- Keep Lustre traffic on dedicated private HPC/storage networks.
- Restrict client mounts to approved compute and service nodes.
- Disable direct internet reachability for MGS/MDS/OSS hosts.
- Integrate with centralized identity services for user/group consistency.
- Use strict mount permissions and least-privilege access patterns.
- Audit privileged filesystem operations.
- Patch kernel and Lustre modules through controlled maintenance windows.
- Limit admin shell access on metadata and object storage servers.
- Monitor resource exhaustion and abnormal metadata operations.
- Use tested backup and snapshot strategy for metadata and critical data.
- Validate failover procedures for metadata targets.
- Document and test recovery from node and storage failures.