AFORE CLOUDLINK ON VBLOCK SYSTEMS

Transcription

1 Table of Contents About this document... 3 Audiences... 3 Introduction... 3 Business Case... 3 Solution Overview... 4 Technology Overview... 5 AFORE CloudLink Secure VSA... 5 The CloudLink Architecture... 6 VCE Vblock Systems... 7 RSA Data Protection Manager... 9 Solution Architecture Overview... 9 System Configuration... 9 Encryption Data Flow Hardware and Software Integration with RSA Data Protection Manager Design Considerations Performance Sizing High Availability Key Management Storage Network Solution Validation Test Cases and Objectives AFORE Solutions Inc. All rights reserved. The Copyright in this document belongs to AFORE Solutions Inc. and no part of this document 1

2 Test Case 1 - CloudLink Installation on Vblock Systems Test Case 2 - Data Encryption: Simulated Application Profile Tests Test Case 3 - Data Encryption: Functional Evaluation of Select CloudLink Encryption Features Test Case 4 RSA Data Protection Manager Integration Conclusion For More Information

3 About this document This document describes the AFORE CloudLink Secure Virtual Storage Appliance (VSA) solution certified on VCE Vblock Systems and discusses business requirements, technology components, architecture, and use cases tested during the Vblock Ready certification of CloudLink Secure VSA. For more information about this paper or about this solution, please contact AFORE Solutions at Audiences This document is intended for IT and security administrators, managers, and directors deploying AFORE CloudLink Secure VSA solutions on Vblock Systems. Introduction Business Case Traditional data centers have experienced a paradigm shift in recent years. Silos of disparate physical computing systems are being consolidated and migrated to cloud-based and virtualized infrastructure, bringing the benefits of flexible on-demand deployment, optimal capacity utilization, and substantial cost savings to enterprises and service providers alike. With this transformation has come new challenges in IT security, particularly related to managing the confidentiality, integrity, and privacy of sensitive data. In a shared, cloud-based environment, data security cannot be an afterthought. Data encryption is an essential mechanism for ensuring data confidentiality, isolation, and protection. In many cases, virtualized environments host multiple tenants in a single converged infrastructure like the VCE Vblock System. Tenants typically include one or more of the following: - Departmental data stores that need to be isolated, with one or multiple data stores requiring encryption with separate keys (e.g., human resources, manufacturing, research and development and other sensitive file storage such as company executive file folders, etc.) - Multiple applications hosted on the same physical server and disk array, such as a single Vblock System. To ensure data protection, one or more of the application data stores (e.g., those for SAP, Oracle, Exchange, etc.) might require separate encryption keys. - Different customers hosted on the same physical server and disk array, such as a service provider environment using a converged infrastructure. Some or all of this customer data might require separate, pertenant encryption keys. Industries such as financial services, healthcare, manufacturing, and government often have stringent regulatory security requirements that mandate data isolation and encryption. Service providers in particular see data encryption as a key security feature that allows them to appeal more broadly to customers. Traditional solutions include self-encrypting disks, storage controller-based encryption, and the encryption of SAN switches or in-line encryption appliances. Each of these has one big drawback a lack of multitenant capability. A single key is used to encrypt all data that passes through the cipher. Customers therefore have to dedicate the entire physical resource (disk, array or entire SAN) to a single tenant. The lack of flexibility and associated cost of this 3

4 approach goes against the trend towards virtualization and cloud computing and the goal of achieving a softwaredefined data center. One of the traditional objections to software-based encryption has been that it degrades performance. This misperception has been countered by the fact that the Advanced Encryption Standard (AES) has now become the algorithm of choice for hardware acceleration for cryptographic operations in a majority of enterprise-class servers. As a result, the overhead of software encryption is less significant with the help of the built-in hardware acceleration. This has created an opportunity for software-based encryption appliances such as AFORE s CloudLink Secure VSA to challenge traditional encryption approaches with superior performance. As a software appliance, the resources consumed by encrypting software can be scaled up and down as the demand for encryption workloads change. When AFORE CloudLink Secure VSA runs on a Vblock System, resource consumption can be tuned to keep up with busy file server, web server or database server applications and minimized when performance requirements are modest. Compared to a hardware appliance, the AFORE CloudLink Secure VSA not only reduces costs, power consumption and footprint, it also complements the converged infrastructure s key benefits of flexibility, agility and simplicity. Key tenets of effective data security management include ease of deployment and administration. Many existing software encryption solutions require agents to be deployed on each virtual machine (VM) containing sensitive data. This approach places an unnecessary burden on IT administrators who must deploy and maintain the agents and ensure compatibility with the applications and operating systems running on their VMs. Furthermore, the complexity in configuring numerous agents makes it challenging to develop and maintain an effective security policy. In addition, when tenants and data owners require oversight and control of their own data separate from IT infrastructure administrators, deployment and ongoing operational management become even more complex and daunting. CloudLink s multi-tenant, agent-less approach to data encryption eliminates these challenges. Encrypting software appliances must be easy to deploy and maintain while empowering tenant administrators to have the control they desire. This is especially true for virtualized environments. The software architectural design must encompass these concepts from the start to leverage these key benefits of converged infrastructure: simplicity of deployment and management. Solution Overview AFORE has partnered with industry-leading converged infrastructure provider VCE to provide a Vblock Ready certified encryption solution to meet today s challenges. The AFORE CloudLink Secure VSA provides the ability to encrypt data at rest and in motion from CloudLink Gateway to vnode in virtualized and multitenant environments. In addition, CloudLink enables flexible security administration control, performance monitoring, and integrated key management with RSA Data Protection Management (DPM). CloudLink is certified for Vblock Systems 100, 200, 300 and 700, spanning the needs of small and medium-sized businesses to large enterprises and service providers. The Vblock Ready certification provides customers with peace of mind, letting them know that the solution components are compatible and perform as designed. Key features and differentiators of the CloudLink encryption solution include: - Native support for virtualized cloud environments - CloudLink understands the virtual environment topology and resource elements in multitenant environments. It automates deployment of encryption in VMware vcloud Director environments and is integrated with vcenter for efficient management and advanced security monitoring. It provides end-to-end encryption of VM storage and WAN traffic in virtualized environments. VMs can be migrated between enterprise data centers or between an enterprise data center and a service provider cloud while ensuring that data remain persistently protected. 4

5 - Secure Virtual Private Network (VPN) - CloudLink establishes a secure VPN tunnel between a data center inside the enterprise and a customer virtual data center inside the cloud. All communications between the enterprise and the cloud is encrypted using AES-256 encryption technology. - Secure Ethernet Overlay - CloudLink s Layer 2 Ethernet extension functionality allows enterprises to easily migrate their workloads between enterprise data centers and cloud data centers without changing existing applications and VMs network configuration. CloudLink s secure Ethernet overlay is WAN agnostic, working over Internet, IP VPN, and Carrier Ethernet WANs. - Encryption of Data at Rest - CloudLink provides enterprises with the option to encrypt data at rest using AES- 256 encryption technology. In a dynamic and multitenant cloud environment, CloudLink guards against threats posed by persistent data artifacts, such as snapshots and suspension images and storage layer side attacks. Encryption of data at rest enables enterprises to meet storage data deletion compliance requirements when workloads are moved out of the cloud while malicious or misbehaving co-tenants are remediated. - Pre-Integration with RSA Data Protection Manager (DPM) Key Management Solution As a Secured by RSA Certified Partner, AFORE has certified interoperability between CloudLink and RSA DPM. The integration of these technologies is intended to enable enterprises and cloud service providers to securely encrypt data at rest in cloud infrastructures while leveraging robust, enterprise-wide key management. - Manageability and Control Given the perceived complexity of implementing and managing encryption on a day-to-day basis, CloudLink has been designed with simplicity, flexibility, and manageability in mind from the start. o o o CloudLink Center is a web-based interface that provides comprehensive management tools, including a topology map, performance monitoring, dashboards, and threshold alarms. It can also be configured as a VMware vcenter plug-in. CloudLink is agentless and storage and network agnostic. This makes CloudLink extremely simple to deploy in large enterprise data centers and service provider environments. In a virtualized cloud environment, there are potentially hundreds of VMs being provisioned, deployed, and decommissioned at any given time. Therefore, encryption solution simplicity is essential. CloudLink possesses the unique ability to offer tenants (different enterprises, separate departmental IT administrators, or application administrators) independent control of data security by maintaining their own separate encryption key stores. This provides an extremely flexible way to implement multitenancy. For companies that utilize service provider offerings, this means that the implementation of encryption is not dependent upon an external service provider s policy, permission, or pricing structure. For enterprises, this feature adds flexibility, helping IT to consolidate departmental assets to a more centralized cloud infrastructure, regardless of current organizational structure. Technology Overview AFORE CloudLink Secure VSA Installed as a virtual appliance, AFORE CloudLink Secure VSA provides encryption to secure virtual resource pools in VMs, networks, and data stores in multitenant environments. This multitenant environment could include different enterprises hosted in the same converged infrastructure, departmental data stores, or application data stores within the same enterprise. These different data stores might require separate data encryption control and policies. CloudLink seamlessly integrates with virtualized cloud infrastructures, leveraging cloud platform APIs for automatic virtual storage appliance deployment and monitoring of virtual data centers. For ease of implementation, the CloudLink solution can be set up as a service template, making it easy to order and self-provision. CloudLink s management interface, CloudLink Center, offers role-based access control, facilitating access by cloud IT administrators 5

6 while allowing tenants to maintain complete and sole control of encryption keys. Furthermore, CloudLink is preintegrated with RSA DPM for the lifecycle management of encryption keys, enabling robust, enterprise-scale operational management in which hundreds or thousands of encryption keys can be provisioned, deployed or expired and decommissioned with ease. The CloudLink Architecture Figure 1 depicts the CloudLink architecture within an enterprise, with departmental data requiring separate encryption data stores. This architecture is equally applicable to a cloud service provider environment or a hybrid environment. Figure 1: CloudLink Solution: High-level Architecture CloudLink vnode is a software virtual appliance deployed in the cloud where data stores need to be encrypted. The vnode acts as the communications endpoint between VMs in the virtual data center (VDC) and the enterprise network. The vnode encrypts data, collects logs and events, and sends monitoring data to CloudLink Center via the CloudLink Gateway. CloudLink Gateway is a software virtual appliance deployed inside the enterprise data center. The CloudLink Gateway communicates with CloudLink vnodes to create a secure Ethernet overlay to the enterprise specific VDCs. The CloudLink Gateway authenticates vnodes, monitors connectivity, initiates performance testing, and pushes the enterprise controlled encryption keys via the secure tunnel to the vnodes deployed in the cloud. CloudLink Center is a management application that can be accessed as a web-based application or as a VMware vcenter plug-in, Figure 2. It manages the CloudLink Gateway and vnode, administers trust policies, configures encrypted storage volumes, monitors end-to-end network performance, reports events, logs and alarms, and presents the enterprise network topology by visually depicting VMs connected to CloudLink. 6

7 Figure 2: CloudLink Center Accessed via vcenter Plug-in In the context of VCE Vblock Systems, a CloudLink Gateway with CloudLink Center can be paired with one or multiple vnodes to represent a tenant implementation within the same Vblock System. Multiple sets can then be deployed in a multitenant implementation within a single Vblock System, representing separate enterprise, departmental user, or application data stores. Further extending the architecture, multiple Gateways may share a common RSA DPM or can each point to a separate instance, providing the utmost flexibility in key management. VCE Vblock Systems Vblock Systems, Figure 3, are pre-integrated technology components that include Cisco Unified Computing System (Cisco UCS ) blade servers and networking, EMC storage arrays, and VMware vsphere and management tools, all supported by and with warranty services from VCE. The current Vblock Systems include Vblock Systems 100, 200, 300 and 700. Each Vblock System has a base configuration, which is a minimum set of compute and storage components as well as fixed network resources. Within the base configuration, certain hardware features can be customized. Together, the components offer balanced CPU, I/O bandwidth, and storage capacity relative to the compute and storage arrays in the system. By combining best-of-breed software and hardware solutions in one converged infrastructure, Vblock Systems deliver a cloud-computing experience that is optimized, secure, and faster and easier to deploy and maintain than competitive converged infrastructure solutions. 7

8 Figure 3: A VCE Vblock System Based on the following IDC research, VCE s Vblock System has definite advantages in providing tangible customer results: Figure 4: IDC research on Vblock customer benefits By partnering with AFORE Solutions and certifying its CloudLink encryption appliance on Vblock Systems, VCE offers enhanced security encryption technology that helps customers meet today s compliance challenges in virtualized environments. 8

9 RSA Data Protection Manager RSA DPM offers industry-leading application encryption, tokenization, and enterprise-wide key management. DPM enables centralized key management and transparent and automated policy enforcement for encrypting data at-rest across the information lifecycle. Keys used to protect the virtual disks can be vaulted in the customer s enterprise within DPM for an extra layer of protection. Enterprise key management with RSA DPM features: Interoperability The Key Management Interoperability Protocol (KMIP)-enabled DPM server enables a single key management infrastructure and integrates with applications and devices at every layer. Simple operations A simple user interface allows policies and keys to be managed from a central location, simplifying operations and contributing to lower operational expenditures (OpEx). Key control High availability, security, automated replication, and disaster recovery of the key vault can be provided so that keys are always available. Separation of duties can be ensured to control who has access to keys. Easier compliance Audits are simplified by logging the encryption functions necessary to meet compliance. Solution Architecture Overview This section describes the solution architecture tested and verified during the Vblock Ready certification. System Configuration The test environment assumed a single enterprise deployment environment with encryption needs for separate data stores. Figure 5 shows the CloudLink deployment architecture. 9

10 Figure 5: CloudLink Certification Test Environment Configuration A single CloudLink Gateway in the enterprise environment managed the overall encryption infrastructure. The CloudLink Gateway was deployed on a VM situated on Blade Server ESXi 01. CloudLink Center, the operational management interface, ran on the Gateway. Below the Gateway are the encryption workhorses, the vnodes, each of which was deployed within a separate VDC and was responsible for encrypting its assigned data stores. In terms of the multitenant data center most common in VCE customer environments, each of these VDCs potentially represents a departmental computing environment or a separate application installation environment that needed encryption protection. Each of the VDCs hosted multiple VMs. These vnodes were installed on Blade Servers ESXi 02 and ESXi 03. Installing the Gateway and vnodes on separate blades mimicked typical enterprise environments. The Gateway, performing key control and system monitoring and management, is located within the enterprise data center. The vnodes, which provide encrypted storage, might be located in a separate location along with the application workloads or in the cloud service provider s data center. Tests were performed using the IOmeter test tool suite consisting of an IOmeter instance, providing a management interface for test configuration, and two Dynamo workers. The IOmeter interface was run on ESXi 01, and the Dynamo workers were run on ESXi 02 and ESXi 03, respectively. Connected to ESXi 02 and ESXi 03 was the ESX data store shared by the two simulated tenants. Each tenant had its own encrypted disk shown in Figure 5 in red (Dynamo1 Disk2 and Dynamo2 Disk2 respectively for tenant 1 and tenant 10

11 2) and a cleartext disk shown in green (Dynamo1 Disk3 and Dynamo2 Disk3). Encrypted disks were placed into the protected data stores, allocated inside of the big shared data store. These protected data stores were assigned to their respective vnodes and are shown in orange (vnode1 Data store and vnode2 Data store). Each Dynamo VM that represents tenant workloads has two virtual disks: one for encrypted data and one for cleartext data. One of the objectives of the tests was to compare the native performance of user workloads on a Vblock System with the performance of the same workloads using CloudLink for storage encryption. Data in cleartext (green) virtual disks was accessed bypassing the CloudLink, and data in encrypted disks (red) was accessed through CloudLink. This configuration allowed for a direct performance comparison of the vnodes encrypted storage with native VMAX storage. Encryption Data Flow Once provisioned and started, vnodes established their encrypted connections to the Gateway and requested the encryption keys for unlocking their secure data stores. The Gateway verified the vnodes credentials and Global Unique IDs (GUIDs) of the data store to make sure that legitimate instances of vnodes and data stores were being used. It then issued the Key Encryption Keys (KEKs) which are used to unlock the Data Encryption Keys (DEKs) stored encrypted in the metadata of the data store. Once the vnode ciphers had the keys, the virtual disks stored on their data stores became available to user VMs for performing IO operations. These user VMs are the Dynamo machines (Dynamo1 and Dynamo2) under the control of IOmeter. The Dynamo VMs were instructed to execute a test script against CloudLink. It consists of IO profile characteristics for three typical customer applications: file server, web server, and database server. That mix of IO transactions was executed in two series of tests. In the first, testing was performed using the encrypted virtual disks located in the vnode data stores. In the second, testing was performed using the cleartext virtual disks located in the VMAX storage array, bypassing the vnodes. This allowed for a comparison of CloudLink performance and native performance, measuring the effect of IO traffic being encrypted and decrypted by vnodes on the way to and from the VMAX array. Hardware and Software AFORE: CloudLink Secure Virtual Storage Appliance (VSA) version 2.0 VCE: Vblock System 700MX, RCM version There are four Cisco UCS B200 M2 Blade Servers, each with 96GB memory, and two sockets of 6-core 3.46GHz AES-enabled CPUs, VMAX storage array with 40 disk spindles, and two Cisco MDS 9148 SAN switches. VMware vsphere version 5. Figure 6 contains details of the Vblock System 700MX used for this certification test. 11

12 Figure 6: Vblock System 700MX Component Details Integration with RSA Data Protection Manager Each CloudLink vnode encrypts the storage allocated to it using a DEK which it generates during the installation and initialization process. The CloudLink Gateway generates a KEK for each vnode that is used to encrypt the DEK. In order to unlock a vnode storage and make it accessible to user VMs, the Gateway retrieves the corresponding KEK and provides it to the vnode upon the vnode s request. The vnode then decrypts the DEK and uses it to provide access to the encrypted data. To lock the storage, the Gateway removes the KEK from the vnode, preventing the vnode from being able to access the DEK and providing access to the storage. By incorporating the RSA DPM Java client, each CloudLink Gateway instance can entrust its storage KEKs to RSA DPM. CloudLink uses the key archival resources of RSA DPM to store them securely. The KEKs correspond to the AES-256 with CBC encryption algorithm and are archived in a security class created specifically for this purpose. All communication between the CloudLink Gateway and RSA DPM occurs via a certificate-based mutuallyauthenticated secure session. 12

13 Design Considerations Performance Sizing On a converged infrastructure such as a Vblock System, workloads from multiple tenants may coexist on the same physical infrastructure. It is therefore essential to take the aggregate characteristics of multiple workloads (e.g., percentage of reads versus writes, data transfer size, sequential versus random data access) into consideration when sizing a system. In the case of CloudLink Secure VSA, the vnode encryption process tends to be I/O-bound compared to native, un-encrypted workloads. The overhead for a single CloudLink vnode encryption, as demonstrated in our profile tests, is about 5%. In other words, a single vnode can achieve about 95% of the performance of equivalent unencrypted workloads. For two tenants using two CloudLink vnode instances, this rises to about 98%. Our estimates show that three tenant vnodes would be able to fully utilize the available Vblock System storage bandwidth in the same configuration used in our certification tests. A lighter workload than what is defined in our test profiles will therefore be able to accommodate a larger number of encrypted tenants. As always in the case of sizing, it is recommended that customers perform a proof-of-concept test using realistic workload inputs in order to understand the sizing characteristics of their specific use cases. High Availability Part of CloudLink s efficiency lies in the fact that it is designed from the ground up as a solution for virtualized environments. It relies on the high availability (HA) features of the underlying virtualization platform to maintain the resiliency and fault tolerance necessary for maintaining the consistency of the data. It is recommended that users with mission-critical workloads utilize the HA features of the vsphere platform to the fullest extent possible. Key Management Special care must be taken when dealing with encryption keys. If the key is lost, the data encrypted with this key will become unrecoverable. On the other hand, if the backed-up key falls into the wrong hands, sensitive data may be at risk. For that reason, we strongly recommend using a purpose-built key management solution such as RSA DPM for key storage. Customers may prefer to use other key store options supported by CloudLink, such as Microsoft Active Directory. Use extreme caution to avoid the loss or unintended disclosure of encryption keys. Storage CloudLink vnode can be configured as either a SAN-based data store or network-based storage server and target. As a SAN-based data store, the workloads placed in the vnode s data store require no changes. The encryption of the workload s disks is completely transparent to their guest OSs. The administrator simply maps the appropriate VMDK files into the encrypted data store in order to encrypt the associated virtual disks, Figure 7. 13

14 Figure 7: CloudLink Secure Data Store Mode CloudLink vnode can also be configured as either a Common Internet File System (CIFS) and Network File System (NFS) server or as an Internet Small Computer System Interface (iscsi) target. This is useful in environments where an encrypted network file share is required and/or where a SAN-based data store configuration is undesirable or impossible, such as with vcloud Director. In order to take advantage of CloudLink under this scenario, user VMs need to have either CIFS/NFS clients or an iscsi initiator. All of these are readily available in most popular OSs. 14

15 Figure 8: CloudLink Secure Network Storage Mode Network While many encryption and VPN solutions on the market require the vswitch to be put in promiscuous mode in order to connect the encryption virtual appliance with the VMs requiring its services, with CloudLink this is not a requirement. In order to increase network security and prevent hostile eavesdropping on vswitch traffic, when connecting a vnode to a vswitch, ensure that the vswitch is configured with non-promiscuous mode. There is a variant of CloudLink deployment where no tunnel is configured. This is useful when the owner or administrator of the Vblock System is also the owner of the data in need of encryption. In such a case, there is no distinction between the provider and the consumer of the service and, to simplify deployment, only the Gateway is deployed and it serves as both the management center for CloudLink and the storage encryptor. When two virtualized data infrastructures are at different physical locations, as in the case of an enterprise data center and a service provider data center, the two parties can be connected using the encrypted tunnel. CloudLink allows two options for configuring the connection between the Gateway and vnode: Layer 2 and Layer 3 modes. In Layer 2 mode, as shown in Figure 9, the tunnel creates a seamless network extension between the two networks. When configured in this mode, no user network configuration change is necessary. This mode is useful when users have control over a private IP subnet configuration in the provider data center, typically within the same enterprise infrastructure. vcloud Director allows users the choice of an IP subnet in their virtual data center configuration on the provider side as well. 15

16 Figure 9: CloudLink Layer 2 Networking Layer 3 mode is useful when users do not have control over an IP subnet configuration in the provider data center, as when a enterprise establishes a connection to a cloud service provider that automatically allocates IP subnets to users. Figure 10: CloudLink Layer 3 Networking 16

17 Solution Validation The test environment was as described in the Solution Architecture Overview section, with testing performed using: Vblock System element manager clients Common web browsers IOmeter and Dynamo clients Test Cases and Objectives The following test cases were designed to validate and demonstrate the features of CloudLink and validate its interoperability with Vblock Systems. Performance statistics were collected to understand the characteristics of encryption behavior of CloudLink under various conditions. Test cases 1 and 2 were performed in a lab environment as described in the Solution Architecture Overview section. Test cases 3 and 4 validated the CloudLink features as well as its ease of integration with RSA DPM. These two tests were performed in a separate lab where the RSA DPM platform was readily available. Table 1. Test Cases Demonstrating the Features of CloudLink on Vblock Systems Test Case # Test Case Name Objectives 1 CloudLink installation on Vblock Systems To walk through installation steps and validate the successful installation of CloudLink on Vblock Systems 2 Data encryption: Simulated application profile tests 3 Data encryption: Selected functional evaluation of the encryption features To observe the effect of encryption on simulated application loads generated by the IOmeters test tool To validate selected features of the CloudLink encryption software 4 Interoperability test with RSA DPM To demonstrate the interoperability and manageability between CloudLink and RSA DPM in an enterprise environment Test Case 1 - CloudLink Installation on Vblock Systems Procedure 1. Make sure that the installation environment adheres to the minimum requirements listed in the Installation Requirements section of the CloudLink Secure VSA for VMware vsphere Deployment Guide (November 2012 Version 1.1) 2. Install and configure the CloudLink Gateway Appliance 3. Deploy and configure CloudLink vnode in vsphere a. Configure all interfaces b. Allocate virtual storage to the vnode 17

18 c. Provision the vnode in vcenter as an NFS data store Results The initial setup took less than one hour for the initial setup of one Gateway and one vnode, with the first time user (tester) following the installation manual. As a result of the successful installation, the link between the Gateway and vnodes was depicted as a green line on the CloudLink Center topology map. The storage was unlocked and available. Test Case 2 - Data Encryption: Simulated Application Profile Tests Procedure Using the IOmeter application profiles, data traffic was generated simulating the characteristics of the following three types of applications: Database File server Web server Figure 14 includes a list of the profile test patterns generated by the IOmeter test tool. % of Access Specification Transfer Size Request % Reads % Random File Server Access Pattern (as defined by Intel) 10% 0.5 KB 80% 100% 5% 1 KB 80% 100% 5% 2 KB 80% 100% 60% 4 KB 80% 100% 2% 8 KB 80% 100% 4% 16 KB 80% 100% 4% 32 KB 80% 100% 10% 64 KB 80% 100% Database Access Pattern (as defined by Intel/StorageReview.com) 100% 8 KB 67% 100% Web Server Access Pattern (as defined by Tom's Hardware.com) 22%.5 KB 100% 100% 15% 1 KB 100% 100% 8% 2 KB 100% 100% 23% 4 KB 100% 100% 15% 8 KB 100% 100% 2% 16 KB 100% 100% 6% 32 KB 100% 100% 7% 64 KB 100% 100% 1% 128 KB 100% 100% 1% 512 KB 100% 100% Figure 14: IOmeter Generated Test Profiles 18

19 The simulated traffic was tested against one and two vnode instances. Each vnode represented a separate encryption data store. First, the native performance of Vblock Systems was measured by directing the storage traffic directly to the Vblock System s physical storage, bypassing CloudLink. The associated measured performance is referred to as Native results. Then the same traffic was passed through vnode, which performs encryption and decryption of the storage data. These results are referred to as CloudLink results. Native and CloudLink tests were performed with one workload and two workloads, respectively, called 1x and 2x results. For comparison, the ratio of CloudLink results to native results for both sets of tests was then calculated. Results As illustrated in Figure 15, the encrypted throughput was 95% or better than that of unencrypted native throughput in terms of I/O per second (IOPS) database profile file server profile web server profile Figure 35: CloudLink relative storage performance results 1xCloudLink/1xNative 2xCloudLink/2xNative Test Case 3 - Data Encryption: Functional Evaluation of Select CloudLink Encryption Features The encryption of storage and the effect of operations on the encryption keys and their effect on the storage availability were tested. This test, and the following ones, was conducted in a separate environment from the first two tests due to availability of the DPM software in a different Vblock System. Procedure 1. Perform a Lock operation on storage that effectively removes and destroys the encryption key and verify that the storage is inaccessible. 2. Perform Unlock operation to test availability of the key and the match of the key to the cipher and encrypted storage. 3. Perform Change Key operation to test the key rotation procedure. Results After locking the storage, CloudLink Center displayed the storage as locked and logged the corresponding event. User VMs lost access to the encrypted storage. 19

20 Figure11: Locked CloudLink Storage Unlocking the storage was also successfully accomplished. Figure12: Unlocked CloudLink Storage A change key operation was also accomplished successfully. The key name was changed and the operation was properly logged. 20

21 Figure13: Successful Key Rotation Test Case 4 RSA Data Protection Manager Integration The ease of integration with RSA DPM with CloudLink for enterprise key management was tested. Procedure To configure RSA DPM as the CloudLink key store location: 1. Open the CloudLink Center on the Gateway using the secadmin user account. Note: Refer to the CloudLink 2.0 SecureVSA User Guide for details on accessing the CloudLink Center console. 2. On the left side of the window, at the top of the VMs list in the Topology Tree, select the Gateway. 3. Click Security tab and then the Key Store tab. 4. To configure the CloudLink to use RSA DPM for encryption key storage, click the RSA DPM link in the Location panel. 5. In the RSA DPM Configuration panel specify the RSA DPM parameters Host The RSA DPM host IP address. Port The TCP port number configured on the RSA DPM host (default 443). Security Class Name Trust Certificate The name of the security class configured on the RSA DPM host for the RSA DPM client. The RSA DPM server certificate. 21

22 Client Certificate Password The RSA DPM client certificate. The password used during the RSA DPM client certificate creation. Important: Ensure that RSA DPM server and client certificates are created and saved on the RSA DPM host. Figure 16: RSA DPM Configuration Panel in CloudLink Center 6. Click Apply to save the parameters. Results The CloudLink Gateway was configured properly and connected successfully to RSA DPM. CloudLink confirmed the event by logging an entry in the CloudLink Center action log. 22

23 Figure 17: Action Log Confirming Successful Configuration of RSA DPM as key store In the RSA DPM management console, AFORE CloudLink was listed as one of its managed clients, Figure

24 Figure 18: CloudLink Listed as Managed Client in RSA DPM Management Console 24

25 AFORE key information was available in RSA DPM, Figure 19. Figure 19: CloudLink Key Information Displayed in RSA DPM Management Console Conclusion Data encryption provides a high degree of data security, confidentiality, and privacy protection and is mandated for many industries. There are a myriad of industry-specific security standards which require encryption by IT management. These include standards for federal governments such as Federal Information Security Management Act (FISMA) Certification and Accreditation (C&A) and FedRAMP, Basel III, Federal Financial Institutions Examination Council (FFIEC) and Office of the Comptroller for the Currency (OCC) for banking, Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH) for healthcare, and Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) for select critical infrastructure. Some requirements, such as Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX), and the European Union Privacy Directive, affect a broad range of organizations. Furthermore, the shift from the traditional silo-based enterprise data center to the cloud-based converged infrastructure environment necessitates new requirements for data encryption software. Encryption software needs to be able to natively support virtualized environments. It needs to understand virtualization abstractions and to navigate the virtualized components. More importantly, it also needs to support multitenant deployments where multiple user data stores or application entities are hosted within a single converged infrastructure. Data isolation and encryption are of paramount importance. AFORE CloudLink Secure VSA, combined with RSA DPM and VCE Vblock Systems provides a well-integrated and pretested solution to ensure that these requirements are met with ease. The solution offers enterprises and service providers the following advantages: 25

26 Native support of virtualized cloud environments. Data at-rest encryption throughout data centers and cloud environments Agentless implementation supporting all guest operating systems and applications, eliminating deployment, upgrade and administration challenges associated with security software installed in VMs Network extension into cloud environments via a secure VPN vcenter plug-in providing seamless a flow of management Interoperation with RSA DPM, simplifying enterprise-scale key management The CloudLink Secure VSA solution on Vblock Systems reduces complexity and alleviates concerns when implementing data encryption in a virtualized converged infrastructure so that enterprises and service providers can focus on their core business, making managing Vblock Systems cloud infrastructure easier and simpler, with a lower cost of ownership. For More Information For more information about CloudLink, go to For more information on Vblock Systems, go to For more information on EMC RSA Data Protection Manager, go to For more information on Intel AES instructions, go to 26