Data security is the number one concern of IT managers with regard to the Cloud, and it’s no wonder, since using a Public Cloud such as Amazon’s AWS S3 to store your company files demands the assurance of high security. BridgeSTOR’s Coronado V-NAS Access Point with ProtectedCloud™ Security fills this need with a whole family of features that work together for the protection of your data – including Authentication, Encryption and User and Group Access Control.
The features of the ProtectedCloud Security are made possible by BridgeSTOR’s own Cloud Storage File System (CSFS™), the product of four years of development. CSFS itself enhances security by creating unique data structures as it processes files at the sub-file (block) level. Therefore reading the information contained in a CSFS file requires all the blocks to be reassembled into their original sequence when a file is retrieved. Thus, each data block transmitted or stored via CSFS, even if it is simply clear text, will not typically contain any meaningful information content.
Properly securing enterprise data storage also requires unique character strings called keys. Coronado V-NAS Global Access Points and the Coronado V-NAS Global View Manager authenticate using a pair of keys, the Access Key and the Secret Key, created by the Cloud Provider or by the Private Cloud Object Storage.
The Access Key and Secret Key provide authentication for use of the Cloud Storage service. When data is sent over the wire, CSFS incorporates these keys through a special algorithm whose result is validated at the Cloud Storage Provider or at the Private Cloud. If for some reason the administrator needs to change these keys, BridgeSTOR or our partner can generate a new set while destroying the previous set. If, for example, a critical employee leaves the company or the local caching technology used by a Coronado V-NAS Global Access Point has been stolen, new keys can be generated immediately and the previous Access Keys destroyed.
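The property the two paragraphs above rely on, as an added illustration that is not BridgeSTOR's code and not the provider's actual algorithm: the Secret Key never travels over the wire; the client uses it to compute a keyed signature over each request, the provider recomputes that signature from its own copy of the secret, and rotating the pair destroys the old secret so that anything still holding it (a stolen cache, for instance) is refused. This is a simplified HMAC-SHA256 scheme written for this page (not AWS Signature V4 and not CSFS's proprietary step); the key identifiers and request contents are constructed for the demo.

```python
"""Added illustration: access-key / secret-key request authentication with
key rotation. Simplified HMAC scheme constructed for this page; not AWS
Signature V4 and not BridgeSTOR's algorithm."""
import hashlib
import hmac
import secrets


def canonical_string(request):
    """The bytes that get signed: method, object path, access key id and a
    hash of the body. The secret key is never part of this string, so it is
    never sent; only the public access key id travels with the request."""
    body_hash = hashlib.sha256(request["body"]).hexdigest()
    return "\n".join([request["method"], request["path"],
                      request["access_key_id"], body_hash])


def sign(secret_key, canonical):
    """Keyed signature over the canonical string."""
    return hmac.new(secret_key, canonical.encode(), hashlib.sha256).hexdigest()


def build_request(access_key_id, secret_key, method, path, body):
    """Client side: assemble a request and attach its signature."""
    request = {"method": method, "path": path,
               "access_key_id": access_key_id, "body": body}
    request["signature"] = sign(secret_key, canonical_string(request))
    return request


class ObjectStoreProvider:
    """Provider side: maps access key id -> secret key and checks signatures."""

    def __init__(self):
        self._credentials = {}

    def issue_keys(self):
        # Constructed key-id format for the demo; real providers use their own.
        access_key_id = "AKDEMO" + secrets.token_hex(6).upper()
        secret_key = secrets.token_bytes(32)
        self._credentials[access_key_id] = secret_key
        return access_key_id, secret_key

    def rotate_keys(self, old_access_key_id):
        """Generate a new pair and destroy the previous one in one step."""
        self._credentials.pop(old_access_key_id, None)
        return self.issue_keys()

    def handle(self, request):
        """HTTP-style status: 200 for a valid signature, 403 otherwise."""
        secret = self._credentials.get(request["access_key_id"])
        if secret is None:          # unknown or already-destroyed key
            return 403
        expected = sign(secret, canonical_string(request))
        # Constant-time comparison so timing does not leak the expected value.
        if not hmac.compare_digest(expected, request["signature"]):
            return 403
        return 200


def demo_rotation():
    """Walk through: valid request, tampered body, stale key after rotation,
    fresh key after rotation. Returns the four status codes."""
    provider = ObjectStoreProvider()
    ak1, sk1 = provider.issue_keys()

    good = provider.handle(
        build_request(ak1, sk1, "PUT", "/bucket/block-0001", b"block data"))

    tampered = build_request(ak1, sk1, "PUT", "/bucket/block-0001", b"block data")
    tampered["body"] = b"altered in transit"      # signature no longer matches
    tampered_status = provider.handle(tampered)

    ak2, sk2 = provider.rotate_keys(ak1)          # old secret is destroyed
    stale = provider.handle(
        build_request(ak1, sk1, "GET", "/bucket/block-0001", b""))
    fresh = provider.handle(
        build_request(ak2, sk2, "GET", "/bucket/block-0001", b""))
    return good, tampered_status, stale, fresh


if __name__ == "__main__":
    print(demo_rotation())   # (200, 403, 403, 200)
```

A production scheme also folds a timestamp or nonce into the canonical string and rejects requests outside a short window, so that a captured signed request cannot simply be replayed; that detail is omitted here to keep the rotation behaviour in focus.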
The most common standard for encryption today is AES-256 (256-bit Advanced Encryption Standard), a highly secure standard chosen by the National Institute of Standards and Technology (NIST). ProtectedCloud Security utilizes AES-256 and adds a second XTS Encryption Key for data in flight and for data stored at the Cloud.
The first Key, the “Encryption Key”, is created by the storage administrator before any data is written to a new Cloud Storage bucket, and it cannot be changed. Coronado V-NAS Global Access Points and the Coronado V-NAS Global View Manager store this key locally and use it only for encryption of a specific storage bucket. The key is never copied to any other location, and in particular never to the Cloud Storage Provider. Data is encrypted in-line at the Coronado V-NAS Global Access Point as it is written, thus protecting data both in transit and in Cloud Storage.
BridgeSTOR’s CSFS creates a second key, the “XTS Encryption Key”. This key is never stored and is calculated on demand when encryption is turned on and new data is written. The formula for calculating the “XTS Encryption Key” is BridgeSTOR proprietary and will never be released.
Why XTS Encryption? Without this additional ProtectedCloud Security protection, it’s possible for a hacker to attack your organization’s encrypted data by observing the contents of two identical blocks of data, such as two zeroed blocks. The hacker can use that information to reverse engineer the data and determine your key. With ProtectedCloud Security using XTS, two blocks of the same data look different. The hacker in this case would not be able to determine the key, and your data remains safe.
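The observable difference the paragraph above describes, as an added example that is not BridgeSTOR's code: two identical zero sectors encrypted with raw AES-ECB produce identical ciphertext (and every 16-byte block inside each sector repeats), whereas AES-XTS mixes the sector's position into the encryption as a tweak, so the same zero sector stored at two different positions yields two different ciphertexts. It uses the `cryptography` package and a constructed 512-bit key; the sector-number tweak is the standard XTS construction and stands in for BridgeSTOR's proprietary XTS key calculation, which this page does not describe.

```python
"""Added illustration: equal plaintext sectors under AES-ECB versus AES-XTS.
Requires the `cryptography` package. Key and data are constructed for the
demo; the tweak derivation is standard XTS, not BridgeSTOR's formula."""
from cryptography.hazmat.primitives.ciphers import Cipher, algorithms, modes

SECTOR_SIZE = 512
BLOCK_SIZE = 16

# Constructed 512-bit key for AES-256-XTS: XTS uses two AES-256 keys, one for
# the data and one for the tweak. OpenSSL refuses an XTS key whose two halves
# are identical, so the halves are deliberately different here.
DEMO_XTS_KEY = bytes(range(64))
DEMO_ECB_KEY = DEMO_XTS_KEY[:32]      # plain AES-256 key for the comparison


def xts_tweak(sector_number):
    """Standard XTS tweak: the 128-bit sector number, little-endian."""
    return sector_number.to_bytes(16, "little")


def encrypt_sector_xts(key, sector_number, plaintext):
    """Encrypt one full sector under AES-XTS with its position as the tweak."""
    if len(plaintext) != SECTOR_SIZE:
        raise ValueError("one full sector expected")
    enc = Cipher(algorithms.AES(key), modes.XTS(xts_tweak(sector_number))).encryptor()
    return enc.update(plaintext) + enc.finalize()


def decrypt_sector_xts(key, sector_number, ciphertext):
    """Inverse of encrypt_sector_xts; the same sector number is required."""
    dec = Cipher(algorithms.AES(key), modes.XTS(xts_tweak(sector_number))).decryptor()
    return dec.update(ciphertext) + dec.finalize()


def encrypt_sector_ecb(key, plaintext):
    """Tweak-less comparison: raw AES-ECB, where equal input gives equal output."""
    enc = Cipher(algorithms.AES(key), modes.ECB()).encryptor()
    return enc.update(plaintext) + enc.finalize()


def distinct_blocks(data):
    """How many different 16-byte ciphertext blocks appear in a sector."""
    return len({data[i:i + BLOCK_SIZE] for i in range(0, len(data), BLOCK_SIZE)})


def compare_identical_sectors():
    """Encrypt the same all-zero sector twice under each mode and report
    whether an observer could tell the two copies apart."""
    zero_sector = bytes(SECTOR_SIZE)

    ecb_a = encrypt_sector_ecb(DEMO_ECB_KEY, zero_sector)
    ecb_b = encrypt_sector_ecb(DEMO_ECB_KEY, zero_sector)
    xts_at_0 = encrypt_sector_xts(DEMO_XTS_KEY, 0, zero_sector)
    xts_at_1 = encrypt_sector_xts(DEMO_XTS_KEY, 1, zero_sector)

    return {
        # ECB: the two copies match, and the sector is one block repeated.
        "ecb_copies_identical": ecb_a == ecb_b,
        "ecb_distinct_blocks": distinct_blocks(ecb_a),
        # XTS: position changes the tweak, so the copies differ, and the
        # per-block tweak also varies inside a single sector.
        "xts_copies_identical": xts_at_0 == xts_at_1,
        "xts_distinct_blocks": distinct_blocks(xts_at_0),
        "xts_roundtrip_ok": decrypt_sector_xts(DEMO_XTS_KEY, 1, xts_at_1) == zero_sector,
    }


if __name__ == "__main__":
    for name, value in compare_identical_sectors().items():
        print(f"{name}: {value}")
```

XTS is a storage mode: its tweak is derived from where a sector lives, so it hides equality between sectors at different positions but still tells an observer when the same position is rewritten with the same content. That is the limitation a defender should keep in mind when XTS is the only layer between stored blocks and a curious cloud operator.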
Since the “Encryption Key” must be maintained locally, BridgeSTOR’s near-term roadmap for CSFS includes the ability to be integrated into enterprise Key Management systems.
In addition to the authentication performed by the Cloud Provider via Access Keys and to encryption, enterprises need the ability to control access to files by individual users and groups within the company. The most common method for this type of authentication today is Microsoft’s Active Directory (AD). BridgeSTOR’s Coronado V-NAS Global Access Point and Coronado V-NAS Global View Manager are easily integrated with AD. This means that the same access control policies for users and groups that are already in place in an organization can now be applied to the storage resources that are accessed through Coronado V-NAS Global Access Points.