Maginatics Security Architecture

What is the Maginatics Cloud Storage Platform?

Enterprise IT organizations are constantly looking for ways to reduce costs and increase operational efficiency. Although cloud storage offers a means to achieve these objectives, many enterprises are still reluctant to fully embrace the cloud because of security concerns. In addition, enterprises are looking for ways to boost productivity by giving their mobile workforce anywhere, any-device access to business-critical data through corporate BYOD (bring your own device) policies. However, rolling out a BYOD strategy raises security and management challenges of its own for the enterprise. First, in the absence of an acceptable IT-approved alternative, workers often select a cloud-based personal file sharing service such as Dropbox, Box or an equivalent. Not only do these services place responsibility for data security in the hands of a third-party entity, they also enable former workers to retain access to proprietary information even after leaving the company.

In short, cloud storage and BYOD promise major benefits to enterprises in the form of decreased costs, increased efficiency and enhanced workforce productivity; but getting to these benefits requires overcoming the friction that exists among the IT security team (tasked with enforcing data security and integrity best practices, even on user-controlled endpoint devices), the infrastructure team and CIO (tasked with cost reduction) and the internal user (tasked with meeting productivity goals that demand efficient access to sensitive data on the go). This friction has never been more pronounced.

The Maginatics Cloud Storage Platform (MCSP) is the only solution in the market today that addresses all aspects of this friction and ensures alignment among all constituencies, enabling enterprises to capture the benefits of both cloud and mobility without sacrificing data security or availability.
Data Protection from End to End

Enterprise security spans multiple components, including:

Physical security: Controlled data center access, surveillance, guards.
Data encryption: At rest and in transit.
Access control: Network policies and systems, identity management policies and systems.
Data integrity: Ensuring data accuracy, consistency and reliability.

The Maginatics security architecture fits this model perfectly, allowing enterprises to seamlessly leverage their existing systems, policies and tools for data protection while augmenting the traditional enterprise environment with features and capabilities that ensure end-to-end security in an era of cloud computing and unfettered mobility. Four pillars support this architecture:

Physical and network security. Unlike any competing solution, MCSP allows IT to persistently store all encryption keys, metadata and user database information exclusively within the confines of the enterprise's own physical data centers.

Fine-grained encryption. Upon entry into the system, every file is broken into many small, variable-sized chunks, each of which is individually encrypted with its own independent AES-256 key. In addition, all data and metadata transfers take place over HTTPS.

Access control native to the enterprise. MCSP integrates natively with existing enterprise identity management systems such as Active Directory, enabling IT administrators to control access to data stored in the cloud with MCSP exactly as they would with data stored in a traditional filer. Connectivity between endpoints and the identity management system is secured using either VPN or a reverse proxy, while cryptographically signed, time-limited tokens ensure that only authorized clients can access data stored in the system. (Note: the reverse proxy option provides a level of security equivalent to VPN without requiring a VPN.)

Data integrity. A robust data verification process protects against malicious clients or network failures (e.g., HTTP proxy errors) causing data corruption. Chunks written to the object store are quarantined prior to being verified, so a misbehaving client cannot affect common data.

What are the components of Maginatics Cloud Storage Platform?

Three foundational components comprise MCSP (see Figure 1).

Figure 1: Key Components of Maginatics Cloud Storage Platform
1. The Maginatics Virtual Filer (MVF)

The point of control for the MCSP is the Maginatics Virtual Filer (MVF), which is deployed as a virtual appliance and hosted where the customer wishes: (1) in its own data center; (2) by a trusted service provider; or (3) in the cloud. The MVF provides, among other things, the control plane for the MCSP. It is responsible for mediating all data operations, as well as for access control (via the customer's existing Active Directory or another identity management system), data integrity, cache consistency and management of de-duplication maps. The MVF does not host data and therefore does not present the dataflow bottleneck seen with legacy technologies. Instead, the Maginatics Virtual Filer hosts metadata (including all encryption keys) and acts as a gatekeeper to the data, which is hosted in the cloud.

2. The MagFS Agent

The MagFS Agent is a native agent that resides on endpoint devices and communicates over the secure control plane with the MVF for permission to execute data operations. The agent then executes these operations by communicating directly with the object store over the secure data plane. Taking full advantage of the power and functionality of modern devices, the MagFS Agent does much of the heavy lifting in the system (in concert with the Maginatics Virtual Filer), including WAN optimization, fine-grained end-to-end encryption, and file segmentation and re-assembly. The use of endpoint agents allows MCSP to deliver security, scalability and control throughout the entire system: in the cloud, on the endpoint devices, and in flight.

3. The Object Store

The Object Store is any public, private or hybrid object store chosen by the customer.
Physical Data Center Protection

The Maginatics security architecture renders data anywhere in the system (in the cloud, on an endpoint device or in transit) completely opaque to anyone who acquires it without the ability to authenticate through the native enterprise identity management system. This is accomplished by persisting the sensitive data elements that could compromise data security exclusively behind the enterprise firewall. That is, regardless of whether data is stored on-premises or in the cloud, the following elements are persistently stored only in the customer's data center (unless the customer chooses to store them elsewhere):

Encryption keys
Metadata (which can be more sensitive than its associated data)
User database

Fine-Grained Encryption

As shown below, MCSP encryption/decryption is performed by the MagFS Agent entirely on the endpoint device, taking full advantage of the power, capabilities and hardware acceleration of modern computing devices. The encryption process is best illustrated with an example: a user who wishes to save a file located on an endpoint device to the cloud. The steps are as follows:

1. File Segmentation

The file is segmented into many small pieces, or chunks, of variable size. Besides enhancing performance by enabling granular inline deduplication and allowing threaded transfers of files between the endpoint and object store, file chunking improves security by forcing an attacker to compromise not just a single key but many keys in order to decrypt a single file. Chunk sizes are determined algorithmically to optimize deduplication efficiency.
Figure 2: MCSP Encryption

2. Encryption

With MCSP, there is no master key whose theft or loss would compromise all data in the system. Instead, each plaintext chunk is individually encrypted with its own independent AES-256 key. This key is applied to the raw chunk using the AES/CBC-256 cipher, generating the encrypted chunk. The one-way cryptographic hash function is then applied again, this time to the encrypted chunk, to generate the chunk reference.

3. Key Management

The unique encryption key for the chunk is sent over HTTPS to the MVF, where it is persistently stored in an integrated key management system. The key is then deleted from memory on the endpoint device.

Figure 3: Recovery Modes

4. Data Storage

Each <chunk-reference, encrypted chunk> tuple represents a <key, value> pair which is stored in the local encrypted cache of the endpoint device to enable deduplication and to enhance performance (if the same key-value pair is already resident in the cache, the new copy is ignored). The chunk-reference is also transmitted, along with other metadata (e.g., the associated file name), over HTTPS to the MVF, which persists the information and uses it to create a chunk map that maps file names to their constituent encrypted chunks. Upon receipt of the chunk-reference, the MVF computes a location in the cloud at which the associated encrypted chunk will be stored and generates a pointer to that location in the form of a cryptographically signed, time-limited URI, which is sent over HTTPS to the MagFS Agent. Communicating over its own secure channel with the object store using the latter's native REST interface, the MagFS Agent transfers the encrypted chunk to the cloud with a simple PUT command. The object store validates the URI by checking the signature and expiration time before storing the encrypted chunk. If the time limit is exceeded, the MagFS Agent must request a new URI from the MVF.

When retrieving files from the object store, the process is essentially reversed:

1. The MagFS Agent requests a file by name. Using its chunk map, the MVF identifies the constituent chunks, retrieves the associated chunk-references, URIs and keys, and sends these elements over HTTPS to the MagFS Agent, where the chunk-references and keys are stored in memory.

2. The MagFS Agent checks its local encrypted cache for any of the chunk-references it has just received and decrypts the encrypted chunks associated with those it finds using the keys provided by the MVF. On cache misses, the MagFS Agent uses the <URI, encryption key> pair to retrieve the missing chunks, decrypts them, reassembles the file (using chunk map data provided by the MVF) and presents the file to the user, ending the operation. All keys are deleted from memory once the application accessing the file closes or the active user session ends.

Access Control

As illustrated below, MCSP enables enterprise IT to control access to data using existing enterprise tools and workflows.

Figure 3: Access Control

The MVF integrates natively with existing enterprise identity management (IDM) systems such as Active Directory, allowing IT administrators to control access to data stored with MCSP exactly as they would with any traditional data center asset. There is no need to configure a new IDM system or to create new user profiles; MCSP leverages existing systems, profiles and workflows.
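The per-chunk encryption of steps 2 to 4 and the reference check on retrieval, as an added example in Go that is not Maginatics code: the paper specifies only AES-256 in CBC mode and "a one-way cryptographic hash function", so the choice of SHA-256 for the chunk reference, the random key and IV generation, the IV-prefixed ciphertext layout and PKCS#7 padding are assumptions.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)
// EncryptedChunk is the <chunk-reference, encrypted chunk> tuple of the Data Storage step; the key travels separately.
type EncryptedChunk struct {
	Ref        string // hex SHA-256 of the ciphertext (hash function is an assumption)
	Ciphertext []byte // IV || AES-256-CBC(chunk); PKCS#7 padding is an assumption
}

// EncryptChunk encrypts one chunk under a fresh, independent AES-256 key and derives the reference from the ciphertext.
func EncryptChunk(plain []byte) (EncryptedChunk, []byte, error) {
	rnd := make([]byte, 32+aes.BlockSize) // random key followed by random IV
	if _, err := rand.Read(rnd); err != nil {
		return EncryptedChunk{}, nil, err
	}
	key, iv := rnd[:32], rnd[32:]
	block, _ := aes.NewCipher(key) // a 32-byte key is always accepted
	pad := aes.BlockSize - len(plain)%aes.BlockSize
	padded := append(append([]byte{}, plain...), bytes.Repeat([]byte{byte(pad)}, pad)...)
	ct := make([]byte, len(padded))
	cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
	ct = append(append([]byte{}, iv...), ct...)
	sum := sha256.Sum256(ct)
	return EncryptedChunk{Ref: hex.EncodeToString(sum[:]), Ciphertext: ct}, key, nil
}

// DecryptChunk recomputes the reference first, so a tampered or mislabelled chunk is rejected before decryption.
func DecryptChunk(c EncryptedChunk, key []byte) ([]byte, error) {
	sum := sha256.Sum256(c.Ciphertext)
	n := len(c.Ciphertext)
	if hex.EncodeToString(sum[:]) != c.Ref || len(key) != 32 || n < 2*aes.BlockSize || n%aes.BlockSize != 0 {
		return nil, errors.New("chunk reference mismatch, bad key length or malformed ciphertext")
	}
	block, _ := aes.NewCipher(key)
	out := make([]byte, n-aes.BlockSize)
	cipher.NewCBCDecrypter(block, c.Ciphertext[:aes.BlockSize]).CryptBlocks(out, c.Ciphertext[aes.BlockSize:])
	pad := int(out[len(out)-1])
	if pad == 0 || pad > aes.BlockSize || !bytes.Equal(out[len(out)-pad:], bytes.Repeat([]byte{byte(pad)}, pad)) {
		return nil, errors.New("bad padding")
	}
	return out[:len(out)-pad], nil
}
```

Because the key is drawn independently for every call, encrypting the same chunk twice yields two different references; the paper does not say how the agent derives keys so that identical chunks deduplicate, and this example does not fill that gap.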
Authentication

Users authenticate against an internal Active Directory server by passing credentials over an HTTPS connection. The MVF validates the user credentials against Active Directory using the Kerberos protocol and retrieves the user's security identifier (SID) and group memberships via LDAP queries to Active Directory. The SID and group membership information is retained to perform access control as described below; user credentials are deleted after authentication.

Access Control

The file system objects in an MCSP deployment are individually protected by access control lists (ACLs) analogous to those used in an NTFS file system. When a file is accessed by a MagFS Agent, the MVF checks the ACL on the file and compares it with the SID and groups in the current user session. Access control can also be enforced at the share level.

MCSP allows enterprise IT to choose VPN or a reverse proxy with custom third-party certificates as the means by which users (MagFS Agents) gain access to the MVF. Either option safeguards the perimeter with deep packet inspection, IP blocking, etc. Regardless of the method chosen, MCSP supports the use of single sign-on systems, as illustrated in the figure above. Additionally, all data transfers (Agent-to-object store and Agent-to-MVF, as well as asynchronous MVF-to-object store communication for encrypted chunk creation, verification and garbage collection) take place over HTTPS. As noted earlier, access control is further enhanced with the use of cryptographically signed, time-limited URIs.
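The signed, time-limited URI exchange between the MVF and the object store, described in the Data Storage step and referred to again here, as an added example in Go that is not Maginatics code: the URI layout, the /chunks/<reference> path, and an HMAC-SHA256 signature over a secret shared between the MVF and the store are assumptions, since the paper says only that the URI is cryptographically signed and expires.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"net/url"
	"strconv"
	"time"
)
// signingInput binds the signature to verb, object path and expiry, so a URI minted for one PUT cannot be replayed elsewhere.
func signingInput(method, path string, expires int64) []byte {
	return []byte(method + "\n" + path + "\n" + strconv.FormatInt(expires, 10))
}

// SignChunkURI is the MVF side: it mints a PUT URI for one chunk that the object
// store accepts only until expires. HMAC over a secret shared with the store is
// an assumption; the paper says only "cryptographically signed".
func SignChunkURI(secret []byte, base, chunkRef string, expires time.Time) string {
	path, exp := "/chunks/"+chunkRef, expires.Unix()
	mac := hmac.New(sha256.New, secret)
	mac.Write(signingInput("PUT", path, exp))
	q := url.Values{"expires": {strconv.FormatInt(exp, 10)}, "sig": {hex.EncodeToString(mac.Sum(nil))}}
	return base + path + "?" + q.Encode()
}

// VerifyChunkURI is the object-store side: expiry is checked before the
// signature, and the comparison is constant-time. now is injected for tests.
func VerifyChunkURI(secret []byte, method, rawURI string, now time.Time) (string, error) {
	u, err := url.Parse(rawURI)
	if err != nil {
		return "", err
	}
	exp, err := strconv.ParseInt(u.Query().Get("expires"), 10, 64)
	if err != nil {
		return "", errors.New("missing or malformed expires")
	}
	if now.Unix() > exp {
		return "", errors.New("URI expired: the agent must request a new one from the MVF")
	}
	mac := hmac.New(sha256.New, secret)
	mac.Write(signingInput(method, u.Path, exp))
	sig, err := hex.DecodeString(u.Query().Get("sig"))
	if err != nil || !hmac.Equal(sig, mac.Sum(nil)) {
		return "", errors.New("bad signature")
	}
	return u.Path, nil
}
```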
Data Integrity

A cardinal requirement for any storage architecture, data integrity is especially challenging in today's distributed enterprise, where untrusted endpoint devices outside the control of central IT must be able to write safely to the system, and do so over the public Internet. MCSP ensures that all data entering the system is stored accurately, reliably and consistently.

In this environment, a misbehaving client may mark a failed write as successful due to a bug that manifests only under certain conditions (e.g., a buggy library), while a misbehaving HTTP proxy may give even a sound client incorrect information about an operation. More ominously, a virus-infected or otherwise malicious client may provide incorrect or simply random hash values (chunk-references) that bear no connection to the uploaded encrypted chunks. Without appropriate protection, any of these conditions may lead to data corruption. MCSP guards against these and all related risks with a robust, out-of-band data verification process. With this mechanism, Maginatics guarantees the reliability and consistency of all data written to the system and ensures that buggy, misbehaving or malicious clients cannot affect data integrity.

Summary

Enterprises have never before stored as much data as they do today, and access has never been so distributed and dispersed. Moving from legacy architectures to more cost-effective software-defined and cloud-backed architectures can help enterprises address these challenges. However, most existing solutions address only some aspects of security, mainly around data encryption. By deploying a cloud storage solution that makes security and data authentication top priorities, enterprises can alleviate the security and data integrity concerns that often inhibit their transition to the cloud.
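The quarantine-then-verify write path that the Data Integrity section and the Data integrity pillar describe, as an added example in Go that is not Maginatics code: the in-memory store, the SHA-256 chunk reference and the method names are assumptions. It shows why a client that lies about a chunk-reference, or a proxy that corrupts an upload, cannot disturb data that has already been verified.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// QuarantineStore models the object-store side of the write path: an upload is
// held under the reference the client claimed, and only an out-of-band check
// that recomputes the reference from the bytes actually received can promote it.
type QuarantineStore struct {
	quarantine map[string][]byte // claimed reference -> uploaded bytes, unverified
	committed  map[string][]byte // verified reference -> bytes visible to all readers
}

func NewQuarantineStore() *QuarantineStore {
	return &QuarantineStore{quarantine: map[string][]byte{}, committed: map[string][]byte{}}
}

// Put accepts the upload exactly as the client labelled it; nothing is trusted yet.
func (s *QuarantineStore) Put(claimedRef string, data []byte) {
	s.quarantine[claimedRef] = append([]byte{}, data...)
}

// Verify is the asynchronous MVF check. A chunk is promoted only if the SHA-256
// of the received bytes (the assumed reference function) equals the claimed
// reference; otherwise the upload is discarded and committed data is untouched.
func (s *QuarantineStore) Verify(claimedRef string) error {
	data, ok := s.quarantine[claimedRef]
	if !ok {
		return errors.New("no quarantined upload for " + claimedRef)
	}
	delete(s.quarantine, claimedRef)
	sum := sha256.Sum256(data)
	if hex.EncodeToString(sum[:]) != claimedRef {
		return errors.New("reference mismatch: upload rejected")
	}
	s.committed[claimedRef] = data // content-addressed: re-verifying an identical chunk is a no-op
	return nil
}

// Get serves verified data only; a quarantined upload is invisible to readers.
func (s *QuarantineStore) Get(ref string) ([]byte, bool) {
	d, ok := s.committed[ref]
	return d, ok
}
```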