365 Cloud Storage Security Brief




Overview
Surveys reveal time and again that security and data protection concerns are the top barriers to Cloud adoption. At, we take these concerns seriously and have made security an integral part of our storage offering. Our storage-as-a-service (STaaS) offering is based on Zadara's Virtual Private Storage Array (VPSA) technology. 365 Cloud Storage provides physical security, access control, data privacy and data encryption to ensure security and data privacy. With multiple layers of security, our customers can enjoy full, end-to-end data privacy and protection from our physical storage infrastructure all the way to customers' physical or virtual servers.

Physical security: 365 Cloud Storage is physically located in HIPAA and SSAE 16 compliant data centers.

Access control: Private network access is provided via dedicated cross connects, metro Ethernet or metro fiber connectivity. Additionally, the VPSA GUI and RESTful API use HTTPS with 256-bit SSL-encrypted communication and a secure identity management system.

Data privacy: The VPSA architecture provides complete data privacy for end users by granting dedicated compute resources (RAM and CPU vCores) and dedicated networking resources (NIC VFs) to partition IO stack data handling per user, as well as dedicated physical drives. The VPSA also requires the use of the Challenge-Handshake Authentication Protocol (CHAP) over iSCSI to authenticate a Cloud Server to a VPSA. CHAP requires that both the Cloud Server and the VPSA know a shared CHAP Secret. This secret is never sent on the wire.

Data encryption: 365 Cloud Storage supports 128-bit encryption of Data-at-Rest (DAR) and Data-in-Flight (DIF).

Physical Security
365 Cloud Storage is physically located in all of 365's seventeen U.S. data centers. Our data centers feature, at minimum, the following important physical security attributes:
- 24x7 surveillance
- Redundant power feeds and generators
- Robust fire suppression
- Carefully monitored climate control (to protect the servers that store customer data)
- HIPAA and SSAE 16 compliance

Access Control
Private Access
Customers access 365 Cloud Storage securely via a cross connect from their colocation cabinet or a dedicated fiber or Ethernet Private Line into our data center. Cross connect options include Single Mode Fiber (1 Gbps or 10 Gbps) or Ethernet Copper (1 Gbps). Network connectivity options include Metro Fiber or Metro Ethernet (requires sub-4 ms round-trip latency).

Secure Communication
The 365 Cloud Console and VPSA expose RESTful API calls via the HTTPS protocol. This requires 256-bit SSL-encrypted communication and securely identifies the web server with which the client is communicating. The VPSA GUI client also communicates with the VPSA web server RESTful API via HTTPS to ensure the same level of security.

Identity Management
Each end user creates an account within the 365 Cloud Console. The user's Cloud Console Password is not stored as plain text in the Cloud Console DB. Instead, a cryptographic hash value (using a one-way SHA-1 hash function) is stored for subsequent Cloud Console login authentication.

When a user creates the first VPSA at, a corresponding tenant is created within the Cloud Storage Identity Management Server (which is based on OpenStack Keystone). The Cloud Console generates a random 128-bit Tenant Password for that tenant and provides the password, in encrypted form, to the Identity Management Server. Thereafter, the Tenant Password is used by the Cloud Console and the VPSA for retrieving a Keystone API Token and establishing session-based communication for managing the objects (i.e., VPSAs) belonging to that tenant.

For accessing the VPSA (via API or GUI), the Cloud Console provides (via email) an initial 5-character temporary access code. This code can be used only once. The user is requested to enter a strong VPSA User Password to replace the 5-character temporary access code. The 365 Cloud Console Password and VPSA User Password can be different; this enables support for different permission levels (roles) within an organization. In the event a user forgets the VPSA password, an email will be sent to the user with a new temporary 5-digit access code. The existing VPSA User Password will protect access to the VPSA until the new access code is used.

A cryptographic hash value (using a one-way SHA-1 hash function) of the VPSA User Password is stored in the VPSA database for subsequent VPSA login authentication. 365 Cloud Storage employs a session-based authentication mechanism to identify the user behind every HTTP request to a VPSA. The client initiates a session by logging in with the VPSA User Password. Upon successful authentication, a Secret API Token is sent back to the client application; it accompanies all subsequent REST API communication with the VPSA to identify the authenticated user and validate the session. A user can generate a new Secret API Token at any time, thus invalidating the previous token and any sessions using it.

Data Privacy
VPSA Architecture
The VPSA architecture provides the basic building blocks for granting complete data privacy to cloud storage users:
- Each VPSA Virtual Controller is granted dedicated compute resources (RAM and CPU vCores) and dedicated networking resources (NIC VFs) to partition IO stack data handling per user.
- Physical drives are the basic storage allocation unit. As a result, only a single VPSA, and hence a single user, has access to any given physical drive.
- Physical drives are exposed as iSCSI LUNs to the VPSA Virtual Controllers via a separate back-end network, which is not accessible from outside the Zadara Storage Cloud. IQN-based SCSI LUN Masking is used to ensure that physical disk drives are exposed only to the authorized VPSA.

- Each user can look up the physical location (by Storage Node Number) of the drives assigned to that user.
- VPSA Virtual Volumes are presented as iSCSI LUNs and are attached to selected Cloud Servers. Again, SCSI LUN Masking is used to prevent access to those Virtual Volumes from other Cloud Servers.

CHAP
The VPSA requires the use of the Challenge-Handshake Authentication Protocol (CHAP) over iSCSI to authenticate a Cloud Server to a VPSA. CHAP requires that both the Cloud Server and the VPSA know a shared CHAP Secret. This secret is never sent on the wire.

Each VPSA maintains its own CHAP credentials. When a VPSA is created, it auto-generates a CHAP Username (corresponding to the VPSA name) and a random 12-character CHAP Secret. A VPSA user can modify both the CHAP Username and the CHAP Secret at any time. Existing iSCSI connections remain valid, but the new credentials are required for establishing new connections. A VPSA user must enter these values at the Cloud Server (iSCSI Initiator) side to be able to establish an iSCSI connection with the VPSA.

The VPSA uses a 128-bit Secret Key to encrypt the CHAP Secret, using the Advanced Encryption Standard (AES), before storing the CHAP Secret on disk. The Secret Key itself is stored in a separate location in the Zadara Storage Cloud. The VPSA retrieves the Secret Key from the Zadara Storage Cloud at runtime, decrypts the CHAP Secret and holds it in kernel space only. This means that core-dumping the user-mode process of the VPSA will not reveal the decrypted CHAP Secret.
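The CHAP round described above, as an added example that is not part of the original brief or of Zadara's code: the VPSA (iSCSI target) sends an identifier and a random challenge, the Cloud Server (initiator) answers with MD5 over identifier, secret and challenge as RFC 1994 specifies, and the VPSA checks the answer against its own copy of the secret. The CHAP Username and Secret are constructed sample values; rotating the secret on the target shows why new connections need the new credentials while the secret itself never crosses the wire.

```go
package main

import (
	"crypto/md5"
	"crypto/rand"
	"crypto/subtle"
	"fmt"
)

// chapResponse is the CHAP (RFC 1994) computation iSCSI login uses for CHAP_R:
// MD5 over the one-byte identifier, the shared secret and the target's challenge.
func chapResponse(id byte, secret string, challenge []byte) []byte {
	sum := md5.Sum(append(append([]byte{id}, secret...), challenge...))
	return sum[:]
}

// target models the VPSA side, which holds the CHAP Username and CHAP Secret.
type target struct {
	username, secret string
}

// verify recomputes the expected response from the target's own copy of the secret
// and compares it with the initiator's CHAP_N / CHAP_R in constant time.
func (t *target) verify(user string, id byte, challenge, resp []byte) bool {
	expected := chapResponse(id, t.secret, challenge)
	return user == t.username && subtle.ConstantTimeCompare(expected, resp) == 1
}

// login runs one iSCSI login authentication round. Only the identifier, the challenge,
// the username and the MD5 response cross the wire; the CHAP Secret itself never does.
func login(t *target, user, initiatorSecret string) (bool, error) {
	buf := make([]byte, 17) // CHAP_I identifier byte followed by a 16-byte random CHAP_C
	if _, err := rand.Read(buf); err != nil {
		return false, err
	}
	id, c := buf[0], buf[1:]
	return t.verify(user, id, c, chapResponse(id, initiatorSecret, c)), nil
}

func main() {
	vpsa := &target{username: "vpsa-demo", secret: "AbC123xyz789"} // constructed sample credentials
	ok, _ := login(vpsa, "vpsa-demo", "AbC123xyz789")
	fmt.Println("new connection with current secret:", ok)
	vpsa.secret = "NeW456secret" // CHAP Secret rotated on the VPSA
	ok, _ = login(vpsa, "vpsa-demo", "AbC123xyz789")
	fmt.Println("new connection with old secret:", ok)
}
```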

Data Encryption
365 Cloud Storage supports encryption of Data-at-Rest (DAR) and Data-in-Flight (DIF). Because data encryption requires compute overhead, we leave it to end users to evaluate the trade-off between security and performance. Hence both DAR and DIF encryption are optional features and are disabled by default.

Encryption of Data-at-Rest
Encryption management of Data-at-Rest is done at the VPSA Virtual Controller and is defined on a Volume-by-Volume basis, i.e. a user can decide that some Volumes are encrypted while others are not. A VPSA generates a unique random 128-bit Encryption Key per encrypted Volume and uses the Advanced Encryption Standard (AES) to encrypt and decrypt the Volume data. The Volume Encryption Keys are stored on disk as ciphertext, encrypted with AES under a 128-bit Master Encryption Key, which is generated from a user-supplied Master Encryption Password. The Master Encryption Password is not saved on disk. Only its SHA-1 hashsum is saved on disk, for verification purposes only. Since it is virtually impossible to restore the Master Encryption Password from the SHA-1 hashsum, each user is fully responsible for retaining and protecting the Master Encryption Password. During VPSA operation, the Master Encryption Password itself is held in kernel memory of the VPSA. Core-dumping any user-mode process within the VPSA will not reveal the Master Encryption Key. The above method ensures that encrypted Data-at-Rest cannot be accessed without explicitly knowing the user-supplied Master Encryption Password, thus providing full protection to end users who opt for Data-at-Rest encryption.
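The Data-at-Rest key hierarchy above, as an added example that is not code from the brief or from Zadara: a random 128-bit key is generated per Volume and kept on disk only wrapped under a Master Encryption Key derived from the Master Encryption Password, and a Volume is unlocked only after the password verifies against its stored SHA-1 hashsum. The brief names only AES and SHA-1, so the derivation (SHA-256 truncated to 16 bytes) and the wrapping mode (AES-GCM) are assumptions of this example; store names and passwords are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha1"
	"crypto/sha256"
	"crypto/subtle"
	"errors"
)

// vpsaStore is the on-disk state: wrapped Volume Encryption Keys plus the SHA-1 hashsum of the password.
type vpsaStore struct {
	passwordHash [sha1.Size]byte   // verification only; the password itself is never written
	volumes      map[string][]byte // volume name -> nonce || AES-wrapped 128-bit VEK
}
func newStore(password string) *vpsaStore {
	return &vpsaStore{passwordHash: sha1.Sum([]byte(password)), volumes: map[string][]byte{}}
}
// masterGCM derives the 128-bit Master Encryption Key from the password and returns an AES-GCM AEAD
// for it. The brief names only AES: SHA-256 truncated to 16 bytes and GCM are this example's assumptions.
func masterGCM(password string) cipher.AEAD {
	sum := sha256.Sum256([]byte("vpsa-master:" + password))
	block, _ := aes.NewCipher(sum[:16]) // a 16-byte key is always valid,
	aead, _ := cipher.NewGCM(block)     // so neither constructor can fail here
	return aead
}

// addVolume generates a random Volume Encryption Key and keeps only its wrapped form.
func (s *vpsaStore) addVolume(name, password string) error {
	aead := masterGCM(password)
	buf := make([]byte, aead.NonceSize()+16) // random nonce followed by a fresh 128-bit VEK
	if _, err := rand.Read(buf); err != nil {
		return err
	}
	nonce, vek := buf[:aead.NonceSize()], buf[aead.NonceSize():]
	s.volumes[name] = append(append([]byte(nil), nonce...), aead.Seal(nil, nonce, vek, []byte(name))...)
	return nil
}

// unlockVolume verifies the password against the stored hashsum, then unwraps the VEK.
func (s *vpsaStore) unlockVolume(name, password string) ([]byte, error) {
	h, rec := sha1.Sum([]byte(password)), s.volumes[name]
	if rec == nil || subtle.ConstantTimeCompare(h[:], s.passwordHash[:]) != 1 {
		return nil, errors.New("unknown volume or master encryption password rejected")
	}
	aead := masterGCM(password)
	return aead.Open(nil, rec[:aead.NonceSize()], rec[aead.NonceSize():], []byte(name))
}
```

With only the on-disk material (hashsum plus ciphertext) unlockVolume cannot produce a key, which is the property the brief relies on when it makes the user responsible for the Master Encryption Password.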

Encryption of Data-in-Flight
For advanced security needs, 365 Cloud Storage supports encryption of Data-in-Flight between the User Server and the VPSA using Internet Protocol Security (IPsec). 365 Cloud Storage uses the Internet Key Exchange (IKE) protocol to negotiate the IPsec encryption keys with a user's Cloud Server. The encryption keys used to encrypt the Data-in-Flight are stored in kernel memory only (of both the VPSA and the Cloud Servers) and are never stored on disk in any form. Periodically, encryption keys are renegotiated by the VPSA's and Cloud Servers' IKE daemons. A user can configure the renegotiation trigger for each Cloud Server. For example, encryption keys can be renegotiated every hour, every 10 Gb of sent/received data, etc.

Copyright 2014. Last Updated 9/9/2014