Protected Cloud Security

Protected Cloud™ Security

File security is the number one concern of IT managers with regard to the Cloud, and it’s no wonder, since using a Public Cloud such as Amazon’s AWS S3 to store your company files demands the assurance of high security. BridgeSTOR’s Coronado NAS Gateway with ProtectedCloud™ Security fills this need with a whole family of features that work together for the protection of your data – including Authentication, Encryption, and User and Group Access Control. The features of ProtectedCloud Security are made possible by BridgeSTOR’s own Cloud Storage File System (CSFS™), the product of many years of development.


Properly securing enterprise data storage also requires unique character strings called keys. The Coronado NAS Gateway requires Access Keys created by the Cloud Provider or Private Cloud Object Storage for authentication called the Access Key and Secret Key. The Access Key and Secret Key provide authentication for use of the Cloud Storage service. When files are sent over the wire, CSFS will add these keys in a special algorithm which will be validated at the Cloud Storage Provider, or at the Private Cloud. If for some reason the administrator needs to change these keys, BridgeSTOR, or the cloud provider can generate a new set keys while destroying the previous set. If, for example, a critical employee leaves the company or the local caching technology used by a Coronado NAS Gateway has been stolen, new keys can be immediately generated while destroying the previous Access Keys.

The most common encryption standard today is AES-256 (256-bit Advanced Encryption Standard), a highly secure standard selected by the National Institute of Standards and Technology (NIST). ProtectedCloud Security uses AES-256 and adds a second key, the XTS Encryption Key, for data in flight and for data stored at the Cloud. The first key, the “Encryption Key”, is created by the storage administrator before any file is written to the Cloud Storage bucket; once data has been written, it cannot be changed. The Coronado NAS Gateway stores this key locally and uses it only to encrypt that specific storage bucket. The key is never copied to any other location, and in particular never to the Cloud Storage Provider. Files are encrypted in-line by the Coronado NAS Gateway before they are sent to the cloud, so they are protected both in transit and while stored in the Cloud Storage bucket. During the in-line process BridgeSTOR derives a second key, the “XTS Encryption Key”; it is never stored but is calculated by an internal BridgeSTOR algorithm. The algorithm for calculating the “XTS Encryption Key” is BridgeSTOR proprietary and will never be released.


Why XTS Encryption? Without this extra added ProtectedCloud Security it’s possible for a hacker to attack your organization’s encrypted data by observing the contents of two identical blocks of data, such as two zeroed blocks. The hacker can use that information to reverse engineer the data and determine your key. With ProtectedCloud Security using XTS, two blocks of the same data will look different. The hacker in this case would not be able to determine the key, and your files remains safe. Since the “Encryption Key” must be maintained locally, BridgeSTOR’s near-term roadmap for CSFS includes the ability to be integrated into enterprise Key Management systems.
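The identical-block problem above, shown with a minimal AES-XTS block routine (an added example, not BridgeSTOR’s code and not its proprietary XTS key derivation): the tweak is derived from the data-unit number and block index in the IEEE 1619 convention, so the same zeroed block encrypted at two different positions produces different ciphertext, whereas untweaked AES would produce the same ciphertext at both. Strictly, what equal ciphertext blocks leak is the equality pattern of the plaintext rather than the key itself, and the per-position tweak is what removes that pattern. The two 32-byte keys used with it are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"encoding/binary"
)

// mulAlpha multiplies a GF(2^128) element by alpha (x) in the IEEE 1619
// little-endian convention: shift left one bit, reduce with 0x87 on carry.
func mulAlpha(t [16]byte) [16]byte {
	var out [16]byte
	var carry byte
	for i := 0; i < 16; i++ {
		out[i], carry = t[i]<<1|carry, t[i]>>7
	}
	if carry != 0 {
		out[0] ^= 0x87
	}
	return out
}

// xtsBlock runs AES-XTS on one 16-byte block: key1 is the data key, key2 the
// tweak key, sector the data-unit number and j the block index inside it.
// decrypt=true reverses it (only the direction of the data-key AES call flips).
func xtsBlock(key1, key2 []byte, sector uint64, j int, in [16]byte, decrypt bool) ([16]byte, error) {
	dataC, err := aes.NewCipher(key1)
	if err != nil { return [16]byte{}, err }
	tweakC, err := aes.NewCipher(key2)
	if err != nil { return [16]byte{}, err }
	var tweak [16]byte
	binary.LittleEndian.PutUint64(tweak[:8], sector)
	tweakC.Encrypt(tweak[:], tweak[:]) // T = E_K2(sector)
	for k := 0; k < j; k++ {
		tweak = mulAlpha(tweak) // T_j = T * alpha^j: unique for every block position
	}
	var out [16]byte
	for i := range out {
		out[i] = in[i] ^ tweak[i]
	}
	if decrypt {
		dataC.Decrypt(out[:], out[:])
	} else {
		dataC.Encrypt(out[:], out[:])
	}
	for i := range out {
		out[i] ^= tweak[i]
	}
	return out, nil
}
```

Encrypting a zero block at (sector 0, block 0), (0, 1) and (1, 0) gives three different ciphertexts, while a fixed position always gives the same one, which is what lets a gateway decrypt blocks in place.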

In addition to the authentication performed by the Cloud Provider via Access Keys, and to encryption, enterprises need the ability to control access to files by individual users and groups within the company. The most common method for this type of authentication today is Microsoft’s Active Directory (AD). BridgeSTOR’s Coronado NAS Gateway integrates easily with Microsoft AD, so the user and group access control policies already in place in an organization can be applied to cloud storage files.