Hitachi Vantara Security Advisories
Whenever a new industry-wide cybersecurity vulnerability is identified and reported, Hitachi Vantara investigates its product lines to determine any impact, and presents information here in an effort to help keep your systems protected.
A full list of vulnerabilities is available in our Knowledge portal.
KMS Integration and Compatibility Guide
Validated Key Management Server (KMS) integrations and supported software versions for the Hitachi VSP One Block storage models.
Validated KMS Vendors and Models
The following KMS vendors and models, along with their supported versions, have been validated for integration with Hitachi VSP One Block storage models.
Thales | CipherTrust Manager k170v CipherTrust Manager k470v CipherTrust Manager k570 Supported version: v2.14 |
Entrust | KeyControl Supported version: v10.2 |
IBM | Security Guardium Key Lifecycle Manager Supported version: v4.2.1 |
Utimaco | Virtual Enterprise Secure Key Manager Supported version: v8.52 |
Fortanix | Data Security Manager Supported version: v4.19 |
Fortanix | VaultCore Supported version: v2.6.2 |
Compatible Hitachi VSP One Block Models
The following Hitachi VSP One Block models are compatible with the validated KMS integrations:
- Hitachi VSP One Block 24
- Hitachi VSP One Block 26
- Hitachi VSP One Block 28
Integration Documents:
For detailed integration steps and guidelines, refer to the KMS integration documents listed below:
Thales CipherTrust Manager: | Integration Guide - v2.14 |
Entrust KeyControl: | Integration Guide - v10.2 |
IBM Security Guardium Key Lifecycle Manager: | Integration Guide - v4.2.1 |
Utimaco Security Guardium Key Lifecycle Manager: | Integration Guide - v8.52 |
Fortanix Data Security Manager: | Integration Guide - v4.19 |
Fornetix VaultCore: | Integration Guide - v2.6.2 |
Product Security Certifications
Hitachi Vantara is always working to achieve new security certifications for our range of products, in addition to all of the certifications we already have.
Hitachi Vantara Vulnerability Disclosure Policy
1. Policy introduction & policy purpose
The purpose of this policy is to establish a method all Hitachi Vantara customers and external stakeholders should follow to report any potential vulnerabilities and threats.
This policy’s objective is to ensure Hitachi Vantara’s customers trust by continuously addressing potential vulnerabilities and threats to reduce potential risks that may have an impact to Hitachi Vantara operations, infrastructure, and services.
2. Scope
This policy applies to all divisions and geographies, unless noted otherwise within this document, and is intended for all employees with a direct or indirect relationship with customers and third parties to whom Hitachi Vantara does business.
The following situations are excluded from this policy:
- When a Hitachi Vantara customer or third-party requests actions beyond a valid contract extension.
3. Process to report potential vulnerabilities and threats
3.1. Any Hitachi Vantara customer or third party may submit a report to notify about potential vulnerabilities or threats. A report submission should include the following information, but not limited to:
- Details of affected Hitachi Vantara product or solution
- Versions of software and/or microcode of Hitachi Vantara components
- A detailed description of the identified vulnerability or threat, and
- Any other relevant information such as evidence or proof of concept, where the identified vulnerability is already published, and where the individual reporting is committed to coordinated disclosure.
3.2. Contact information to report any potential vulnerability or threat:
- When a potential security vulnerability in Hitachi Vantara’s products is discovered, customers or third parties are encouraged to report the vulnerability by contacting Hitachi Vantara’s Global Support Center (GSC).
- The GSC team will work in conjunction with Hitachi Vantara’s Cybersecurity team to investigate the issue in accordance with customer contract requirements and GSC standard operating procedures.
- Hitachi Vantara recommends using an encryption program to securely transmit any confidential and personal data.
- While Hitachi Vantara will review reports submitted through the GSC, weaknesses in existing customer installation due to their individual designs, third-party components, or compromised access credentials are not considered a vulnerability within Hitachi Vantara’s products.
- For all entities without a customer relationship with Hitachi Vantara, you can report security vulnerabilities to Cybersecurity team here. (security.vulnerabilities@hitachivantara.com)
3.3. With the agreement of the reporting customers or third party, Hitachi Vantara must recognize the customer or third party with credit for the discovery of the vulnerability as part of the official Hitachi Vantara process. Hitachi Vantara does not have a “Bug Bounty” program in place. Therefore, Hitachi Vantara does recognize the vulnerability researchers through the vulnerability (CVE - Common Enumeration of Vulnerabilities) publication when applies, or a recognition letter for their contributions.
3.4. Hitachi Vantara’s product vulnerability handling generally consists of the following:
- First response,
- Initial triage,
- Investigation and planning,
- Remediation, and
- Disclosure & notification.
While Hitachi Vantara makes all effort to timely remediate vulnerabilities posing a high risk for Hitachi Vantara, its customers, and third parties, remediation times may vary depending on vulnerability complexity or threat conditions. Assuming the reported information is not known publicly, it is the intention of the customer or third-party reporting a vulnerability and Hitachi Vantara do not release any related information until there is remediation.
4. Disclaimer
The information contained herein is subject to change at any time without notice. The statements in this policy do not modify, supersede, or otherwise amend any customer rights, obligations, or terms between Hitachi Vantara LLC and any other party. The use of the information or links included in this policy is done at your own risk.