How To Get To A Cloud Storage And Byod System

Transcription

1 Maginatics Security Architecture What is the Maginatics Cloud Storage Platform? Enterprise IT organizations are constantly looking for ways to reduce costs and increase operational efficiency. Although cloud storage offers a means to achieve these objectives, many enterprises are still reluctant to fully embrace the cloud because of security concerns. In addition, enterprises are also looking for ways to boost productivity by giving their mobile workforce anywhere, any-device access to business-critical data through corporate BYOD (bring your own device) policies. However, rolling-out a BYOD strategy raises security and management challenges of its own for the enterprise. First, in the absence of an acceptable ITapproved alternative, workers often select a cloud-based personal file sharing service such as Dropbox, Box or an equivalent. Not only do these services place responsibility for data security in the hands of a thirdparty entity, they enable former workers to retain access to proprietary information even after leaving the company. In short, cloud storage and BYOD promise major benefits to enterprises in the form of decreased costs, increased efficiency and enhanced workforce productivity; but getting to these benefits requires overcoming the friction that exists among the IT security team (tasked with enforcing data security and integrity best practices, even on user-controlled endpoint devices), the infrastructure team and CIO (tasked with cost reduction) and the internal user (tasked with meeting productivity goals that demand efficient access to sensitive data on the go). This friction has never been more pronounced. The Maginatics Cloud Storage Platform (MCSP) is the only solution in the market today that addresses all aspects of this friction and ensures alignment among all constituencies, enabling enterprises to capture the benefits of both cloud and mobility without sacrificing data security or availability.

2 Data Protection from End to End Enterprise security spans multiple components, including: Physical security: Controlled data center access, surveillance, guards. Data encryption: At rest and in transit. Access control: Network policies and systems, identity management policies and systems. Data integrity: Ensuring data accuracy, consistency and reliability. The Maginatics security architecture fits this model perfectly, allowing enterprises to seamlessly leverage their existing systems, polices and tools for data protection while augmenting the traditional enterprise environment with features and capabilities that ensure end-to-end security in an era of cloud computing and unfettered mobility. Four pillars support this architecture: Physical and network security Unlike any competing solution, MCSP allows IT to persistently store all encryption keys, metadata and user database information exclusively within the confines of the enterprise s own physical data centers. Fine-grained encryption Upon entry into the system, every file is broken into many small, variable sized chunks, each of which is individually encrypted with its own independent AES-256 key. In addition, all data and metadata transfers take place over HTTPS. Access control native to the enterprise MCSP integrates natively with existing enterprise identity management systems such as Active Directory, enabling IT administrators to control access to data stored in the cloud with MCSP exactly as they would with data stored in a traditional filer. Connectivity between endpoints and the identity management system is secured using either VPN or a reverse proxy, while

3 cryptographically signed, time-limited tokens ensure that only authorized clients can access data stored in the system. (Note: a reverse proxy option provides an equivalent level of security as VPN without the need for VPN.) Data integrity A robust data verification process protects against malicious clients or network failures (e.g., HTTP proxy errors) causing data corruption. Chunks written to the object store are quarantined prior to being verified, so a misbehaving client cannot affect common data. What are the components of Maginatics Cloud Storage Platform? There are three foundational components that comprise MCSP (see figure 1). Figure 1: Key Components of Maginatics Cloud Storage Platform

4 1. The Maginatics Virtual Filer (MVF) The point of control for the MCSP is the Maginatics Virtual Filer (MVF), which is deployed as a virtual appliance and hosted where the customer wishes: (1) in its own data center; (2) by a trusted service provider or; (3) in the cloud. MVF provides, among other things, the control plane for the MCSP. It is responsible for mediating all data operations, as well as for access control (via the customer s existing Active Directory or another identity management system), data integrity, cache consistency and management of de-duplication maps. The MVF does not host data and therefore does not present a dataflow bottleneck as seen with legacy technologies. Instead, the Maginatics Virtual Filer hosts metadata (including all encryption keys) and acts as a gatekeeper to the data, which is hosted in the cloud. 2. The MagFS Agent The MagFS Agent is a native agent that resides on endpoint devices and communicates over the secure control plane with the MVF for permission to execute data operations. The agent then executes these operations by communicating directly with the object store over the secure data plane. Taking full advantage of the power and functionality of modern devices, the MagFS Agent does much of the heavy lifting in the system (in concert with the Maginatics Virtual Filer), including WAN optimization, fine-grained end-toend encryption and file segmentation and re-assembly. The use of endpoint agents allows MCSP to deliver security, scalability and control throughout the entire system: in the cloud, on the endpoint devices, and in-flight. 3. The Object Store The Object Store is any public, private or hybrid object store chosen by the customer.

5 Physical Data Center Protection The Maginatics security architecture renders data anywhere in the system in the cloud, on an endpoint device or in transit completely opaque to anyone who should acquire it without the ability to authenticate through the native enterprise identity management system. This is accomplished by persisting sensitive data elements that could compromise data security uniquely behind the enterprise firewall. That is, regardless of whether data is stored on-premises or in the cloud, the following elements are persistently stored only in the customer s data center (unless the customer chooses to store them elsewhere): Encryption keys Metadata (which can be more sensitive than its associated data) User database Fine-Grained Encryption As shown below, MCSP encryption/decryption is performed by the MagFS Agent entirely on the endpoint device, taking full advantage of the power, capabilities and hardware acceleration of modern computing devices. The encryption process is best illustrated using the following example; i.e., that of a user who wishes to save a file located on an endpoint device to the cloud. The steps are as follows: 1. File Segmentation The file is segmented into many small pieces or chunks of variable size. Besides enhancing performance by enabling granular inline deduplication and allowing threaded transfers of files between the endpoint and object store, file chunking improves security by forcing an attacker to compromise not just a single key, but many keys, in order to decrypt a single file. Chunk sizes are determined algorithmically to optimize deduplication efficiency.

6 Figure 2: MCSP Encryption 2. Encryption With MCSP, there is no master key that can compromise all data in the system in the event of a theft or loss. Instead, each plaintext chunk is individually encrypted with its own independent AES-256 key. This key is applied to the raw chunk using the AES/CBC-256 cipher, generating the encrypted chunks. The one-way cryptographic hash function is then applied again, this time to the encrypted chunk, to generate the chunk reference. 3. Key management The unique encryption key for the chunk is sent over HTTPS to the Figure 3: Recovery Modes

7 MVF, where it is persistently stored in an integrated key management system. The key is then deleted from memory on the endpoint device. 4. Data storage Each <chunk-reference, encrypted chunk> tuple represents a <key, value> pair which is stored in the local encrypted cache of the endpoint device to enable deduplication and to enhance performance (if the same key-value pair is already resident in the cache, this new copy is ignored). The chunk-reference is also transmitted along with other metadata (e.g., the associated file name) over HTTPS to the MVF, which persists the information and uses it to create a chunk map that maps file names to their constituent encrypted chunks. Upon receipt of the chunk-reference, the MVF computes a location in the cloud to which the associated encrypted chunk will be stored and generates a pointer to that location in the form of a cryptographically signed, time-limited URI which is sent over HTTPS to the MagFS Agent. Communicating over its own secure channel with the object store using the latter s native REST interface, the MagFS Agent transfers the encrypted chunk to the cloud with a simple PUT command. The object store validates the URI by checking the signature and expiration time before storing the encrypted chunk. If the time limit is exceeded, the MagFS Agent must request a new URI from the MVF. When retrieving files from the object store, the process is essentially reversed: 1. The MagFS Agent requests a file by name. Using its chunk map, the MVF identifies the constituent chunks, retrieves the associated chunk-references, URIs and keys and sends these elements over HTTPS to the MagFS Agent, where the chunk-references and keys are stored in memory. 2. The MagFS Agent checks its local encrypted cache for any of the chunk-references it has just received and decrypts the encrypted chunks associated with those it finds using the keys provided by the

8 MVF. On cache misses, the MagFS Agent uses the <URI, encryption key> pair to retrieve the missing chunks, decrypts them, reassembles the file (using chunk map data provided by the MVF) and presents the file to the user, ending the operation. All keys are deleted from memory once the application accessing the file closes or the active user session ends. Access Control As illustrated below, MCSP enables enterprise IT to control access to data using existing enterprise tools and workflows. Figure 3: Access Control The MVF integrates natively with existing enterprise identity management (IDM) systems such as Active Directory, allowing IT administrators to control access to data stored with MCSP exactly as they would with any traditional data center asset. There is no need to configure a new IDM system or to create new user profiles MCSP leverages existing systems, profiles and workflows.

9 Authentication Users authenticate against an internal Active Directory server by passing credentials over an HTTPS connection. The MVF validates the user credentials against Active Directory using the Kerberos protocol and retrieves the user s security identifier (SID) and group memberships via LDAP queries to Active Directory. The SID and group membership information is retained to perform access control as described below; user credentials are deleted after authentication. Access Control The file system objects in an MCSP deployment are individually protected by access control lists (ACLs) analogous to those used in a NTFS file system. When a file is accessed by a MagFS Agent, the MVF checks the ACL on the file and compares it with the SID and groups in the current user session. Access control can also be enforced at the share level. MCSP allows enterprise IT to choose VPN or a reverse proxy with custom third-party certificates as the means by which users (MagFS Agents) gain access to the MVF. Either option safeguards the perimeter with deep packet inspection, IP blocking, etc. Regardless of the method chosen, MCSP supports the use of single sign-on systems as illustrated in the figure above. Additionally, all data transfers (Agent-to-object store and Agent-to-MVF as well as asynchronous MVF-to-object store communication for encrypted chunk creation, verification and garbage collection) take place over HTTPS. As noted earlier, access control is further enhanced with the use of cryptographically signed, time-limited URIs.

10 Data Integrity A cardinal requirement for any storage architecture, data integrity is especially challenging in today s distributed enterprise, where untrusted endpoint devices outside the control of central IT must be able to safely write to the system, and do so over the public Internet. MCSP ensures that all data entering the system is stored accurately, reliably and consistently. In this environment, a misbehaving client may mark a failed write as successful due to a bug that manifests only under certain conditions (e.g., a buggy library), while a misbehaving HTTP proxy may give even a sound client incorrect information about an operation. More ominously, a virus-infected or otherwise malicious client may provide incorrect or simply random hash values (chunk-references) that bear no connection to the uploaded encrypted chunks. Without appropriate protection, any of these conditions may lead to data corruption issues. MCSP guards against these and all related risks with a robust, out-ofband data verification process. With this mechanism, Maginatics guarantees the reliability and consistency of all data written to the system and ensures that buggy, misbehaving or malicious clients cannot affect data integrity. Summary Enterprises have never before stored as much data as they do today, and access has never been so distributed and dispersed. Moving from legacy architectures to more cost-effective software-defined and cloudbacked architectures can help enterprises address these challenges. However, most existing solutions address only some aspects of security, mainly around data encryption. By deploying a cloud storage solution that makes security and data authentication top priorities, enterprises can alleviate these security and data integrity concerns that often inhibit their transition to the cloud.