RackTop employs cybersecurity best practices throughout the entire product lifecycle from development, deployment, sustainment and system retirement.

RackTop provides company wide training to promote security awareness and foster an understanding of the risks facing the company and our customers. Additionally, RackTop fosters an environment where the software development organization understands the principles of secure software design.

The secure by design culture of RackTop includes security reviews as part of product designs and architectures. A security analysis is performed against implementations to detect security weaknesses and common security vulnerabilities.

RackTop uses automated scanning tools such as Nessus to continuously monitor, detect and remediate vulnerabilities. RackTop is vigilant about preventing vulnerabilities from entering the product during the development and product delivery process; and providing corrective configuration actions or updates to eliminate vulnerabilities in fielded products.

As part of the product lifecycle, the project management team tracks and reviews serious findings from vulnerability scans and security reviews. The project management team ensures they are being worked with the highest development priority for security updates and product releases.

RackTop secures software updates by providing signed code in a proprietary RAP format. Fielded systems validate the signature before installing the software update. RackTop’s operating system will not allow unsigned binaries to persist a reboot to provide further protection against malware and advanced persistent threats. Firmware for RackTop provided hardware is also managed in a similar way using signed binaries to protect the authenticity and integrity of the software and hardware.

Updates are provided to internet connected machines over a secure channel with certificate based authentication. For customers who do not have internet connectivity RackTop provides secure password protected access to a web accessible repository. Customers can securely import the software via their organizationally approved methods and upload it to their RackTop System to perform the secure update process.

RackTop understands the need for end-to-end security in both software and hardware. RackTop ensures that it orders original manufacturer’s authentic hardware through authorized manufacturers and distributors. To further improve security, RackTop always uses TAA compliant hardware and BAA compliant hardware whenever available.

RackTop employs FIPS Validated 140-2 Level 2 Self Encrypting Drives within its systems to protect the data at rest. The data on the drives are encrypted using a data encryption key that is never exposed to the user or an external application.

Cryptographic data purge features along with statements of volatility allow end user organizations to appropriate destroy and retire the information system. RackTop is continuously increasing the security and resiliency of the product to defend against evolving advanced persistent threats.

Administrative Accounts can be configured to use Active Directory for authentication and authorization. If local accounts are required, users should be added and placed in the bsradmins and allowssh groups.

BrickStor SP enables admins to configure the strength and expiration of passwords. In addition, BrickStor SP prevents users from reusing the same password. Configure password strength for the system by editing the 'passwd' settings file:

vi /etc/default/passwd

Add the following entries with the appropriate values to the file:

BrickStor SP’s Key Manager can store the keys for Self-Encrypting Drives (SEDs) and dataset/volume encryption or be configured to an external key manager over KMIP. This must be configured before the use of SEDs or dataset encryption. The key manager should be configured from the command line, using setup.sh and following the menu prompts under menu option 8.

BrickStor SP supports two levels of FIPS encryption by using Self Encrypting Drives and dataset/volume level encryption. Self-Encrypting Drives must be enrolled into the system. Admins can use the myRack Manager Rack View.

Click on any of the drives in Rack View, select the more option, and then click enroll. Select all pools and drives.

Once the drives are enrolled, they will display with a shield in the hardware view:

The shield indicates the drive is enrolled and the FIPS ownership process has been completed. Now the system will manage the drive encryption keys.

Drives can be crypto erased in compliance with NIST purge standards by selecting the drive(s) you wish to erase and selecting Crypto Erase Drives.

Data can be replicated to another pool or system on a per dataset basis. Data in flight is protected with TLS encryption. Datasets and volumes that are encrypted on the source will also be encrypted on the destination. These datasets are not mounted or decrypted on the destination during normal operations. To recover a file or snapshot on the destination, the decryption keys for encrypted datasets and volumes must be imported on the destination system. Replication supports automatically forwarding keys and is configurable on a per dataset basis.

BrickStor SP includes features for sending telemetry data automatically to the myRackTop cloud for improved support. This information stream can be disabled with the following steps:

Edit the file /etc/racktop/myrackd/myrackd.conf and change the line below:

Then restart the myrackd service:

svcadm restart myrackd

BrickStor SP checks for online updates daily for Internet connected systems. To disable this, perform the following steps:

Edit the file /etc/bsrupdated/bsrupdated.conf and change the line below:

Then restart the bsrupdated service:

svcadm restart bsrupdated

It is important to have consistent time across all systems for security and event logs. BrickStor SP should be connected to an NTP time source. By default, the system will look to Active Directory as the time source after a domain join. However, NTP can be configured to point to any compatible time source. The system will use the time source and time zone selected for all log Information. However, the GUI will adjust the times to the local time zone set on the desktop that launched the GUI.

BrickStor SP can be joined to Active Directory and LDAP servers to support users and group permissions.

User Behavior Auditing can be enabled on a per dataset basis. The log provides the identity, source IP address, file path, file protocol, and operation. It also can provide permission changes.

By default, the following ports are open to allow BrickStor SP to take advantage of various features and functionality. The following table lists these ports.