EMC ENCRYPTION AS A SERVICE

White Paper

EMC ENCRYPTION AS A SERVICE
With CloudLink SecureVSA

- Data security for multitenant clouds
- Transparent to applications
- Tenant control of encryption keys

EMC Solutions

Abstract

This White Paper describes EMC EaaS based on an AFORE CloudLink SecureVSA solution. This solution enables Cloud Service Providers to offer EaaS in a multitenant cloud environment and enables their customers to meet regulatory compliance requirements related to data security.

April 2014

Copyright 2014 EMC Corporation. All Rights Reserved.

EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice.

The information in this publication is provided "as is". EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.

Use, copying, and distribution of any EMC software described in this publication requires an applicable software license.

For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All trademarks used herein are the property of their respective owners.

Part Number H

Table of contents

- Executive summary
- Business case
- Solution overview
- Key benefits
- Introduction
- Purpose
- Scope
- Audience
- Terminology
- Technology overview
- CloudLink vNode
- CloudLink Gateway
- CloudLink Center
- Solution architecture
- Overview
- Data-at-rest encryption
- Secure datastore mode
- Secure NAS mode
- System requirements
- CloudLink vNode requirements
- CloudLink Gateway requirements
- Common deployment models
- Overview
- Model 1: Full deployment in the cloud
- Model 1 workflow
- Model 1 workflow reference
- Model 2: Key store in the private data center with SecureVSA in the cloud
- Model 2 workflow
- Model 2 workflow reference
- Model 3: Key store and CloudLink Gateway in the private data center with the vNode in the cloud
- Model 3 workflow
- Model 3 workflow reference
- CloudLink management
- Encryption key management
- RSA DPM integration
- Microsoft Active Directory integration
- Configuring Active Directory as a key store
- Conclusion
- References
- VMware documentation

Executive summary

This White Paper describes EMC Encryption as a Service (EaaS) based on an AFORE CloudLink SecureVSA solution. The paper includes business benefits, solution architecture, deployment models, workflows, and encryption key management. This solution enables Cloud Service Providers (CSPs) to offer EaaS in a multitenant cloud environment and enables their customers to meet regulatory compliance requirements related to data security.

Business case

As organizations realize the benefits of migrating business applications, virtual desktops, storage, back-ups, and disaster recovery solutions into the cloud, security remains a top concern. Organizations tasked with ensuring regulatory compliance (such as HIPAA, PCI, CSA, and NIST) have additional requirements that make the move to the cloud even more challenging.

When enterprises adopt cloud services, new data security challenges emerge, including:
- Enterprise workloads running on an infrastructure managed by cloud service providers
- Enterprise-sensitive data on shared cloud storage systems
- Traditional perimeter-based security that is ineffective for preventing data leakage in a cloud environment
- Data remanence issues and the challenge of data destruction on cloud storage systems shared by multiple live customers

Enterprises increasingly expect cloud providers to provide data protection services in addition to the compute infrastructure.

Solution overview

Service providers can assist enterprises in using EMC EaaS to secure sensitive data in a variety of cloud use cases, including Infrastructure as a Service, Storage as a Service, Disaster Recovery as a Service, and hosted virtual desktops. EaaS is simple to deploy and enables the efficient introduction of new customers, while it is transparent to both the cloud infrastructure and customer workloads.

EaaS is the perfect solution to segregate and encrypt customer data in a multitenant cloud while providing control of the encryption keys to the data owner to ensure data is completely unreadable by unauthorized users.

Key benefits

The business benefits of EMC EaaS for CSPs are as follows:
- Increases per-subscriber revenues by adding encryption services to the provider's service offerings without having to invest in new infrastructure
- Expands customer opportunities by hosting workloads subject to regulatory compliance
- Enables simple deployment and transparency to the provider's infrastructure and their customers' workloads
- Encrypts only sensitive data at rest and in motion, not the entire storage array
- Enables enterprises to have full control of encryption keys
- Mitigates the provider's compliance risk by enabling customers to secure sensitive data and maintain key control in the cloud with enterprise-controlled encryption
- Enables cloud environments that are required to meet regulatory compliance requirements to offer and implement critical data-at-rest encryption

Introduction

This White Paper describes how a cloud service provider can use CloudLink SecureVSA to deliver EaaS as a premium service offering.

Purpose

This White Paper describes the following key components of this solution:
- EaaS architecture
- Data encryption in a multitenant cloud environment
- Transparent data encryption with no changes to applications and underlying storage infrastructure
- Integration with enterprise key management to secure data in a cloud environment
- Flexible key management options with encryption keys completely controlled by enterprise data owners or managed by the cloud service security administrator as part of a managed cloud service offering

Scope

This White Paper demonstrates how you can deploy CloudLink SecureVSA in the cloud service provider infrastructure to enable multitenant EaaS. This paper describes three deployment models:
- All CloudLink SecureVSA components and key management are deployed by the service providers and managed by the service providers.
- All CloudLink SecureVSA components are deployed and managed by the service providers and the tenants are responsible for the key management.
- Hybrid deployment model where service providers install the CloudLink SecureVSA component in the cloud and tenants deploy CloudLink SecureVSA on site and manage the encryption key.

This paper also includes the general deployment procedures and workflows for this solution. However, for detailed product installation, configuration, and on-going management procedures, refer to the CloudLink SecureVSA user documentation listed in References.

While this document focuses on installing EaaS on the VMware vCloud Director or vSphere environment, CloudLink SecureVSA also supports encryption on other cloud platforms, such as Microsoft Hyper-V. For information about EaaS outside of VMware cloud environments, contact your EMC Global Service representative or AFORE Solutions at info@aforesolutions.com.

Audience

This paper is intended for systems engineers, solution architects, product managers, and operation engineers of cloud service providers. You should be knowledgeable about VMware vCloud Director, vSphere, vCenter, EMC storage systems, and networking concepts. You need at least a high-level understanding of CloudLink SecureVSA functionality.

Terminology

This paper includes the following terminology.

Table 1. Terminology

Term | Definition
RSA DPM | RSA Data Protection Manager
EaaS | Encryption as a Service
CloudLink Center | Management console for CloudLink that integrates with encryption key stores. CloudLink Center may also be referred to as the CloudLink Gateway when describing the CloudLink node represented.
CloudLink Gateway | Software virtual appliance that provides encrypted storage and the management interface (see CloudLink Center)
CloudLink vNode | Software virtual appliance that provides encrypted storage
DAS | Direct-attached storage
DRaaS | Disaster Recovery as a Service
IaaS | Infrastructure as a Service
NAS | Network-attached storage
SAN | Storage Area Network
VDIaaS | VDI as a Service
VPN | Virtual Private Network
VSA | Virtual Storage Appliance

Technology overview

CloudLink SecureVSA is a software-defined storage encryption solution that is designed to secure sensitive data in virtualized and multitenant cloud environments. It is delivered as a virtual storage appliance that can be deployed on a per-application, per-tenant basis and provides a software encryption layer between virtualized applications and physical storage, as shown in Figure 1.

Figure 1. CloudLink SecureVSA

To offer EaaS, service providers install CloudLink SecureVSA in the existing VMware vSphere or vCloud Director cloud platform. CloudLink SecureVSA includes three components:
- CloudLink vNode
- CloudLink Gateway
- CloudLink Center

CloudLink vNode

Service providers deploy this software virtual appliance over a shared storage resource to provide encrypted virtual storage for the tenant's workloads and establish an encrypted tunnel to a CloudLink Gateway for encryption key management. Optionally, this tunnel can also be used as a network extension between customer networks and the network in the tenant's virtual data center in the cloud. Service providers who want to offer self-service CloudLink-based EaaS can offer the CloudLink vNode as a service template in their service catalogs.

CloudLink Gateway

Service providers deploy this software virtual appliance in the service provider cloud or on-site in the customer private data center. The CloudLink Gateway establishes a secure connection for managing CloudLink vNodes in the cloud. Like CloudLink vNode, CloudLink Gateway supports storage encryption. The Gateway generates enterprise-controlled encryption keys, places them in a secure key store, and delivers them through the secure tunnel to the vNodes deployed in the cloud. In addition, the Gateway authenticates vNodes, monitors connectivity, and initiates performance testing.

Note: The CloudLink Gateway is not a traditional IT gateway. It is a CloudLink SecureVSA component to which CloudLink vNodes connect.

CloudLink Center

A web-service application delivered as part of the CloudLink Gateway, CloudLink Center provides a user interface to configure and manage CloudLink SecureVSA. CloudLink Center provides secure storage encryption management, network monitoring and testing, and audit trails of actions, alarms, and security events. A representative display from the CloudLink Center is shown in Figure 2.

Figure 2. CloudLink Center management interface

Note: CloudLink Center is one of two management interfaces. The other is a low-level appliance console that is used to deploy vNodes and the CloudLink Gateway.

Solution architecture

Overview

CloudLink SecureVSA is a software-defined storage encryption solution designed to secure sensitive data on a virtualized and multitenant cloud environment. It is delivered as a virtual storage appliance which can be deployed on a per-application, per-tenant basis, and provides a software encryption layer between virtualized applications and physical storage.

EaaS uses CloudLink SecureVSA to provide cryptographic protection of sensitive data while enabling the data owner to keep control over security and compliance in a multitenant virtualized cloud environment. Service providers can offer EaaS to customers who need to encrypt their workloads and data in a multitenant cloud environment to meet data security and regulatory compliance requirements.

CloudLink EaaS adopts a secure storage overlay approach to encrypt data so that it is transparent to applications and works across various underlying storage systems that service providers use. This premium service enables secure Infrastructure as a Service (IaaS), secure VDI as a service, and secure DRaaS in private, public or hybrid cloud environments.

CloudLink SecureVSA provides the following important capabilities:
- Presents itself as a secure datastore or multiple datastores to the hypervisor and encrypts virtual machine disks transparently without changing applications. Service providers can deploy CloudLink as an encrypted storage overlay over physical storage systems and allocate the encrypted storage resource to respective tenants.
- Presents itself as a secure software storage appliance to virtual machines directly over Microsoft SMB, NFS, or iSCSI. Service providers are able to offer this as part of their service template and tenants can enable this encryption service in a self-service model.
- Enables the enterprise or tenant to control the encryption key and security policy related to accessing the encrypted storage.
- Integrates with existing enterprise key management, RSA Data Protection Manager (DPM), to secure data in the cloud environment. Enterprises can benefit from their existing investment and enterprise key management expertise. As an alternative, Microsoft Active Directory server is supported as a CloudLink encryption key store.
- Supports heterogeneous cloud storage systems, providing full protection for the service provider's existing storage system investment. The software encryption layer spans the entire cloud storage infrastructure.
- Supports all existing data center operations provided by cloud platforms, including virtual machine live migration, storage backup, replication, high availability, and fault tolerance capacity.

Depending on customer requirements, service providers can offer EaaS in a variety of ways:
- CloudLink SecureVSA as an encryption service template within a service catalog. Each tenant is able to install SecureVSA in a self-service manner and use it on a pay-as-you-go basis.
- CloudLink SecureVSA as part of a storage service and encrypted storage as part of a storage resource pool for workload deployment by a particular tenant.
- Encryption key management options:
  - The service provider assumes full responsibility for encryption key management in a managed cloud service model.
  - The tenant assumes responsibility for key management.
- A hybrid model, where an enterprise can use CloudLink on site to encrypt the data in its private data center environment, and also to encrypt the data in the service provider environment.

Figure 3 represents the solution architecture.

Figure 3. EaaS solution architecture

Data-at-rest encryption

In a multitenant cloud, CloudLink SecureVSA is deployed on a per-tenant basis. In this shared cloud infrastructure environment, storage is connected to the hypervisor either directly or by using standard SAN (FC, FCoE), NAS, or iSCSI protocols. Each tenant has its own dedicated CloudLink vNode instance or a dedicated virtual volume on a CloudLink vNode instance on top of this shared infrastructure. Each tenant encrypts the volume and stores the encryption key safely on premises and within its control. By doing this, multiple secure virtual storage volumes are created on top of the shared storage infrastructure. All data in each secure volume are AES-256-encrypted with a unique encryption key controlled by the tenant. Once a secure virtual storage volume is created, vNode exposes this volume in either secure datastore mode or secure NAS mode.

Secure datastore mode

The secure datastore mode for CloudLink SecureVSA provides encrypted storage for use by the hypervisor (VMware vSphere or Microsoft Hyper-V). In this mode, virtual machines associated with the encrypted datastore can be thought of as running in an encrypted container. The entire virtual machine can reside within the encrypted datastore. Alternatively, administrators can choose to associate only the data volumes with the encrypted datastore, using a standard datastore for the operating system and application volume. Administrators can then combine volumes into a single large datastore. Alternatively, each attached volume can be encrypted with unique encryption keys and shared as individual datastores.

The benefit of encrypted datastore mode is that it is completely transparent to the virtual machines running with the encrypted datastore, requiring no changes or modifications to virtualized servers and applications (agentless). This mode also offers the benefits of supporting standard VMware features such as Distributed Resource Scheduler (DRS), high availability (HA), fault tolerance (FT), and Storage vMotion. Secure datastore mode is depicted in Figure 4.

Figure 4. Secure datastore mode

Secure NAS mode

The Secure NAS mode of CloudLink SecureVSA provides encrypted storage at the network level for virtual machines using NFS, CIFS/SMB, or iSCSI protocols. Similar to encrypted datastore mode, encrypted NAS mode is an agentless data-at-rest encryption solution, with the encryption completely transparent to the virtual machines and applications attached or mapped to the NAS. Administrators can combine volumes into a single large network share. Alternatively, each attached volume can be encrypted with unique encryption keys and shared individually. Figure 5 represents secure NAS mode.

Figure 5. Secure NAS mode
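The key arrangement behind this per-tenant encryption, which the paper's Encryption key management section describes as a per-volume data encryption key (DEK) wrapped by a tenant-controlled key encryption key (KEK), is shown below. This is an added Go example, not EMC or AFORE code; the Volume type, the function names, the sample data and the choice of AES-256-GCM (the paper states only AES-256) are assumptions made for illustration.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: never continue with a weak key
	}
	return b
}

// newGCM returns AES-256-GCM (assumed mode) and rejects a missing or short key.
func newGCM(key []byte) (cipher.AEAD, error) {
	if len(key) != 32 {
		return nil, fmt.Errorf("no AES-256 key available")
	}
	block, _ := aes.NewCipher(key) // cannot fail for a 32-byte key
	return cipher.NewGCM(block)
}

func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, plaintext, nil), nil // nonce || ciphertext || tag
}

func unseal(key, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil || len(sealed) < gcm.NonceSize() {
		return nil, fmt.Errorf("key unavailable or ciphertext too short")
	}
	n := gcm.NonceSize()
	return gcm.Open(nil, sealed[:n], sealed[n:], nil)
}

// Volume is what lands on shared storage: ciphertext plus the wrapped DEK.
type Volume struct {
	WrappedDEK []byte
	Blocks     [][]byte
}

// CreateVolume makes a per-volume DEK and keeps it only in KEK-wrapped form.
func CreateVolume(kek []byte, data [][]byte) (*Volume, error) {
	dek := randomBytes(32)
	wrapped, err := seal(kek, dek)
	if err != nil {
		return nil, err
	}
	v := &Volume{WrappedDEK: wrapped}
	for _, b := range data {
		ct, err := seal(dek, b)
		if err != nil {
			return nil, err
		}
		v.Blocks = append(v.Blocks, ct)
	}
	return v, nil
}

// Read unwraps the DEK with the supplied KEK, then decrypts block i.
func (v *Volume) Read(kek []byte, i int) ([]byte, error) {
	dek, err := unseal(kek, v.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, v.Blocks[i])
}

// RotateKEK issues a new KEK and re-wraps the DEK; data blocks are untouched.
func RotateKEK(v *Volume, oldKEK []byte) ([]byte, error) {
	dek, err := unseal(oldKEK, v.WrappedDEK)
	if err != nil {
		return nil, err
	}
	newKEK := randomBytes(32)
	v.WrappedDEK, err = seal(newKEK, dek)
	return newKEK, err
}

func main() {
	kek := randomBytes(32) // held in the tenant's key store, never on the volume
	vol, _ := CreateVolume(kek, [][]byte{[]byte("constructed sample block")})
	kek, _ = RotateKEK(vol, kek) // errors cannot occur with a fresh 32-byte KEK
	pt, _ := vol.Read(kek, 0)
	_, err := vol.Read(nil, 0) // KEK withdrawn by the tenant
	fmt.Printf("after rotation: %q; after withdrawal: %v\n", pt, err)
}
```

Rotation replaces only the wrapped DEK, so no data block is re-encrypted, and a reader without the current KEK (another tenant, the cloud administrator, or the tenant after withdrawing the key) gets an error instead of plaintext.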

System requirements

CloudLink SecureVSA supports any cloud platform based on VMware vSphere 4.1 or later and vCloud Director 5.1.

CloudLink vNode requirements

Typical system requirements for CloudLink vNode include the following:
- Two vCPUs (recommended)
- 4 GB vRAM (recommended)
- ESX server with CPUs that support Advanced Encryption Standard New Instructions (AES-NI), which is highly recommended for better encryption performance
- 8 GB storage for deploying vNode
- Network requirements:
  - One network interface for managing a CloudLink Gateway
  - One IP storage network interface for a vNode to present itself as a virtual storage appliance directly to virtual machines (in secure NAS mode) or to the ESX hypervisor as a datastore
  - An additional network interface for virtual machines to communicate with VPN tunnel, if required
- Virtual disks from vSphere or from vCloud Director to use as an encrypted storage resource; up to 10 TB can be supported per vNode

CloudLink Gateway requirements

Typical system requirements for CloudLink Gateway include:
- One vCPU (recommended) if CloudLink Gateway is used only as a management node (CloudLink Center); two vCPUs (recommended) if CloudLink Gateway is used as both a management node and storage encryption node
- 1 GB vRAM (recommended) if CloudLink Gateway is used only as a management node (CloudLink Center); 4 GB vRAM (recommended) if CloudLink Gateway is used as both a management node and storage encryption node
- 8 GB storage for deploying CloudLink Gateway
- Network requirements:
  - One network interface for managing CloudLink vNodes
  - An IP storage network interface for CloudLink Gateway to present itself as a virtual storage appliance directly to virtual machines (in Secure NAS mode) or to the ESX hypervisor as a datastore when CloudLink Gateway is used as a storage encryption node
  - An additional network interface for virtual machines to communicate with VPN tunnel, if required
- Virtual disks from vSphere or from vCloud Director for use as an encrypted storage resource; up to 10 TB can be supported per CloudLink Gateway
- CloudLink Center is part of CloudLink Gateway; accessing the CloudLink Center web interface requires a web browser with Adobe Flash plug-in

Common deployment models

Overview

CloudLink SecureVSA components can be distributed across the customer's private data center and the service provider's multitenant cloud to meet a variety of EaaS deployment situations. This section describes three common EaaS deployment models, as represented by Tenant 1, Tenant 2, and Tenant 3 in Figure 6. Each customer has a dedicated private data center. The multitenant service provider cloud includes one resource pool for each tenant for CloudLink SecureVSA encrypted storage. Tenant 4 represents a tenant that is hosted in the multitenant cloud but does not use the encryption services of CloudLink SecureVSA.

Figure 6. Deployment models

The three customers who make use of CloudLink SecureVSA encrypted storage in this example represent the three common deployment models that are described in this White Paper:
- Model 1: All CloudLink SecureVSA components and the key store are deployed in the Tenant 1 cloud resource pool. The service provider maintains control over the encryption keys and the security policy. From web browsers in the private data center, the customer's users can access the encrypted storage in the service provider's cloud using NAS protocols (CloudLink Secure NAS mode) or indirectly through applications that use the encrypted storage (CloudLink Secure Datastore mode). This model has two submodels:
  - Single CloudLink Gateway in the Tenant 1 resource pool, which supports both CloudLink management and storage encryption
  - Single CloudLink Gateway with one or more CloudLink vNodes. In this model, the storage encryption function is performed by the vNodes, and the CloudLink Gateway manages these vNodes
- Model 2: All CloudLink SecureVSA components are deployed in the Tenant 2 cloud resource pool. The key store is hosted in the private data center, and the customer maintains control over encryption keys and security policy. As in Model 1, the same two submodels exist here:
  - Single CloudLink Gateway
  - Single CloudLink Gateway that manages multiple CloudLink vNodes
- Model 3: Only CloudLink vNode is deployed in the Tenant 3 resource pool. The CloudLink Gateway and key store are hosted in the private data center, and the customer maintains control over encryption keys and security policy.

Model 1: Full deployment in the cloud

Many customers prefer the service provider to take responsibility for managing the CloudLink SecureVSA components and the key store. For these customers, service providers can use a deployment model in which the CloudLink Gateway, vNode, and key store are deployed in the appropriate tenant resource pool in the service provider's cloud, as shown in Figure 7.

Figure 7. Model 1 deployment

Model 1 workflow

The workflow in Figure 8 represents the tasks for a full CloudLink SecureVSA deployment in the service provider's cloud. In this workflow, the service provider performs all tasks.

Figure 8. Model 1 workflow

1. Deploy Gateway OVF template
2. Add private network interface for Gateway
3. Configure Gateway
4. Deploy vNode OVF template
5. Add SAN network interface and hard disks for vNode, and configure SAN interface properties (optional)
6. Add private network interface for vNode
7. Configure vNode (including VPN)
8. Upload and assign storage license for vNode
9. Merge disks (optional)
10. Configure encryption key store
11. Format secure storage
12. Configure access to secure storage
13. Create secure datastore (optional)

Model 1 workflow reference

Table 2 lists each task shown in Figure 8 for a full CloudLink SecureVSA deployment in the service provider's cloud.

Table 2. Model 1 workflow references

Task:
- Deploy the CloudLink Gateway OVF template
- Add the private network interface for the Gateway
- Configure the Gateway
- Deploy the vNode OVF template
- Add SAN and private network interfaces, add hard disks for vNode, and configure SAN interface properties.
- Configure vNode, including VPN connection
- Merge disks (optional). Merge disks to present multiple disks as a single encrypted storage volume. Otherwise, each disk is presented as a separate encrypted storage volume.
- Configure encryption key store
- Format secure storage
- Configure access to secure storage (for Secure NAS mode only)
- Create secure datastore (for Secure Datastore mode only)

Reference/topic:
- Scalable Encrypted Storage Overlay, Deploying the CloudLink Gateway OVF Template
- Adding Components, Deploy a Gateway with No Storage
- Scalable Encrypted Storage Overlay, Configuring the CloudLink Gateway
- Scalable Encrypted Storage Overlay, Deploying the vNode OVF Template
- Scalable Encrypted Storage Overlay, Deploying the vNode OVF Template
- Managing Storage Licenses: Uploading Storage Licenses; Assigning Storage Licenses
- Managing Secure Storage, Merging Volumes
- Managing Secure Storage, Encryption Key Store Management
- Managing Secure Storage, Formatting Volumes
- Managing Secure Storage: Configuring NFS/SMB Access to Secure Storage; Configuring iSCSI Access to Secure Storage
- Managing Secure Storage, Configuring Secure Datastore

Model 2: Key store in the private data center with SecureVSA in the cloud

Some customers want the service provider to be responsible for managing the CloudLink SecureVSA components but prefer to retain control over encryption keys and security policy. For these customers, service providers can use a deployment model in which the key store is hosted in the customer's private data center, and CloudLink SecureVSA components are hosted in the appropriate tenant resource pool in the service provider's cloud, as shown in Figure 9.

Figure 9. Model 2 deployment

Model 2 workflow

The workflow in Figure 10 represents the tasks for a key store in the private data center with all CloudLink SecureVSA components in the service provider's cloud.

Figure 10. Model 2 workflow

Service provider:
1. Deploy Gateway OVF template
2. Add private network interface for Gateway
3. Configure Gateway
4. Deploy vNode OVF template
5. Add SAN network interface and hard disks for vNode, and configure SAN interface properties (optional)
6. Add private network interface for vNode
7. Configure vNode to point of VPN setup steps
8. Generate one-time passcode
9. Set up VPN using one-time passcode
10. Provide CloudLink Center credentials and URL, and storage license to customer

Customer:
11. Upload and assign storage license for vNode
12. Merge disks (optional)
13. Configure encryption key store
14. Format secure storage
15. Configure access to secure storage

Service provider:
16. Create secure datastore (optional)

Model 2 workflow reference

Table 3 lists each task shown in the deployment workflow for a key store in the private data center, components in the service provider's cloud. For each task, the table identifies the party responsible for the task and the appropriate topic for more information in the related references.

Table 3. Model 2 workflow reference

Task | Reference/topic
Service provider deploys the Gateway OVF template | Scalable Encrypted Storage Overlay, Deploying the CloudLink Gateway OVF Template
Service provider adds the private network interface for the Gateway | Adding Components, Deploy a Gateway with No Storage
Service provider configures the Gateway | Scalable Encrypted Storage Overlay, Configuring the CloudLink Gateway
Service provider deploys the vNode OVF template | Scalable Encrypted Storage Overlay, Deploying the vNode OVF Template
Service provider adds SAN and private network interfaces, adds hard disks for vNode, and configures SAN interface properties | Adding Components, Configuring CloudLink for Use as Datastore Storage, Process for Configuration
Service provider configures the vNode to the point where the VPN setup steps begin | Scalable Encrypted Storage Overlay, Configuring the vNode
Service provider generates the one-time passcode | Scalable Encrypted Storage Overlay, Configuring the vNode. Note: The steps to generate the one-time passcode in CloudLink Center on the CloudLink Gateway are provided at the end of the procedure to configure the vNode.
Service provider sets up the VPN connection to connect the vNode to the Gateway using the one-time passcode | Scalable Encrypted Storage Overlay, Configuring the vNode. Note: The steps to set up the VPN connection, including entering the one-time passcode, are provided at the end of the procedure to configure the vNode.
Service provider provides the CloudLink Center credentials and URL, and storage license to the customer | n/a
Customer uploads and assigns storage license for vNode | Managing Storage Licenses: Uploading Storage Licenses; Assigning Storage Licenses
Customer merges disks (optional). Merge disks to present multiple disks as a single encrypted storage volume. Otherwise, each disk is presented as a separate encrypted storage volume. | Managing Secure Storage, Merging Volumes
Customer configures encryption key store | Managing Secure Storage, Encryption Key Store Management
Customer formats secure storage | Managing Secure Storage, Formatting Volumes
Customer configures access to secure storage (for Secure NAS mode only) | Managing Secure Storage: Configuring NFS/SMB Access to Secure Storage; Configuring iSCSI Access to Secure Storage
Service provider creates secure datastore (for Secure Datastore mode only) | Managing Secure Storage, Configuring Secure Datastore

Model 3: Key store and CloudLink Gateway in the private data center with the vNode in the cloud

Some customers prefer the service provider to be responsible only for providing CloudLink SecureVSA encrypted storage. These customers prefer to maintain control over the CloudLink Gateway and the encryption keys and security policy in a hybrid cloud environment. For these customers, service providers can use a deployment model in which the CloudLink vNode is deployed in the appropriate tenant resource pool in the service provider's cloud, and the CloudLink Gateway and the key store are hosted in the customer's private data center, as shown in Figure 11.

Figure 11. Model 3 deployment

Model 3 workflow

The workflow in Figure 12 represents the tasks for the key store and CloudLink Gateway in the private data center, with the CloudLink vNode in the service provider's cloud. The workflow identifies whether the service provider or customer performs each task.

Figure 12. Model 3 workflow

Customer:
1. Deploy Gateway OVF template
2. Add private network interface for Gateway
3. Configure Gateway

Service provider:
4. Deploy vNode OVF template
5. Add SAN network interface and hard disks for vNode, and configure SAN interface properties (optional)
6. Add private network interface for vNode

Customer:
7. Configure vNode (including VPN)
8. Upload and assign storage license for vNode
9. Merge disks (optional)
10. Configure encryption key store
11. Format secure storage
12. Configure access to secure storage

Service provider:
13. Create secure datastore (optional)

Model 3 workflow reference

Table 4 lists each task for a key store and CloudLink Gateway in the private data center, with the CloudLink vNode in the service provider's cloud. For each task, the table identifies the party responsible for the task and the appropriate topics for more information in the related references.

Table 4. Model 3 workflow reference

Task | Reference/topic
Customer deploys the CloudLink Gateway OVF template | Scalable Encrypted Storage Overlay, Deploying the CloudLink Gateway OVF Template
Customer adds the private network interface for the Gateway | Adding Components, Deploy a Gateway with No Storage
Customer configures the Gateway | Scalable Encrypted Storage Overlay, Configuring the CloudLink Gateway
Service provider deploys the vNode OVF template | Scalable Encrypted Storage Overlay, Deploying the vNode OVF Template
Service provider adds SAN and private network interfaces, adds hard disks for vNode, and configures SAN interface properties | Adding Components, Configuring CloudLink for Use as Datastore Storage, Process for Configuration
Customer configures vNode, including VPN connection | Scalable Encrypted Storage Overlay, Configuring the vNode
Customer uploads and assigns storage license for vNode | Managing Storage Licenses: Uploading Storage Licenses; Assigning Storage Licenses
Customer merges disks (optional). Merge disks to present multiple disks as a single encrypted storage volume. Otherwise, each disk is presented as a separate encrypted storage volume. | Managing Secure Storage, Merging Volumes
Customer configures encryption key store | Managing Secure Storage, Encryption Key Store Management
Customer formats secure storage | Managing Secure Storage, Formatting Volumes
Customer configures access to secure storage (for Secure NAS mode only) | Managing Secure Storage: Configuring NFS/SMB Access to Secure Storage; Configuring iSCSI Access to Secure Storage
Service provider creates secure datastore (for Secure Datastore mode only) | Managing Secure Storage, Configuring Secure Datastore

CloudLink management

CloudLink Center provides web-based management of encryption services, including:

- Key management: Configuration of key stores and key changing scheduling policies.
- Encrypted storage management: Merging disks, resizing the storage, and locking or unlocking encrypted storage volumes.
- Secure communication management between CloudLink Gateway and CloudLink vnodes: Key delivery, VPN traffic, and authentication status of CloudLink vnodes.
- Performance monitoring: Monitoring of storage and network performance. The performance data for the past 24 hours is reported and can be exported as a spreadsheet file.
- Security event and log management: All security events and logs are displayed on CloudLink Center. They can be sent to an external application using SNMP or consolidated on a central syslog server.

CloudLink Center supports role-based administration, which separates security management from infrastructure administration. There are three pre-defined roles in CloudLink: security administrator (secadmin), regular IT administrator (admin), and observer for monitoring. Each role has its own unique privilege set as defined in Table 5.

In a Model 1 deployment, the service providers assume the roles of secadmin and admin while the tenants assume the role of observer. In Model 2 and Model 3 deployments where the tenants control the data security and encryption keys, the tenants assume the role of secadmin and the service providers assume the admin role. The observer role can be assigned to both tenants and service providers, as required.

Table 5. Role-based administration

Operation | SEC admin | Admin | Observer
Control of keys for encrypted storage
VPN configuration and control
Network performance and SLA monitoring
View VM security audit status
View security events
View actions
View alarms and events
Syslog/SNMP configuration

Encryption key management

Each CloudLink SecureVSA encrypted virtual storage volume has two associated encryption keys:

- The data encryption key (DEK) is generated by the CloudLink vnode on a per-volume basis to encrypt data at block level using AES-256.
- The DEK is then encrypted with a key encryption key (KEK) and stored on the disk with the data.

Data security administrators have full control of the encryption keys and the KEKs can be updated regularly by the security administrators using CloudLink Center.

Special care must be taken to ensure that enterprise-owned data are never stored or transferred in clear text and can be promptly withdrawn by the enterprise at any time. Cloud administrators do not have access to DEKs and KEKs; therefore, neither cloud administrators, nor other tenants or intruders can access enterprise data in the cloud.

KEKs are generated and managed by the CloudLink Gateway. They must be changed regularly according to key management policies and kept in a safe place to ensure the safety of encrypted data. CloudLink supports three key stores:

- RSA Data Protection Manager (DPM) provides a key store that is tamper proof and supports high availability. The RSA DPM client is integrated into CloudLink Gateway.
- Microsoft Active Directory provides an alternate secure encryption key store. This option allows an enterprise to use its existing Active Directory deployment and securely store cloud encryption keys.
- KEKs may also be stored within the CloudLink Gateway. This option is suitable for trials and testing but is not recommended for production deployment.

Figure 13. Key store configuration

CloudLink Center is the entry point for CloudLink SecureVSA key management. Depending on the deployment models discussed above, the key management can be performed by the service provider security administrators or by enterprise data security administrators. Through the CloudLink Center interface, the security administrator can monitor and control the availability of encrypted volumes by choosing whether KEKs are made available to the CloudLink SecureVSA cipher.

CloudLink Center's lock operation withdraws the KEK for an encrypted volume from the CloudLink SecureVSA, preventing it from decrypting the volume's DEK and rendering the data stored on the volume unavailable. Conversely, the unlock operation provides the KEK for an encrypted volume to CloudLink, which then uses it to decrypt the volume's DEK and uses the DEK to decrypt and make the data available.

Using CloudLink Center, the security administrator can also perform key change operations, either on demand or on a scheduled policy basis. Figure 14 shows the options for locking and unlocking encrypted storage.

Figure 14. Locking and unlocking encrypted storage

RSA DPM integration

CloudLink SecureVSA provides out-of-box integration with RSA DPM. All storage KEKs created and managed by CloudLink can be stored securely in DPM. DPM provides centralized key vaulting, protection and recoverability of the keys. The keys are generated by CloudLink and provided to DPM for safe storage. They are then retrieved by CloudLink and provided to CloudLink vnodes that must provide access to their encrypted storage volumes (that is, to unlock the volumes).

At any time, a security administrator using CloudLink Center can instruct CloudLink to lock one or all of a node's encrypted volumes. CloudLink then issues a lock command to the node and the node destroys its cached version of the storage KEKs.

RSA DPM is available in the following form factors:

- Hardware appliance
- Virtual appliance
- Software server deployable in customer software infrastructure.

Both the hardware and virtual appliances come with a prepackaged software stack that includes a web application server, enterprise-class database, and access management. Client applications authenticate with the server using mutual SSL. A client application using a DPM client for encryption and key management can operate with a local protected cache for keys.

Figure 15 shows a typical deployment architecture for key management that contains at least two load-balanced nodes within the primary site for high availability and more nodes in remote sites for scalability or disaster recovery purposes, all clustered together. All nodes in a cluster are active. DPM appliances come with built-in replication to keep all the nodes in sync. RSA DPM virtual and hardware appliances can be deployed in the same way.

Figure 15. Typical RSA DPM deployment architecture

To use RSA DPM to store CloudLink KEKs, ensure that an RSA DPM host version 3.1 or later is accessible by the CloudLink Gateway through its private LAN network. The and the CloudLink SecureVSA v2.2 VMware vsphere provide more information on deploying, configuring, and using CloudLink.

To prepare RSA DPM for storage of CloudLink KEKs:

1. Log on to the RSA Data Protection Manager console.
2. Create an identity that belongs to a particular RSA DPM identity group, as shown in Figure 16.

Figure 16. Creating an RSA DPM identity

3. Create a security class object with infinite duration that belongs to the same RSA DPM identity group, as shown in Figure 17.

Figure 17. Creating a security class object

To configure CloudLink to use RSA Data Protection Manager as its key store:

1. Open CloudLink Center on the Gateway using the secadmin user account.
2. Under the topology tree, select the gateway.
3. Click Security > Key Store.
4. To configure CloudLink to use RSA Data Protection Manager for KEK storage, under Location, click RSA DPM.
5. Under RSA DPM Configuration, shown in Figure 18, specify the RSA DPM parameters:
   - Host: RSA DPM host IP address
   - Port: TCP port number configured on the RSA DPM host (default port is 443)
   - Security Class Name: Name of the security class configured on the RSA DPM host for the RSA DPM client
   - Trust Certificate: RSA DPM server certificate
   - Client Certificate: RSA DPM client certificate
   - Password: Password used during creation of the RSA DPM client certificate
6. Click Apply.

Figure 18. RSA DPM Configuration panel in CloudLink Center

CloudLink Gateway displays the RSA DPM status as Accessible. It creates a new entry in the CloudLink Center Actions log, as shown in Figure 18, and records a Key store change security event, as shown in Figure 19.

Figure 19. Key store change security event recorded by CloudLink

Microsoft Active Directory integration

As an alternative to using RSA DPM as a key store, you can configure Microsoft Active Directory as a CloudLink key store. It is very important that the Active Directory server is properly backed up to ensure the safety of the encryption key. Losing the encryption key will cause data loss. For high availability and disaster recovery, Active Directory servers acting as CloudLink key stores are deployed on both the product site and the DR site.

Configuring Active Directory as a key store

To use Active Directory to store CloudLink encryption keys, deploy a Windows Server to be accessible by CloudLink Center from its private LAN network. During this procedure, you must provide the host name of the Windows Server, which means you must have already set up the DNS server.

To configure the Active Directory for the CloudLink encryption key store on a Windows 2003 or 2008 Server that is configured as a domain controller, the following high-level steps are required.

1. Set up an organization unit on Windows Server.
2. Create a bind user.
3. Add the bind user to the security group.
4. Record the DN of CloudLink.
5. Apply the domain controller in CloudLink.

For detailed configuration instructions, refer to the CloudLink SecureVSA v2.2 VMware vsphere.
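The DEK/KEK scheme and the lock, unlock and key change operations described under Encryption key management, modelled in Node.js as an added example; it is not CloudLink code. The cipher mode (AES-256-GCM), the Volume class and every name in it are assumptions, the DEK is unwrapped on each access as a simplification, and key change is modelled as rewrapping the DEK under the new KEK.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require('crypto');

const DEK_LABEL = Buffer.from('wrapped-dek'); // AAD marking a blob as a wrapped DEK

// AES-256-GCM (assumed mode): returns nonce (12) || tag (16) || ciphertext.
function seal(key, plaintext, aad) {
  const nonce = randomBytes(12);
  const cipher = createCipheriv('aes-256-gcm', key, nonce);
  cipher.setAAD(aad);
  const ct = Buffer.concat([cipher.update(plaintext), cipher.final()]);
  return Buffer.concat([nonce, cipher.getAuthTag(), ct]);
}

// Reverse of seal; throws if the key, the blob or the AAD does not match.
function open(key, sealed, aad) {
  if (sealed.length < 28) throw new Error('sealed blob too short');
  const decipher = createDecipheriv('aes-256-gcm', key, sealed.subarray(0, 12));
  decipher.setAAD(aad);
  decipher.setAuthTag(sealed.subarray(12, 28));
  return Buffer.concat([decipher.update(sealed.subarray(28)), decipher.final()]);
}

// Block number as 8-byte AAD, so a ciphertext block cannot be moved elsewhere.
function blockAad(n) {
  const b = Buffer.alloc(8);
  b.writeBigUInt64BE(BigInt(n));
  return b;
}

// wrappedDek and blocks model what is on disk; _kek models the copy the node
// caches in memory while the volume is unlocked (hypothetical names).
class Volume {
  constructor(kek) {
    const dek = randomBytes(32); // per-volume DEK
    this.wrappedDek = seal(kek, dek, DEK_LABEL); // stored with the data
    this.blocks = new Map();
    this._kek = Buffer.from(kek);
    dek.fill(0);
  }

  // The DEK is unwrapped on each access (a simplification): no KEK, no data.
  _dek() {
    if (!this._kek) throw new Error('volume locked: KEK not available');
    return open(this._kek, this.wrappedDek, DEK_LABEL);
  }

  write(n, data) {
    this.blocks.set(n, seal(this._dek(), Buffer.from(data), blockAad(n)));
  }

  read(n) {
    if (!this.blocks.has(n)) throw new Error(`block ${n} not written`);
    return open(this._dek(), this.blocks.get(n), blockAad(n));
  }

  // Lock: destroy the cached KEK; wrapped DEK and ciphertext stay on disk.
  lock() {
    if (this._kek) this._kek.fill(0);
    this._kek = null;
  }

  // Unlock: accept a KEK only if it unwraps this volume's DEK.
  unlock(kek) {
    try {
      open(kek, this.wrappedDek, DEK_LABEL);
    } catch (e) {
      throw new Error("KEK does not unwrap this volume's DEK");
    }
    this._kek = Buffer.from(kek);
  }

  // Key change (modelled as a rewrap): only the wrapped DEK is replaced.
  changeKek(newKek) {
    this.wrappedDek = seal(newKek, this._dek(), DEK_LABEL);
    this.lock();
    this._kek = Buffer.from(newKek);
  }
}

const attempt = (fn) => { try { fn(); return 'ok'; } catch (e) { return e.message; } };

// Lock, unlock and key change on constructed sample data.
function demo() {
  const kek1 = randomBytes(32); // constructed; a real KEK comes from the key store
  const kek2 = randomBytes(32);
  const vol = new Volume(kek1);
  vol.write(7, 'tenant record');
  const onDisk = Buffer.from(vol.blocks.get(7));
  const out = {};
  vol.lock();
  out.lockedRead = attempt(() => vol.read(7));
  vol.unlock(kek1);
  out.afterUnlock = vol.read(7).toString();
  vol.changeKek(kek2);
  out.blocksRewritten = !onDisk.equals(vol.blocks.get(7));
  vol.lock();
  out.oldKek = attempt(() => vol.unlock(kek1));
  vol.unlock(kek2);
  out.afterKeyChange = vol.read(7).toString();
  return out;
}

console.log(demo());
```

In this model a lock makes the data unreadable without touching the disk, and a key change invalidates the old KEK while every data block stays byte-for-byte the same.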

Conclusion

EMC EaaS powered by CloudLink SecureVSA enables cloud service providers to address the compliance and data security requirements of their customers. It eases concerns of cloud service customers about their data security in a multitenant environment by providing them with a tool to manage the encryption keys and security policy. It generates additional service revenue associated with a premium encryption service, which requires data encryption in the cloud, and additional workloads moving into the cloud.

CloudLink SecureVSA is very easy to deploy, and is transparent to business applications and underlying infrastructure. It is a granular encryption solution that is workload driven and can be deployed on a per-tenant basis. It encrypts only the data for which tenants and applications require encryption. Other workloads in the cloud environment can continue to use regular cloud storage.

The three deployment models described in this White Paper demonstrate the ease with which CloudLink SecureVSA can be deployed and configured by service providers and their customers. With flexible key management options, customers always have a choice to entrust cloud service providers to manage the key on their behalf or to use existing enterprise key management to secure their data in the service provider environment. The enterprise key management investment is fully protected. CloudLink EaaS secures the cloud and ultimately helps enterprises to trust the cloud.

References

VMware documentation

For additional information, see the documents listed below.

CloudLink SecureVSA v2.2 VMware vcloud Director Supplementary Deployment Guide


F-Secure Messaging Security Gateway. Deployment Guide F-Secure Messaging Security Gateway Deployment Guide TOC F-Secure Messaging Security Gateway Contents Chapter 1: Deploying F-Secure Messaging Security Gateway...3 1.1 The typical product deployment model...4

More information

NET ACCESS VOICE PRIVATE CLOUD

NET ACCESS VOICE PRIVATE CLOUD Page 0 2015 SOLUTION BRIEF NET ACCESS VOICE PRIVATE CLOUD A Cloud and Connectivity Solution for Hosted Voice Applications NET ACCESS LLC 9 Wing Drive Cedar Knolls, NJ 07927 www.nac.net Page 1 Table of

More information

Acronis Backup Advanced Version 11.5 Update 6

Acronis Backup Advanced Version 11.5 Update 6 Acronis Backup Advanced Version 11.5 Update 6 APPLIES TO THE FOLLOWING PRODUCTS Advanced for VMware / Hyper-V / RHEV / Citrix XenServer / Oracle VM BACKING UP VIRTUAL MACHINES Copyright Statement Copyright

More information

IBM TSM DISASTER RECOVERY BEST PRACTICES WITH EMC DATA DOMAIN DEDUPLICATION STORAGE

IBM TSM DISASTER RECOVERY BEST PRACTICES WITH EMC DATA DOMAIN DEDUPLICATION STORAGE White Paper IBM TSM DISASTER RECOVERY BEST PRACTICES WITH EMC DATA DOMAIN DEDUPLICATION STORAGE Abstract This white paper focuses on recovery of an IBM Tivoli Storage Manager (TSM) server and explores

More information

VMware Identity Manager Connector Installation and Configuration

VMware Identity Manager Connector Installation and Configuration VMware Identity Manager Connector Installation and Configuration VMware Identity Manager This document supports the version of each product listed and supports all subsequent versions until the document

More information

VMware vcloud Air. Enterprise IT Hybrid Data Center TECHNICAL MARKETING DOCUMENTATION

VMware vcloud Air. Enterprise IT Hybrid Data Center TECHNICAL MARKETING DOCUMENTATION TECHNICAL MARKETING DOCUMENTATION October 2014 Table of Contents Purpose and Overview.... 3 1.1 Background............................................................... 3 1.2 Target Audience...........................................................

More information

Acronis Backup & Recovery 10 Advanced Server Virtual Edition. Quick Start Guide

Acronis Backup & Recovery 10 Advanced Server Virtual Edition. Quick Start Guide Acronis Backup & Recovery 10 Advanced Server Virtual Edition Quick Start Guide Table of contents 1 Main components...3 2 License server...3 3 Supported operating systems...3 3.1 Agents... 3 3.2 License

More information

vcloud Air Disaster Recovery Technical Presentation

vcloud Air Disaster Recovery Technical Presentation vcloud Air Disaster Recovery Technical Presentation Agenda 1 vcloud Air Disaster Recovery Overview 2 What s New 3 Architecture 4 Setup and Configuration 5 Considerations 6 Automation Options 2 vcloud Air

More information

VMware vcloud Air Networking Guide

VMware vcloud Air Networking Guide vcloud Air This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of this document,

More information

EMC Symmetrix Data at Rest Encryption

EMC Symmetrix Data at Rest Encryption Detailed Review Abstract This white paper provides a detailed description of EMC Symmetrix Data at Rest Encryption features and operations. March 2011 Copyright 2010, 2011 EMC Corporation. All rights reserved.

More information

David.Balka@chi.frb.org 2009 STREAM FRBC

David.Balka@chi.frb.org 2009 STREAM FRBC Virtualization ti Dave Balka David.Balka@chi.frb.org Examination Elements Architecture Management Processes Integrity Availability Security 2 Datacenter Consolidation 3 What is Virtualization A framework

More information

Monitoring Hybrid Cloud Applications in VMware vcloud Air

Monitoring Hybrid Cloud Applications in VMware vcloud Air Monitoring Hybrid Cloud Applications in ware vcloud Air ware vcenter Hyperic and ware vcenter Operations Manager Installation and Administration Guide for Hybrid Cloud Monitoring TECHNICAL WHITE PAPER

More information

VMWARE VSPHERE 5.0 WITH ESXI AND VCENTER

VMWARE VSPHERE 5.0 WITH ESXI AND VCENTER VMWARE VSPHERE 5.0 WITH ESXI AND VCENTER CORPORATE COLLEGE SEMINAR SERIES Date: April 15-19 Presented by: Lone Star Corporate College Format: Location: Classroom instruction 8 a.m.-5 p.m. (five-day session)

More information

Unitrends Virtual Backup Installation Guide Version 8.0

Unitrends Virtual Backup Installation Guide Version 8.0 Unitrends Virtual Backup Installation Guide Version 8.0 Release June 2014 7 Technology Circle, Suite 100 Columbia, SC 29203 Phone: 803.454.0300 Contents Chapter 1 Getting Started... 1 Version 8 Architecture...

More information

The VMware Administrator s Guide to Hyper-V in Windows Server 2012. Brien Posey Microsoft MVMP @Veeam

The VMware Administrator s Guide to Hyper-V in Windows Server 2012. Brien Posey Microsoft MVMP @Veeam The VMware Administrator s Guide to Hyper-V in Windows Server 2012 Brien Posey Microsoft MVMP @Veeam About today s webinar Thought leadership content from an industry expert This webinar is recorded and

More information

VMware vsphere Data Protection 5.8 TECHNICAL OVERVIEW REVISED AUGUST 2014

VMware vsphere Data Protection 5.8 TECHNICAL OVERVIEW REVISED AUGUST 2014 VMware vsphere Data Protection 5.8 TECHNICAL OVERVIEW REVISED AUGUST 2014 Table of Contents Introduction.... 3 Features and Benefits of vsphere Data Protection... 3 Additional Features and Benefits of

More information

VMware vsphere: Fast Track [V5.0]

VMware vsphere: Fast Track [V5.0] VMware vsphere: Fast Track [V5.0] Experience the ultimate in vsphere 5 skills-building and VCP exam-preparation training. In this intensive, extended-hours course, you will focus on installing, configuring,

More information

EMC ViPR Controller Add-in for Microsoft System Center Virtual Machine Manager

EMC ViPR Controller Add-in for Microsoft System Center Virtual Machine Manager EMC ViPR Controller Add-in for Microsoft System Center Virtual Machine Manager Version 2.3 Installation and Configuration Guide 302-002-080 01 Copyright 2013-2015 EMC Corporation. All rights reserved.

More information

VMware vcloud Architecture Toolkit Public VMware vcloud Service Definition

VMware vcloud Architecture Toolkit Public VMware vcloud Service Definition VMware vcloud Architecture Toolkit Version 2.0.1 October 2011 This product is protected by U.S. and international copyright and intellectual property laws. This product is covered by one or more patents

More information

VMware Data Recovery. Administrator's Guide EN-000193-00

VMware Data Recovery. Administrator's Guide EN-000193-00 Administrator's Guide EN-000193-00 You can find the most up-to-date technical documentation on the VMware Web site at: http://www.vmware.com/support/ The VMware Web site also provides the latest product

More information

PHD Virtual Backup for Hyper-V

PHD Virtual Backup for Hyper-V PHD Virtual Backup for Hyper-V version 7.0 Installation & Getting Started Guide Document Release Date: December 18, 2013 www.phdvirtual.com PHDVB v7 for Hyper-V Legal Notices PHD Virtual Backup for Hyper-V

More information

Virtual Web Appliance Setup Guide

Virtual Web Appliance Setup Guide Virtual Web Appliance Setup Guide 2 Sophos Installing a Virtual Appliance Installing a Virtual Appliance This guide describes the procedures for installing a Virtual Web Appliance. If you are installing

More information

Khóa học dành cho các kỹ sư hệ thống, quản trị hệ thống, kỹ sư vận hành cho các hệ thống ảo hóa ESXi, ESX và vcenter Server

Khóa học dành cho các kỹ sư hệ thống, quản trị hệ thống, kỹ sư vận hành cho các hệ thống ảo hóa ESXi, ESX và vcenter Server 1. Mục tiêu khóa học. Khóa học sẽ tập trung vào việc cài đặt, cấu hình và quản trị VMware vsphere 5.1. Khóa học xây dựng trên nền VMware ESXi 5.1 và VMware vcenter Server 5.1. 2. Đối tượng. Khóa học dành

More information

uh6 efolder BDR Guide for Veeam Page 1 of 36

uh6 efolder BDR Guide for Veeam Page 1 of 36 efolder BDR for Veeam Hyper-V Continuity Cloud Guide Setup Continuity Cloud Import Backup Copy Job Restore Your VM uh6 efolder BDR Guide for Veeam Page 1 of 36 INTRODUCTION Thank you for choosing the efolder

More information

How to Backup and Restore a VM using Veeam

How to Backup and Restore a VM using Veeam How to Backup and Restore a VM using Veeam Table of Contents Introduction... 3 Assumptions... 3 Add ESXi Server... 4 Backup a VM... 6 Restore Full VM... 12 Appendix A: Install Veeam Backup & Replication

More information

EMC PERFORMANCE OPTIMIZATION FOR MICROSOFT FAST SEARCH SERVER 2010 FOR SHAREPOINT

EMC PERFORMANCE OPTIMIZATION FOR MICROSOFT FAST SEARCH SERVER 2010 FOR SHAREPOINT Reference Architecture EMC PERFORMANCE OPTIMIZATION FOR MICROSOFT FAST SEARCH SERVER 2010 FOR SHAREPOINT Optimize scalability and performance of FAST Search Server 2010 for SharePoint Validate virtualization

More information

vcloud Director User's Guide

vcloud Director User's Guide vcloud Director 5.5 This document supports the version of each product listed and supports all subsequent versions until the document is replaced by a new edition. To check for more recent editions of

More information

Study Guide. Professional vsphere 4. VCP VMware Certified. (ExamVCP4IO) Robert Schmidt. IVIC GratAf Hill

Study Guide. Professional vsphere 4. VCP VMware Certified. (ExamVCP4IO) Robert Schmidt. IVIC GratAf Hill VCP VMware Certified Professional vsphere 4 Study Guide (ExamVCP4IO) Robert Schmidt McGraw-Hill is an independent entity from VMware Inc. and is not affiliated with VMware Inc. in any manner.this study/training

More information

QNAP in vsphere Environment

QNAP in vsphere Environment QNAP in vsphere Environment HOW TO USE QNAP NAS AS A VMWARE DATASTORE VIA NFS Copyright 2009. QNAP Systems, Inc. All Rights Reserved. V1.8 How to use QNAP NAS as a VMware Datastore via NFS QNAP provides

More information

Citrix XenServer 7 Feature Matrix

Citrix XenServer 7 Feature Matrix Citrix XenServer 7 Matrix Citrix XenServer 7 Matrix A list of Citrix XenServer 7 features by product edition, including entitlements XenApp and XenDesktop license holders. The most comprehensive application

More information

SOLUTION BRIEF Citrix Cloud Solutions Citrix Cloud Solution for Disaster Recovery

SOLUTION BRIEF Citrix Cloud Solutions Citrix Cloud Solution for Disaster Recovery SOLUTION BRIEF Citrix Cloud Solutions Citrix Cloud Solution for Disaster Recovery www.citrix.com Contents Introduction... 3 Fitting Disaster Recovery to the Cloud... 3 Considerations for Disaster Recovery

More information

VMware vsphere 4.1 with ESXi and vcenter

VMware vsphere 4.1 with ESXi and vcenter VMware vsphere 4.1 with ESXi and vcenter This powerful 5-day class is an intense introduction to virtualization using VMware s vsphere 4.1 including VMware ESX 4.1 and vcenter. Assuming no prior virtualization

More information

VMware vsphere Design. 2nd Edition

VMware vsphere Design. 2nd Edition Brochure More information from http://www.researchandmarkets.com/reports/2330623/ VMware vsphere Design. 2nd Edition Description: Achieve the performance, scalability, and ROI your business needs What

More information