StorageGuard overview
StorageGuard™ addresses the challenges of securing the vulnerable enterprise data storage and backup platforms. It automatically collects the up-to-date configurations of the enterprise’s data storage systems and checks for security misconfigurations and vulnerabilities, including violation of vendor security best practices, organizational security baseline configuration requirements, ransomware protection guidelines, non-compliance with information security standards, and more. It informs the relevant IT teams of violations and how to repair them to close the security gaps that put critical data systems at risk.
Key benefits of StorageGuard
- Meets vendor and community-driven security configuration best practices.
- Validation of Configuration Compliance with information security standards (ISO, CIS Controls, PCI DSS, NIST, NERC CIP, DORA, and more).
- Automatically validates security baseline configurations.
- Automatically detects security vulnerabilities and misconfigurations.
- Tracks and reports on security configuration changes.
- Provides remediation guidelines for detected misconfigurations and facilitates automatic healing.
- Provides the platform for easily implementing custom security configuration checks for storage, backup, and host systems.
- Supports all leading enterprise data storage systems, including SAN, NAS, HCI, Storage Network, Storage Management, Storage Virtualization, Data Protection Systems, and more.
- An enterprise-grade solution – A secure and scalable solution that can be easily customized and/or integrated with other management systems.
New in Version 9.2.7
New features and highlights
This StorageGuard release introduces new features and major enhancements in the following areas:
Comparison tool
StorageGuard now features a powerful new module that lets users benchmark configurations against a “Golden Copy” asset. This makes it easier than ever to spot and fix baseline configuration drifts, ensuring consistency and uniform security configuration across all assets.
Summary view:
Detailed view:
Baseline Version control
Users can now roll back any Baseline change and export the complete Baseline to local or network storage:
Newly Supported Platforms
The new release enables StorageGuard to collect security configurations and automatically detect best practice violations or vulnerabilities across newly supported platforms:
New: HPE Alletra 5000 / 6000 (formerly Nimble)
Enhanced Platform Support
The new release strengthens StorageGuard’s coverage for existing platforms, improving detection of security misconfigurations, best practice deviations, and vulnerabilities:
HPE Alletra 9000 (3PAR / Primera)
Veeam Backup and Replication
New Integration Options
Atlassian Jira
StorageGuard can now automatically open tickets in the customer’s Atlassian Jira for findings related to detected baseline configuration drifts and vulnerabilities, helping teams streamline remediation workflows
and ensure faster issue resolution.
The configuration can be done in the “Settings → Interfaces → ITSM Systems → REST (No Token)” screen.
HashiCorp Vault
StorageGuard now supports integration with HashiCorp Vault for secure credential management, allowing users to store and retrieve authentication data safely, simplify credential rotation, and enhance overall security during scans. The configuration can be done in the “Settings → Scan → Authentication → Credentials” screen.
Webhooks
StorageGuard now supports webhooks as an integration method for sending events and findings to external systems in real time. When specific events occur, StorageGuard sends an HTTP POST request with relevant data to the configured webhook endpoint. You can add or edit webhooks in the “Settings → Interfaces → Webhooks” screen to enable seamless automation and faster response workflows.
Risk knowledgebase update
The StorageGuard risk knowledge base has been updated with additional industry security best practices, vendor recommendations and vulnerabilities.
Additional changes and enhancements
The following section highlights additional notable changes or enhancements:
| ID | Description |
| SG-27919 | Added risk closure reason to Vulnerabilities dashboard calculation |
| SG-27671 | Reports improvements: Risk note and check comments columns added to Configuration Compliance report |
| SG-27517 | Reports improvements: Priority and Severity columns added to Configuration Compliance report |
| SG-25859 | Reports improvements: Added Scan troubleshooting report that can be filtered by system type |
| SG-23744 | Reports improvements: Added customizable parameters, command API and evidence columns to Configuration Compliance report |
| SG-27504 | Added checks hierarchy and a new scan result, “non-applicable,” to indicate when a specific check is irrelevant because a higher-level check is disabled |
| SG-23751 | Added “Deployment Health Check” UI and enhancement report (beta version) |
| SG-28893 | Added backup retention option to full cycle dumps |
| SG-27893 | Improved StorageGuard accessibility to align with WCAG 2.2 standards |
| SG- 25916 | Added option to save reports into shared folder which requires credentials |
| SG-27919 | Added risk closure reason to Vulnerabilities dashboard calculation |
| SG-27671 | Reports improvements: Risk note and check comments columns added to Configuration Compliance report |
| SG-27517 | Reports improvements: Priority and Severity columns added to Configuration Compliance report |
| SG-25859 | Reports improvements: Added Scan troubleshooting report that can be filtered by system type |
| SG-23744 | Reports improvements: Added customizable parameters, command API and evidence columns to Configuration Compliance report |
Fixed issues
The following issues are resolved:
| ID | Description |
| SG-29026 | Inaccurate finding for SG-C0459T187V01: Share scan status - cDOT |
| SG-29022 | Improved: SG-C0044T061V01: Approved KMS server |
| SG-28888 | Resolved: SG-C0209T187V05: Idle session timeout and SG-C0209T187V01: Idle session timeout - CLI |
| SG-28866 | Inaccurate finding for SG-C0307T187V01: Admin account status - cDOT |
| SG-28864 | Improved: SG-C0325T187V01: File share access rights - cDOT |
| SG-28863 | Inaccurate finding for SG-C0392T187V01: Minimum account lockout duration - cDOT |
| SG-28862 | Inaccurate finding for SG-C0423T187V01: MOTD status - cDOT |
| SG-28860 | Improved: SG-C0234T187V01: Maximum password age - cDOT |
| SG-28857 | Improved: SG-C0114T187V01: Sensitive data removal - autosupport |
| SG-28842 | Improved: SG-C0030T187V01: Centralized authentication service status |
| SG-28803 | Inaccurate finding for SG-C0467T061V01: Automatic retention lock status |
| SG-28453 | Inaccurate finding for SG-C0012T169V01: Server password set status |
| SG-28452 | Inaccurate finding for SG-C0395T169V01: SMTP server configuration |
| SG-28450 | Improved: SG-C0365T169V01: SSL authentication status |
| SG-28449 | Improved: SG-C0390T169V01: TLS level |
| SG-28448 | Inaccurate finding for SG-C0239T169V01: Multi-factor authentication |
| SG-28150 | Improved: SG-C0039T187V01: LDAP server configuration - cDOT |
| SG-28034 | Improved: SG-C0072T193V01: Tenant object encryption status |
| SG-27952 | Improved: SG-C0343T187V01: CIFS SMB encryption (policy) - cDOT |
| SG-27951 | Improved: SG-C0447T187V04: Self-signed certificate - cDOT |
| SG-27808 | Improved: SG-C0031T175V01: Authentication server configuration |
| SG-27721 | Improved: SG-C0417T031V01: Password hash strength |
| SG-27719 | Improved: SG-C0178T031V01: FIPS verification |
| SG-27670 | Improved: SG-C0071T073V01: SED node status |
| SG-27652 | Improved: SG-C0172T037V01: NTP service status |
| SG-27629 | Improved: SG-C0381T181V01: HTTP service status |
| SG-27620 | Improved: SG-C0162T031V01: Expired SSL certificate and SG-C0447T031V01: Self-signed certificate |
| SG-27616 | Inaccurate finding for SG-C0013T031V01: Approved NTP servers |
Important Notes
Database Locale requirement
The database instance used as the backend database for the Continuity Software Platform must be configured with the English Locale. This requirement is complementary to other requirements identified in the Deployment guide and/or other documents.
Web Browser Support
StorageGuard supports Google Chrome, Firefox, and Microsoft Edge. Microsoft IE is not supported.
Recommended display size and resolution
StorageGuard’s web user interface is best displayed and operated with these specs:
- Full HD resolution (1080p)
- Screens 21” or larger
- Aspect ratio of 16:9.
Using smaller screens, coarser resolution, or both might cause incomplete display of some information. Use the browser’s zoom-out function to display all content.
Scan of Storage and Replication Management servers
It is recommended to scan all production / DR storage management servers as hosts. This is required even for management servers are already configured for scanning as storage proxies. A storage proxy scan operates at the API/CLI level whereas scanning the storage management servers as a host enables collection of additional configuration files and settings.
Scan of Windows hosts through WMI
Scanning of Windows hosts updated with KB3139940 might fail with an “Access Is Denied” message. To overcome this failure, please make sure that the user configured to authenticate to this server is a member of the Local Administrator group on the StorageGuard server. As of version 7.2.1, StorageGuard also provides an alternative method of scanning Windows servers using WMI which requires PowerShell version 5.1 or higher.
User account for technical support only
The csadmin user provides access to support tools that can cause damage if not used properly; This user is intended to be used by Continuity Software support engineers only. Enable and login with the csadmin user only when directed to do so by support personnel. This user is locked by default.
Recommended scan protocol for Windows hosts
StorageGuard supports a variety of scan options for Windows hosts. The recommended scan option is using WinRM over HTTPS.
Known Issues
The following section highlights additional notable known product issues:
| Id | Description |
|---|---|
| SG-29966 | Several ONTAP checks do not support detection based on REST API, only based on ZAPI: SG-C0162T187V04: Expired SSL certificate - OU, SG-C0447T187V02: Self-signed certificate - OU, SG-C0195T187V01: Firewall status, SG-C0384T187V01: Active Telnet (Firewall policy) |
| SG-29904 | The Cisco probe may execute commands for disabled features resulting in "Cmd exec error" |
| SG-29913 | Certain ONTAP checks may incorrectly result in Insufficient Information status: SG-C0025T187V01: LDAP server redundancy, SG-C0128T187V01: CIFS SMB anonymous user access restriction, SG-C0546T187V01: LDAP AD enabled, SG-C0551T187V01: Dynamic authorization status, SG-C0001T187V01: Audit logging status, SG-C0024T187V01: Authentication server redundancy, SG-C0098T187V01: Data retention period , SG-C0163T187V01: Approved AD domain, SG-C0097T187V01: Data retention mode, SG-C0141T187V01: IPv6 status, SG-C0242T187V01: NDMP authentication type, SG-C0300T187V01: Snapshot autodeletion, SG-C0552T187V01: Authorization policy rules |
| SG-29861 | Under Compliance, the details column may present "Successfully scanned" even though the relevant API/CLI command failed; this is because the "Successfully scanned" message refers to the overall system's scan status and not specifically for the API/CLI command used in this check. Workaround: Review failed commands under the Scan Troubleshooting or Task Manager UI |
| SG-29877b | The Pure Storage probe executes two incorrect API calls |
| SG-29876 | Under Scan Troubleshooting, the Storage column may not show the Storage System Name; Workaround - the name is presented in the Summary column |
| SG-29840 | The inventory does not present all Commvault component systems such as HSX Storage and Media Agents |
| SG-28910 | The DDOS "SG-C0386T061V01: Telnet uninstalled" check analyzed the service status instead of installation status |
| SG-28627 | System Properties for controlling the Unisphere for PowerMax (U4P) timeout are missing (Contact support for workaround guidance) |
| SG-28166 | The Brocade "SG-C0419T031V01: SNMPv3 user authentication protocol" check shows SNMPv3 users without authentication instead of incorrect hash algorithm |
| SG-27593 | The StorageGRID "SG-C0306T193V01: Syslog communication protocol" check may result in incorrect Insufficient Information status |
| SG-27461 | The Brocade "SG-C0387T031V01: SAN Fabric - Zone member identification" check may incorrectly result in Insufficient Information status |
| SG-25718 | ONTAP "SG-C0148T187V01: User protocols status" check: Summary incorrectly refers to HTTP instead of RSH/Telnet (workaround: Review the finding detail) |
| SG-21689 | Uninstalling SG update from "Add/Remove Programs" does not work as expected |
| SG-29915 | Node name presented instead of System Name on HA-Enabled Dell PowerProtect DD |
| SG-29150 | Incorrect resolution may be shown for vulnerability findings for EOL Brocade switches that cannot be upgraded to FOS 9.x |
| SG-29682 | Inventory UI may perform slower than expected when large amount of Backup Clients and Agents is collected (contact support for a solution) |
| SG-18696 | The Cisco "SG-C0387T037V01 SAN Fabric - Zone member identification" check may fail to execute in certain conditions |
| SG-29747 | Incorrect name for PowerMax check SG-C0175T121V01; the correct name is "Event types enabled for syslog" |
| SG-29746 | Inaccurate name for PowerMax checks SG-C0025T091V01, SG-C0039T091V01, SG-C0060T091V01, SG-C0243T091V01, SG-C0449T091V01; these checks inspect DNS and LDAP configurations on PowerMax NAS |
| SG-27459 | Brocade FOS commands executed as part of a script do not report an error if fail to execute |
| SG-29683 | NetBackup Flex Appliance authentication will fail when the password contains special characters |
| SG-29878 | The HPE 3PAR / Primera probe runs several malformed commands resulting in a command error |
Limitations
Assigning a profile to an Active Directory group
- When assigning a profile to an AD Universal Group, the StorageGuard master server must have access to the Global Catalog of the AD Forest.
- When assigning a profile to an AD Local Domain Group, StorageGuard will not be able to assign the Profile to AD Users from a different Domain – even though such configuration is valid within AD. In other words – an AD user can log in to StorageGuard (with all the correct profiles assigned) only if each AD Local Domain Group it belongs to is part of the same AD Domain the AD user belongs to.
Special characters are converted during object import to StorageGuardWhen importing names and properties of objects from CSV/CMDB/API, special characters such as “&”,‘no-break- space’ and certain UTF8 chars are converted to alphanumeric chars.
In specific cases scan error messages are not sufficiently informative
The Scan Troubleshooting screen occasionally presents scan error messages that include the error code but no additional details.
Workaround: Run the erroneous command or script manually to see the full scan error message. If further assistance required, contact Technical Support.
SSH key supports only keys with less than 4000 characters [P-6645]
Elevated rights required for certain read-only Commvault API calls
Few of the optional read-only API calls executed by StorageGuard on Commvault require elevated rights - SNMP & Audit Trail API. It's recommended to grant these rights to enable StorageGuard to perform a comprehensive risk analysis however it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands.
Elevated rights required for certain read-only Dell EMC Data Domain commands
Few of the read-only commands executed by StorageGuard on Data Domain require the limited-admin role. It's recommended to grant these rights to enable StorageGuard to perform a comprehensive risk analysis however it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only user role.
Elevated rights required for certain read-only Dell EMC Unity API calls
Few of the read-only API calls executed by StorageGuard on Unisphere for Unity require the securityadministor role. It's recommended to grant these rights to enable StorageGuard to perform a comprehensive risk analysis however it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only operator role.
Elevated rights required for certain read-only Hitachi Ops Center API calls
Few of the read-only API calls executed by StorageGuard on Hitachi Ops Center require the Security Administrator role. It's recommended to grant these rights to enable StorageGuard to perform a comprehensive risk analysis however it is not mandatory. Whether these rights are granted or not, StorageGuard will only run read-only APIs and commands. Alternatively, configure the scan user with the read-only operator role.
Elevated rights required for scanning Windows hosts
It’s recommended to scan a Storage Management system both at the application level and the OS level. OS-level scan is optional but recommended for a comprehensive security configuration analysis. The OS-level scan is performed by connecting through either WinRM or WMI and then running read-only commands and queries. These commands and queries, even though read-only, require elevated rights.
NetBackup version support
StorageGuard supports scanning NetBackup systems from release 8.1 and above. NetBackup 7.x and 8.0.x are not supported.
CVE detection limitation
StorageGuard may report a CVE vulnerability that was either worked around or mitigated through remedial steps other than applying software updates.
CVE detection knowledgebase
The CVE knowledgebase is limited to advisories and CVEs that have been announced by the vendor, MITRE or other source to the community.
PowerMax 5978 patch level
StorageGuard cannot determine the patch level for Dell PowerMax 5978 arrays, only the microcode.
Revision History
Document revision history:
| Revision | Date | Description |
| 1.0 | 21 Oct 2025 | Initial publication |
| 1.1 | 10 Nov 2025 | Updated known issues and limitations |
Comments
0 comments
Please sign in to leave a comment.