• No results found

365 Cloud Storage. Security Brief

N/A
N/A
Info
Download
Protected

Academic year: 2021

Share "365 Cloud Storage. Security Brief"

Copied!
8
0
0

Loading.... (view fulltext now)

Download now ( 8 Page )

Full text

(1)

365 Cloud Storage

(2)

365 Cloud Storage is physically located in 365 Data Centers HIPAA and SSAE 16 compliant data centers.

Private network access is provided via a dedicated cross connects, metro Ethernet or metro fiber connectivity. Additionally, the VPSA™ GUI and RESTful API uses HTTPS and 256-bit SSL-encrypted communication and secure identity management system.

365 Cloud Storage supports 128-bit Encryption of Data-at-Rest (DAR) and Data-in-Flight (DIF).

The VPSA architecture provides complete data privacy for end users by granting dedicated compute resources (RAM and CPU vCores) and dedicated networking resources (NIC VFs) to partition IO stack data handling per-user as well as dedicated physical drives. The VPSA also requires the usage of Challenge-Handshake Authentication Protocol (CHAP) over iSCSI to authenticate a Cloud Server to a VPSA. CHAP requires that both the Cloud Server and VPSA know a shared CHAP Secret. This secret is never sent on the wire.

Physical security

Access Control

Data Encryption

Data Privacy

Surveys reveal time and again that security and data protection concerns are the top barriers to Cloud adoption.

At 365 Data Centers, we take these concerns seriously and have made security an integral part of our storage offering. Our storage-as-a-service (STaaS) offering is based on Zadara’s Virtual Private Storage Array™ (VPSA) technology.

365 Cloud Storage provides physical security, access, data privacy and data encryption to ensure security and data privacy.

With multiple layers of security, our customers can enjoy full, end-to-end data privacy and protection from our physical storage infrastructure all the way to customers’ physical or virtual servers.

(3)

Customers access 365 Cloud Storage securely via a cross connect from their colocation cabinet or a dedicated fiber or Ethernet Private Line into our data center.

• Cross connect options include Single Mode Fiber (1 Gbps or 10 Gbps) or Ethernet Copper (1 Gbps).

• Network connectivity options include Metro Fiber or Metro Ethernet (requires sub-4 ms RT latency.

• The 365 Cloud Console and VPSA expose RESTful API calls via the HTTPS protocol. This requires 256-bit SSL-encrypted communication and securely identifies the web server with which the client is communicating.

• The VPSA GUI client also communicates with the VPSA web server RESTful API via HTTPS to ensure the same level of security.

365 Cloud Storage is physically located in all of 365’s seventeen U.S. data centers. Our data centers feature, at minimum, the following important physical security attributes:

• 24x7 surveillance

• Redundant power feeds and generators

• Robust fire suppression

• Carefully monitored climate control

(to protect the servers that store customer data)

• HIPAA and SSAE 16 compliance

Private Access

Secure Communication

Physical security

(4)

• Each end user creates an account within the 365 Cloud Console. The user’s Cloud Console Password is not stored as plain text in the Cloud Console DB.

• Instead, a cryptographic hash value (using a one-way SHA-1 hash function) is stored for further Cloud Console login authentication.

• When a user creates the first VPSA at 365 Data Centers, a corresponding tenant is created within the Cloud Storage Identity Management Server (which is based on OpenStack Keystone).

• The Cloud Console generates a random 128-bit Tenant Password for that tenant and provides the password, in encrypted form, to the Identity Management Server.

• Thereafter, the Tenant Password is used by the Cloud Console and the

VPSA for retrieving a Keystone API Token and establishing a session-based communication for managing the objects (i.e, VPSAs) belonging to that tenant.

• For accessing the VPSA (via API or GUI), the Cloud Console provides (via email) an initial 5-character temporary access code. This code can be used only once. The user is requested to enter a strong VPSA User Password to replace the 5-character temporary access code.

• The 365 Cloud Console Password and VPSA User Password can be

different. This enables support for different permission levels (roles) within an organization.

• In the event a user forgets the VPSA password, an email will be sent to the user with a new temporary 5-digit access code. The existing VPSA User Password will protect access to the VPSA until the new access code is used.

(5)

• A cryptographic hash value (using a one-way SHA-1 hash function) of the VPSA User Password is stored in the VPSA database for further VPSA login authentication.

• 365 Cloud Storage employs a session-based authentication mechanism as a means to identify a user for every HTTP request to a VPSA. The client initiates a session by logging in with the VPSA User Password. Upon successful authentication, a Secret API Token is sent back to the client

application for any subsequent REST API communication with the VPSA to identify the authenticated user and validate the session.

• A user can generate a new Secret API Token at any time, thus invalidating the previous token and any sessions using it.

The VPSA architecture provides the basic building blocks for granting complete data privacy for cloud storage Users:

• Each VPSA Virtual Controller is granted dedicated compute resources (RAM and CPU vCores) and dedicated networking resources (NIC VFs) to partition IO stack data handling per-user.

• Physical drives are the basic storage allocation unit. As a result, only a

single VPSA and hence a single User has access to any given physical drive.

• Physical drives are exposed as iSCSI LUNs to the VPSA Virtual Controllers via a separate back-end network, which is not accessible from outside the Zadara Storage Cloud.

• IQN-based SCSI LUN Masking is used to ensure that physical disk drives are exposed only to the authorized VPSA.

VPSA Architecture

(6)

• Each user can look up the physical location (by Storage Node Number) of the drives assigned to that user.

• VPSA Virtual Volumes are presented as iSCSI LUNs and are ‘attached’ to selected Cloud Servers. Again, SCSI LUN Masking is used to prevent access to those Virtual Volumes from other Cloud Servers.

• VPSA requires the usage of Challenge-Handshake Authentication Protocol (CHAP) over iSCSI to authenticate a Cloud Server to a VPSA. CHAP

requires that both the Cloud Server and VPSA know a shared CHAP Secret. This secret is never sent on the wire.

• Each VPSA maintains its CHAP credentials. When a VPSA is created, it autogenerates CHAP Username (corresponding to the VPSA name) and a random 12-character CHAP Secret.

• A VPSA User can modify both CHAP Username and CHAP Secret at any time.

• Existing iSCSI connections will remain valid, but the new credentials will be required for establishing new connections.

• A VPSA user must enter these values at the Cloud Server (iSCSI Initiator) side to be able to establish an iSCSI connection with the VPSA.

• The VPSA uses a 128-bit Secret Key to encrypt the CHAP Secret, using the Advanced Encryption Standard (AES), before storing the CHAP Secret on disk. The Secret Key itself is stored in a separate location in the Zadara Storage Cloud. The VPSA retrieves the Secret Key from the Zadara Storage Cloud at runtime, decrypts the CHAP Secret and stores it in Kernel Space only. This means that core-dumping the user-mode process of the VPSA will not reveal the decrypted CHAP Secret.

(7)

365 Cloud Storage supports Encryption of Data-at-Rest (DAR) and Data-in-Flight (DIF). Because data encryption requires compute overhead, we leave it up to end users to evaluate the trade-off between security and performance. Hence both DAR and DIF encryption are optional features and are disabled by default.

Data Encryption

• Encryption management of Data-at-Rest is done at the VPSA Virtual Controller and is defined on a Volume-by-Volume basis, i.e. a user can decide that some Volumes are encrypted, while others are not.

• A VPSA generates a unique random 128-bit Encryption Key per encrypted Volume, and uses the Advanced Encryption Standard (AES) to encrypt and decrypt the Volume data.

• The Volume Encryption Keys are stored on disk as ciphertext, using AES with a 128-bit Master Encryption Key, which is generated from a user-supplied Master Encryption Password.

• The Master Encryption Password is not saved on disk. Only its SHA1

hashsum is saved on disk, for verification purposes only. Since it is virtually impossible to restore the Master Encryption Password from the SHA1

hashsum, each user is fully responsible to retain and protect the Master Encryption Password. During VPSA operation, the Master Encryption Password itself is held in kernel memory of the VPSA. Core-dumping any User Mode process within the VPSA will not reveal the Master Encryption Key.

• The above method ensures that encrypted Data-at-Rest cannot be

accessed without explicitly knowing the user-supplied Master Encryption Password, thus providing full protection to end users who opt for Data-at-Rest encryption.

(8)

• For advanced security needs, 365 Cloud Storage supports encryption of Data-in-Flight between the User Server and the VPSA using Internet Protocol Security (IPSec).

• 365 Cloud Storage uses Internet Key Exchange (IKE) protocol to negotiate the IPSec encryption keys with a user’s Cloud Server. The encryption keys used to encrypt the Data-in-Flight are stored in kernel memory only (of both the VPSA and Cloud Servers), and are never stored on disk in any form. Periodically, encryption keys are renegotiated by VPSA and Cloud Servers’ IKE daemons.

• A user can configure the renegotiation trigger for each Cloud Server. For example, encryption keys can be renegotiated every hour, every 10 Gb of sent/received data, etc.

References

Download now ( PDF - 8 Page - 258.80 KB )

Related documents

115 T.C. No. 28 UNITED STATES TAX COURT. COGGIN AUTOMOTIVE CORPORATION, Petitioner v. COMMISSIONER OF INTERNAL REVENUE, Respondent

Simultaneously, (1) Coggin Pontiac, Inc., contributed the assets and liabilities of its Pontiac dealership (valued at $5,737,129) to CP-GMC Motors, Ltd., (2) Coggin Pontiac,

Subfamily Phyllostominae Gray, 1825 from Mammals of South America

DIS T RIB UTI 0 N: Micronycteris hirsuta is known in South America from Colombia, Venezuela, Trinidad, Guy- ana, Surinam, French Guiana, Ecuador, Peru, Bolivia, and from an

The Cloud On A Clear Day. Neal Juern

What has “Gone Cloud” Examples of Cloud Services Email – Office 365 (Outlook.com) / Google Apps Phones – VoIP Systems (cloud hosted)

CONSUMERS ENERGY COMPANY JACKSON, MICHIGAN DTE ELECTRIC COMPANY DETROIT, MICHIGAN

Fish and Wildlife Service and the Michigan Conservation Department, shall make or pay the cost of making biological and limnological studies before and after construction of the

The Termination of Administrative Contracts in the Romanian and French Law

Under these concession contracts, in the case of non-observance of the contractual obligations by the concessionaire the contract may be cancelled by unilateral

On the Commonality of 10-30 AU Sized Axisymmetric Dust Structures in Protoplanetary Disks

So far, ALMA high spatial resolution observations have been only carried out for several well-studied classical T Tauri or Herbig star disks or transition systems ( disks with a

A report on the fauna of the estuaries of the River Tamar and the River Lynher

Membranipora Lacroixii and Bowerbankia imbricata were taken up as far as half a mile above Halton Quay, where the salinity range from high to low water was approximately 210/00to

BY AMORY B. LOVINS Focusing on energy efficiency will do more than protect Earth s climate it will make businesses and consumers richer

For instance, saving one unit of output energy by reducing friction inside the pipe will cut the needed fuel input by 10 units, slashing cost and pollution at the power plant