ECS: Compliance for CAS
Summary: This article describes the Compliance features of ECS for CAS.
Instructions
Compliance
Describes ECS features that support government and industry standards for the storage of electronic records.
ECS meets the storage requirements of the following standards, as certified by Cohasset Associates Inc:
- Securities and Exchange Commission (SEC) in regulation 17 C.F.R. 240.17a-4(f)
- Commodity Futures Trading Commission (CFTC) in regulation 17 C.F.R. 1.31(b)-(c)
Compliance has three components:
- Platform hardening: Addressing common security vulnerabilities.
- Policy-based record retention: Limiting the ability to change retention policies for records under retention.
- Compliance reporting: Periodic reporting by a system agent records the system's compliance status.
Platform hardening and Compliance
The following ECS security features support Compliance standards.
ECS platform security features:
- User root access to nodes is disabled (no user root logins permitted).
- ECS customers can access nodes through the admin user set up during first-time installations.
- The admin user runs commands on nodes using sudo.
- There is full audit logging for sudo commands.
- ESRS can shut down all remote access to nodes. In ESRS Policy Manager, set the Start Remote Terminal action to Never Allow.
- All unnecessary ports (ftpd, sshd) are closed.
- The emcsecurity user with the Lock Administrator role can lock nodes in a cluster. This means that remote access over the network by SSH is disabled. The Lock Administrator can then unlock a node to allow for remote maintenance activities or other authorized access.
Compliance and retention policy
Describes enhanced rules for record retention on a Compliance-enabled ECS system. ECS sets object retention features to On at the object, bucket, and namespace levels. Compliance strengthens these features by limiting changes that can be made to retention settings on objects under retention. Rules include:
- Compliance is set at the namespace level. This means that all buckets in the namespace must have a retention period greater than zero. For CAS, buckets with zero retention can be created, as long as the Enforce Retention Information in Object setting is turned On.
- You can only turn Compliance on when you create a namespace. (You cannot add Compliance to an existing namespace.)
- You cannot turn Compliance off once it is turned on.
- All buckets in a namespace must have a retention period greater than zero.
NOTE: If you have an application that assigns object-level retention periods, do not use ECS to assign a retention period greater than the application retention period. This action causes application errors.
- A bucket with data in it cannot be deleted regardless of its retention value.
- Applying the Infinite option to a bucket means that objects in the bucket in a Compliance-enabled namespace cannot be deleted permanently.
- The retention period for an object cannot be deleted or shortened. Therefore, the retention period for a bucket cannot be deleted or shortened.
- You can increase object and bucket retention periods.
- No user can delete an object under retention. This includes users with the CAS privileged-delete permission.
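The rules above can be checked against a planned set of bucket settings before the change is attempted. The following is an added example, not ECS code or an ECS API: the BucketPlan model, the INFINITE sentinel, the use of seconds, and the sample buckets are all assumptions made for illustration.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional

INFINITE = -1            # assumed sentinel for the "Infinite" option
YEAR = 365 * 24 * 3600   # retention is modelled in seconds (assumption)

@dataclass
class BucketPlan:        # hypothetical model of one bucket's planned settings
    name: str
    current: Optional[int]               # retention now; None if the bucket is new
    planned: int                         # retention after the change
    is_cas: bool = False
    enforce_in_object: bool = False      # "Enforce Retention Information in Object" is On
    app_retention: Optional[int] = None  # object-level period set by the application

def shorter(new: int, old: int) -> bool:
    """True if `new` is a shorter retention period than `old`."""
    if old == INFINITE:
        return new != INFINITE
    return new != INFINITE and new < old

def lint_bucket(p: BucketPlan) -> List[str]:
    findings = []
    # Buckets need retention > 0; CAS may use zero only with enforcement On.
    if p.planned == 0 and not (p.is_cas and p.enforce_in_object):
        findings.append("zero-retention")
    # Retention can be increased but never shortened or removed.
    if p.current is not None and shorter(p.planned, p.current):
        findings.append("shortened")
    # NOTE above: ECS retention longer than the application's causes app errors.
    if p.app_retention is not None and shorter(p.app_retention, p.planned):
        findings.append("exceeds-app-retention")
    return findings

def lint_plan(plans: List[BucketPlan]) -> Dict[str, List[str]]:
    """Return only the buckets whose planned settings break a rule."""
    return {p.name: f for p in plans if (f := lint_bucket(p))}

# Constructed sample plan for one Compliance-enabled namespace.
SAMPLE = [
    BucketPlan("trades", current=7 * YEAR, planned=5 * YEAR),
    BucketPlan("cas-archive", current=None, planned=0, is_cas=True, enforce_in_object=True),
    BucketPlan("scratch", current=None, planned=0),
    BucketPlan("mail", current=YEAR, planned=INFINITE, app_retention=3 * YEAR),
    BucketPlan("ledger", current=INFINITE, planned=10 * YEAR),
]

if __name__ == "__main__":
    for name, findings in lint_plan(SAMPLE).items():
        print(name, findings)
```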
Compliance agent
Describes the operation of the Compliance agent.
Compliance features are turned on by default, except for Compliance monitoring. If monitoring is turned on, the agent periodically logs a message.