Best Practices for Using Storage Gateway

Security Considerations

ADMIN PASSWORD
Because Storage Gateway administrators can create, modify, and delete file systems, follow these password guidelines:
  • Set a strong password.
  • Ensure that the password is secure.
  • Share passwords with others only on a need-to-know basis.
DOCKER
Storage Gateway runs inside a Docker container for security and isolation. Follow these Docker-related guidelines and recommendations:
  • Avoid or minimize Docker instance operations.
  • Avoid logging in to the Docker container. If there is a genuine requirement to log in to the Docker container, use extreme caution to avoid service disruption. Do not change the Docker configuration or the Docker instance unless instructed to do so by Oracle support personnel.
  • Although the NFS protocol controls access to the file system from clients, Storage Gateway file systems are also locally mounted inside the Docker container. To prevent unauthorized access to file system data, ensure that a Docker container is accessible only by an administrator or an authorized user.
  • Configure the Docker host to limit user access to the Storage Gateway Docker container.
  • Files and directories in a Docker container are also visible in the Docker host, typically as file systems and directories that are provisioned in the Docker host and mapped to the container. Set the appropriate ownership and modes to ensure that only an administrator or an authorized user can access these folders. We recommend the following:
    • A dedicated Storage Gateway host.
    • Limit who can access the Storage Gateway host.
    • Set firewall rules to limit access to the Docker host and Docker container.
    • Implement backup and retention policies for the files associated with Storage Gateway.
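The ownership and mode guidance above can be checked on the Docker host with a read-only audit. The following is an added example, not Oracle code; the function name audit_gateway_paths, the owner account, and the directory arguments are assumptions that you supply for your own host.

```shell
#!/bin/sh
# Added example (not Oracle code): read-only audit of Docker host directories
# that are mapped into the Storage Gateway container.
# Usage: sh audit_gateway_paths.sh OWNER DIR...   (both supplied by you)

# Prints one finding per line; returns 0 when clean, 1 when anything is flagged.
audit_gateway_paths() {
    expected_owner=$1
    shift
    rc=0
    for dir in "$@"; do
        if [ ! -d "$dir" ]; then
            echo "MISSING $dir"
            rc=1
            continue
        fi
        # Any permission bit for "other" lets every local account on the host
        # reach file system data without passing the NFS export checks.
        # Symlinks are skipped: their own mode is always rwxrwxrwx.
        other=$(find "$dir" ! -type l \
            \( -perm -004 -o -perm -002 -o -perm -001 \) -print |
            sed 's/^/OTHER-ACCESS /')
        # Entries owned by an account other than the designated administrator.
        wrong=$(find "$dir" ! -user "$expected_owner" -print |
            sed 's/^/WRONG-OWNER /')
        for finding in "$other" "$wrong"; do
            if [ -n "$finding" ]; then
                printf '%s\n' "$finding"
                rc=1
            fi
        done
    done
    return "$rc"
}

# Run the audit only when an owner and at least one directory are given.
if [ "$#" -ge 2 ]; then
    audit_gateway_paths "$@"
fi
```

Run it as root on the Docker host so that find can descend into directories that your own account cannot read.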
ACCESS CONTROL
Default file system export options are too permissive. Set more restrictive export options so that only trusted NFS clients can access the file system data and metadata. Modify the advanced file system settings for NFS Allowed Hosts and NFS Export Options to restrict access to a file system. In addition to NFS protocol security, you can also set up and configure a firewall on the host to further control access to the file system. UID/GID/modes control access to files and directories. Set the appropriate ownership and modes to protect sensitive data.
OBJECT STORAGE
Files in a file system are uploaded to Oracle Cloud Infrastructure and stored as objects in an Object Storage bucket. Associated file attributes are stored as object metadata. Access control for Object Storage is different from access control for a traditional file system. Anyone with permission to read or modify any object in the bucket can read or modify all objects in the bucket. To protect sensitive data, set up Oracle Cloud Infrastructure IAM policies to limit who can access objects in the bucket.
Storage Gateway transfers data to Oracle Cloud Infrastructure using HTTPS, which encrypts data packets in flight between Storage Gateway and the cloud. Data written to Object Storage is always automatically encrypted in the cloud.
NETWORKING

Open network ports only to networks that you trust. Oracle strongly recommends that you do not open network ports to the public internet. Instead, use a private connection to the machine hosting the Storage Gateway management console, for example, a VPN or an SSH local forward tunnel. See Site-to-Site VPN for more information.

Use the following syntax for an SSH local forward tunnel:

ssh -L localHost:localPort:remoteHost:remotePort remoteHost

See https://www.ssh.com/ssh/tunneling/example#local-forwarding for more information.