Security Best Practices
NexStorage has been designed with security as a fundamental principle. This guide outlines best practices to ensure your data remains secure, compliant, and protected against unauthorized access or data breaches.
Securing Data in Transit
Enforcing HTTPS
Always use encrypted connections to protect data in transit:
# Configure the NexStorage console to redirect HTTP to HTTPS
nexstorage-admin config set console.secure true
# Disable HTTP access completely
nexstorage-admin config set api.http.enabled false
For production environments, completely disable HTTP access and use only HTTPS with a valid TLS certificate.
TLS Configuration
NexStorage supports modern TLS implementations:
- Use TLS 1.3 whenever possible (default in NexStorage)
- Configure minimum TLS version to 1.2 for legacy clients:
nexstorage-admin config set ssl.minimum_version "TLSv1.2" - Configure strong cipher suites:
nexstorage-admin config set ssl.ciphers "TLS_AES_256_GCM_SHA384:TLS_CHACHA20_POLY1305_SHA256:TLS_AES_128_GCM_SHA256"
Custom Certificates
Replace the default self-signed certificate with your own trusted certificates:
# Install custom certificates
nexstorage-admin certificates install \
--cert-file /path/to/your/certificate.crt \
--key-file /path/to/your/private.key
For certificate management through services like Let's Encrypt:
nexstorage-admin certificates install-acme \
--domain storage.yourcompany.com \
--email admin@yourcompany.com
Bucket Security Configuration
Private vs Public Buckets
By default, all NexStorage buckets are private. For content that needs to be publicly accessible:
# Make specific objects public
nexstorage-client object set-acl \
--bucket my-public-content \
--object images/logo.png \
--acl public-read
# Configure bucket policy for public read access to a specific directory
nexstorage-client bucket policy set \
--bucket my-public-content \
--policy '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": "*",
"Action": "s3:GetObject",
"Resource": "arn:aws:s3:::my-public-content/public-images/*"
}
]
}'
Public buckets should be used only when necessary, and restricted to specific prefixes/directories rather than the entire bucket.
Bucket Policies
Create detailed bucket policies to control access:
{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Principal": {"AWS": ["arn:aws:iam::123456789012:user/analytics-team"]},
"Action": ["s3:GetObject", "s3:ListBucket"],
"Resource": [
"arn:aws:s3:::data-warehouse",
"arn:aws:s3:::data-warehouse/*"
],
"Condition": {
"IpAddress": {
"aws:SourceIp": "192.168.1.0/24"
}
}
}
]
}
Save this policy to a file (e.g., policy.json) and apply it:
nexstorage-client bucket policy set \
--bucket data-warehouse \
--policy-file ./policy.json
CORS Configuration
For web applications that need to access NexStorage resources from different domains:
nexstorage-client bucket cors set \
--bucket app-assets \
--config '{
"CORSRules": [
{
"AllowedOrigins": ["https://app.yourcompany.com"],
"AllowedMethods": ["GET", "PUT", "POST"],
"AllowedHeaders": ["*"],
"ExposeHeaders": ["ETag"],
"MaxAgeSeconds": 3600
}
]
}'
Object Versioning and Immutability
Enabling Versioning
Protect against accidental deletions and changes by enabling versioning:
# Enable versioning on a bucket
nexstorage-client bucket versioning enable \
--bucket critical-documents
Retrieve previous versions of objects:
# List all versions of an object
nexstorage-client object list \
--bucket critical-documents \
--prefix financial-report.pdf \
--versions
# Retrieve a specific version
nexstorage-client object get \
--bucket critical-documents \
--object financial-report.pdf \
--version-id "3a2a54b9-5a0f-4c0a-8c9e-12b3e4c7d8e9" \
--file financial-report-v1.pdf
Object Locking
For regulatory compliance or data protection, implement object locking:
# Enable object lock on a bucket (must be enabled at bucket creation)
nexstorage-client bucket create \
--bucket regulatory-data \
--object-lock
# Set retention on an object
nexstorage-client object lock \
--bucket regulatory-data \
--object patient-records.zip \
--mode COMPLIANCE \
--retention "2030-01-01T00:00:00Z"
Available lock modes:
- COMPLIANCE: Cannot be overridden by any user, including root
- GOVERNANCE: Can be overridden by users with special permissions
For legal and compliance requirements, use COMPLIANCE mode with retention periods that match your regulatory needs.
Legal Hold
Place legal holds on objects during litigation or investigations:
# Place legal hold
nexstorage-client object legal-hold set \
--bucket legal-evidence \
--object case123.zip \
--status ON
# Remove legal hold
nexstorage-client object legal-hold set \
--bucket legal-evidence \
--object case123.zip \
--status OFF
Identity and Access Management
NexStorage provides IAM-compatible access control for fine-grained permissions management.
User Management
Create dedicated users for different applications or teams:
# Create a new user
nexstorage-admin user create \
--name analytics-service \
--description "Service account for analytics pipelines"
# Generate access keys for the user
nexstorage-admin user keys create \
--name analytics-service
Policy Management
Create custom policies to enforce principle of least privilege:
# Create a read-only policy
nexstorage-admin policy create \
--name ReadOnlyAccess \
--document '{
"Version": "2012-10-17",
"Statement": [
{
"Effect": "Allow",
"Action": [
"s3:GetObject",
"s3:ListBucket"
],
"Resource": "*"
}
]
}'
# Assign the policy to a user
nexstorage-admin user policy attach \
--name analytics-service \
--policy ReadOnlyAccess
Temporary Credentials
For short-term access needs, use temporary credentials:
# Generate temporary credentials valid for 1 hour
nexstorage-admin user temp-credentials \
--name admin \
--duration 3600 \
--policy-file ./temp-policy.json
Auditing and Logging
Enabling Comprehensive Audit Logs
Configure detailed audit logging:
# Enable audit logging
nexstorage-admin config set audit.enabled true
# Configure audit log destination
nexstorage-admin config set audit.destination "file"
nexstorage-admin config set audit.file.path "/var/log/nexstorage/audit.log"
# For Elasticsearch integration
nexstorage-admin config set audit.destination "elasticsearch"
nexstorage-admin config set audit.elasticsearch.url "https://elasticsearch.yourdomain.com:9200"
nexstorage-admin config set audit.elasticsearch.index "nexstorage-audit"
Access Logging
Enable access logs for all bucket operations:
# Enable access logging for a bucket
nexstorage-client bucket logging set \
--bucket production-data \
--target-bucket log-archive \
--target-prefix "access-logs/production-data/"
Log Analysis
Set up regular log analysis with tools like:
- Elasticsearch/Kibana for log visualization
- Automated scanning for suspicious patterns
- Integration with SIEM systems
# Example: Forward logs to a SIEM system
nexstorage-admin config set audit.forward.enabled true
nexstorage-admin config set audit.forward.endpoint "https://siem.example.com/api/logs"
nexstorage-admin config set audit.forward.format "json"
Encryption
Server-Side Encryption
Configure default encryption for all objects:
# Enable SSE-S3 (NexStorage-managed keys)
nexstorage-client bucket encryption set \
--bucket confidential-data \
--type "SSE-S3"
# Enable SSE-KMS (Integration with KMS)
nexstorage-client bucket encryption set \
--bucket highly-confidential \
--type "SSE-KMS" \
--kms-key-id "arn:aws:kms:us-east-1:123456789012:key/abcd1234-ef56-gh78-ij90-klmn1234pqrs"
Client-Side Encryption
For the highest level of security, implement client-side encryption:
Python Example:
from nexstorage import NexStorageEncryptionClient
from cryptography.fernet import Fernet
# Generate encryption key
key = Fernet.generate_key()
# Create encrypted client
encrypted_client = NexStorageEncryptionClient(
access_key="YOUR_ACCESS_KEY",
secret_key="YOUR_SECRET_KEY",
endpoint_url="https://s3.nexstorage.nexvecta.com",
encryption_key=key
)
# Upload with automatic encryption
encrypted_client.upload_file("sensitive.pdf", "encrypted-bucket", "documents/sensitive.pdf")
# Download and decrypt
encrypted_client.download_file("encrypted-bucket", "documents/sensitive.pdf", "sensitive-decrypted.pdf")
JavaScript Example:
const { NexStorageEncryptionClient } = require('nexstorage-js');
const crypto = require('crypto');
// Generate encryption key
const key = crypto.randomBytes(32);
// Create encrypted client
const encryptedClient = new NexStorageEncryptionClient({
accessKeyId: 'YOUR_ACCESS_KEY',
secretAccessKey: 'YOUR_SECRET_KEY',
endpoint: 'https://s3.nexstorage.nexvecta.com',
encryptionKey: key
});
// Upload with encryption
encryptedClient.putObject({
Bucket: 'encrypted-bucket',
Key: 'documents/sensitive.pdf',
Body: fs.createReadStream('sensitive.pdf')
}).promise();
// Download and decrypt
encryptedClient.getObject({
Bucket: 'encrypted-bucket',
Key: 'documents/sensitive.pdf'
}).promise()
.then(data => fs.writeFileSync('sensitive-decrypted.pdf', data.Body));
When using client-side encryption, you are responsible for key management. Loss of encryption keys will result in permanent data loss.
Security Monitoring and Response
Setting Up Alerts
Configure real-time security alerts:
# Set up email alerts for unauthorized access attempts
nexstorage-admin alerts create \
--name "unauthorized-access" \
--condition "user.status = 'denied'" \
--severity "high" \
--channels "email:security@yourcompany.com"
# Set up webhook alerts for object deletions in critical buckets
nexstorage-admin alerts create \
--name "critical-deletion" \
--condition "bucket.name = 'financial-records' AND event.name = 's3:ObjectRemoved:*'" \
--severity "critical" \
--channels "webhook:https://alerts.yourcompany.com/nexstorage-hook"
Security Best Practices Auditing
Regularly audit your NexStorage security configuration:
# Generate a security audit report
nexstorage-admin security audit \
--output-format html \
--output audit-report.html
The audit report checks for:
- Public buckets
- Weak access controls
- Missing encryption
- Insecure network configurations
- Logging and monitoring gaps
Network Security
IP-Based Access Restrictions
Restrict API access to specific IP ranges:
# Allow access only from corporate networks
nexstorage-admin network allow-list add \
--cidr "10.0.0.0/8,192.168.0.0/16" \
--description "Corporate networks"
VPC Endpoints (AWS Deployment)
For AWS deployments, use VPC endpoints for secure private connectivity:
# Create VPC endpoint in AWS (AWS CLI)
aws ec2 create-vpc-endpoint \
--vpc-id vpc-01234567890abcdef \
--service-name com.amazonaws.us-east-1.s3 \
--route-table-ids rtb-01234567890abcdef
Then configure NexStorage to accept connections from the VPC endpoint.
Regulatory Compliance
GDPR Compliance
For GDPR compliance:
- Enable object locking and retention policies
- Implement data classification tags:
nexstorage-client object tag set \
--bucket customer-data \
--object profiles/user123.json \
--tags "DataClassification=PII,Retention=7years,GDPRRelevant=true" - Automate right-to-be-forgotten processes:
# Example script to identify and handle deletion requests
nexstorage-client object list \
--bucket customer-data \
--query "Tags.GDPRDeletion=requested" \
| xargs -I{} nexstorage-client object delete --bucket customer-data --object {}
HIPAA Compliance
For healthcare data:
- Enable encryption for all buckets
- Implement strict access controls
- Configure comprehensive audit logging
- Sign a Business Associate Agreement (BAA) with NEXVECTA
Compliance Scanning
Regularly scan stored data for compliance issues:
# Run compliance scan on sensitive buckets
nexstorage-admin compliance scan \
--buckets "patient-data,financial-records" \
--scan-type "pii,pci" \
--output-format json \
--output compliance-report.json
Security Checklist
Use this checklist to ensure your NexStorage deployment follows security best practices:
- Enforce HTTPS for all connections
- Configure custom TLS certificates
- Create dedicated users for applications and services
- Implement the principle of least privilege
- Enable default encryption for all buckets
- Enable versioning for critical data
- Configure object locking for compliance requirements
- Set up comprehensive logging and monitoring
- Regularly audit security configurations
- Implement network-level restrictions
- Establish an incident response plan
- Regularly rotate access keys
- Backup NexStorage configuration
- Keep NexStorage software updated
Next Steps�
Now that you've secured your NexStorage environment, learn how to: