
RSA DPM integration

In document EMC ENCRYPTION AS A SERVICE (Page 30-35)

Encryption key management

RSA DPM integration

EMC Encryption as a Service 31 with CloudLink SecureVSA

Both the hardware and virtual appliances come with a prepackaged software stack that includes a web application server, enterprise-class database, and access management. Client applications authenticate with the server using mutual SSL. A client application using a DPM client for encryption and key management can operate with a local protected cache for keys.

Figure 15 shows a typical deployment architecture for key management that contains at least two load-balanced nodes within the primary site for high availability and more nodes in remote sites for scalability or disaster recovery purposes, all clustered together. All nodes in a cluster are active. DPM appliances come with built-in replication to keep all the nodes in sync. RSA DPM virtual and hardware appliances can be deployed in the same way.

Figure 15. Typical RSA DPM deployment architecture

To use RSA DPM to store CloudLink KEKs, ensure that an RSA DPM host version 3.1 or later is accessible by the CloudLink Gateway through its private LAN network. The CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide and the CloudLink SecureVSA v2.2 VMware vSphere Administration Guide provide more information on deploying, configuring, and using CloudLink.

To prepare RSA DPM for storage of CloudLink KEKs:

1. Log on to the RSA Data Protection Manager console.

2. Create an identity that belongs to a particular RSA DPM identity group, as shown in Figure 16.


Figure 16. Creating an RSA DPM identity

3. Create a security class object with infinite duration that belongs to the same RSA DPM identity group, as shown in Figure 17.

Figure 17. Creating a security class object

To configure CloudLink to use RSA Data Protection Manager as its key store:

1. Open CloudLink Center on the Gateway using the secadmin user account.

2. Under the topology tree, select the gateway.

3. Click Security > Key Store.


Port—TCP port number configured on the RSA DPM host (default port is 443)

Security Class Name—Name of the security class configured on the RSA DPM host for the RSA DPM client

Trust Certificate—RSA DPM server certificate

Client Certificate—RSA DPM client certificate

Password—Password used during creation of the RSA DPM client certificate

6. Click Apply.

Figure 18. RSA DPM Configuration panel in CloudLink Center

CloudLink Gateway displays the RSA DPM status as Accessible. It creates a new entry in the CloudLink Center Actions log, as shown in Figure 18, and records a Key store change security event, as shown in Figure 19.

Figure 19. Key store change security event recorded by CloudLink
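The panel above asks for exactly the material a mutual-SSL client needs: the server's Trust Certificate, the client certificate with the password set when it was created, and the host and port. The following script is an added example, not code from the EMC white paper or from CloudLink; it reproduces from a Windows host on the same private LAN the check that CloudLink Gateway performs before reporting the key store as Accessible. It opens a TLS connection to the DPM host, presents the client certificate, and accepts the server only if the certificate it presents matches the Trust Certificate (pinning, rather than trusting the machine's certificate store). The host name, file paths and password are placeholders, and the client certificate is assumed to be a PKCS#12 file; the RSA DPM console may export it in a different container.

```powershell
# Added example: mutual-TLS reachability probe for an RSA DPM host, using the same
# values the CloudLink Center Key Store panel asks for. Not part of the white paper.
# Host name, paths and password are placeholders; the client certificate is assumed
# to be a PKCS#12 (.p12/.pfx) file containing its private key.
param(
    [string]$DpmHost            = 'dpm.example.internal',        # assumed DPM host name
    [int]$Port                  = 443,                           # default port per the paper
    [string]$TrustCertPath      = 'C:\cloudlink\dpm-server.cer', # Trust Certificate (server cert)
    [string]$ClientCertPath     = 'C:\cloudlink\dpm-client.p12', # Client Certificate
    [string]$ClientCertPassword = 'REPLACE_ME'                   # password set when the client cert was created
)

# Load the Trust Certificate and the client certificate with its private key.
$trusted = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($TrustCertPath)
$client  = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($ClientCertPath, $ClientCertPassword)
if (-not $client.HasPrivateKey) {
    throw 'Client certificate file contains no private key; it cannot authenticate to DPM.'
}
$clientCerts = New-Object System.Security.Cryptography.X509Certificates.X509CertificateCollection
[void]$clientCerts.Add($client)

# Pin the server to the Trust Certificate: anything else presented on $DpmHost
# (a rotated certificate, a misconfigured load balancer, an impostor) is rejected.
$pinnedThumbprint = $trusted.Thumbprint
$validate = [System.Net.Security.RemoteCertificateValidationCallback]({
    param($sender, $cert, $chain, $errors)
    $presented = New-Object System.Security.Cryptography.X509Certificates.X509Certificate2($cert)
    return ($presented.Thumbprint -eq $pinnedThumbprint)
}.GetNewClosure())

$tcp = New-Object System.Net.Sockets.TcpClient
$ssl = $null
try {
    $tcp.Connect($DpmHost, $Port)
    $ssl = New-Object System.Net.Security.SslStream($tcp.GetStream(), $false, $validate)
    # Handshake with the client certificate; the server decides whether to accept it.
    $ssl.AuthenticateAsClient($DpmHost, $clientCerts,
        [System.Security.Authentication.SslProtocols]::Tls12, $false)
    if (-not $ssl.IsMutuallyAuthenticated) {
        Write-Warning 'Handshake completed but the server did not authenticate the client certificate.'
    }
    "Accessible: ${DpmHost}:$Port, protocol $($ssl.SslProtocol), server cert $($pinnedThumbprint)"
}
catch [System.Security.Authentication.AuthenticationException] {
    # Either the server certificate did not match the Trust Certificate, or the
    # server rejected our client certificate / security class.
    "Not accessible: TLS handshake failed ($($_.Exception.Message))"
}
catch [System.Net.Sockets.SocketException] {
    "Not accessible: cannot connect to ${DpmHost}:$Port ($($_.Exception.Message))"
}
finally {
    if ($ssl) { $ssl.Dispose() }
    $tcp.Dispose()
}
```

Running the probe before clicking Apply separates the three failure modes the Accessible status hides: no network path (socket error), a server certificate that is not the Trust Certificate (handshake failure in the pinning callback), and a client certificate the DPM host does not associate with the configured security class (handshake failure or no mutual authentication).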

As an alternative to using RSA DPM as a key store, you can configure Microsoft Active Directory as a CloudLink key store. It is very important that the Active Directory server is properly backed up to ensure the safety of the encryption key. Losing the encryption key will cause data loss. For high availability and disaster recovery, Active Directory servers acting as CloudLink key stores are deployed on both the production site and the DR site.

Microsoft Active Directory integration

To use Active Directory to store CloudLink encryption keys, deploy a Windows Server to be accessible by CloudLink Center from its private LAN network.

During this procedure, you must provide the host name of the Windows Server, which means you must have already set up the DNS server.

To configure the Active Directory for the CloudLink encryption key store on a Windows 2003 or 2008 Server that is configured as a domain controller, the following high-level steps are required.

1. Set up an organizational unit on Windows Server.

2. Create a bind user.

3. Add the bind user to the security group.

4. Record the DN of CloudLink.

5. Apply the domain controller in CloudLink.

For detailed configuration instructions, refer to the CloudLink SecureVSA v2.2 VMware vSphere Administration Guide.
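The five steps above are GUI steps in the Administration Guide; the following script is an added example, not from the white paper or the CloudLink guides, that performs steps 1 through 4 with the ActiveDirectory PowerShell module on a domain controller (which assumes Windows Server 2008 R2 or later, a little newer than the 2003/2008 servers the paper mentions). The OU, group and account names are placeholders; the guide is the source of the names and rights CloudLink actually expects. Step 5 is done in CloudLink Center with the values the script prints at the end.

```powershell
# Added example: provisions the Active Directory objects for a CloudLink key store
# (OU, bind user, security group) and prints the DNs to enter in CloudLink Center.
# Not part of the EMC white paper. Names below are hypothetical placeholders.
Import-Module ActiveDirectory

$domainDn  = (Get-ADDomain).DistinguishedName   # e.g. DC=corp,DC=example,DC=com
$ouName    = 'CloudLink'                        # hypothetical OU name
$groupName = 'CloudLink-KeyStore'               # hypothetical security group name
$bindName  = 'svc-cloudlink-bind'               # hypothetical bind account name
$bindPwd   = Read-Host -AsSecureString 'Password for the CloudLink bind user'

# Step 1: organizational unit that holds the key-store objects. Protecting it from
# accidental deletion matters here: losing the key store means losing the data.
$ou = Get-ADOrganizationalUnit -LDAPFilter "(ou=$ouName)" -SearchBase $domainDn -ErrorAction SilentlyContinue
if (-not $ou) {
    $ou = New-ADOrganizationalUnit -Name $ouName -Path $domainDn `
        -ProtectedFromAccidentalDeletion $true -PassThru
}

# Step 2: bind user. An ordinary domain account (no admin group membership) whose
# password does not expire, so CloudLink does not silently lose access to its keys.
$bind = New-ADUser -Name $bindName -SamAccountName $bindName `
    -Path $ou.DistinguishedName -AccountPassword $bindPwd `
    -Enabled $true -PasswordNeverExpires $true -CannotChangePassword $true `
    -Description 'CloudLink key store bind account' -PassThru

# Step 3: security group with the bind user as its only member.
$group = New-ADGroup -Name $groupName -GroupScope Global -GroupCategory Security `
    -Path $ou.DistinguishedName -PassThru
Add-ADGroupMember -Identity $group -Members $bind

# Step 4: record the DNs. The domain controller host name is what step 5 enters in
# CloudLink, and it must resolve in the DNS the paper says is already set up.
[pscustomobject]@{
    DomainController = (Get-ADDomainController).HostName
    OrganizationalUnitDn = $ou.DistinguishedName
    BindUserDn           = $bind.DistinguishedName
    SecurityGroupDn      = $group.DistinguishedName
} | Format-List
```

Keep the bind account out of privileged groups: it only needs access to the objects under the CloudLink OU, so a compromise of the CloudLink Center credentials does not turn into domain-wide access. Back up the OU together with the rest of the directory, since the paper is explicit that losing the key means losing the encrypted data.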

Configuring Active Directory as a key store


Conclusion

EMC EaaS powered by CloudLink SecureVSA enables cloud service providers to address the compliance and data security requirements of their customers. It eases concerns of cloud service customers about their data security in a multitenant environment by providing them with a tool to manage the encryption keys and security policy. It generates additional service revenue associated with a premium encryption service, which requires data encryption in the cloud, and additional workloads moving into the cloud.

CloudLink SecureVSA is very easy to deploy, and is transparent to business applications and underlying infrastructure. It is a granular encryption solution that is workload driven and can be deployed on a per-tenant basis. It encrypts only the data for which tenants and applications require encryption. Other workloads in the cloud environment can continue to use regular cloud storage.

The three deployment models described in this White Paper demonstrate the ease with which CloudLink SecureVSA can be deployed and configured by service providers and their customers.

With flexible key management options, customers always have a choice to entrust cloud service providers to manage the key on their behalf or to use existing enterprise key management to secure their data in the service provider environment. The enterprise key management investment is fully protected.

CloudLink EaaS secures the cloud and ultimately helps enterprises to trust the cloud.

References

For additional information, see the documents listed below.

• CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide

• CloudLink SecureVSA v2.2 VMware vSphere Administration Guide

• CloudLink SecureVSA v2.2 VMware vCloud Director Supplementary Deployment Guide

• VMware documentation
