Wednesday, August 27, 2025

NetApp ONTAP Security Hardening - Multi-Admin Verify & Approve

 

ONTAP Multi-Admin Verification (MAV) is a security feature in NetApp ONTAP that requires multiple administrator approvals before performing certain sensitive operations. This feature helps protect against insider threats, human error, or misuse by enforcing a dual-authorization policy for specific administrative actions.

Key Concepts of Multi-Admin Verification (MAV)

  • Purpose: Enhance security by requiring multiple admins to approve critical actions such as:

    • Volume deletion

    • Snapshot deletion

    • SVM (Storage Virtual Machine) or LIF deletion

    • Key management operations

    • Security configuration changes

  • Minimum ONTAP Version: MAV is supported starting from ONTAP 9.11.1.

How It Works

  1. Enable MAV:

    • Use the ONTAP CLI or System Manager to enable the feature.

    • Define a trusted admin group responsible for approving requests.

  2. Create MAV-Protected Operations:

    • Identify which commands or actions require verification.

    • Set policies that define the number of approvals needed (typically 2 or more).

  3. Request-Approve Flow:

    • Admin A initiates a sensitive action.

    • The action is pending until approved by one or more trusted admins.

    • Trusted Admin B reviews and approves (or denies) the request.

    • Once approved, the action is executed.

  4. Audit Trail:

    • All MAV activities are logged for traceability and auditing purposes.
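
A simplified model of the request-approve flow above, added here as an illustration; it is not ONTAP's implementation or code from the original post. The class, state names, sample admin names, and the rules that a requester cannot approve their own request and that only the requester executes it are assumptions of the model.

```python
from dataclasses import dataclass, field

@dataclass
class MavRequest:
    """One sensitive operation in a simplified MAV-style flow (hypothetical model)."""
    operation: str
    requester: str
    approvers: frozenset            # trusted approval group
    required: int = 2               # approvals needed before execution
    approved_by: set = field(default_factory=set)
    state: str = "pending"          # pending -> approved -> executed, or vetoed
    audit: list = field(default_factory=list)

    def _log(self, actor, event):
        self.audit.append((actor, event, self.state))

    def approve(self, admin):
        if self.state != "pending":
            raise ValueError(f"request is {self.state}, not pending")
        if admin not in self.approvers:
            self._log(admin, "rejected: not in approval group")
            return self.state
        if admin == self.requester:     # assumption: no self-approval
            self._log(admin, "rejected: requester cannot self-approve")
            return self.state
        self.approved_by.add(admin)     # a set, so repeat approvals count once
        if len(self.approved_by) >= self.required:
            self.state = "approved"
        self._log(admin, "approve")
        return self.state

    def veto(self, admin):
        # Any member of the approval group can stop a pending request.
        if self.state == "pending" and admin in self.approvers:
            self.state = "vetoed"
            self._log(admin, "veto")
        return self.state

    def execute(self, admin):
        # The action runs only after quorum, and only for the original requester.
        if self.state != "approved" or admin != self.requester:
            self._log(admin, "execute blocked")
            return False
        self.state = "executed"
        self._log(admin, "execute")
        return True

if __name__ == "__main__":              # constructed sample run
    req = MavRequest("volume delete", "admin_a", frozenset({"admin_b", "admin_c"}))
    states = [req.approve(a) for a in ("admin_a", "admin_b", "admin_c")]
    print(states, req.execute("admin_a"), *req.audit, sep="\n")
```

The audit list records blocked and rejected attempts as well as successful ones, which is the part worth alerting on when reviewing approval activity.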



Considerations

  • Delayed Operations: MAV introduces an intentional delay — actions won’t proceed until approved.

  • Trusted Group Management: Be careful who you include in the approver group; they have veto power.

  • Not a substitute for RBAC: Use Role-Based Access Control (RBAC) together with MAV for layered security.

Deploying Cloud Volumes ONTAP (CVO) on AWS using NetApp BlueXP

 NetApp Cloud Volumes ONTAP (CVO)


NetApp Cloud Volumes ONTAP (CVO) is a cloud-based storage solution provided by NetApp that brings the features of its on-premises ONTAP storage operating system to the cloud. It enables organizations to manage and protect their data in the cloud with the same tools and workflows they use on-prem.

What is CVO used for?

CVO is primarily used for:

  • File and block storage in the cloud
  • Disaster recovery and backup
  • Cloud-based DevOps environments
  • Data migration and hybrid cloud architectures
  • Cost-effective secondary storage


Technical Details

  • Runs as a virtual appliance in the cloud
  • Licensed either via:
    • BYOL (Bring Your Own License)
    • PAYGO (Pay-As-You-Go) model from cloud marketplaces
  • Integrates with NetApp’s BlueXP for provisioning and monitoring.

Sunday, August 17, 2025

Linux NFS Server data Live Migration to ONTAP Cluster SMB Share using BlueXP Copy & Sync (CloudSync)

 

BlueXP Copy & Sync (CloudSync)

BlueXP copy and sync lets you move data between different storage systems and services across your data estate, whether on-premises or in the cloud. With copy and sync you use one or more data broker servers to create data copies, move data to different locations, and continuously sync data between locations.

This allows you to carry out a variety of data mobility projects regardless of whether the source or target are NetApp-based storage. You can mix and match nearly all NFS, SMB/CIFS, object, and cloud-based repositories as source and target, and from there use BlueXP copy and sync to accomplish cloud migrations, data protection, archiving, data consolidation, and cloud bursting for processing and analytics.



Tuesday, August 12, 2025

NetApp ONTAP 9.17.1 JIT (Just In Time) Privilege Elevation

 

What is JIT Elevation in ONTAP?

ONTAP JIT Elevate refers to Just-In-Time (JIT) privilege elevation in NetApp ONTAP—a feature that allows users to temporarily elevate their privileges (e.g. to admin-level) for a specific task or session, and then automatically removes those elevated permissions afterward.

 

With JIT privilege elevation, most users are assigned regular, non-administrative privileges at account creation. When they need to perform administrative activities such as volume creation and deletion, the privileges to perform these activities are assigned to them just in time and automatically reset after a fixed period.

 

Why It Matters

  • Reduces security risk: Admin privileges are only active for a short time.
  • Improves auditing: Makes it easier to track privileged access.
  • Supports compliance: Aligns with NIST, ISO, and zero-trust principles.

Friday, May 16, 2025

NetApp ONTAP High Availability - Failover

 NetApp ONTAP HA


Cluster nodes are configured in high-availability (HA) pairs for fault tolerance and non-disruptive operations. If a node fails or if you need to bring a node down for routine maintenance, its partner can take over its storage and continue to serve data from it. The partner gives back storage when the node is brought back online.



Tuesday, May 13, 2025

Commvault IntelliSnap for NetApp


 Commvault IntelliSnap for NetApp

Enterprises today increasingly turn to array-based snapshots to augment or replace legacy data protection solutions that have been overwhelmed by exponential data growth. Management and automation are an integral part of being able to effectively leverage this technology. Efficient and integrated use of array-based snapshots is a key requirement for protecting virtualized applications.




Commvault IntelliSnap technology integrates with native storage array snapshot engines to provide consistent point-in-time recovery copies for large data sets and enterprise applications. IntelliSnap technology quiesces applications or file systems, triggers the storage array-based snapshot, and returns the system to a fully operational state within minutes.

Thursday, November 28, 2024

Commvault Disaster Recovery solution

 


Commvault Disaster Recovery

 Senthilkumar Muthusamy

The Commvault Disaster Recovery solution uses hypervisor and Commvault components on the primary site and on the secondary (destination) site.


The Commvault deployment can reside on separate infrastructure or can be co-located with the primary site. If the Commvault deployment is co-located with the primary site, configure CommCell Disaster Recovery to ensure that the Commvault deployment remains accessible if the primary site is unavailable.