Bloombase Spitfire StoreSafe Storage Security Server. Bloombase Technologies




Bloombase Spitfire StoreSafe Storage Security Server; Bloombase Spitfire SOA Security Server; Bloombase Spitfire Message Security Server; Bloombase Keyparc; Bloombase Spitfire KeyCastle Key Management Server; Bloombase Spitfire Edge Security Suite; Bloombase Spitfire Identity Security Server

Overview

Enterprise Data At-Rest At Risk: Sensitive data are stored in clear-text in storage systems with minimal access control, vulnerable to core attacks. Hosts and applications require data access in plain

How StoreSafe Protects Your Data: On-the-fly, non-disruptive, application-transparent encryption and unencryption. Proxy. Bump-in-the-wire.

Why Traditional Methods Are Inadequate:
File encryption utilities (mcrypt, ccrypt, zip): only for static files, not for dynamic files, e.g. database.
Database encryption tools (Oracle crypto package): tremendous 2nd development efforts at database tier; huge performance impact, not for business intelligence.
Crypto tools (openssl, JCE, Microsoft capicom, HSM): very steep learning curve; tremendous 2nd development efforts at application tier; not for business intelligence applications.
Security = High cost + SkillN + Slow + Instability + Insecure

StoreSafe Benefits: Secures operational data in databases; Protect backup/offsite/remote data from electronic and hardware theft; Meet IT governance compliance requirements; Assure digital corporate assets integrity; Protects websites from defacement and assure data integrity; Enforce effective change management; High ROI lawsuits and worst, bankruptcy; Low TCO - One solution for all applications

StoreSafe Benefits: Management; Immediate regulatory compliance; Hardware and software independent; Application transparent; On-the-fly encryption/decryption; No programming required; No application changes; No user behavior changes; OS independent; Hardware independent

Functions and Features

Transparent Encryption and Unencryption: Fully automated data encryption and unencryption for authorized clients. On-premises: SAN, NAS, DAS, CAS, Object Store, etc. Cloud: RESTful.

Features: StoreSafe virtualizes physical storage systems; Virtual storage sub-system created providing trusted/decrypted/verified replica of physical storage; Supports SAN, DAS, NAS, CAS and cloud storage; Data protection; Access control; Privacy; Integrity

Features: Level of protection: Disk / Block, File, Object; Hardware and software independent; Application transparent; On-the-fly encryption/decryption/watermark verification

Features: No programming required; No application changes; No user behavior changes; File-system independent (works with all file-system types supported by the OS); Extensive OS support; Application independent (works with virtually all applications)

Features: Plug-in architecture for future cipher upgrades; Web-based management console; NIST FIPS 140-2 validated cryptographic module; PKCS#11 hardware security module support; Chinese National OSCCA crypto module support

Industry Proven Security: Industry standard cipher algorithm support; Regional and special cipher support; IEEE 1619 compliant; OASIS KMIP support; NIST FIPS 140-2 validated

Security Accreditations:
Security: NIST FIPS 140-2 validated (NIST Certificate #1241).
Algorithms: NIST FIPS-197 AES encryption and decryption (NIST Certificate #1041); RSA and DSA public key cryptography (NIST Certificate #496); SHA hash generation (NIST Certificate #991); Hash Message Authentication Code HMAC (NIST Certificate #583); Random Number Generator (NIST Certificate #591).

Security Accreditations:
Algorithms: NIST FIPS-46-3 3DES encryption and decryption; NTT/Mitsubishi Electric Camellia encryption/decryption; DES, RC4, RC2, CAST5 encryption and decryption; 512, 1024 and 2048 bit public key cryptography; MD5 hash generation.
Standards: IEEE 1619 storage in security.

Unified Storage Support: Block storage based, file based, object based; FCP, FCoE, iSCSI; NFS, CIFS; HTTP, WebDAV; RESTful cloud

Unified Storage Support: Fiber Channel Protocol (FCP); Small Computer System Interface (SCSI); Internet SCSI (iSCSI); Network File System (NFS); Common Internet File System (CIFS); File Transfer Protocol (FTP); Hyper Text Transfer Protocol (HTTP); Representational State Transfer (REST)

Storage System Support: Storage Area Network (SAN); Network Attached Storage (NAS); Direct Attached Storage (DAS); Just a Bunch Of Disk (JBOD); SCSI-based local disk arrays; Content Addressable Storage (CAS); Cloud storage; Object storage, etc

Proprietary Object and Cloud Storage Support: EMC Atmos; EMC Centera; Microsoft Windows Azure; Amazon Elastic Block Store (EBS); IBM Cloud; Caringo CAStor / Dell DX Object Storage, etc

File System Support: File system independent; Raw / Uncooked; Solaris UFS; Symantec Veritas VxFS; IBM JFS; HPFS; Red Hat GFS; XFS; Linux Ext3; Windows NTFS, FAT32 and FAT; CDFS, etc

Database Support: Supports all database systems; Oracle; IBM DB2; IBM Informix; Sybase; Microsoft SQL Server; MySQL; Hadoop, etc

Application Support: Native Java client library; Native C client library; Java RMI connectivity; Web Services connectivity; Socket connectivity, etc

Appliance Platform Support: Hardware architecture: Intel x86-based, Intel Itanium-2, AMD64 based, IBM PowerPC based. Appliance operating platform: Bloombase SpitfireOS.

Operating Platform Support: IBM AIX; IBM z/OS; IBM i5/OS; HP-UX; Oracle Sun Solaris; Linux; Windows; Mac OS X, etc

Virtual Platform Support: VMware ESX, ESXi, Server; Red Hat KVM; Citrix XenServer; Oracle VirtualBox; Microsoft Hyper-V; IBM PowerVM, etc

Compute Cloud Platform Support: EMC Atmos; Windows Azure; Amazon Elastic Compute Cloud (EC2), etc

Key Management: Stored separately from encrypted information; Key vault protected by AES-256 strong encryption; Supports 3rd party PKCS#11 HSMs and KMIP-compliant key managers

Host Security and Access Control: User-based authentication: LDAP, MSAD, Kerberos, CHAP. Host-based authentication: network address, LUN mask.

High Availability: Spitfire High Availability Module to provide: automated failover of nodes or load-balancing; cluster monitoring; cluster management; configuration synchronization. Spitfire Quorum Server to strengthen robustness of Spitfire cluster and avoid potential split-brain scenario.

Management: Web-based and CLI management consoles; Privilege-based administrator access control; Separation of duties (SoD); Recovery quorum; Operator smart tokens

Network Management: SNMP (v1, v2, v3); Email; Syslog; Windows Event Monitor; Audit trail; Log viewer and export; Dashboard

Audit Trail and Logging: Customizable system log; Full storage access audit trail; Web-based management console accessible; Log export and digital signing

2005-02-20 20:23:47,798 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,801 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,804 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,807 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,810 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,812 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,815 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,875 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:24:56,751 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/, from : /192.168.1.30, by : demo1
2005-02-20 20:24:58,263 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:28:32,729 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:30:20,340 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/, from : /192.168.1.30, by : demo1
2005-02-20 20:30:21,621 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:30:38,467 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:30:57,152 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/movie_0001.wmv, from : /192.168.1.30, by : demo1
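The audit lines above, parsed and grouped into access sessions, as an added example that is not Bloombase code. The field layout is inferred from the sample lines only; the function names and the one-second session gap are assumptions.

```python
import re
from datetime import datetime, timedelta

# Excerpt of the audit lines on the slide, plus one constructed malformed line.
SAMPLE = r"""
2005-02-20 20:23:47,798 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,801 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,875 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:24:58,263 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:28:32,729 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/movie_0001.wmv, from : /192.168.1.30, by : demo1
this line is constructed and does not match the audit format
"""

# Greedy path group: a comma inside a file name does not cut the path short.
LINE = re.compile(
    r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d,\d{3}) \w+ audit\.storesafe - "
    r"(?P<action>\w+) file : (?P<path>.+), from : /(?P<src>[^,\s]+), "
    r"by : (?P<user>\S+)$")

def parse(text):
    """Return (events, rejected_lines); events are dicts sorted by time."""
    events, rejected = [], []
    for raw in filter(None, (l.strip() for l in text.splitlines())):
        m = LINE.match(raw)
        if not m:
            rejected.append(raw)  # keep unparsed lines for review, never drop silently
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%d %H:%M:%S,%f")
        e["path"] = e["path"].replace("\\", "/")  # reads log '\', opens log '/'
        events.append(e)
    return sorted(events, key=lambda e: e["ts"]), rejected

def sessions(events, gap=timedelta(seconds=1)):
    """Collapse repeated lines for one user/host/action/file into sessions.
    In the sample, one read of a file appears as several 'read' lines only
    milliseconds apart, so raw line counts overstate the number of accesses."""
    out, last = [], {}
    for e in events:
        key = (e["user"], e["src"], e["action"], e["path"])
        s = last.get(key)
        if s and e["ts"] - s["end"] <= gap:
            s["end"], s["lines"] = e["ts"], s["lines"] + 1
        else:
            s = {"key": key, "start": e["ts"], "end": e["ts"], "lines": 1}
            last[key] = s
            out.append(s)
    return out

if __name__ == "__main__":
    evts, bad = parse(SAMPLE)
    for s in sessions(evts):
        print(s["start"], *s["key"], f"lines={s['lines']}")
    print("rejected:", bad)
```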

Product Editions: StoreSafe appliance with built-in SpitfireOS; StoreSafe QEMU OVF-compliant virtual appliance; StoreSafe for Windows; StoreSafe for Linux; StoreSafe for IBM AIX; StoreSafe for HP-UX; StoreSafe for Solaris

Specifications: Maximum number of CIFS servers/shares: no definite limit; Maximum number of NFS servers/shares: no definite limit; Maximum number of iSCSI targets: no definite limit; Maximum number of SAN LUNs: no definite limit; Maximum number of RESTful service endpoints: no definite limit

Technology In Depth

Inside StoreSafe: Application, server and storage transparent; Automated encryption; Turnkey and immediate regulatory compliance; Scale-up and scale-out; Cost-effective; High availability ready for mission critical applications

Storage Cryptography Transparency: Extract payload from storage commands (SCSI, NFS, REST, etc); Encrypt/decrypt/verify storage contents on-the-fly and recompose crypto-processed commands

Why Now Not Earlier? Advancement in solid state and network technologies; Network speed far excels storage speed; Multi-core processors; Multi-processor systems; High-performance computing systems

Ready For Giga/Tera/Petabyte Data? Storage network access protocols: block based rather than file based; random access rather than sequential. On-demand encryption/decryption. Not giga/tera/peta-byte but kilo/byte!!!

Modular Pluggable Cipher Architecture: Pluggable cipher architecture for future cipher upgrade; User-customized cipher support; Out of the box ciphers - AES, 3DES, DES, Twofish, Blowfish, RC2, RC4, RC5, RC6, Camellia, SEED, ARIA, etc

Adaptive Block-based Encryption: Random accessible; On-demand block-based data encryption/decryption; User-defined block size for I/O optimization; Enterprise applications access storage block-by-block to reduce I/O overheads and latency; Some applications (e.g. Oracle) allow user to configure data unit size to boost application performance; User customizable unit of encryption size

Round Trip Reduction: Encryption block size smaller than application unit of access; I/O round trips; Cipher re-initialization

Payload Reduction: Encryption block size larger than application unit of access; Encrypt and un-encrypt more than needed
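The block-size trade-off in the three slides above (Adaptive Block-based Encryption, Round Trip Reduction, Payload Reduction), worked through as an added example that is not Bloombase code. The cost model, the function names and the 8 KiB application unit are assumptions for illustration.

```python
def io_cost(offset, length, enc_block, write=False):
    """Cost of one application I/O passing through block-based encryption.

    Model assumptions (not from the slides): every encryption block is an
    independent cipher unit, so touching one byte means processing the whole
    block, and a write that covers only part of a block must first read and
    decrypt that block (read-modify-write).
    """
    first = offset // enc_block
    last = (offset + length - 1) // enc_block
    blocks = last - first + 1
    rmw = 0
    if write:
        head = offset % enc_block != 0             # first block partly kept
        tail = (offset + length) % enc_block != 0  # last block partly kept
        rmw = int(head or tail) if blocks == 1 else int(head) + int(tail)
    processed = blocks * enc_block
    return {"cipher_ops": blocks, "bytes_processed": processed,
            "amplification": processed / length, "rmw_blocks": rmw}


def compare(app_unit, enc_blocks, unit_index=3):
    """Cost of writing one aligned application unit for each candidate size."""
    offset = unit_index * app_unit
    return {b: io_cost(offset, app_unit, b, write=True) for b in enc_blocks}


if __name__ == "__main__":
    # 8 KiB application unit is an assumed value for illustration.
    for size, cost in compare(8192, [512, 4096, 8192, 65536]).items():
        print(f"{size:>6} B block: {cost}")
```

In this model a 512-byte encryption block costs 16 cipher operations per 8 KiB unit, a 64 KiB block processes eight times the requested data and forces a read-modify-write, and matching the two sizes gives one operation with no extra payload.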

Use Cases

Share/File-based Encryption: StoreSafe appliance with network interface cards (NIC); Transparent file encryption for NFS, CIFS, WebDAV, FTP, etc; Protocol conversion

iSCSI Block-based Encryption: StoreSafe appliance with iSCSI host-bus adapters (HBA), converged network adapters (CNA) or simply NIC; Transparent block storage encryption for iSCSI targets; StoreSafe virtual storage presented as iSCSI targets

Fiber Channel SAN Block-based Encryption: StoreSafe appliance with fiber channel (FC) host-bus adapters (HBA); Transparent block storage encryption for LUNs of SAN targets; StoreSafe virtual storage presented as FC targets

Object-based Encryption: StoreSafe appliance with network interface cards (NIC); Transparent object encryption for RESTful object store, cloud storage and content addressable storage (CAS); Protocol proprietary object store including EMC Atmos, Dell DX, etc

Product Roadmap

StoreSafe Product Roadmap

Questions? Comments?

Conclusion: Protect Your Corporate Data: Protect your customers; Corporate governance. Implement: Data Protection; Access Control; Digital Asset Encryption.

Your Action Items: Review your corporate perimeter security measures; Identify your enterprise data; Classify your enterprise data into levels of security; Devise an encryption strategy based on the classification; Evaluate impact to users and applications; Implement hassle-free transparent protection to your corporate storage and message systems