Bloombase StoreSafe Security Best Practice

Transcription

1 Bloombase StoreSafe Security Best Practice How to Harden Bloombase StoreSafe and Get the Most from Bloombase Next-Generation Data At-Rest Security B E S T P R A C T I C E Bloombase - Next Generation Data Security info@bloombase.com web Copyright 2014 Bloombase, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Bloombase, Spitfire, Keyparc, StoreSafe, and other Bloombase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Bloombase in United States and/or other jurisdictions. All other product and service names mentioned are the trademarks of their respective companies. The information contained herein is subject to change without notice. The only warranties for Bloombase products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Bloombase shall not be liable for technical or editorial errors or omissions contained herein. Item No. BLBS-BP-Bloombase-StoreSafe-Security-Best-Practice-USLET-EN-R6

2 Overview Bloombase StoreSafe provides turnkey, agentless, non-disruptive, application-transparent security of atrest data no matter they are managed at physical data center, virtual data center, or cloud. Unlike traditional encryption tools which aim to work on application level with protection on very fine granularity at the expense of simplicity and performance, Bloombase delivers real-time, high performance, automated encryption and un-encryption of businesssensitive data on storage networking layer. Application-specific data security tools are designed to support proprietary applications on very specific operating platforms. Some of them are even hardwired on very particular editions or versions of an application which make them difficult to extend to other applications. Adding the fact that these tools were built with less of a concern on platform portability, scalability and being future-proof, reason why when it comes to data encryption, customers tend to think it is mission impossible and choose to stay away from it. Bloombase delivers a transformative and unique approach on at-rest data encryption protection that allows customers running any IT infrastructure from application, operating system (OS), storage and datacenter platform, to lock-down their business critical information on storage services with least efforts. More About Bloombase StoreSafe managed in Block-based storage devices File-based network storage services File-systems Sequential mass storage devices Object-based stores Cloud storage Bloombase StoreSafe operates as-if a storage proxy as bump-in-the-wire at the storage path between storage system and host. It presents backend multiprotocol storage targets to hosts as protocolpreserving virtual targets. To backend storage, it works as if it is a host system. Working as a storage proxy, when host applications write data, Bloombase StoreSafe turns plain-text payload contents into cipher-text and stores at backend storage. As host pulls cipher-text data on physical disks of backend storage system, Bloombase StoreSafe un-encrypts the payload and returns the on -demand virtual clear-text to the application. The entire process guarantees no application change, no end user workflow, least impact to the overall IT infrastructure, and wirespeed performance. Bloombase StoreSafe software appliance can be deployed on stand-alone hardware as physical server appliance or on virtual hypervisor as virtual appliance. It can also be deployed as compute instance on the cloud securing off-premise enterprise data enabling low-cost, high availability cloud computing at no expense of data privacy and trust. End result is customers can achieve regulatory compliance and various information confidentiality requirements easily and cost-effectively. Bloombase StoreSafe provides standard-based and security proven encryption protection of at-rest data B E S T P R A C T I C E / 2

3 Cipher Algorithm Bloombase StoreSafe provides a rich set of cipher algorithms to enable customers from around the globe and any market verticals to meet their data encryption needs. Customers are suggested to only choose cipher algorithms that are regarded advanced and secure as recommended by industry leading data security organizations such as NIST and IEEE. A good cipher algorithm of choice is AES which is purpose designed for massive data encryption needs with varying bit lengths 128, 192 and 256 for high speed encryption protection of stored data. IEEE Storage In Security Working Group 1619 standardizes best practices and technologies for organizational customers who need to deal with data protection for long term storage. Encryption Key As a matter of fact, the strength of encryption increases with key sizes. In scenario where an unauthorized entity gets hold of a piece of ciphertext without knowledge of the encryption key ciphering the plain text, the longer the key bit length, the bigger the key search space, and the more combination of bruteforce attacks by exhaustive key search would be needed before the entity can uncover meaningful information. National Security Agency (NSA) recommends the use of AES-256-bit-key for protection of top secret information whereas AES-128-bit-key for information classified secret. For details of Bloombase StoreSafe virtual storage management, please refer to Bloombase StoreSafe Management Console Administration IEEE 1619 mandates the use of XEX-based Tweaked CodeBook mode (TCB) with ciphertext stealing (CTS) XTS-AES for random access type of block storage resources. For details of Bloombase StoreSafe virtual storage management, please refer to Bloombase StoreSafe Management Console Administration B E S T P R A C T I C E / 3

4 Fiber Channel Virtual Storage Security storage volumes over Fiber Channel Protocol (FCP) as virtual storage volumes for transparent storage device encryption. Fiber channel protocol was initially designed to provide networked storage fabric capability as the core storage subsystem in computing infrastructure. The design principle has been as a critical component in a trusted environment. In today s standard, the security elements of FCP can be viewed as relatively basic. The security features serve more for ease of management than to defend from unauthorized access or even attacks. Fiber channel protocol relies on both Logical Unit Number (LUN) masking and zoning methods to logically segregate FC storage resources and provide LUN -based access control to trusted hosts installed with trusted Host Bus Adapters (HBA). Customers are recommended to implement need-toknow and least-privilege principles by provisioning proper zoning and masking of StoreSafe FC virtual storages to trusted hosts only. Customers should also review the configuration by cross-checking with their latest design and implementation play book to ensure full compliance. For details of Bloombase StoreSafe Fiber Channel virtual storage management, please refer to Bloombase StoreSafe Management Console Administration B E S T P R A C T I C E / 4

5 iscsi Virtual Storage Security storage volumes over iscsi as virtual storage volumes for transparent storage device encryption. For details of Bloombase StoreSafe iscsi virtual storage management, please refer to Bloombase StoreSafe Management Console Administration iscsi relies on Challenge Handshake Authentication Protocol (CHAP) for authentication of iscsi clients. The transmission of iscsi data payloads can be secured from network sniffers by use of industry standard Internet Protocol security (IPsec) technology. As a best practice, customers are recommended to choose a strong secret key in form of a passcode for CHAP for Bloombase StoreSafe iscsi virtual storages. The baseline requirement for a secure CHAP secret key should be at least 12 characters long with a combination of upper and lower case letters, numbers and punctuation characters. Customers can also refer to their corporate standard password policy in assignment of CHAP passcode for iscsi type of storage resources in their existing storage infrastructure. Customers are suggested to enable IPsec for StoreSafe iscsi virtual storages to secure transport of iscsi data payload especially in untrusted network environment. IPsec can also be turned on appliance-wide by provisioning embedded IPsec service in Bloombase OS. This ensures all IP-based network storage services be tunneled in IPsec encryption defending network sniffers from capturing plain sensitive data in network channels. Additionally, customers may utilize third party IPsec, SSL or proprietary link encryption hardware to transfer sensitive storage data in cipher-text format. B E S T P R A C T I C E / 5

6 NFS Virtual Storage Security contents of file-system over NFS as virtual storage network shares for transparent storage share and file encryption. NFS was initially designed as an extension of local file -systems to external storage resources. NFS shares can be mounted as if a local file-system for a complete transparent user experience. As NFS was created to for server-side usage, security elements are relatively basic. NFS supports network level access control which governs the set of host addresses be given the permission to access the NFS share. Bloombase StoreSafe tightens the security policy by disallowing access-by-all. Bloombase StoreSafe extends host access control to subnet level allowing flexibility of defining network security policies. Customers are suggested to narrow network access control down to host level as per need-to-know and least-privilege security principles. For deployment over untrusted networks, customers are suggested to utilize IPsec network encryption feature powered by Bloombase OS, or third party network encryption tools to ensure data at-rest NFS services are delivered securely to client hosts. For details of Bloombase StoreSafe NFS virtual storage configurations, please refer to Bloombase StoreSafe Management Console Administration CIFS Virtual Storage Security contents of file-system over CIFS as virtual storage network shares for transparent storage share and file encryption. CIFS was initially created by Microsoft to provide file sharing service over network to Windows end users. In contrast to NFS, the design principle of CIFS has been largely user-centric. Windows-based network sharing service over CIFS protocol allows anonymous/guest access to the contents. As for user identity access control, standard user name and password authentication has been used. Bloombase StoreSafe hardens the CIFS virtual storage services by disallowing guest access. Bloombase StoreSafe also extends access control from userbased to encapsulate as well network host-based. Customers are recommended to assign CIFS virtual storages to host address and users based on need-toknow and least-privilege security best practice. Customers should enforce the use of strong passwords for CIFS authentication by assigning passphrases of at least 8 characters in length with a combination of upper-case and lower-case letters, numbers and punctuations. Customers are recommended to change their passwords periodically to ensure maximum security for user identity management. In case of deployment of Bloombase CIFS virtual storage resources in untrusted network environment, customers are also suggested to enable IPsec function in B E S T P R A C T I C E / 6

7 Bloombase OS or utilize third party network encryption tools to ensure end-to-end privacy on transmission of CIFS data payloads. For details of Bloombase StoreSafe CIFS virtual storage configurations, please refer to Bloombase StoreSafe Management Console Administration REST Virtual Storage Security contents of RESTful type of software-defined storage service endpoints as virtual storage network services for transparent storage object encryption. Bloombase StoreSafe supports a range of RESTful protocols in particular AWS S3, EMC Atmos and ViPR, OpenStack Swift, etc. As RESTful storage services are purpose designed for usage over untrusted network environment, the security model design is relatively advanced and complete. Bloombase StoreSafe extends the model by adding network based access control over host addresses and subnets. Customers are recommended to assign strong shared secret for user authentication. Different REST service has its own requirement on the actual contents of shared secret or password. Customers are advised to consult individual service provider for best practice of picking a strong passphrase as shared secret. Bloombase StoreSafe disallows REST virtual storage services to be delivered over plain-text HTTP. Bloombase StoreSafe mandates REST data payloads to be exchanged only by HTTP over SSL to ensure end-toend network secrecy, trust and integrity. For details of Bloombase StoreSafe RESTful virtual storage configurations, please refer to Bloombase StoreSafe Management Console Administration B E S T P R A C T I C E / 7

8 Additional Bloombase Products and Add-ons Bloombase StoreSafe Bloombase StoreSafe Storage Security Server provides application transparent high-speed encryption protection of storage systems enabling enterprises to meet various information security regulatory compliance requirements easily and cost-effectively. Bloombase StoreSafe integrates seamlessly with Bloombase KeyCastle Key Management Security Server providing on-the-fly at-rest data encryption security for on and off-premises data environments from physical and virtual data centers, through big data, to the cloud, including storage area network (SAN), network attached storage (NAS), direct attached storage (DAS), tape library, virtual tape library (VTL), object store, content addressable storage (CAS), hypervisor data store, RESTful cloud storage service endpoints, etc. Bloombase SOA Bloombase SOA Security Server offers high speed application level cryptographic processing of application data from unstructured to structured XML, further to service oriented webservices and beyond. Bloombase Message Bloombase Message Security Server provides digital signature generation, verification, encryption and decryption for standard based secure messages, fully transparent for both messaging clients and servers. Bloombase Identity Bloombase Identity Manager brings strong authentication to enterprise end user identity management solving identity thefts and impersonation issues by state-of-the-art one-timepassword, PKI and smart card technologies. Support and Professional Services Bloombase offers global Subscription and Support services to all Bloombase customers. For customers that require additional services, Bloombase also offers professional services engagements on best practices and getting started with your Bloombase deployment, both directly and through an extensive network of authorized professionals. How to Buy To purchase Bloombase Servers, use the online Bloombase Partner Locator to find an authorized Bloombase business partner in your area: Learn More To learn more about Bloombase information security solutions, contact your Bloombase product specialist and/or account manager, or visit: Bloombase - Next Generation Data Security info@bloombase.com web Copyright 2014 Bloombase, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Bloombase, Spitfire, Keyparc, StoreSafe, and other Bloombase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Bloombase in United States and/or other jurisdictions. All other product and service names mentioned are the trademarks of their respective companies. The information contained herein is subject to change without notice. The only warranties for Bloombase products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Bloombase shall not be liable for technical or editorial errors or omissions contained herein. Item No. BLBS-BP-Bloombase-StoreSafe-Security-Best-Practice-USLET-EN-R6