SUBNET Security Features and Services

In our previous blog post on SUBNET we talked about how you can support your MinIO clusters and meet SLAs by having direct access to engineers who work on the codebase on a daily basis. Using the SUBNET portal, everyone on your team is able to collaborate with our team to track and resolve potential issues. The SUBNET portal also serves as a searchable knowledge base so relevant details for previous issues are readily available.

This is the fourth post of our series on the features and capabilities available through our commercial relationship. If you missed our previous posts on the methods of communication and direct-to-engineer experience, exploring SUBNET Healthcheck and Performance and SUBNET Call-Home Diagnostics, then we recommend that you take a look at them to gain a better understanding of the features and capabilities offered through our commercial relationship.

MinIO code is secure and we go to great lengths to ensure that your data is always protected.

Security testing and patching of core MinIO code happens whether or not you’re a licensed MinIO customer. The code released to our community is as secure as we can make it. Everyone from community users to Standard and Enterprise licensees benefits from making MinIO as secure as we can.

Standard and Enterprise customers gain additional security services and features when they subscribe to SUBNET, and this blog post focuses on the software updates and security patches, critical security and bug detection and the annual security and policy review.

Software Release and Long Term Support

MinIO uses rigorous internal software processes and feedback from our massive global community to identify and remediate security vulnerabilities and production impacting bugs. Every MinIO build is scanned for known CVEs and other potential vulnerabilities before it is released. All releases are stress tested and tested functionally for CPU, memory and drive performance. Commercial customers get customized attention on how to adopt security patches and adapt to the constantly changing security landscape.

Standard clients receive one year of security and bug fixes and technical support, while Enterprises receive this benefit for five years. For enterprises in heavily regulated industries or with extensive MinIO deployments, upgrading to a new version may involve careful planning, and we support this need.

We give you the flexibility to upgrade a version only if you want to. Every release includes detailed release notes and, if you have any questions, you can always reach us through the SUBNET portal and one of our engineers will be able to help with the release. Please see Best Practices for Updates and Restarts to learn more about our recommendations for deploying new releases.

Security and Policy Review

MinIO was designed and built to be secure, and we are here to help you implement it securely. Our engineers will work with you to install the best choice of operating system with the latest security releases.

Our engineers will also help you with firewall configuration and other network security measures. In addition, we monitor licensed MinIO deployments using SUBNET Call-Home Diagnostics to quickly surface any security and policy issues.

MinIO engineers will readily work with you to develop and implement your own security policies. We typically do this prior to the initial production deployment and annually afterwards.

We will help you evaluate and remediate potential security vulnerabilities. Some of the questions we’ll ask during the security review include:

  • Which MinIO components are going to be deployed (MinIO Server, MinIO Operator, Sidekick, KES, etc.)?
  • Which version of each component will be deployed in which configuration (number of nodes, environment, networking, etc.)
  • Are you running TLS between applications and MinIO, and between MinIO components?
  • What is the internal authentication model, the external authentication model, and what are the differences?  In particular for MinIO, which identity provider will be used (internal or external, LDAP or OpenID compliant).
  • Have you defined individual and group access policies using the principle of least privilege access?
  • Are you using service accounts for applications and relying on least privilege access?
  • Is there encryption at rest?
  • Is there an external KMS and MinIO KES to manage certificates?
  • How frequently will/are MinIO components updated?
  • Is Versioning enabled for critical buckets?
  • Are you aware of Object Locking abilities to protect sensitive data?
  • Do you have a solution and process in place to monitor MinIO in order to detect potential security weaknesses and incidents?
  • What procedures do you have in place to audit actions taken by a user, a service account or MinIO itself?
  • Have you designed for high availability and business continuity? MinIO supports Bucket Replication, Batch Replication and Site Replication. We will help you determine and configure the best form of replication to meet your BC/DR requirements.

Holistic Security

Since SUBNET is a critical component of our commercial offerings, we have taken additional steps to secure and certify it. MinIO has implemented an Information Security Management System (ISMS) program consistent with and conforming to the ISO/IEO 27001 standard for Information Security Management.

SUBNET only stores information related to support tickets, customer conversations and user profiles. Health Reports, submitted at will, only contain general statistics on the cluster and no proprietary or identifiable data from the cluster. MinIO personnel do not have access to your data hosted on your MinIO cluster.  

SUBNET Simplifies Security

This blog post provided a guided tour of the security benefits of purchasing a commercial MinIO license, including software patches, security updates, long term support, the Security and Policy Review, and last but not least the security of SUBNET itself. Regardless of what you build on top of MinIO, we’re here to help keep it safe.

If you’d like to learn more about any of the security topics or services discussed in this post, please reach out to us on Slack or hello@min.io.