docBloombase Spitfire StoreSafe Storage Security Server
download 
Report Transcription
Bloombase Spitfire StoreSafe Storage Security Server
Bloombase Spitfire StoreSafe Storage Security Server Bloombase Technologies Bloombase Spitfire StoreSafe Storage Security Server Bloombase Spitfire SOA Security Server Bloombase Spitfire Message Security Server Bloombase Keyparc Bloombase Spitfire KeyCastle Key Management Server Bloombase Spitfire Edge Security Suite Bloombase Spitfire Identity Security Server Overview Enterprise Data At-Rest In Risk Sensitive data are stored in clear-text in storage systems with minimal access control vulnerable to core attacks Hosts and applications require data access in plain How StoreSafe Protects Your Data On-the-fly nondisruptive application transparent encryption and unencryption Proxy Bump-in-thewire Why Traditional Methods Are Inadequate File encryption utilities – mcrypt, ccrypt, zip – Only for static files, not for dynamic files, e.g. database Database encryption tools – Oracle crypto package – Tremendous 2nd development efforts at database tier – Huge performance impact, not for business intelligence Crypto tools – openssl, JCE, Microsoft capicom, HSM – Very steep learning curve – Tremendous 2nd development efforts at application tier – Not for business intelligence applications Security = High cost + SkillN +Slow + Instability + Insecure StoreSafe Benefits Secures operational data in databases Protect backup/offsite/remote data from electronic and hardware theft Meet IT governance compliance requirements Assure digital corporate assets integrity Protects websites from deface and assure data integrity Enforce effective change management High ROI – lawsuits and worst, bankruptcy Low TCO - One solution for all applications StoreSafe Benefits Management Immediate regulatory compliance Hardware and software independent Application transparent On-the-fly encryption/decryption No programming required No application changes No user behavior changes OS independent Hardware independent Functions and Features Transparent Encryption and Unencryption Fully automated data encryption and unencryption for authorized clients On-premises: SAN, NAS, DAS, CAS, Object Store, etc Cloud: RESTful Features StoreSafe virtualizes physical storage systems Virtual storage sub-system created providing trusted/decrypted/verified replica of physical storage Supports SAN, DAS, NAS, CAS and cloud storage Data protection – Access control – Privacy – Integrity Features Level of protection – Disk / Block – File – Object Hardware and software independent Application transparent On-the-fly encryption/decryption/watermark verification Features No programming required No application changes No user behavior changes File-system independent – Works with all file-system types supported by the OS Entensive OS support Application independent – Works with virtually all applications Features Plug-in architecture for future cipher upgrades Web-based management console NIST FIPS 140-2 validated cryptographic module PKCS#11 hardware security module support Chinese National OSCCA crypto module support Industry Proven Security Industry standard cipher algorithm support Regional and special cipher support IEEE 1619 compliant OASIS KMIP support NIST FIPS 140-2 validated Security Accreditations Security – NIST FIPS 140-2 validated (NIST Certificate #1241) Algorithms – NIST FIPS-197 AES encryption and decryption (NIST Certificate #1041) – RSA and DSA public key cryptography (NIST Certificate #496) – SHA hash generation (NIST Certificate #991) – Hash Message Authentication Code HMAC (NIST Certificate #583) – Random Number Generator (NIST Certificate #591) Security Accreditations Algorithms – NIST FIPS-46-3 3DES encryption and decryption – NTT/Mitsubishi Electric Camellia encryption/decryption – DES, RC4, RC2, CAST5 encryption and decryption – 512, 1024 and 2048 bit public key cryptography – MD5 hash generation Standards – IEEE 1619 storage in security Unified Storage Support Block storage based, file based, object based FCP, FCoE, iSCSI NFS, CIFS HTTP, WEBDAV RESTful cloud Unified Storage Support Fiber Channel Protocol (FCP) Small Computer System Interface (SCSI) Internet SCSI (iSCSI) Network File System (NFS) Common Internet File System (CIFS) File Transfer Protocol (FTP) Hyper Text Transfer Protocol (HTTP) Representational State Transfer (REST) Storage System Support Storage Area Network (SAN) Network Attached Storage (NAS) Direct Attached Storage (DAS) Just a Bunch Of Disk (JBOD) SCSI-based local disk arrays Content Addressable Storage (CAS) Cloud storage Object storage, etc Proprietary Object and Cloud Storage Support EMC Atmos EMC Centera Microsoft Windows Azure Amazon Elastic Block Store (EBS) IBM Cloud Caring CAStor / Dell DX Object Storage, etc File System Support File system independent Raw / Uncooked Solaris UFS Symantec Veritas VxFS IBM JFS HPFS Red Hat GFS XFS Linux Ext3 Windows NTFS, FAT32 and FAT CDFS, etc Database Support Supports all database systems Oracle IBM DB2 IBM Informix Sybase Microsoft SQLServer MySQL Hadoop, etc Application Support Native Java client library Native C client library Java RMI connectivity Web Services connectivity Socket connectivity, etc Appliance Platform Support Hardware architecture – Intel x86-based – Intel Itanium-2 – AMD64 based – IBM PowerPC based Appliance operating platform – Bloombase SpitfireOS Operating Platform Support IBM AIX IBM z/OS IBM i5/OS HP-UX Oracle Sun Solaris Linux Windows Mac OS X, etc Virtual Platform Support VMware ESX, ESXi, Server Red Hat KVM Citrix XenServer Oracle VirtualBox Microsoft Hyper-V IBM PowerVM, etc Compute Cloud Platform Support EMC Atmos Windows Azure Amazon Elastic Compute Cloud (EC2), etc Key Management Stored separately from encrypted information Key vault protected by AES-256 strong encryption Supports 3rd party PKCS#11 HSMs and KMIP-compliant key managers Host Security and Access Control User-based authentication: LDAP, MSAD, Kerberos, CHAP Host-based authentication: network address, LUN mask High Availability Spitfire High Availability Module to provide – Automated failover of nodes or load-balancing – Cluster monitoring – Cluster management – Configuration synchronization Spitfire Quorum Server to strengthen robustness of Spitfire cluster and avoid potential split-brain scenario Management Web-based and CLI management consoles Privilege-based administrator access control Separation of duties (SoD) Recovery quorum Operator smart tokens Network Management SNMP (v1, v2, v3) Email Syslog Windows Event Monitor Audit trail Log viewer and export Dashboard Audit Trail and Logging Customizable system log Full storage access audit trail Web-based management console accessible Log export and digital signing 2005-02-20 2005-02-20 2005-02-20 2005-02-20 2005-02-20 2005-02-20 2005-02-20 2005-02-20 2005-02-20 2005-02-20 2005-02-20 2005-02-20 2005-02-20 2005-02-20 2005-02-20 20:23:47,798 20:23:47,801 20:23:47,804 20:23:47,807 20:23:47,810 20:23:47,812 20:23:47,815 20:23:47,875 20:24:56,751 20:24:58,263 20:28:32,729 20:30:20,340 20:30:21,621 20:30:38,467 20:30:57,152 DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG DEBUG audit.storesafe audit.storesafe audit.storesafe audit.storesafe audit.storesafe audit.storesafe audit.storesafe audit.storesafe audit.storesafe audit.storesafe audit.storesafe audit.storesafe audit.storesafe audit.storesafe audit.storesafe - read read read read read read read read open open open open open open open file file file file file file file file file file file file file file file : : : : : : : : : : : : : : : /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, /mnt/storesafe/vs0/, from : /192.168.1.30, by : demo1 /mnt/storesafe/vs0/Movie_0001.wmv, from : /192.168.1.30, /mnt/storesafe/vs0/Movie_0001.wmv, from : /192.168.1.30, /mnt/storesafe/vs0/, from : /192.168.1.30, by : demo1 /mnt/storesafe/vs0/Movie_0001.wmv, from : /192.168.1.30, /mnt/storesafe/vs0/Movie_0001.wmv, from : /192.168.1.30, /mnt/storesafe/vs0/Movie_0001.wmv, from : /192.168.1.30, by by by by by by by by : : : : : : : : demo1 demo1 demo1 demo1 demo1 demo1 demo1 demo1 by : demo1 by : demo1 by : demo1 by : demo1 by : demo1 Product Editions StoreSafe appliance with built-in SpitfireOS StoreSafe QEMU OVF-compliant virtual appliance StoreSafe for Windows StoreSafe for Linux StoreSafe for IBM AIX StoreSafe for HPUX StoreSafe for Solaris Specifications Maximum number of CIFS servers/shares: no definite limit Maximum number of NFS servers/shares: no definite limit Maximum number of iSCSI targets: no definite limit Maximum number of SAN LUNs: no definite limit Maximum number of RESTful service endpoints: no definite limit Technology In Depth Inside StoreSafe Application, server and storage transparent Automated encryption Turnkey and immediate regulatory compliance Scale-up and scale-out Cost-effective High availability ready for mission critical applications Storage Cryptography Transparency Extract payload from storage commands (SCSI, NFS, REST, etc) Encrypt/decrypt/verify storage contents on-the-fly and recompose cryptoprocessed commands Why Now Not Earlier? Advancement in solid state and network technologies Network speed far excels storage speed Multi-core processors Multi-processor systems High-performance computing systems Ready For Giga/Tera/Petabyte Data? Storage network access protocols Block based rather than file based Random access rather than sequencial On-demand encryption/decryption Not giga/tera/peta-byte but kilo/byte!!! Modular Pluggable Cipher Architecture Pluggable cipher architecture for future cipher upgrade User-Customed cipher support Out of the box ciphers - AES, 3DES, DES, Twofish, Blowfish, RC2, RC4, RC5, RC6, Camellia, SEED, ARIA, etc Adaptive Block-based Encryption Random accessible On-demand block-based data encryption/decryption User-defined block size for I/O optimization Enterprise applications access storage block-by-block to reduce I/O overheads and latency Some applications (e.g. Oracle) allow user to configure data unit size to boost application performance User customizable unit of encryption size Round Trip Reduction Encryption block size smaller than application unit of access I/O round trips Cipher re-initialization Payload Reduction Encryption block size larger than application unit of access Encrypt and un-encrypt more than needed Use Cases Share/File-based Encryption StoreSafe appliance with network interface cards (NIC) Transparent file encryption for NFS, CIFS, WebDAV, FTP, etc Protocol conversion iSCSI Block-based Encryption StoreSafe appliance with iSCSI host-bus adapters (HBA), converged network adapters (CNA) or simply NIC Transparent block storage encryption for iSCSI targets StoreSafe virtual storage presented as iSCSI targets Fiber Channel SAN Block-based Encryption StoreSafe appliance with fiber channel (FC) host-bus adapters (HBA) Transparent block storage encryption for LUNs of SAN targets StoreSafe virtual storage presented as FC targets Object-based Encryption StoreSafe appliance with network interface cards (NIC) Transparent object encryption for RESTful object store, cloud storage and content addressable storage (CAS) Protocol proprietary object store including EMC Atmos, Dell DX, etc Product Roadmap StoreSafe Product Roadmap Questions? Comments? Conclusion Protect Your Corporate Data – Protect your customers – Corporate governance Implement Data Protection – Access Control – Digital Asset Encryption Your Action Items Review your corporate perimeter security measures Identify your enterprise data Classify your enterprise data into levels of security Devise an encryption strategy based on the classification Evaluate impact to users and applications Implement hassle free transparent protection to your corporate storage and message systems