninfected data points helps protect against reinfecting systems. 

As a global leader in data storage, NetApp offers a broad range of strategies, tools, and services to help your organization stay resilient against ransomware threats, mitigate recovery efforts, and reduce recovery time.

Security vulnerabilities are widely recognized throughout the computer industry and by businesses and organizations around the world. NetApp has addressed security vulnerabilities by establishing a Secure Development Lifecycle (SDL). NetApp’s SDL is a repeatable 6-step process for developing secure software based on industry best practices and standards. It provides a framework and a process to help product teams evaluate and respond to potential security vulnerabilities in the development of all NetApp products and services.

Rigorous security training and the appointment of security champions lay the foundation for the SDL. The SDL process itself begins with a security assessment and release of the compliance and test plans. It follows with a thorough evaluation of product security vulnerabilities, implementation of solutions, and validation that any identified vulnerabilities have been resolved. It ends with risk communication procedures and monitoring through a Product Security Incident Response Team (PSIRT).

Patches are typically released to address known issues in software or data, such as a software bug or a security vulnerability. NetApp security researchers work diligently to protect our products and services. They participate in security communities that track published vulnerabilities. They also manage a program through which customers and researchers outside these communities submit information about potential security vulnerabilities. NetApp scores and tracks these submissions according to our vulnerability handling policy and regularly releases patches through Security Advisories.

Management of these patches is an integral part of the reasonable security measures necessary to secure your networks and data. NetApp’s vulnerability and patch management operations are also designed to support customers at all positions in the shared responsibility model.

Encryption is widely acknowledged to be fundamental to the security of personal information. Some regulations, such as U.S. IRS Publication 1075, require certain information to be encrypted using specified technology while the data is at rest or in transit. Other regulations, such as the EU GDPR and California Consumer Privacy Act (CCPA), don’t require encryption, but they do recognize the important role it plays in mitigating against data breaches involving personal information.

NetApp offers an array of encryption solutions. These include both hardware and software encryption, at either the volume or disk level, as well as encryption key management for administering the keys used to encrypt and decrypt data.

A fundamental principle of data security is that organizations should not collect or hold more personal information than is necessary, and that data should be deleted when it’s no longer needed for authorized purposes. This principle of data minimization reduces compliance complexity and protects data against harm in the event of a security breach. 

The most common data minimization method is to enact and enforce data retention and data deletion policies that direct which information a company should retain, for how long, and when and how to delete it.

NetApp’s own data deletion policies support data minimization for data stored on drives that customers return: Customers are instructed to delete, encrypt, or render unrecoverable all data stored on returned media before it is returned.