Bloombase StoreSafe Security Best Practice




Bloombase StoreSafe Security Best Practice
How to Harden Bloombase StoreSafe and Get the Most from Bloombase Next-Generation Data At-Rest Security

BEST PRACTICE

Bloombase - Next Generation Data Security
email info@bloombase.com
web http://www.bloombase.com

Copyright 2014 Bloombase, Inc. All rights reserved. This product is protected by U.S. and international copyright and intellectual property laws. Bloombase, Spitfire, Keyparc, StoreSafe, and other Bloombase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Bloombase in the United States and/or other jurisdictions. All other product and service names mentioned are the trademarks of their respective companies. The information contained herein is subject to change without notice. The only warranties for Bloombase products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Bloombase shall not be liable for technical or editorial errors or omissions contained herein.

Item No. BLBS-BP-Bloombase-StoreSafe-Security-Best-Practice-USLET-EN-R6

Overview

Bloombase StoreSafe provides turnkey, agentless, non-disruptive, application-transparent security for at-rest data, whether it is managed in a physical data center, a virtual data center, or the cloud. Unlike traditional encryption tools that work at the application level, protecting data at very fine granularity at the expense of simplicity and performance, Bloombase delivers real-time, high-performance, automated encryption and decryption of business-sensitive data at the storage networking layer.

Application-specific data security tools are designed to support proprietary applications on very specific operating platforms. Some are even hardwired to particular editions or versions of an application, which makes them difficult to extend to other applications. Because these tools were also built with little concern for platform portability, scalability and future-proofing, customers tend to regard data encryption as mission impossible and choose to stay away from it.

Bloombase delivers a transformative and unique approach to at-rest data encryption that allows customers running any IT infrastructure, from application, operating system (OS) and storage to data center platform, to lock down their business-critical information on storage services with the least effort.

More About Bloombase StoreSafe

Bloombase StoreSafe secures at-rest data managed in:
- Block-based storage devices
- File-based network storage services
- File-systems
- Sequential mass storage devices
- Object-based stores
- Cloud storage

Bloombase StoreSafe operates as a storage proxy, a bump-in-the-wire on the storage path between the storage system and the host. It presents backend multiprotocol storage targets to hosts as protocol-preserving virtual targets; to the backend storage it appears to be a host system. Working as a storage proxy, when host applications write data, Bloombase StoreSafe turns the plain-text payload into cipher-text and stores it on the backend storage. When a host reads cipher-text from the physical disks of the backend storage system, Bloombase StoreSafe decrypts the payload and returns the on-demand virtual clear-text to the application. The entire process guarantees no application change, no change to the end-user workflow, the least impact on the overall IT infrastructure, and wire-speed performance.

The Bloombase StoreSafe software appliance can be deployed on stand-alone hardware as a physical server appliance or on a hypervisor as a virtual appliance. It can also be deployed as a compute instance in the cloud, securing off-premises enterprise data and enabling low-cost, high-availability cloud computing at no expense of data privacy and trust. The end result is that customers can achieve regulatory compliance and various information confidentiality requirements easily and cost-effectively.

Bloombase StoreSafe provides standards-based and security-proven encryption protection of at-rest data.

Cipher Algorithm

Bloombase StoreSafe provides a rich set of cipher algorithms to enable customers from around the globe and in any market vertical to meet their data encryption needs. Customers are advised to choose only cipher algorithms that are regarded as advanced and secure, as recommended by industry-leading data security organizations such as NIST and IEEE. A good choice is AES, which is purpose-designed for bulk data encryption with key lengths of 128, 192 and 256 bits, for high-speed encryption protection of stored data. IEEE 1619 (the Security in Storage Working Group) standardizes best practices and technologies for organizational customers who need to protect data in long-term storage.

IEEE 1619 mandates the use of XEX-based tweaked-codebook (TCB) mode with ciphertext stealing (CTS), XTS-AES, for random-access block storage resources.

Encryption Key

The strength of encryption increases with key size. Where an unauthorized entity gets hold of a piece of ciphertext without knowledge of the key that enciphered it, the longer the key, the larger the key search space, and the more combinations a brute-force, exhaustive key search must try before the entity can uncover meaningful information. The National Security Agency (NSA) recommends AES with a 256-bit key for protection of top secret information and AES with a 128-bit key for information classified secret.

For details of Bloombase StoreSafe virtual storage management, please refer to Bloombase StoreSafe Management Console Administration.

Fibre Channel Virtual Storage Security

Bloombase StoreSafe presents storage volumes over Fibre Channel Protocol (FCP) as virtual storage volumes for transparent storage device encryption.

Fibre Channel Protocol was initially designed to provide a networked storage fabric as the core storage subsystem of a computing infrastructure. Its design principle has been that of a critical component in a trusted environment. By today's standards, the security elements of FCP can be viewed as relatively basic: the security features serve more for ease of management than to defend against unauthorized access or attacks. Fibre Channel relies on Logical Unit Number (LUN) masking and zoning to logically segregate FC storage resources and provide LUN-based access control to trusted hosts fitted with trusted Host Bus Adapters (HBAs).

Customers are recommended to implement need-to-know and least-privilege principles by provisioning proper zoning and masking so that StoreSafe FC virtual storages are exposed to trusted hosts only. Customers should also review the configuration by cross-checking it against their latest design and implementation playbook to ensure full compliance.

For details of Bloombase StoreSafe Fibre Channel virtual storage management, please refer to Bloombase StoreSafe Management Console Administration.

iSCSI Virtual Storage Security

Bloombase StoreSafe presents storage volumes over iSCSI as virtual storage volumes for transparent storage device encryption.

iSCSI relies on the Challenge Handshake Authentication Protocol (CHAP) for authentication of iSCSI clients. The transmission of iSCSI data payloads can be secured from network sniffers by use of industry-standard Internet Protocol security (IPsec).

As a best practice, customers are recommended to choose a strong secret, in the form of a passcode, for CHAP on Bloombase StoreSafe iSCSI virtual storages. The baseline requirement for a secure CHAP secret is at least 12 characters with a combination of upper- and lower-case letters, numbers and punctuation characters. Customers can also refer to their corporate password policy when assigning CHAP passcodes for iSCSI storage resources in their existing storage infrastructure.

Customers are advised to enable IPsec for StoreSafe iSCSI virtual storages to secure the transport of iSCSI data payloads, especially in untrusted network environments. IPsec can also be turned on appliance-wide by provisioning the embedded IPsec service in Bloombase OS; this tunnels all IP-based network storage services in IPsec encryption, preventing network sniffers from capturing sensitive data in the clear on network channels. Additionally, customers may utilize third-party IPsec, SSL or proprietary link encryption hardware to carry sensitive storage data in cipher-text form.

For details of Bloombase StoreSafe iSCSI virtual storage management, please refer to Bloombase StoreSafe Management Console Administration.

NFS Virtual Storage Security

Bloombase StoreSafe presents the contents of file-systems over NFS as virtual storage network shares for transparent storage share and file encryption.

NFS was initially designed as an extension of local file-systems to external storage resources. NFS shares can be mounted as if they were a local file-system, for a completely transparent user experience. As NFS was created for server-side usage, its security elements are relatively basic. NFS supports network-level access control, which governs the set of host addresses given permission to access a share. Bloombase StoreSafe tightens the security policy by disallowing access-by-all, and extends host access control to subnet level, allowing flexibility in defining network security policies. Customers are advised to narrow network access control down to host level, as per the need-to-know and least-privilege security principles.

For deployment over untrusted networks, customers are advised to utilize the IPsec network encryption feature of Bloombase OS, or third-party network encryption tools, to ensure that at-rest NFS services are delivered securely to client hosts.

For details of Bloombase StoreSafe NFS virtual storage configuration, please refer to Bloombase StoreSafe Management Console Administration.

CIFS Virtual Storage Security

Bloombase StoreSafe presents the contents of file-systems over CIFS as virtual storage network shares for transparent storage share and file encryption.

CIFS was initially created by Microsoft to provide a file sharing service over the network to Windows end users. In contrast to NFS, the design principle of CIFS has been largely user-centric. Windows-based network sharing over the CIFS protocol allows anonymous/guest access to contents; for user identity access control, standard user name and password authentication is used. Bloombase StoreSafe hardens CIFS virtual storage services by disallowing guest access, and extends access control from user-based to encompass network host-based control as well. Customers are recommended to assign CIFS virtual storages to host addresses and users according to the need-to-know and least-privilege security best practice.

Customers should enforce the use of strong passwords for CIFS authentication by assigning passphrases of at least 8 characters with a combination of upper-case and lower-case letters, numbers and punctuation. Customers are recommended to change their passwords periodically to ensure maximum security of user identity management.

Where Bloombase CIFS virtual storage resources are deployed in an untrusted network environment, customers are also advised to enable the IPsec function in Bloombase OS or utilize third-party network encryption tools to ensure end-to-end privacy of CIFS data payloads in transit.

For details of Bloombase StoreSafe CIFS virtual storage configuration, please refer to Bloombase StoreSafe Management Console Administration.

REST Virtual Storage Security

Bloombase StoreSafe presents the contents of RESTful software-defined storage service endpoints as virtual storage network services for transparent storage object encryption. Bloombase StoreSafe supports a range of RESTful protocols, in particular AWS S3, EMC Atmos and ViPR, OpenStack Swift, etc.

As RESTful storage services are purpose-designed for use over untrusted networks, their security model is relatively advanced and complete. Bloombase StoreSafe extends the model by adding network-based access control over host addresses and subnets.

Customers are recommended to assign a strong shared secret for user authentication. Each REST service has its own requirements on the actual contents of the shared secret or password; customers are advised to consult the individual service provider for best practice in picking a strong passphrase as the shared secret.

Bloombase StoreSafe disallows REST virtual storage services from being delivered over plain-text HTTP. It mandates that REST data payloads be exchanged only by HTTP over SSL to ensure end-to-end network secrecy, trust and integrity.

For details of Bloombase StoreSafe RESTful virtual storage configuration, please refer to Bloombase StoreSafe Management Console Administration.
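Added example, not code from the Bloombase guide or product: a small Go audit helper that applies two of the hardening rules above to a configuration before it is committed, the shared-secret baseline for iSCSI CHAP (at least 12 characters) and CIFS passphrases (at least 8), each mixing upper- and lower-case letters, digits and punctuation, and the NFS/CIFS host access-control rule of narrowing from access-by-all and subnet level down to single hosts. The sample secrets and addresses are constructed, and the access-list entries are assumed to be written as "*", bare IPs or CIDR prefixes; the product's own configuration format is not shown on the page.

```go
package main

import (
	"fmt"
	"net"
	"strings"
	"unicode"
)

// Minimum secret lengths the guide gives; both profiles also require upper- and
// lower-case letters, digits and punctuation.
const (
	CHAPMinLength = 12 // iSCSI CHAP secret
	CIFSMinLength = 8  // CIFS passphrase
)

// CheckSecret returns every policy rule the candidate violates (empty = compliant).
func CheckSecret(secret string, minLength int) []string {
	var out []string
	if n := len([]rune(secret)); n < minLength {
		out = append(out, fmt.Sprintf("only %d of %d required characters", n, minLength))
	}
	names := []string{"upper-case letter", "lower-case letter", "digit", "punctuation"}
	tests := []func(rune) bool{unicode.IsUpper, unicode.IsLower, unicode.IsDigit,
		func(r rune) bool { return unicode.IsPunct(r) || unicode.IsSymbol(r) }}
	for i, has := range tests {
		if strings.IndexFunc(secret, has) < 0 {
			out = append(out, "missing "+names[i])
		}
	}
	return out
}

// AuditHostACL classifies the host access entries of an NFS or CIFS virtual storage,
// assumed here to be written as "*", bare IPs or CIDR prefixes. Anything wider than
// a single host is reported so the list can be narrowed per least privilege.
func AuditHostACL(entries []string) map[string]string {
	verdict := make(map[string]string)
	for _, e := range entries {
		var ones, bits int
		if e == "*" { // wildcard = access-by-all
			ones, bits = 0, 32
		} else if net.ParseIP(e) != nil { // bare address = one host
			ones, bits = 32, 32
		} else if _, n, err := net.ParseCIDR(e); err == nil {
			ones, bits = n.Mask.Size()
		} else {
			verdict[e] = "unparseable, review manually"
			continue
		}
		switch {
		case ones == 0:
			verdict[e] = "access-by-all, remove"
		case ones < bits:
			verdict[e] = fmt.Sprintf("subnet-level (/%d), narrow to single hosts", ones)
		default:
			verdict[e] = "host-level, ok"
		}
	}
	return verdict
}

func main() {
	// Constructed sample inputs, not real secrets or addresses.
	fmt.Println("CHAP:", CheckSecret("chapsecret12", CHAPMinLength))
	fmt.Println("CIFS:", CheckSecret("Ab1!xyzQ", CIFSMinLength))
	fmt.Println(AuditHostACL([]string{"10.0.5.21", "10.0.5.0/24", "0.0.0.0/0", "*"}))
}
```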

Additional Bloombase Products and Add-ons

Bloombase StoreSafe
Bloombase StoreSafe Storage Security Server provides application-transparent, high-speed encryption protection of storage systems, enabling enterprises to meet various information security regulatory compliance requirements easily and cost-effectively. Bloombase StoreSafe integrates seamlessly with Bloombase KeyCastle Key Management Security Server, providing on-the-fly at-rest data encryption security for on- and off-premises data environments from physical and virtual data centers, through big data, to the cloud, including storage area network (SAN), network attached storage (NAS), direct attached storage (DAS), tape library, virtual tape library (VTL), object store, content addressable storage (CAS), hypervisor data store, RESTful cloud storage service endpoints, etc.

Bloombase SOA
Bloombase SOA Security Server offers high-speed application-level cryptographic processing of application data, from unstructured data to structured XML, on to service-oriented web services and beyond.

Bloombase Message
Bloombase Message Security Server provides digital signature generation, verification, encryption and decryption for standards-based secure email messages, fully transparent to both messaging clients and servers.

Bloombase Identity
Bloombase Identity Manager brings strong authentication to enterprise end-user identity management, addressing identity theft and impersonation with state-of-the-art one-time-password, PKI and smart card technologies.

Support and Professional Services
Bloombase offers global Subscription and Support services to all Bloombase customers. For customers that require additional services, Bloombase also offers professional services engagements on best practices and getting started with your Bloombase deployment, both directly and through an extensive network of authorized professionals.

How to Buy
To purchase Bloombase Servers, use the online Bloombase Partner Locator to find an authorized Bloombase business partner in your area: www.bloombase.com/go/how_to_buy

Learn More
To learn more about Bloombase information security solutions, contact your Bloombase product specialist and/or account manager, or visit: www.bloombase.com