SimpliVity OmniStack with the HyTrust Platform


Page 1 of 12

Table of Contents

Executive Summary ... 3
Purpose ... 3
Audience ... 3
Solution Overview ... 3
SimpliVity Introduction ... 3
Why SimpliVity for Virtualization? ... 5
HyTrust Overview ... 6
HyTrust DataControl (HTDC) ... 6
Solution Overview ... 7
Customer Benefits ... 7
Solution Architecture ... 8
Topology ... 8
Testing Infrastructure ... 9
Technical Details ... 9
Testing Methodology ... 10
Vdbench Test ... 10
Significance ... 10
SimpliVity Operations and Feature Test ... 10
Significance ... 10
HyTrust Operations ... 11
Significance ... 11
Test Results ... 11
Vdbench ... 11
SimpliVity Operations ... 12
HyTrust Operations ... 12
Best Practices ... 12
Conclusion ... 12

Executive Summary

This paper documents securing application data through encryption on SimpliVity OmniStack using the HyTrust Platform.

Purpose

The purpose of this document is to familiarize the reader with SimpliVity OmniStack technology and to introduce HyTrust. This document provides technical details of the testing executed by SimpliVity to validate the interoperability of OmniStack systems and the HyTrust Platform in terms of functionality and performance. Recommendations and guidelines to optimize performance are also provided.

Audience

The intended audience for this document is IT professionals who are looking to protect data through encryption on SimpliVity's OmniStack systems.

Solution Overview

SimpliVity Introduction

SimpliVity's hyperconverged infrastructure solution transforms the data center by virtualizing data and incorporating all IT infrastructure and services below the hypervisor into commodity x86 building blocks. With a 3X total cost of ownership (TCO) reduction, SimpliVity OmniStack software-defined hyperconverged infrastructure delivers the best of both worlds: the enterprise-class performance, protection and resiliency that today's organizations require, with the cloud economics businesses demand. Designed to work with any hypervisor or industry-standard x86 server platform, the SimpliVity solution provides a single, shared resource pool across the entire IT stack, eliminating point products and inefficient siloed IT architectures. The solution is distinguished from other converged infrastructure solutions by three unique attributes: accelerated data efficiency, built-in data protection functionality and global unified management capabilities.

- Accelerated Data Efficiency: OmniStack performs inline data deduplication, compression and optimization on all data at inception, across all phases of the data lifecycle, all handled with a fine data granularity of just 4KB-8KB. On average, SimpliVity customers achieve 40:1 data efficiency while simultaneously increasing application performance.
- Built-In Data Protection: OmniStack includes native data protection functionality, enabling business continuity and disaster recovery for critical applications and data, while eliminating the need for special-purpose backup and recovery hardware or software. OmniStack's inherent data efficiencies minimize I/O and WAN traffic, reducing backup and restore times from hours to minutes.
- Global Unified Management: OmniStack's VM-centric approach to management eliminates manually intensive, error-prone administrative tasks. System administrators are no longer required to manage LUNs and volumes; instead, they can manage all resources and workloads centrally, using familiar interfaces such as VMware vCenter and VMware vRealize Automation.

SimpliVity packages OmniStack on popular x86 platforms, either on 2U servers marketed as OmniCube, or with partner systems from Cisco or Lenovo, marketed as OmniStack Integrated with Cisco UCS and OmniStack Solution with Lenovo System x, respectively.

An individual OmniStack node includes:

- A compact hardware platform: a 2U industry-standard virtualized x86 platform containing compute, memory, performance-optimized SSDs and capacity-optimized HDDs protected in hardware RAID configurations, and 10GbE network interfaces
- A hypervisor such as VMware vSphere/ESXi
- OmniStack virtual controller software running on the hypervisor
- An OmniStack Accelerator Card: a special-purpose PCIe card with an FPGA, flash, and DRAM, protected with super capacitors; the accelerator card offloads CPU-intensive functions such as data compression, deduplication and optimization from the x86 processors.

[Figure 1: Legacy Comparison. Legacy stack: (4) servers + VMware, storage switch, (2) HA shared storage, backup & dedupe, WAN optimization, cloud gateway, SSD array, storage caching, data protection, apps. SimpliVity: one building block, 3x TCO savings, global unified management, operational efficiency, enterprise capabilities, cloud simplicity & economics.]

Why SimpliVity for Virtualization?

OmniStack was specifically designed to meet the stringent price-performance, scalability, agility and resiliency demands of today's data-intensive, highly virtualized IT environments. Key benefits and advantages include:

- Simplicity and superior economics: OmniStack eliminates infrastructure cost and complexity by consolidating a variety of IT functions (compute, storage, network switching, replication, backup, etc.) onto commodity virtualized x86 hardware, with global unified management. The solution contains CAPEX by eliminating IT silos, converging technology stacks, and optimizing storage capacity; and it reduces OPEX by containing power, cooling, rack space and system administration expenses.
- Linear scalability: The SimpliVity solution features a scale-out architecture that minimizes upfront investments and provides a high degree of flexibility and extensibility. OmniStack nodes are installed in an incremental fashion to accommodate growth, enable new applications or extend system availability. Two or more OmniStack nodes can be federated to create a massively scalable pool of shared resources that is administered as a cohesive system, with a single administrative interface.
- VM-centric design: OmniStack was designed from the ground up with virtualization in mind. The solution abstracts data from the underlying hardware; virtual machine files are mapped directly to blocks on storage. All data storage, management, and protection functions are inherently optimized for virtualization. All administrative tasks, including managing data protection policies, analyzing performance and troubleshooting problems, are performed at the VM level. From an administrative perspective, a datastore is simply a logical construct, decoupled from the underlying physical infrastructure. Concepts like LUNs, volumes, shares, and disk groups simply don't apply with SimpliVity.
- Accelerated IT service agility: OmniStack's inherent data efficiencies and VM-centric management capabilities dramatically simplify operations and boost IT service agility. With OmniStack, system administrators can spin up IT services and clone VMs in just seconds with two or three mouse clicks.
- High resiliency: The SimpliVity solution is designed to be highly resilient, with no single point of failure. The solution supports both RAID (redundant array of independent disks) for disk-level resiliency and RAIN (redundant array of independent nodes) for node-level resiliency. In a high availability RAIN implementation, the complete set of data associated with a VM is simultaneously written to two distinct nodes, protecting data in the event of disk or node failures.

[Figure 2: An OmniStack Federation, including a Public Cloud node]

HyTrust Overview

HyTrust provides a security and compliance platform for virtualized data centers. Its platform provides the essential foundation for cloud control, visibility, data security, management and compliance. The HyTrust Platform eliminates or mitigates the risk of catastrophic failure from insider threats, external data breaches, or even hardware failure, especially in light of the concentration of risk that occurs within virtualization and cloud environments. Organizations can now confidently take full advantage of the cloud, and even broaden deployment to mission-critical applications.

A key element of the HyTrust Platform, called HyTrust DataControl, ensures organizations avoid becoming the next cyber data breach headline by securing virtual infrastructure throughout the virtual system and data lifecycle. The solution ensures deep security and automates both security and compliance; it scales to be as elastic as the virtual environment it is protecting; and finally, HyTrust DataControl's simple operation reduces administrative burden and errors.

HyTrust DataControl (HTDC)

HyTrust KeyControl nodes and clusters: Deployed as an active-active cluster, the HyTrust KeyControl cluster (a component of the HyTrust DataControl solution) stores keys, policies and configuration data related to the cluster and to any number of virtual machines on which the HyTrust DataControl policy agent is installed. Administration of the system is through a web-browser-based GUI or through a set of REST-based APIs. Communication between the browser and the HyTrust KeyControl cluster takes place over HTTPS. Since this is a full active-active cluster, the browser can point to any HyTrust KeyControl node in the cluster. Any changes made are immediately reflected on all cluster nodes.

[Figure 3: KeyControl serving VMs that run the policy agent (PA), across the private cloud / data center and the public cloud]

Solution Overview

The combined solution helps IT administrators protect data on SimpliVity OmniStack systems by using HyTrust DataControl security and encryption capabilities. Feature and performance tests were carried out to ensure that SimpliVity OmniStack systems and HyTrust DataControl operate optimally with each other, retaining the benefits of the individual products and providing a robust technology solution.

Customer Benefits

SimpliVity is simplifying IT by providing a virtual computing infrastructure solution that seamlessly combines all data center infrastructure and services below the hypervisor on x86 building blocks to deliver one shared resource pool for compute, primary storage, and backup storage that expands by adding nodes within or across data centers. This solution provides enterprise performance, supporting business-critical applications while ensuring security across the data life cycle.

Data security is of extreme concern today. Data is always moving (backups, private to public clouds) and needs to be protected. HyTrust DataControl provides data and VM encryption and centralized management that simplifies data protection. This solution addresses a wide range of use cases, including the following:

- Simplified, secure operations: SimpliVity provides the ability to efficiently and quickly move VMs across datacenters within the SimpliVity federation. With HyTrust DataControl you can rekey a VM with a new key for the new datacenter and instruct the system to shred the old key for the old datacenter. All data associated with the old key, including clones and backups, is rendered useless. This applies to VMs even if they are moving between different service providers. Rekeying is the process of using a new encryption key. HyTrust DataControl can do a rekey without shutting down VMs for Windows systems. This zero-downtime approach allows for more frequent rekeying, which increases security and compliance with various regulations and security best practices. This capability is unique and one key reason SimpliVity has chosen HyTrust.
- Industry-specific compliance: Some industries have specific standards for protecting data. For example, credit card users want their information to be secure and not compromised. Hence the Payment Card Industry (PCI) mandates encryption of data. Other regulations like HIPAA and HITECH require protection of healthcare information. The HyTrust Platform provides an array of compliance monitoring and enforcement tools to simplify this process across a range of regulated industries, including Federal government customers.
- Protected backups: SimpliVity eliminates the need for discrete backup hardware/software to deliver operational and disaster recovery. Backup policies dictate backup frequency, destination and retention, all managed at the VM level and from vCenter. Using HyTrust DataControl encryption with SimpliVity backups secures the backed-up data as well. Without access to the encryption keys, data protected using HyTrust DataControl and its NIST-approved strong encryption cannot be decrypted.
- Secure ROBO: SimpliVity eliminates the complexity of ROBO with hyperconvergence and through its fast and efficient backup technology. Remote offices, by nature, are not as secure as they should be, due to a lack of resources and experienced IT staff. With the centralized key management capabilities of HyTrust DataControl, your IT staff can be confident that data at remote sites is protected and that no one in the remote offices can control access to the encryption keys.
- Service provider applications: Service providers can benefit from encryption by assuring customers that their data is protected. This provides them with competitive advantage and differentiation, and also satisfies data residency and privacy requirements. A more advanced capability in the HyTrust Platform is HyTrust BoundaryControl, which ensures data does not leave a specific logical or physical regional boundary (e.g. the European Union).

Solution Architecture

This section provides a high-level architecture diagram of the SimpliVity OmniStack System and HyTrust on SimpliVity OmniStack.

Topology

The following diagram shows the topology of the test environment that was used in the lab.

[Topology diagram: Infrastructure pod (KeyControl1, KeyControl2, AD/DC/DNS, SQL Server, vCenter Server) on 1GbE; Production pod (VM-1 ... VM-50, with encrypted VMs VM-1 ... VM-15); Test & Dev pod (VM-1_Clone, VM-26_Restored) on 10GbE]

Testing Infrastructure

Hardware Model: OmniStack CN-2200
OmniStack Version: OmniStack
Hypervisor: vSphere
Vdbench:
Guest Operating System: Windows Server 2012 R2
HyTrust DataControl Version:

Technical Details

The test environment included three distinct pods, as shown in the diagram above.

Infrastructure: All resources needed to support operations within the testbed, including DataControl components, were hosted here. These components are:

- DC/Active Directory/DNS: Windows components used to manage servers running Windows operating systems, assign IPs, etc.
- KeyControl1: Primary KeyControl node of the DataControl software
- KeyControl2: HA KeyControl node of the DataControl software
- SQL Server: Database for the vCenter Server
- vCenter Server: Management server for virtual machines

Production: This pod hosted all the virtual machines that were tested in this solution. The test consisted of running a sustained load on the virtual machines and validating SimpliVity operations as well as HyTrust DataControl features.

Test & Dev: This pod was used to validate that VMs remained encrypted when the HA functionality of SimpliVity OmniStack systems is used.

Testing Methodology

This section describes the tests that were run to validate the solution and their significance.

Vdbench Test

Vdbench is a command-line utility that is used to measure application and storage performance. A sustained load was run on 50 virtual machines and the baseline performance was measured. Then 20% of the VMs were encrypted, the same sustained load was run, and performance was measured again. The following profiles were used for Vdbench testing.

VM Profile
- 2 vCPU
- 2GB RAM
- 100GB storage (50GB data drive)

Load Profile
- 70:30 read/write
- 8K random IO
- 40 IOPS per VM

Significance

This test was run to measure the impact of encryption on the performance of the virtual machines under a sustained load that closely resembled a production environment.

SimpliVity Operations and Feature Test

The following SimpliVity operations were tested:
- VM Clone
- VM Backups
- VM Restore
- VM Move
- Deduplication
- Compression

Significance

These tests are intended to validate that SimpliVity OmniStack VM-centric data protection operates normally when VMs are encrypted using HyTrust DataControl.
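The deduplication and compression tests listed above have a predictable outcome, because an encrypting agent deliberately removes the redundancy those features feed on. The following script, added here as an illustration and not code from SimpliVity or HyTrust, shows the effect on a constructed disk image: it measures the 4 KB dedup ratio and deflate compression ratio of the same data before and after encryption, and then checks what two VMs holding identical data share at the storage layer when they use the same key versus different keys. The cipher is a toy counter-mode keystream built from SHA-256, standing in for the NIST-approved block cipher a real policy agent would use; the block size, image contents and keys are all assumptions.

```python
"""Why deduplication and compression stop paying off on an encrypted VM.
Added example, not SimpliVity or HyTrust code.  The disk image is
constructed, and the CTR-style keystream cipher is a toy stand-in for the
NIST-approved block cipher a real policy agent would use; it has the one
property that matters here: identical plaintext at different offsets (or
under different keys) becomes different ciphertext."""
import hashlib
import zlib

BLOCK = 4096  # deduplication granularity; the paper cites 4-8 KB


def make_vm_image(distinct_blocks: int, total_blocks: int) -> bytes:
    """Constructed image: a few distinct 4 KB blocks repeated many times,
    the pattern OS binaries and template-derived VMs produce."""
    patterns = [
        hashlib.sha256(b"block-%d" % i).digest() * (BLOCK // 32)
        for i in range(distinct_blocks)
    ]
    return b"".join(patterns[i % distinct_blocks] for i in range(total_blocks))


def toy_ctr_encrypt(key: bytes, data: bytes) -> bytes:
    """Toy counter mode: the keystream chunk at byte offset i is
    SHA-256(key || i), XORed into the data.  Offset-dependent, so two equal
    plaintext blocks never produce equal ciphertext blocks."""
    out = bytearray()
    for off in range(0, len(data), 32):
        stream = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], stream))
    return bytes(out)


def dedup_ratio(data: bytes) -> float:
    """Logical blocks divided by unique blocks (unique by content hash)."""
    blocks = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    return len(blocks) / len({hashlib.sha256(b).digest() for b in blocks})


def compression_ratio(data: bytes) -> float:
    """Raw size divided by deflate-compressed size."""
    return len(data) / len(zlib.compress(data, 6))


def compare(distinct: int = 4, total: int = 64) -> dict:
    """Same image before and after encryption under one per-VM key."""
    plain = make_vm_image(distinct, total)
    cipher = toy_ctr_encrypt(b"constructed-per-vm-key", plain)
    return {
        "plain_dedup": dedup_ratio(plain),
        "cipher_dedup": dedup_ratio(cipher),
        "plain_compress": compression_ratio(plain),
        "cipher_compress": compression_ratio(cipher),
    }


def cross_vm_dedup(same_key: bool) -> float:
    """Two VMs holding identical data: a clone that keeps the source key
    still dedups against it (byte-identical ciphertext); once the clone is
    rekeyed, nothing is shared at the storage layer."""
    image = make_vm_image(4, 64)
    vm_a = toy_ctr_encrypt(b"key-A", image)
    vm_b = toy_ctr_encrypt(b"key-A" if same_key else b"key-B", image)
    return dedup_ratio(vm_a + vm_b)


if __name__ == "__main__":
    print(compare())
    print("clone, same key:", cross_vm_dedup(True),
          "rekeyed clone:", cross_vm_dedup(False))
```

On the constructed image the plaintext dedups 16:1 and compresses by well over an order of magnitude, while the ciphertext dedups 1:1 and does not compress at all. The cross-VM check is the capacity-planning point behind the rekey-on-move use case described earlier: a clone or restored copy that shares its source's key still shares storage with it, and rekeying it trades that sharing for key isolation.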

HyTrust Operations

HyTrust DataControl software allows administrators to dynamically rekey the encrypted data without any downtime and on major operating systems (see the technical brief for specifics), with continued access to the VM. We tested this feature by running a load against the VM while the rekey operation was occurring.

Significance

These tests were run to validate that HyTrust DataControl features operate normally and as expected on SimpliVity OmniStack systems, as some organizations periodically change encryption keys for tighter security measures against breaches.

Test Results

Vdbench

The following graph shows the results from Vdbench testing.

[Graph: Vdbench latency, baseline (50 VMs) versus 20% encrypted (10 VMs), under a constant load of about 2000 IOPS]

In the graph, comparing the baseline latency of 50 VMs with the latency when 20% (10 VMs) are encrypted, under a constant load of 2000 IOPS on average across both tests, we can infer that encryption adds some overhead to performance. This overhead is expected with all encryption technologies, as the data has to be decrypted when accessed.
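The load profile from the methodology section (70:30 read/write, 8K random I/O, 40 IOPS per VM across 50 VMs) and the latency comparison above can be reproduced with the script below, which is an added example and not SimpliVity's test harness. It renders the profile as a Vdbench parameter file using Vdbench's own sd/wd/rd keywords, confirms the aggregate load works out to the 2000 IOPS the results section cites, and parses per-guest Vdbench "avg" summary lines to compute the latency overhead between the baseline and encrypted runs. The `lun` path, `threads=8`, the 600-second duration and the summary lines are assumptions or constructed data; the column order of the avg line follows Vdbench's summary report and should be checked against the version in use.

```python
"""Vdbench parameter file for the paper's load profile, plus a reader for
the run summaries that computes the encryption latency overhead.
Added example, not SimpliVity's test harness or Vdbench itself; the lun
path is a placeholder and the summary lines are constructed."""
import re
from statistics import mean

VM_COUNT = 50
# Load profile from the paper: 70:30 read/write, 8 KB random I/O, 40 IOPS per VM
LOAD = {"rdpct": 70, "xfersize": "8k", "seekpct": 100, "iorate": 40}


def vdbench_parmfile(lun: str, size_gb: int, load: dict = LOAD,
                     elapsed: int = 600) -> str:
    """One parameter file per guest.  sd/wd/rd are Vdbench's storage,
    workload and run definitions; seekpct=100 makes every I/O random.
    threads=8 and elapsed=600 are assumed values, not from the paper."""
    return "\n".join([
        f"sd=sd1,lun={lun},size={size_gb}g,threads=8",
        f"wd=wd1,sd=sd1,xfersize={load['xfersize']},"
        f"rdpct={load['rdpct']},seekpct={load['seekpct']}",
        f"rd=rd1,wd=wd1,iorate={load['iorate']},elapsed={elapsed},interval=5",
    ])


def expected_aggregate_iops(vm_count: int = VM_COUNT, load: dict = LOAD) -> int:
    """Federation-wide load the test applies: 50 x 40 = 2000 IOPS."""
    return vm_count * load["iorate"]


# Vdbench 'avg_' summary line (assumed column order): interval label,
# i/o rate, MB/sec, bytes per i/o, read %, response time (ms), ...
AVG_LINE = re.compile(
    r"avg_\d+-\d+\s+(?P<iorate>[\d.]+)\s+(?P<mbps>[\d.]+)\s+(?P<bytes>\d+)\s+"
    r"(?P<rdpct>[\d.]+)\s+(?P<resp>[\d.]+)"
)


def parse_summaries(text: str) -> list:
    """Return (iorate, resp_ms) for every avg line; other lines are ignored."""
    return [(float(m["iorate"]), float(m["resp"])) for m in AVG_LINE.finditer(text)]


def latency_overhead_pct(baseline: str, encrypted: str) -> dict:
    """Compare mean response time between the two runs.  The delivered-IOPS
    check matters: if the encrypted run did not sustain the same load,
    its latency is not comparable."""
    base, enc = parse_summaries(baseline), parse_summaries(encrypted)
    b_iops, e_iops = sum(r for r, _ in base), sum(r for r, _ in enc)
    b_resp, e_resp = mean(t for _, t in base), mean(t for _, t in enc)
    return {
        "baseline_iops": b_iops,
        "encrypted_iops": e_iops,
        "baseline_resp_ms": b_resp,
        "encrypted_resp_ms": e_resp,
        "overhead_pct": (e_resp - b_resp) / b_resp * 100,
        "same_load": abs(b_iops - e_iops) / b_iops < 0.05,
    }


# Constructed per-guest summary excerpts (one avg line per VM; three VMs shown)
BASELINE = """\
14:21:39.049 avg_2-120   40.02   0.31   8192   70.0   1.200   1.100   1.433   12.3   0.9   0.1   3.1   1.2
14:21:39.050 avg_2-120   39.98   0.31   8192   69.9   1.250   1.150   1.483   11.9   0.8   0.1   3.0   1.1
14:21:39.051 avg_2-120   40.01   0.31   8192   70.1   1.150   1.050   1.383   10.8   0.7   0.1   3.2   1.3
"""
ENCRYPTED = """\
15:02:11.204 avg_2-120   39.99   0.31   8192   70.0   1.400   1.300   1.633   14.1   1.0   0.1   3.4   1.4
15:02:11.205 avg_2-120   40.03   0.31   8192   70.2   1.500   1.400   1.733   15.0   1.1   0.1   3.5   1.5
15:02:11.206 avg_2-120   40.00   0.31   8192   69.8   1.300   1.200   1.533   13.2   0.9   0.1   3.3   1.3
"""

if __name__ == "__main__":
    print(vdbench_parmfile(r"\\.\PhysicalDrive1", 50))  # placeholder Windows lun
    print("aggregate IOPS:", expected_aggregate_iops())
    print(latency_overhead_pct(BASELINE, ENCRYPTED))
```

The `same_load` flag is the check worth keeping: a latency comparison only means something when both runs delivered the same I/O rate, which is why the paper states the constant 2000 IOPS load alongside the latency figures.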

SimpliVity Operations

All SimpliVity operations, including VM clone, backup, restore and move, worked the same on encrypted VMs as they did on non-encrypted VMs. Access to the encrypted drive on the cloned VM and on the VM restored from a backup was denied until the protected VM was re-authenticated or registered again by cloning the certificate. Data efficiency features like deduplication and compression do not provide additional benefits on encrypted VMs, which is expected, as encryption inhibits the ability to perform deduplication and compression in general.

HyTrust Operations

Vdbench load was run on a VM while it was being rekeyed. The test ran successfully while the rekey was in progress.

Best Practices

SimpliVity recommends that customers consider the following guidelines when implementing and running the combined solution:

1. Install the policy agent on the virtual machine and encrypt the volume before populating data on the drive.
2. Encryption may add overhead to performance. Therefore, it is recommended to encrypt only the VMs that need to be encrypted. Data within a VM that needs to be encrypted can be placed on a separate virtual disk.
3. In a virtual environment, ensure that there is more than one KeyControl node and place each node on a separate OmniStack system for high availability.
4. Protect the HyTrust KeyControl cluster with regular backups; backups can be taken from within the cluster, in which case the keystore is backed up to a remote host. The VM can be protected and recovered using SimpliVity backup and restore operations as well.
5. Deploy HyTrust KeyControl clusters on separate OmniCubes from the VMs that are being encrypted.

Conclusion

The above validation testing has successfully demonstrated that SimpliVity OmniStack interoperates with the HyTrust Platform as a proven technology solution. HyTrust DataControl, along with SimpliVity OmniStack, delivers the essential levels of data protection needed to ensure regulatory compliance and safeguard against risk, all with a minimal impact on performance.

For more information, visit:

SimpliVity Corporation. All rights reserved. Information described herein is furnished for informational use only, and is subject to change without notice. SimpliVity, the SimpliVity logo, OmniCube, OmniStack, and Data Virtualization Platform are trademarks or registered trademarks of SimpliVity Corporation in the United States and certain other countries. All other trademarks are the property of their respective owners. J0495_HyTrust_WP