This guide provides an overview of commonly asked questions about the technology and security associated with AT&T Synaptic Storage as a Service SM.

Transcription

1 AT&T Synaptic Storage as a Service sm Security Overview This guide provides an overview of commonly asked questions about the technology and security associated with AT&T Synaptic Storage as a Service SM. Here are the topics that will be covered in the document. Data Center Location... 4 Data Location... 5 Network Security... 5 Distributed Denial of Service (DDOS) Defense... 5 Intrusion Detection and Prevention... 5 Multi Firewall Layer Approach... 6 Man in the Middle Mitigation (MIM)... 6 Platform Security... 6 Data Encryption in Transit... 6 Data Encryption at Rest... 7 User Access... 7 Investigative Support... 8 Compliance AT&T Intellectual Property. All rights reserved. AT&T, the AT&T logo and all other AT&T marks contained herein are trademarks of AT&T Intellectual Property and/or AT&T affiliated companies. All other marks contained herein are the property of their respective owners. AT&T products and services are provided or offered by subsidiaries and affiliates of AT&T Inc. under the AT&T brand and not by AT&T Inc. This document is not an offer, commitment, representation or warranty by AT&T and is subject to change.

2 Overview AT&T Synaptic Storage as a Service SM is a virtualized storehouse that provides elastic data storage capacity on demand. The service easily scales up and down to any size, allows customers to pay only for the storage used, requires no financial commitments or minimums, and can be accessed by authorized users using a web interface anytime and from any network IP-based device connected to the Internet or to AT&T s Global IP Network. The service includes: Enterprise-grade network security features Protection against distributed denial of service (DDoS) attacks Monitoring and management An integrated service level agreement that covers availability time for the service, up to 99.9% Customer portal for access to detailed information on the service, 24x7x365 AT&T Synaptic Storage as a Service is designed to store customer data ranging from terabytes up to petabytes. Unlike other forms of electronic data storage, AT&T Synaptic Storage as a Service does not use logical unit numbers (LUNs), volumes or partitions, and it does not operate at either the block level or file system level. Information is stored as objects inside the AT&T Synaptic Storage as a Service repository. Policies can be selected to act on those objects, allowing different functionality and service levels to be applied to different types of users and their data. AT&T Synaptic Storage as a Service uses a unified namespace. In other words, it operates not on individual information silos but as a single repository, no matter how many petabytes of data containing how many billions of objects are spread across locations available to any number of authorized users. The service employs a single management console regardless of how many locations across which the object repository is distributed. AT&T Synaptic Storage as a Service automatically reacts to environmental and workload changes as well as failures, thus providing reliable global availability. AT&T Synaptic Storage as a Service can be used by customers to back up or archive data that resides elsewhere, but it does not include managed data backup as part of the service. The base policy stores one original and one replicated clone copy of your data in data center. You have the option to asynchronously replicate your data to a separate geographically diverse data center. AT&T Synaptic Storage as a Service benefits customers by allowing them to: Avoid upfront capital expenditures Sidestep planning challenges by tapping elastic storage capacity Save time and hassles by undergoing a one-time procurement and setup process Meet peak demand without over provisioning and shrink storage as needed without paying penalties Supplement their other storage systems cost-effectively Adapt to changing business needs simply and flexibly For all its services, including AT&T Synaptic Storage as a Service, AT&T consistently follows rigorous security standards to help customers protect against the risks and challenges that confront businesses and their data. AT&T s policy is to protect its network, managed systems and applications from unauthorized or improper use, theft, accidental or 07/14/10 Page 2 of 8

3 unauthorized modification, disclosure, transfer or destruction, and to implement protective measures commensurate with their sensitivity, value and criticality. Explanation of Terms An Application Programming Interface (or API)is used to access AT&T Synaptic Storage as a Service. Users, both developers and non-developers alike, use a common framework of data elements to use the API and access the service. These include: Data Depot- The physical location where customer data are stored. AT&T Synaptic Storage as Service Data Depots currently are in two geographically separated AT&T Internet Data Centers located in the United States. Site ID A unique identifier that AT&T uses to associate your company to our ordering, billing and support systems for Hosting & Cloud Services. The Site ID is only applicable to customers who order the service through their AT&T account team; it won t apply to those who order the service online. An example Site ID is: Subtenant ID A 32-character, randomly generated alphanumeric code that is associated with each Site ID. This code uniquely identifies your company to the EMC Atmos TM platform that underlies AT&T Synaptic Storage as a Service. An example Subtenant ID is: 5f8442b515ec402fb4f39ffab8c8179a UID A unique identifier that you can assign for separate applications, organizations or individual users. When your account is first created, you will have one UID by default. Through the portal you have the option to create additional UIDs, allowing you to use separate credentials for authentication and access, as well as to itemize usage for internal charge-back purposes. Default UIDs are typically a derivation of your address, such as: nameatdomaindotcom Token ID A unique combination of your Subtenant ID and UID that consists of combining the two codes together, separated by a slash (/). Using the example Subtenant ID and UID from above, the Token ID would be: 5f8442b515ec402fb4f39ffab8c8179a/nameATdomainDOTcom Shared Secret A random string of 27 characters (base 64) that is uniquely associated with each UID. The shared secret is a 160-bit key that is used to produce a unique, encrypted digital signature for each API request. The signature is a Hash Message Authentication Code (HMAC) that combines various pieces of the message including the Token ID, type of request, date, address and other header information. An example Shared Secret is: MBqhzSzhZJCQHE9U4RBK9ze3K7U= 07/14/10 Page 3 of 8

4 Security Methodology With one of the largest global IP networks and 38 Internet Data Center (IDC) locations operated around the world, AT&T applies broad expertise developed over years as a preeminent provider of network, security and hosting services to protect its hosting facilities and data storage infrastructures. Every day we thwart real-world threats to our own assets and the network and other facilities used to provide our services to multinational entities globally. The expertise behind our security services stems from our engineers in AT&T Labs, who have made significant contributions to the security field, as well as our experienced, highly certified security operations teams. Our security consultants continually stay abreast of current issues by participating in industry conferences and security forums, taking part in continuous education and resolving actual client security issues. The AT&T Security Policy establishes the security standards for protecting AT&T computing and networking infrastructure, and AT&T Hosting & Application Services (H&AS) has an established methodology to provide end-to-end security services to all AT&T managed devices, including AT&T Synaptic Storage as a Service. AT&T implements a layered security model, which provides for multi-level protection to the physical assets upon which data are stored, including AT&T data center environments. In this model, security does not depend on a single countermeasure. Rather, layers of security provide a reinforced system of countermeasures so that a single point of attack should not compromise the entire system. This layered security approach protects AT&T hosted solutions from both physical and logical security threats. Data Depot Location AT&T s Synaptic Storage as a Service Data Depots currently are at two geographically separated, hardened AT&T Internet Data Centers (IDCs) located in the United States. These IDCs, like all of AT&T s IDCs, are audited in annual SAS 70, Type II examinations, encompassing physical security. The locations also adhere to the standards of redundancy and resiliency applicable to all AT&T IDCs. AT&T provides complete physical security for AT&T locations, with a special emphasis on security of the data center and other sensitive areas. Our stringent physical security controls include: Access Policies and Procedures Multi-layer/Multi-factor Access Control Systems Employee Access Procedures Visitor Procedures Contractor Access Procedures Building Security Data Center Security Global Client Support Center Security Background Checks Monitoring Systems 24x7 Guards The automated access control system controls and monitors access to AT&T data centers and our Global Client Support Centers through the use of electronic badge readers, biometric scanners and PIN keypads. The system logs access and sends alerts if entrances are left ajar. Security guards patrol the facilities and maintain a 24X7 physical presence at 07/14/10 Page 4 of 8

5 each data center. As an additional measure, strategically located video cameras record and monitor activity. Physical Data Location at Rest AT&T views the cloud as being specific to an area or region of the world rather than one cloud engulfing the world. This view is based upon the need for companies in certain instances to restrict the movement of data in order to comply with local and federal laws. In the model of the AT&T Synaptic Storage as a Service environment, the user is responsible for its data and any laws or governance that may apply to such data. Today data are restricted to storage at the Data Depots located in the United States. AT&T plans to expand to Data Depots located in the EU and AsiaPac regions. When the service is introduced using additional IDC locations globally, AT&T will implement policies called data fencing, which enables clients to enforce policies cordoning off specific data. Data fencing enables clients to restrict the movement of data according to the company s requirements and/or restrictions while still having the ability to audit and track it. Network Security We protect our network in depth. Around the clock, highly trained security and network personnel manage packet filters at the network borders of AT&T Synaptic Storage as a Service, which mitigates unauthorized traffic. The best network security design and implementation must be continuously managed. Therefore, the packet filters are tightly integrated into the management framework, so that we can adjust them with the latest security protocols in real-time, closely monitoring and automatically updating the filters to mitigate immediate security threats. Network security is a process, driven by management and supported by expert skills and advanced technology. AT&T provides a world-class security posture through its consistent coverage worldwide, its depth of execution in each region and the guidance and support of the global security team, which administers and coordinates security initiatives. Distributed Denial of Service (DDOS) Defense Our DDoS identification and mitigation takes place within the AT&T IP Network, providing increased protection from malicious traffic before it reaches the AT&T Synaptic Storage as a Service Data Depot. DDoS defense consists of a detection device that examines the net flow data. If a denial of service attack is detected, the traffic will be routed to a network mitigation farm, where the malicious DDoS attack packets are identified and dropped while the valid traffic is allowed to pass to the AT&T Synaptic Storage as a Service Data Depot. Intrusion Detection and Prevention Our intrusion detection system, deployed at multiple points throughout our network, recognizes suspicious activities and immediately alerts our information assurance team. AT&T has deployed packet-based intrusion detection systems on the network perimeter of each data center and the hosting infrastructure to capture all traffic going in and out of our network and identify network attacks, web attacks, probing attacks, denial of service attacks, remote procedure attacks, service exploits, FTP exploits and unauthorized network traffic. The intrusion detection system sensors relay observations back to a database that aggregates and correlates the events, so that even distributed attacks are detected. The 07/14/10 Page 5 of 8

6 system also reassembles data streams and makes sense of hacker attack patterns that have been chopped up expressly to avoid recognition. The result is a very sensitive, intelligent network alarm system that, when combined with the efforts of our highly trained security engineers, gives us the ability to pinpoint security events and react immediately and purposefully. Multi Firewall Layer Approach AT&T Synaptic Storage as a Service is used by multiple client companies, which may have different security requirements. For this reason, AT&T has protected the environments (Data Depots) with a dual firewall approach; packet inspection firewall and application inspection firewall. Man in the Middle Mitigation (MIM) AT&T Synaptic Storage as a Service detects replay and buffer-overflows and also acts as a proxy maintaining a state table. An attempt to get through the state table by spoofing, (examining packets (in the middle)) to hijack an existing session will be blocked. SSL encryption through the firewall (straight through the Load Balance where SSL is off-loaded) acts to prevent illegitimate attempts to examine sniffing Transmission Control Protocol sequence numbers. Platform Security AT&T Synaptic Storage as a Service uses the EMC Atmos platform to deliver an enterprise-grade global storage and distribution system. This system uses state-of-the-art methods to manage data stored at a Data Depot. AT&T is considered a tenant of the Atmos system. Subscribers to AT&T Synaptic Storage as a Service (that is, AT&T s customers) are sub-tenants. Each sub-tenant receives a 32-character alphanumeric code called the sub-tenant ID, which AT&T randomly generates. For a fictitious client we ll call Joe s Pizza, here is a sample sub-tenant ID: 5f8442b515ec402fb4f39ffab8c8179a Each sub-tenant also receives a unique shared secret that AT&T generates. Here is the shared secret for Joe s Pizza: MBqhzSzhZJCQHE9U4RBK9ze3K7U= And for each of their web-based applications, sub-tenants receive a unique ID (UID) made up of a portion of the customer name and a randomly generated string. The UID for Joe s Pizza would be: JoesPizza03GF52E8D8E Data Encryption in Transit Encryption is combined with the inherent password security to support encryption while data are in transit. In addition to the secure SSL tunnel (which encapsulates traffic in transit) created when a request for data is made by the user, each Sub-tenant also receives a Token ID that consists of the sub-tenant ID and the UID, separated by a slash (/). For example, for Joe s Pizza, the Token ID would be: 5f8442b515ec402fb4f39ffab8c8179a/JoesPizza03GF52E8D8E 07/14/10 Page 6 of 8

7 When making a request over port 443, the application will first compose the request itself. Then, the shared secret is used as a key to produce a hash message authentication code (HMAC) by combining various pieces of the message including the Token ID, type of request, date, address and other header information. The algorithm to generate this signature uses the SHA-1 hash function, a U.S. federal government approved cryptographic standard developed by the NSA. The resulting digital signature is a 160-bit encrypted digest of the request, which is sent along with the request over the network. Upon receipt, the AT&T Synaptic Storage as a Service platform retrieves the UID from the request. It also retrieves the shared secret associated with the UID that is stored in the platform. The platform then regenerates the signature using the same algorithm and compares it to the one received with the request. If the two signatures match, the platform processes the request and returns the response payload. Encrypted digital signatures are used in this manner for any type of request, whether to create, read, update or delete an object or its associated metadata. This approach provides the necessary assurances at an individual transaction level to validate the identity of the sender, the integrity of the message, and non-repudiation of the action. Private AT&T Network Connection An AT&T private network connection, such as a Network VPN service, can provide a bridge between a company s existing IT infrastructure and AT&T Synaptic Storage as a Service. An AT&T private network connection enables enterprises to connect their existing infrastructure to AT&T Synaptic Storage as a Service via the AT&T IP (MPLS) Network, and to extend their existing management capabilities such as security services, to include their AT&T resources. Data Encryption at Rest Encryption at rest is nearly always a standard requirement to protect data when it is moved to an off-site storage location. AT&T Synaptic Storage as a Service platform allows data to be encrypted at rest without impacting the storing or the retrieval of the object (although it must be recognized that the overhead associated with encryption at rest can be a drawback). AT&T does not provide encryption at rest with AT&T Synaptic Storage as a Service however due the fact that it would require AT&T to have access to or manage customer encryption keys, which is normally not acceptable under customer security policies. AT&T strongly recommends that clients encrypt its data before it leaves the customer network, in addition to being sole owner of the encryption key for any data encrypted while at rest at the Data Depot. Key Management AT&T s approach is that a client should maintain its own encryption keys, which therefore prevents AT&T (or any third party) from having intelligible access to stored data. This approach should assist customers in their compliance and audit reviews. User Access 07/14/10 Page 7 of 8

8 When providing AT&T Synaptic Storage as a Service, AT&T uses a REST API method to connect the storage platform to the customer environment. The REST API in its native form or an enabler form (GUI) is attached to a specific application (Media server, database, etc.) in the customer environment. The customer application already resides in the client s LDAP or AD structure, which dictates and enforces user access to the data stored on the AT&T Synaptic Storage as a Service platform. Investigative Support Customers are ultimately responsible for disclosing or making available data stored on the AT&T Synaptic Storage as a Service platform in response to a discovery request or government/judicial subpoena. AT&T Synaptic Storage as a Service does not incorporate e-discovery capabilities, context-based searching or indexing of data. Should the need arise to respond to discovery requests or if information is the subject of a government subpoena, AT&T has processes available to assist customers in responding to such requests in a manner that mitigates impact to the overall operation of the platform. For example, the meta data associated with customer objects are classified and categorized through an automated tool that may help to reduce the time needed to isolate and inventory information assets subject to discovery or examination. Compliance Customers are ultimately responsible for the security and integrity of their data, even when it is held by a service provider. Nevertheless, as described previously, AT&T provides a highly secure environment surrounded by multiple layers of physical and logical security to protect against attacks. To confirm the effectiveness of these actions, AT&T proactively undertakes external audits and security certifications such as SAS 70 Type II. Additionally, AT&T actively applies its technical expertise and management resources to support public, voluntary standards processes around the globe. Standards directly affect market success, and customers require standards compliance for the communications products and services they purchase. AT&T has an entire department, known as the Chief Security Office, that directly participates in technical standards development groups and in industry bodies concerned with administering the voluntary process itself, such as the Cloud Security Alliance ( 07/14/10 Page 8 of 8