
White Paper

EMC Solutions

EMC ENCRYPTION AS A SERVICE

With CloudLink SecureVSA

Data security for multitenant clouds

Transparent to applications

Abstract

This White Paper describes EMC EaaS based on an AFORE CloudLink SecureVSA solution. This solution enables Cloud Service Providers to offer EaaS in a multitenant cloud environment and enables their customers to meet regulatory compliance requirements related to data security.

April 2014


Copyright © 2014 EMC Corporation. All Rights Reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided as is. EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.


Table of contents

Executive summary ... 5 Business case ... 5 Solution overview ... 5 Key benefits ... 5 Introduction... 7 Purpose ... 7 Scope ... 7 Audience ... 7 Terminology ... 8 Technology overview ... 9 CloudLink vNode ... 9 CloudLink Gateway ... 9 CloudLink Center ... 10 Solution architecture ... 11 Overview ... 11 Data-at-rest encryption ... 12

Secure datastore mode ... 13

Secure NAS mode ... 13

System requirements ... 15

CloudLink vNode requirements ... 15

CloudLink Gateway requirements ... 15

Common deployment models ... 16

Overview ... 16

Model 1—Full deployment in the cloud ... 17

Model 1 workflow ... 18

Model 1 workflow reference ... 19

Model 2—Key store in the private data center with SecureVSA in the cloud ... 20

Model 2 workflow ... 21

Model 2 workflow reference ... 22

Model 3—Key Store and CloudLink gateway in the private data center with the vNode in the cloud 24 Model 3 workflow ... 25

Model 3 workflow reference ... 26

(4)

Encryption key management ... 29

RSA DPM integration ... 30

Microsoft Active Directory integration ... 33

Configuring Active Directory as a key store ... 34

Conclusion ... 35

References... 35


Executive summary

This White Paper describes EMC Encryption as a Service (EaaS) based on an AFORE CloudLink SecureVSA solution. The paper includes business benefits, solution architecture, deployment models, workflows, and encryption key management. This solution enables Cloud Service Providers (CSPs) to offer EaaS in a multitenant cloud environment and enables their customers to meet regulatory compliance requirements related to data security.

Business case

As organizations realize the benefits of migrating business applications, virtual desktops, storage, back-ups, and disaster recovery solutions into the cloud, security remains a top concern. Organizations tasked with ensuring regulatory compliance (such as HIPAA, PCI, CSA, and NIST) have additional requirements that make the move to the cloud even more challenging.

When enterprises adopt cloud services, new data security challenges emerge, including:

• Enterprise workloads running on an infrastructure managed by cloud service providers
• Enterprise-sensitive data on shared cloud storage systems
• Traditional perimeter-based security that is ineffective for preventing data leakage in a cloud environment
• Data remanence issues and the challenge of data destruction on cloud storage systems shared by multiple live customers

Enterprises increasingly expect cloud providers to provide data protection services in addition to the compute infrastructure.

Solution overview

Service providers can assist enterprises in using EMC EaaS to secure sensitive data in a variety of cloud use cases, including Infrastructure as a Service, Storage as a Service, Disaster Recovery as a Service, and hosted virtual desktops.

EaaS is simple to deploy and enables the efficient introduction of new customers, while it is transparent to both the cloud infrastructure and customer workloads. EaaS is the perfect solution to segregate and encrypt customer data in a multitenant cloud while providing control of the encryption keys to the data owner to ensure data is completely unreadable by unauthorized users.

Key benefits

The business benefits of EMC EaaS for CSPs are as follows:

• Increases per-subscriber revenues by adding encryption services to the provider’s service offerings without having to invest in new infrastructure
• Expands customer opportunities by hosting workloads subject to regulatory compliance
• Enables simple deployment and transparency to the provider’s infrastructure and their customers’ workloads
• Encrypts only sensitive data at rest and in motion, not the entire storage array
• Enables enterprises to have full control of encryption keys
• Mitigates the provider’s compliance risk by enabling customers to secure sensitive data and maintain key control in the cloud with enterprise-controlled encryption


Introduction

Purpose

This White Paper describes how a cloud service provider can use CloudLink SecureVSA to deliver EaaS as a premium service offering.

This White Paper describes the following key components of this solution:

• EaaS architecture
• Data encryption in a multitenant cloud environment
• Transparent data encryption with no changes to applications or the underlying storage infrastructure
• Integration with enterprise key management to secure data in a cloud environment
• Flexible key management options, with encryption keys completely controlled by enterprise data owners or managed by the cloud service security administrator as part of a managed cloud service offering

Scope

This White Paper demonstrates how you can deploy CloudLink SecureVSA in the cloud service provider infrastructure to enable multitenant EaaS.

This paper describes three deployment models:

• All CloudLink SecureVSA components and key management are deployed and managed by the service provider.
• All CloudLink SecureVSA components are deployed and managed by the service provider, and the tenants are responsible for key management.
• A hybrid deployment model, where the service provider installs the CloudLink SecureVSA component in the cloud and tenants deploy CloudLink SecureVSA on site and manage the encryption keys.

This paper also includes the general deployment procedures and workflows for this solution. However, for detailed product installation, configuration, and ongoing management procedures, refer to the CloudLink SecureVSA user documentation listed in References.

While this document focuses on installing EaaS in a VMware vCloud Director or vSphere environment, CloudLink SecureVSA also supports encryption on other cloud platforms, such as Microsoft Hyper-V. For information about EaaS outside of VMware cloud environments, contact your EMC Global Services representative or email AFORE Solutions at [email protected].

Audience

This paper is intended for systems engineers, solution architects, product managers, and operations engineers of cloud service providers.

You should be knowledgeable about VMware vCloud Director, vSphere, vCenter, EMC storage systems, and networking concepts. You need at least a high-level understanding of CloudLink SecureVSA functionality.

Terminology

This paper includes the following terminology.

Table 1. Terminology

Term               Definition
RSA DPM            RSA Data Protection Manager
EaaS               Encryption as a Service
CloudLink Center   Management console for CloudLink that integrates with encryption key stores. CloudLink Center may also be referred to as the CloudLink Gateway when describing the CloudLink node represented.
CloudLink Gateway  Software virtual appliance that provides encrypted storage and the management interface (see CloudLink Center)
CloudLink vNode    Software virtual appliance that provides encrypted storage
DAS                Direct-attached storage
DRaaS              Disaster Recovery as a Service
IaaS               Infrastructure as a Service
NAS                Network-attached storage
SAN                Storage Area Network
VDIaaS             VDI as a Service
VPN                Virtual Private Network
VSA                Virtual Storage Appliance


Technology overview

CloudLink SecureVSA is a software-defined storage encryption solution that is designed to secure sensitive data in virtualized and multitenant cloud environments. It is delivered as a virtual storage appliance that can be deployed on a per-application, per-tenant basis and provides a software encryption layer between virtualized applications and physical storage, as shown in Figure 1.

Figure 1. CloudLink SecureVSA

To offer EaaS, service providers install CloudLink SecureVSA in the existing VMware vSphere or vCloud Director cloud platform. CloudLink SecureVSA includes three components:

• CloudLink vNode
• CloudLink Gateway
• CloudLink Center

CloudLink vNode

Service providers deploy this software virtual appliance over a shared storage resource to provide encrypted virtual storage for the tenant’s workloads and to establish an encrypted tunnel to a CloudLink Gateway for encryption key management.

Optionally, this tunnel can also be used as a network extension between customer networks and the network in the tenant’s virtual data center in the cloud. Service providers who want to offer self-service CloudLink-based EaaS can offer the CloudLink vNode as a service template in their service catalogs.

CloudLink Gateway

Service providers deploy this software virtual appliance in the service provider cloud or on site in the customer’s private data center. The CloudLink Gateway establishes a secure connection for managing CloudLink vNodes in the cloud. Like the CloudLink vNode, the CloudLink Gateway supports storage encryption. The Gateway generates enterprise-controlled encryption keys, places them in a secure key store, and delivers them through the secure tunnel to the vNodes deployed in the cloud. In addition, the Gateway authenticates vNodes, monitors connectivity, and initiates performance testing.

Note: The CloudLink Gateway is not a traditional IT gateway. It is a CloudLink SecureVSA component to which CloudLink vNodes connect.

CloudLink Center

A web-service application delivered as part of the CloudLink Gateway, CloudLink Center provides a user interface to configure and manage CloudLink SecureVSA. CloudLink Center provides secure storage encryption management, network monitoring and testing, and audit trails of actions, alarms, and security events. A representative display from CloudLink Center is shown in Figure 2.

Figure 2. CloudLink Center management interface

Note: CloudLink Center is one of two management interfaces. The other is a low-level appliance console that is used to deploy vNodes and the CloudLink Gateway.


Solution architecture

Overview

CloudLink SecureVSA is a software-defined storage encryption solution designed to secure sensitive data in a virtualized and multitenant cloud environment. It is delivered as a virtual storage appliance that can be deployed on a per-application, per-tenant basis, and provides a software encryption layer between virtualized applications and physical storage.

EaaS uses CloudLink SecureVSA to provide cryptographic protection of sensitive data while enabling the data owner to keep control over security and compliance in a multitenant virtualized cloud environment.

Service providers can offer EaaS to customers who need to encrypt their workloads and data in a multitenant cloud environment to meet data security and regulatory compliance requirements.

CloudLink EaaS adopts a secure storage overlay approach to encrypt data, so that it is transparent to applications and works across the various underlying storage systems that service providers use. This premium service enables secure Infrastructure as a Service (IaaS), secure VDI as a Service, and secure DRaaS in private, public, or hybrid cloud environments.

CloudLink SecureVSA provides the following important capabilities:

• Presents itself as a secure datastore or multiple datastores to the hypervisor and encrypts virtual machine disks transparently without changing applications. Service providers can deploy CloudLink as an encrypted storage overlay over physical storage systems and allocate the encrypted storage resource to the respective tenants.
• Presents itself as a secure software storage appliance to virtual machines directly over Microsoft SMB, NFS, or iSCSI. Service providers can offer this as part of their service template, and tenants can enable this encryption service in a self-service model.
• Enables the enterprise or tenant to control the encryption key and the security policy for accessing the encrypted storage.
• Integrates with existing enterprise key management, RSA Data Protection Manager (DPM), to secure data in the cloud environment. Enterprises can benefit from their existing investment and enterprise key management expertise. As an alternative, a Microsoft Active Directory server is supported as a CloudLink encryption key store.
• Supports heterogeneous cloud storage systems, providing full protection for the service provider’s existing storage system investment. The software encryption layer spans the entire cloud storage infrastructure.
• Supports all existing data center operations provided by cloud platforms, including virtual machine live migration, storage backup, replication, high availability, and fault tolerance capabilities.

Depending on customer requirements, service providers can offer EaaS in a variety of ways:

• CloudLink SecureVSA as an encryption service template within a service catalog. Each tenant can install SecureVSA in a self-service manner and use it on a pay-as-you-go basis.
• CloudLink SecureVSA as part of a storage service, with encrypted storage as part of a storage resource pool for workload deployment by a particular tenant.
• Encryption key management options:
  • The service provider assumes full responsibility for encryption key management in a managed cloud service model.
  • The tenant assumes responsibility for key management.
  • A hybrid model, where an enterprise uses CloudLink on site to encrypt the data in its private data center and also to encrypt the data in the service provider environment.

Figure 3 represents the solution architecture.

Figure 3. EaaS solution architecture

In a multitenant cloud, CloudLink SecureVSA is deployed on a per-tenant basis. In this shared cloud infrastructure environment, storage is connected to the hypervisor

virtual storage volume is created, vNode exposes this volume in either secure datastore mode or secure NAS mode.

Secure datastore mode

The secure datastore mode for CloudLink SecureVSA provides encrypted storage for use by the hypervisor (VMware vSphere or Microsoft Hyper-V). In this mode, virtual machines associated with the encrypted datastore can be thought of as running in an encrypted container. The entire virtual machine can reside within the encrypted datastore.

Alternatively, administrators can choose to associate only the data volumes with the encrypted datastore, using a standard datastore for the operating system and application volume. Administrators can then combine volumes into a single large datastore. Alternatively, each attached volume can be encrypted with unique encryption keys and shared as individual datastores.

The benefit of encrypted datastore mode is that it is completely transparent to the virtual machines running with the encrypted datastore, requiring no changes or modifications to virtualized servers and applications (agentless). This mode also offers the benefits of supporting standard VMware features such as Distributed Resource Scheduler (DRS), high availability (HA), fault tolerance (FT), and Storage vMotion. Secure datastore mode is depicted in Figure 4.

Figure 4. Secure datastore mode

Secure NAS mode

The Secure NAS mode of CloudLink SecureVSA provides encrypted storage at the network level for virtual machines using NFS, CIFS/SMB, or iSCSI protocols. Similar to encrypted datastore mode, encrypted NAS mode is an agentless data-at-rest


System requirements

CloudLink SecureVSA supports any cloud platform based on VMware vSphere 4.1 or later and vCloud Director 5.1.

CloudLink vNode requirements

Typical system requirements for a CloudLink vNode include the following:

• Two vCPUs (recommended)
• 4 GB vRAM (recommended)
• ESX server with CPUs that support Advanced Encryption Standard New Instructions (AES-NI); highly recommended for better encryption performance
• 8 GB storage for deploying the vNode
• Network requirements:
  • One network interface for managing a CloudLink Gateway
  • One IP storage network interface for the vNode to present itself as a virtual storage appliance directly to virtual machines (in Secure NAS mode) or to the ESX hypervisor as a datastore
  • An additional network interface for virtual machines to communicate with the VPN tunnel, if required
• Virtual disks from vSphere or from vCloud Director to use as an encrypted storage resource; up to 10 TB can be supported per vNode

CloudLink Gateway requirements

Typical system requirements for a CloudLink Gateway include:

• One vCPU (recommended) if the CloudLink Gateway is used only as a management node (CloudLink Center); two vCPUs (recommended) if the CloudLink Gateway is used as both a management node and a storage encryption node
• 1 GB vRAM (recommended) if the CloudLink Gateway is used only as a management node (CloudLink Center); 4 GB vRAM (recommended) if the CloudLink Gateway is used as both a management node and a storage encryption node
• 8 GB storage for deploying the CloudLink Gateway
• Network requirements:
  • One network interface for managing CloudLink vNodes
  • An IP storage network interface for the CloudLink Gateway to present itself as a virtual storage appliance directly to virtual machines (in Secure NAS mode) or to the ESX hypervisor as a datastore, when the CloudLink Gateway is used as a storage encryption node
  • An additional network interface for virtual machines to communicate with the VPN tunnel, if required
• Virtual disks from vSphere or from vCloud Director for use as an encrypted storage resource; up to 10 TB can be supported per CloudLink Gateway
• CloudLink Center is part of the CloudLink Gateway; accessing the CloudLink Center web interface requires a web browser with the Adobe Flash plug-in


Common deployment models

Overview

CloudLink SecureVSA components can be distributed across the customer’s private data center and the service provider’s multitenant cloud to meet a variety of EaaS deployment situations.

This section describes three common EaaS deployment models, as represented by Tenant 1, Tenant 2, and Tenant 3 in Figure 6. Each customer has a dedicated private data center. The multitenant service provider cloud includes one resource pool for each tenant for CloudLink SecureVSA encrypted storage. Tenant 4 represents a tenant that is hosted in the multitenant cloud but does not use the encryption services of CloudLink SecureVSA.

Figure 6. Deployment models

The three customers who make use of CloudLink SecureVSA encrypted storage in this example represent the three common deployment models that are described in this White Paper:

Model 1—All CloudLink SecureVSA components and the key store are deployed in the Tenant 1 cloud resource pool. The service provider maintains control over the encryption keys and the security policy. From web browsers in the private data center, the customer’s users can access the encrypted storage in the service provider’s cloud using NAS protocols (CloudLink Secure NAS mode) or


Model 2—All CloudLink SecureVSA components are deployed in the Tenant 2 cloud resource pool. The key store is hosted in the private data center, and the customer maintains control over encryption keys and security policy.

As in Model 1, the same two submodels exist here:

• Single CloudLink Gateway
• Single CloudLink Gateway that manages multiple CloudLink vNodes

Model 3—Only the CloudLink vNode is deployed in the Tenant 3 resource pool. The CloudLink Gateway and key store are hosted in the private data center, and the customer maintains control over encryption keys and security policy.

Model 1—Full deployment in the cloud

Many customers prefer the service provider to take responsibility for managing the CloudLink SecureVSA components and the key store. For these customers, service providers can use a deployment model in which the CloudLink Gateway, vNode, and key store are deployed in the appropriate tenant resource pool in the service provider’s cloud, as shown in Figure 7.

Figure 7. Model 1 deployment


Model 1 workflow

The workflow in Figure 8 represents the tasks for a full CloudLink SecureVSA deployment in the service provider’s cloud. In this workflow, the service provider performs all tasks.

Figure 8. Model 1 workflow (tasks shown in the diagram, in order from Start):

1. Deploy Gateway OVF template
2. Add private network interface for Gateway
3. Configure Gateway
4. Deploy vNode OVF template
5. Add SAN network interface and hard disks for vNode, and configure SAN interface properties (optional)
6. Configure vNode (including VPN)
7. Upload and assign storage license for vNode
8. Merge disks (optional)
9. Configure encryption key store
10. Format secure storage
11. Configure access to secure storage


Model 1 workflow reference

Table 2 lists each task shown in Figure 8 for a full CloudLink SecureVSA deployment in the service provider’s cloud.

Table 2. Model 1 workflow references

Task: Deploy the CloudLink Gateway OVF template
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay; Deploying the CloudLink Gateway OVF Template

Task: Add the private network interface for the Gateway
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Adding Components; Deploy a Gateway with No Storage

Task: Configure the Gateway
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay; Configuring the CloudLink Gateway

Task: Deploy the vNode OVF template
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay; Deploying the vNode OVF Template

Task: Add SAN and private network interfaces, add hard disks for vNode, and configure SAN interface properties
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay; Deploying the vNode OVF Template

Task: Configure vNode, including VPN connection
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay

Task: Upload and assign storage license for vNode
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Storage Licenses: Uploading Storage Licenses; Assigning Storage Licenses

Task: Merge disks (optional). Merge disks to present multiple disks as a single encrypted storage volume. Otherwise, each disk is presented as a separate encrypted storage volume.
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage; Merging Volumes

Task: Configure encryption key store
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage

Task: Format secure storage
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage; Formatting Volumes

Task: Configure access to secure storage (for Secure NAS mode only)
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage: Configuring NFS/SMB Access to Secure Storage; Configuring iSCSI Access to Secure Storage

Task: Create secure datastore (for Secure Datastore mode only)
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage; Configuring Secure Datastore

Model 2—Key store in the private data center with SecureVSA in the cloud

Some customers want the service provider to be responsible for managing the CloudLink SecureVSA components but prefer to retain control over encryption keys and security policy. For these customers, service providers can use a deployment model in which the key store is hosted in the customer’s private data center, and CloudLink SecureVSA components are hosted in the appropriate tenant resource pool in the service provider’s cloud, as shown in Figure 9.


Model 2 workflow

The workflow in Figure 10 represents the tasks for a key store in the private data center with all CloudLink SecureVSA components in the service provider’s cloud.

Figure 10. Model 2 workflow (tasks shown in the diagram, in order from Start to End, divided between Service Provider and Customer lanes; Table 3 identifies the party responsible for each task):

1. Deploy Gateway OVF template
2. Add private network interface for Gateway
3. Configure Gateway
4. Deploy vNode OVF template
5. Add SAN network interface and hard disks for vNode, and configure SAN interface properties (optional)
6. Add private network interface for vNode
7. Configure vNode to the point of the VPN setup steps
8. Generate one-time passcode
9. Set up VPN using one-time passcode
10. Provide CloudLink Center credentials and URL, and storage license to customer
11. Upload and assign storage license for vNode
12. Merge disks (optional)
13. Configure encryption key store
14. Format secure storage
15. Configure access to secure storage
16. Create secure datastore (optional)


Model 2 workflow reference

Table 3 lists each task shown in the deployment workflow for a key store in the private data center, with CloudLink SecureVSA components in the service provider’s cloud. For each task, the table identifies the party responsible for the task and the appropriate topic for more information in the related references.

Table 3. Model 2 workflow reference

Task: Service provider deploys the Gateway OVF template
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay; Deploying the CloudLink Gateway OVF Template

Task: Service provider adds the private network interface for the Gateway
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Adding Components; Deploy a Gateway with No Storage

Task: Service provider configures the Gateway
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay; Configuring the CloudLink Gateway

Task: Service provider deploys the vNode OVF template
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay; Deploying the vNode OVF Template

Task: Service provider adds SAN and private network interfaces, adds hard disks for vNode, and configures SAN interface properties
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Adding Components; Configuring CloudLink for Use as Datastore Storage; Process for Configuration

Task: Service provider configures the vNode to the point where the VPN setup steps begin
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay

Task: Service provider sets up the VPN connection to connect the vNode to the Gateway using the one-time passcode
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay, Configuring the vNode
Note: The steps to set up the VPN connection, including entering the one-time passcode, are provided at the end of the procedure to configure the vNode.

Task: Service provider provides the CloudLink Center credentials and URL, and storage license to the customer
Reference/topic: n/a

Task: Customer uploads and assigns storage license for vNode
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Storage Licenses: Uploading Storage Licenses; Assigning Storage Licenses

Task: Customer merges disks (optional). Merge disks to present multiple disks as a single encrypted storage volume. Otherwise, each disk is presented as a separate encrypted storage volume.
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage; Merging Volumes

Task: Customer configures encryption key store
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage; Encryption Key Store Management

Task: Customer formats secure storage
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage; Formatting Volumes

Task: Customer configures access to secure storage (for Secure NAS mode only)
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage: Configuring NFS/SMB Access to Secure Storage; Configuring iSCSI Access to Secure Storage

Task: Service provider creates secure datastore (for Secure Datastore mode only)
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage


Model 3—Key Store and CloudLink Gateway in the private data center with the vNode in the cloud

Some customers prefer the service provider to be responsible only for providing CloudLink SecureVSA encrypted storage. These customers prefer to maintain control over the CloudLink Gateway and the encryption keys and security policy in a hybrid cloud environment. For these customers, service providers can use a deployment model in which the CloudLink vNode is deployed in the appropriate tenant resource pool in the service provider’s cloud, and the CloudLink Gateway and the key store are hosted in the customer’s private data center, as shown in Figure 11.

Figure 11. Model 3 deployment


Model 3 workflow

The workflow in Figure 12 represents the tasks for the key store and CloudLink Gateway in the private data center, with the CloudLink vNode in the service provider’s cloud. The workflow identifies whether the service provider or customer performs each task.

Figure 12. Model 3 workflow (tasks shown in the diagram, in order from Start to End, divided between Customer and Service Provider lanes; Table 4 identifies the party responsible for each task):

1. Deploy Gateway OVF template
2. Add private network interface for Gateway
3. Configure Gateway
4. Deploy vNode OVF template
5. Add SAN network interface and hard disks for vNode, and configure SAN interface properties (optional)
6. Add private network interface for vNode
7. Configure vNode (including VPN)
8. Upload and assign storage license for vNode
9. Merge disks (optional)
10. Configure encryption key store
11. Format secure storage
12. Configure access to secure storage
13. Create secure datastore (optional)


Model 3 workflow reference

Table 4 lists each task for a key store and CloudLink Gateway in the private data center, with the CloudLink vNode in the service provider’s cloud. For each task, the table identifies the party responsible for the task and the appropriate topics for more information in the related references.

Table 4. Model 3 workflow reference

Task: Customer deploys the CloudLink Gateway OVF template
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay; Deploying the CloudLink Gateway OVF Template

Task: Customer adds the private network interface for the Gateway
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Adding Components; Deploy a Gateway with No Storage

Task: Customer configures the Gateway
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay; Configuring the CloudLink Gateway

Task: Service provider deploys the vNode OVF template
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay; Deploying the vNode OVF Template

Task: Service provider adds SAN and private network interfaces, adds hard disks for vNode, and configures SAN interface properties
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Adding Components; Configuring CloudLink for Use as Datastore Storage; Process for Configuration

Task: Customer configures vNode, including VPN connection
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay

Task: Customer merges disks (optional). Merge disks to present multiple disks as a single encrypted storage volume. Otherwise, each disk is presented as a separate encrypted storage volume.
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage; Merging Volumes

Task: Customer configures encryption key store
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage; Encryption Key Store Management

Task: Customer formats secure storage
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage; Formatting Volumes

Task: Customer configures access to secure storage (for Secure NAS mode only)
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage: Configuring NFS/SMB Access to Secure Storage; Configuring iSCSI Access to Secure Storage

Task: Service provider creates secure datastore (for Secure Datastore mode only)
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage


CloudLink management

CloudLink Center provides web-based management of encryption services, including:

• Key management: configuration of key stores and of key-change scheduling policies.

• Encrypted storage management: merging disks, resizing storage, and locking or unlocking encrypted storage volumes.

• Secure communication management between the CloudLink Gateway and CloudLink vNodes: key delivery, VPN traffic, and the authentication status of CloudLink vNodes.

• Performance monitoring: storage and network performance. Data for the past 24 hours is reported and can be exported as a spreadsheet file.

• Security event and log management: all security events and logs are displayed in CloudLink Center. They can be sent to an external application by SNMP or consolidated on a central syslog server.

CloudLink Center supports role-based administration, which separates security management from infrastructure administration. Three roles are predefined: security administrator (secadmin), regular IT administrator (admin), and observer (monitoring only). Each role has its own privilege set, as defined in Table 5.

• In a Model 1 deployment, the service provider holds the secadmin and admin roles and the tenants hold the observer role.

• In Model 2 and Model 3 deployments, where the tenants control data security and the encryption keys, the tenants hold the secadmin role and the service provider holds the admin role.

• The observer role can be assigned to both tenants and service providers, as required.

Table 5. Role-based administration (columns: secadmin, admin, observer; the per-role entries are symbols in the original and did not survive text extraction)

• Control of keys for encrypted storage
• VPN configuration and control
• Network performance and SLA monitoring


Encryption key management

Each CloudLink SecureVSA encrypted virtual storage volume has two associated encryption keys:

• The data encryption key (DEK) is generated by the CloudLink vNode for each volume and encrypts that volume's data at block level using AES-256.

• The DEK is itself encrypted with a key encryption key (KEK), and the wrapped DEK is stored on the disk with the data.

Data security administrators have full control of the encryption keys, and the KEKs can be changed regularly by the security administrator using CloudLink Center. Special care must be taken to ensure that enterprise-owned data is never stored or transferred in clear text and that access to it can be withdrawn by the enterprise promptly at any time. Cloud administrators do not have access to the DEKs or KEKs; therefore, neither cloud administrators, nor other tenants, nor intruders can access enterprise data in the cloud. This separation holds only while the secadmin role and the key store remain with the tenant, as in Models 2 and 3; in Model 1 the service provider holds the secadmin role and therefore controls the keys. KEKs are generated and managed by the CloudLink Gateway. They must be changed regularly according to key management policies and kept in a safe place, because a lost KEK makes every volume wrapped under it unrecoverable. CloudLink supports three key stores:

• RSA Data Protection Manager (DPM) provides a key store that is tamper-proof and supports high availability. The RSA DPM client is integrated into the CloudLink Gateway.

• Microsoft Active Directory provides an alternative secure encryption key store. This option allows an enterprise to use its existing Active Directory deployment to store cloud encryption keys securely.

• KEKs may also be stored within the CloudLink Gateway itself. This option is suitable for trials and testing but is not recommended for production deployment.

Figure 13. Key store configuration


The security administrator can monitor and control the availability of encrypted volumes by choosing whether KEKs are made available to the CloudLink SecureVSA cipher. The lock operation in CloudLink Center withdraws the KEK for an encrypted volume from CloudLink SecureVSA, which can then no longer decrypt the volume's DEK, so the data stored on the volume becomes unavailable.

Conversely, the unlock operation provides the KEK for an encrypted volume to CloudLink which then uses it to decrypt the volume’s DEK and uses the DEK to decrypt and make the data available.

Using CloudLink Center, the security administrator can also perform key change operations, either on demand or on a scheduled policy basis. Figure 14 shows the options for locking and unlocking encrypted storage.

Figure 14. Locking and unlocking encrypted storage

CloudLink SecureVSA provides out-of-the-box integration with RSA DPM. All storage KEKs created and managed by CloudLink can be stored securely in DPM, which provides centralized key vaulting, protection, and recoverability of the keys. The keys are generated by CloudLink and handed to DPM for safekeeping; CloudLink later retrieves them and delivers them to the CloudLink vNodes that must provide access to their encrypted storage volumes (that is, unlock the volumes). At any time, a security administrator using CloudLink Center can instruct CloudLink to lock one or all of a node's encrypted volumes: CloudLink issues a lock command to the node, and the node destroys its cached copy of the storage KEKs.
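The DEK/KEK scheme described in this section, as an added stand-alone Go model written for this page; it is not CloudLink's code and does not reproduce the product's on-disk format. It assumes AES-256-GCM for both the data and the DEK wrapping (the paper states only that data is encrypted with AES-256 and that the DEK is encrypted under the KEK), and it uses constructed sample data. The model shows the four operations the text describes: per-volume DEK generation on the node, the wrapped DEK stored with the data, lock destroying the node's cached key so reads fail until the gateway supplies the KEK again, and a KEK change that re-wraps only the DEK and leaves the encrypted data untouched.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// mustGCM returns an AES-256-GCM AEAD; keys here are always 32 bytes, so a failure is a bug.
func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return gcm
}
// randomBytes draws n bytes from the OS CSPRNG (used for keys and nonces).
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}
// seal encrypts plaintext under key; the random nonce is prefixed to the ciphertext.
func seal(key, plaintext []byte) []byte {
	gcm := mustGCM(key)
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil)
}
// open reverses seal; a wrong key fails the GCM tag check instead of yielding garbage.
func open(key, sealed []byte) ([]byte, error) {
	gcm := mustGCM(key)
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Volume is one encrypted volume: the wrapped DEK is stored with the data on disk,
// the plaintext DEK exists only in the node's cache while the volume is unlocked.
type Volume struct {
	WrappedDEK []byte // DEK encrypted under the KEK
	Data       []byte // data encrypted under the DEK
	cachedDEK  []byte // nil while locked
}
// CreateVolume (vNode side): a fresh per-volume DEK encrypts the data, and the
// DEK is wrapped under the KEK supplied by the gateway.
func CreateVolume(kek, plaintext []byte) *Volume {
	dek := randomBytes(32) // AES-256 key
	return &Volume{WrappedDEK: seal(kek, dek), Data: seal(dek, plaintext), cachedDEK: dek}
}
// Lock models the node receiving a lock command: cached key material is scrubbed.
func (v *Volume) Lock() {
	for i := range v.cachedDEK {
		v.cachedDEK[i] = 0
	}
	v.cachedDEK = nil
}
// Unlock receives the KEK from the gateway and recovers the DEK; a wrong KEK is rejected.
func (v *Volume) Unlock(kek []byte) error {
	dek, err := open(kek, v.WrappedDEK)
	if err != nil {
		return fmt.Errorf("unlock: %w", err)
	}
	v.cachedDEK = dek
	return nil
}
// Read decrypts the volume data; it fails while the volume is locked.
func (v *Volume) Read() ([]byte, error) {
	if v.cachedDEK == nil {
		return nil, errors.New("volume is locked")
	}
	return open(v.cachedDEK, v.Data)
}
// RotateKEK (gateway side): only the wrapped DEK is re-encrypted under the new
// KEK; the data blocks are untouched, so a scheduled key change is cheap.
func (v *Volume) RotateKEK(oldKEK, newKEK []byte) error {
	dek, err := open(oldKEK, v.WrappedDEK)
	if err != nil {
		return fmt.Errorf("rotate: %w", err)
	}
	v.WrappedDEK = seal(newKEK, dek)
	return nil
}
func main() {
	v := CreateVolume(randomBytes(32), []byte("tenant records")) // constructed sample data
	v.Lock()
	_, err := v.Read()
	fmt.Println("read while locked:", err)
}
```

Two points the model makes concrete: after Lock, the node holds only WrappedDEK and ciphertext, so nothing on the node can recover the data until the gateway releases the KEK again; and because RotateKEK never touches Data, a lost KEK is the real disaster case, which is why the key store (DPM or Active Directory) must be backed up and replicated as the following sections describe.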

RSA DPM is available in the following form factors:

• Hardware appliance

• Virtual appliance

Both the hardware and virtual appliances come with a prepackaged software stack that includes a web application server, an enterprise-class database, and access management. Client applications authenticate to the server using mutual SSL. A client application that uses the DPM client for encryption and key management can operate with a local protected cache for keys.

Figure 15 shows a typical deployment architecture for key management: at least two load-balanced nodes within the primary site for high availability, and more nodes in remote sites for scalability or disaster recovery, all clustered together. All nodes in a cluster are active, and DPM appliances come with built-in replication to keep all the nodes in sync. RSA DPM virtual and hardware appliances can be deployed in the same way.

Figure 15. Typical RSA DPM deployment architecture

To use RSA DPM to store CloudLink KEKs, ensure that an RSA DPM host running version 3.1 or later is reachable by the CloudLink Gateway through its private LAN network. The CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide and the CloudLink SecureVSA v2.2 VMware vSphere Administration Guide provide more information on deploying, configuring, and using CloudLink.

To prepare RSA DPM for storage of CloudLink KEKs:

1. Log on to the RSA Data Protection Manager console.

2. Create an identity that belongs to a particular RSA DPM identity group, as shown in Figure 16.


Figure 16. Creating an RSA DPM identity

3. Create a security class object with infinite duration that belongs to the same RSA DPM identity group, as shown in Figure 17.

Figure 17. Creating a security class object

To configure CloudLink to use RSA Data Protection Manager as its key store:

1. Open CloudLink Center on the Gateway using the secadmin user account.

2. Under the topology tree, select the gateway.

• Port: TCP port number configured on the RSA DPM host (default 443)

• Security Class Name: name of the security class configured on the RSA DPM host for the RSA DPM client

• Trust Certificate: RSA DPM server certificate

• Client Certificate: RSA DPM client certificate

• Password: password used when the RSA DPM client certificate was created

6. Click Apply.

Figure 18. RSA DPM Configuration panel in CloudLink Center

CloudLink Gateway displays the RSA DPM status as Accessible. It creates a new entry in the CloudLink Center Actions log, as shown in Figure 18, and records a Key store change security event, as shown in Figure 19.

Figure 19. Key store change security event recorded by CloudLink

As an alternative to RSA DPM, you can configure Microsoft Active Directory as the CloudLink key store. It is very important that the Active Directory server is properly backed up, because losing the encryption key causes data loss. For high availability and disaster recovery, the Active Directory servers acting as CloudLink key stores are deployed at both the production site and the DR site.


To use Active Directory to store CloudLink encryption keys, deploy a Windows Server to be accessible by CloudLink Center from its private LAN network.

During this procedure you must provide the host name of the Windows Server, so the DNS server must already be set up to resolve it.

To configure Active Directory as the CloudLink encryption key store on a Windows Server 2003 or 2008 system that is configured as a domain controller, the following high-level steps are required:

1. Set up an organizational unit (OU) on the Windows Server.

2. Create a bind user.

3. Add the bind user to the security group.

4. Record the DN of CloudLink.

5. Configure the domain controller as the key store in CloudLink Center and apply the settings.

For detailed configuration instructions, refer to the CloudLink SecureVSA v2.2 VMware vSphere Administration Guide.


Conclusion

EMC EaaS powered by CloudLink SecureVSA enables cloud service providers to address the compliance and data security requirements of their customers. It eases the concerns of cloud service customers about data security in a multitenant environment by giving them a tool to manage the encryption keys and the security policy themselves. For the provider, it generates additional service revenue from a premium encryption service and from workloads that require encryption in the cloud and can now move there.

CloudLink SecureVSA is easy to deploy and is transparent to business applications and to the underlying infrastructure. It is a granular, workload-driven encryption solution that can be deployed on a per-tenant basis: it encrypts only the data for which tenants and applications require encryption, while other workloads in the cloud environment continue to use regular cloud storage.

The three deployment models described in this White Paper demonstrate the ease with which CloudLink SecureVSA can be deployed and configured by service providers and their customers.

With flexible key management options, customers can choose either to entrust the cloud service provider with managing keys on their behalf or to use their existing enterprise key management to secure their data in the service provider environment, so the existing investment in enterprise key management is preserved.

CloudLink EaaS secures data in the cloud and ultimately helps enterprises to trust the cloud.

References

For additional information, see the documents listed below.

• CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide

• CloudLink SecureVSA v2.2 VMware vSphere Administration Guide

• CloudLink SecureVSA v2.2 VMware vCloud Director Supplementary Deployment Guide
