The Nasuni Security Model

Transcription

1 Nasuni Security Model Nasuni s security architecture protects off-premises data, allowing enterprises to safely leverage cloud storage Executive Summary Storing data off-premises in cloud or as-a-service settings offers new and exciting capabilities for organizations, but unfortunately introduces new and different risks. Nasuni securely leverages cloud storage resources as the scalable and redundant backend storage in our solution. In order to use this storage effectively, Nasuni has developed robust security that combines superior encryption and datadisguising technology with top-tier cloud storage providers, to ensure the security of your data and give you peace of mind. With Nasuni, organizations can securely protect and manage their data for multiple global locations from a single centralized location. Managing the Security of Off-Premises Data Managing and protecting the security of shared critical data is a time-consuming headache. A recent ESG Research Brief indicates that user authentication and access, combined with data security in transit and at rest, are some of the biggest information security challenges for ROBO locations. 1 This already-diffi cult security problem is exacerbated by the necessity of supporting multiple satellite and branch offi ces around the world. Today, even small organizations often maintain a presence in multiple countries on several continents. Companies must securely provide critical data for such sites and do so from afar while still ensuring rapid access to the most up-to-date data at every location. This challenge compounds the near-exponential growth of the data itself with the additional complexity of secure offi ce-to-offi ce communication. Cloud storage offers attractive benefi ts, such as global access to shared data with unlimited storage capacity. Nasuni leverages cloud storage as part of our consolidated storage solution that delivers primary storage, backup, and offsite data protection, all in a single offering. Nasuni s deep security expertise and experience with off-premises storage enables us to implement security technologies and practices that guarantee your data remains safe even when stored in the cloud.

2 Your organization s off-premises data is vulnerable to a number of potential risks, especially: Exposure to unauthorized parties, the press, and even your competitors. One of the major risks posed by off-premises or cloud storage is the risk that, in a multi-tenant environment, your data might be exposed to unauthorized personnel, including employees of the cloud storage provider itself. Whether this occurs deliberately and maliciously or through sheer accident doesn t matter critical data cannot leave an organization s security perimeter. Cloud storage, by its very nature, is a multi-tenant environment, with shared storage and processing resources controlled by an outside party with the potential to access customer s data. Placing your data in the hands of an outside party on shared hardware is risky, as any resulting data leakage would be a major violation of both security and business trust. After all, no one should be able to read your data except you. Consequences of data leakage range from public embarrassment, to the loss of intellectual property, to the failure of an entire business. Deletion, corruption, or loss of critical business intellectual property. Cloud storage is managed by a third party, with its own security, redundancy, and backup practices practices that you do not control. These practices might render your data vulnerable to deletion, corruption, or loss. Off-premises storage infrastructure should be highly redundant and offer true assurances for both data availability and accessibility. While such data threats might not result in public embarrassment or business loss, as exposure might, the impact could still be severe. Such data issues can impede or halt both special projects and routine collaboration. Furthermore, the IT problems resulting from loss of data all too often lead to loss of jobs.

3 Nasuni s Security Technology Nasuni addresses the risks associated with both on-premises storage as well as off-premises cloud storage. For example, we protect your on-premises data with features such as role-based access control, proxy support, and firewalls to limit access. This technology brief specifically addresses Nasuni s superior security for off-premises data, which incorporates: Military-grade encryption Complete data camouflage Best-of-breed cloud storage datacenters Military-grade encryption From the onset of the Internet, security experts understood that a public network would require serious rethinking of previous security models in order to thrive as a commercial entity. For decades, the security community has been working on the solid and trustworthy encryption technology that is used today. As a result, for example, billions of bank transactions occur daily with rock-solid security, and the commercial Internet can function in the trustworthy way that we have come to expect. This same technology forms the basis for Nasuni s bulletproof data security beginning with a solid foundation of unbreakable encryption. This starts with our customers utilizing their own encryption keys within the Nasuni Filer. Encryption with your keys ensures that your data can never be viewed or used, except by your organization not even by Nasuni. Each Nasuni Filer storage controller performs encryption on your premises before sending any information off-premises, so information is always encrypted both in transit and at rest.

4 Nasuni employs the non-proprietary OpenPGP protocol for public-key-based encryption and decryption. OpenPGP establishes a framework for how to combine widely available security algorithms into a secure system. OpenPGP s open standard and source code support an extensive and thorough review process. In addition, OpenPGP s open standard also means that data encrypted with one implementation of the standard can be decrypted with another implementation, thereby guaranteeing access to data in the future. OpenPGP combines symmetric and asymmetric encryption technologies that not only protect the data, but do so without compromising performance. Using fast symmetric encryption to encrypt data and slower asymmetric encryption to encrypt the keys allows data to be encrypted efficiently and at a high level of granularity. OpenPGP also specifies several important details, including proper salting (inputting random bits to a one-way cryptographic hash function) and cipher modes. OpenPGP s cipher feedback (CFB) mode also avoids the drawbacks of less secure techniques, such as Electronic Codebook (ECB). Along with OpenPGP, Nasuni employs the AES-256 standard for encryption. AES is the first publicly accessible and open encryption standard approved by the US National Security Agency (NSA) for topsecret information. AES-256 is a 256-bit symmetric cipher, far faster and more powerful than other common types of encryption. In addition to encrypting the data itself, the Nasuni Filer also encrypts metadata, both in transit and at rest. This means that no identifiable information not even file names or timestamps is decipherable once it leaves your premises. Encrypted file metadata includes the file name, file size, timestamps, access control information and location within the directory tree. Nasuni s advanced encryption technology also incorporates: Random session keys that eliminate the possibility of hackers detecting patterns and then reverseengineering the encryption keys. Secure Sockets Layer (SSL) that provides end-to-end confirmation of data transmission, revealing any attempt at deletion, corruption, or exposure. Built-in tamper alarms based on OpenPGP s Modification Detection Code (MDC), to detect any attempted tampering with data. Complete data camouflage The risk of data exposure is not just limited to the files themselves. A significant amount of information about a business can be determined simply by knowing a file name. Imagine if your competitors knew you had a file named: Acquisition_of_ACME_-_overlapping_overhead_-_potential_reduction_in_force.ppt Simply knowing the name of that file exposes your organization and a potential opportunity to inordinate risk. Metadata such as file names, file sizes and timestamps contain clues to your business and how you use your data. Rendering your data completely opaque to anyone outside your organization is essential to protect your data from exploits and exposure.

5 Nasuni s security further safeguards your data by disguising details about file names, file sizes and other metadata. This type of data camouflage is referred to as data obfuscation. Nasuni s data obfuscation strategies include: Sub-file chunking and compression disguises the size of each file, and foils attempts by malicious hackers to target large files. Chunking breaks large files into smaller optimally-sized pieces before sending each piece off-premises. This not only disguises the actual sizes of files, but also improves performance. Compression further changes the sizes of even small files, obscuring their true size even more. Fictitious quasi-random file names hide the actual, often revealing, file names. As discussed above, even a file name can reveal valuable information. For this reason, Nasuni generates fictitious, quasi-random file names that are unrelated to the actual file names. This further disguises the identity of the files while they are at rest off-premises. The result is that, even if someone were able to hack into the cloud storage, all they would see would be a huge number of indistinguishable files with long, incomprehensible file names, and no other revealing metadata. Best-of-breed cloud storage datacenters Encryption and data disguise eliminate the risk of exposure of your critical information, but cannot prevent data loss or deletion in off-premises cloud storage. For this, Nasuni relies on best-of-breed cloud storage providers that guarantee service levels and redundancy. Because Nasuni deals with all the major cloud storage providers, we continually monitor them for reliability, performance, available, and accessibility. Furthermore, we have developed proprietary cloud-testing methodologies that we use to determine the viability of any given cloud provider to survive a catastrophic failure or loss, so that your data remains safe in any contingency. The result of Nasuni s testing and work is contained in our State of Cloud Storage Providers report, which details how the major cloud storage companies compare to each other, and how we choose the best to work with. Our cloud storage partners deliver redundant storage that survives even under the most extreme failures. For this reason, Nasuni backs its storage solution with a Service Level Agreement (SLA) that guarantees that your data is 100-percent available, accessible, secure, and immutable. In addition to high levels of availability and redundancy, the best-of-breed cloud storage providers that Nasuni uses for off-premises storage have earned the highest level of industry-wide security certifications and accreditations, such as: PCI DSS (Payment Card Industry Data Security Standard) Level 1 compliance, required for handling credit cardholder personal information. HIPAA compliant applications involving health-related and other personally identifiable information (PII). ISO certification for standardized management of information security. FIPS (Federal Information Processing Standard) Publication standard for non-military government agencies and government contractors.

6 Conclusion Nasuni safeguards your data with industry-leading security technology and practices that include: Military-grade encryption: Nasuni encrypts off-premises data and metadata with unbreakable industry-standard OpenPGP and AES-256 encryption. Only you hold your encryption keys, so only you can read and utilize your data. Complete data camouflage: Concealing off-premises data and metadata from third parties. Best-of-breed cloud storage datacenters: Demonstrating exemplary security technology and procedures with industry-leading certifications and accreditations. Using the Nasuni solution, global organizations can securely leverage the convenient access and unlimited capacity of cloud storage to provide a storage system with centralized control and shared access to data at multiple locations. 1 Lundell, Bill and Kao, Kristine, Research Brief: Remote/Branch Office Trends, Enterprise Strategy Group, September 2011