

WHITE PAPER

CLOUDLINK® SECUREVSA ON VBLOCK SYSTEMS

Table of Contents

About this document (page 3)
Audiences (page 3)
Introduction (page 3)
    Business Case (page 3)
    Solution Overview (page 4)
Technology Overview (page 5)
    CloudLink SecureVSA (page 5)
        The SecureVSA Architecture (page 6)
    VCE Vblock™ Systems (page 7)
    RSA Data Protection Manager (page 9)
Solution Architecture Overview (page 9)
    System Configuration (page 9)
    Encryption Data Flow (page 11)
    Hardware and Software (page 11)
    Integration with RSA Data Protection Manager (page 12)
Design Considerations (page 13)
    Performance Sizing (page 13)
    High Availability (page 13)
    Key Management (page 13)
    Storage (page 13)
    Network (page 14)
Solution Validation (page 16)
    Test Cases and Objectives (page 16)
        Test Case 1 - SecureVSA Installation on Vblock Systems (page 16)
        Test Case 2 - Data Encryption: Simulated Application Profile Tests (page 17)
        Test Case 3 - Data Encryption: Functional Evaluation of Select CloudLink Encryption Features (page 18)
        Test Case 4 - RSA Data Protection Manager Integration (page 20)
Conclusion (page 24)
For More Information (page 25)

Copyright © 2014 All Rights Reserved. CloudLink is a registered trademark of CloudLink Technologies (formerly AFORE Solutions, Inc.). All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.


About this document

This document describes CloudLink® SecureVSA certified on VCE Vblock™ Systems and discusses business requirements, technology components, architecture, and use cases tested during the Vblock Ready certification of SecureVSA. For more information about this paper or about this solution, please contact CloudLink at [email protected].

Audiences

This document is intended for IT professionals, compliance officers, security administrators, and managers responsible for deploying data security solutions on Vblock Systems.

Introduction

Business Case

Traditional data centers have experienced a paradigm shift in recent years. Silos of disparate physical computing systems are being consolidated and migrated to cloud-based and virtualized infrastructure, bringing the benefits of flexible on-demand deployment, optimal capacity utilization, and substantial cost savings to enterprises and service providers alike. With this transformation have come new challenges in IT security, particularly related to managing the confidentiality, integrity, and privacy of sensitive data. In a shared, cloud-based, IT as a Service (ITaaS) environment, data security can’t be an afterthought. Data encryption is an essential mechanism for ensuring data confidentiality, isolation, and protection. In many cases, virtualized environments host multiple “tenants” in a single converged infrastructure like the VCE Vblock System. Tenants typically include one or more of the following:

- Departmental datastores that need to be isolated, with one or multiple datastores requiring encryption with separate keys; for example, human resources, manufacturing, research and development and other sensitive file storage such as company executive file folders, and so on.

- Multiple applications hosted on the same physical server and disk array, such as a single Vblock System. To ensure data protection, one or more of the application datastores (for example, those for SAP, Oracle, Exchange, etc.) might require separate encryption keys.

- Different customers hosted on the same physical server and disk array, such as a service provider environment using a converged infrastructure. Some or all of this customer data might require separate, per-tenant encryption keys.

Industries such as financial services, healthcare, manufacturing, and government often have stringent regulatory security requirements that mandate data isolation and encryption. Service providers in particular see data encryption as a key security feature that allows them to appeal more broadly to customers. Traditional solutions include self-encrypting disks, storage controller-based encryption, encrypting SAN switches, and in-line encryption appliances. Each of these has one big drawback: a lack of multi-tenant capability. A single key is used to encrypt all data that passes through the cipher, so customers have to dedicate the entire physical resource (disk, array or entire SAN) to a single tenant. The lack of flexibility and associated cost of this approach goes against the trend towards virtualization and cloud computing and the goal of achieving a software-defined data center.


One of the traditional objections to software-based encryption has been that it degrades performance. This misperception has been countered by the fact that the Advanced Encryption Standard (AES) has now become the algorithm of choice for hardware acceleration of cryptographic operations in a majority of enterprise-class servers. As a result, the overhead of software encryption is less significant with the help of the built-in hardware acceleration. This has created an opportunity for software-based encryption appliances such as SecureVSA to challenge traditional encryption approaches with superior performance.

As a software appliance, the resources consumed by the encrypting software can be scaled up and down as the demand for encryption workloads changes. When SecureVSA runs on a Vblock System, resource consumption can be tuned to keep up with busy file server, web server or database server applications and minimized when performance requirements are modest. Compared to a hardware appliance, SecureVSA not only reduces costs, power consumption and footprint, it also complements the converged infrastructure’s key benefits of flexibility, agility and simplicity.

Key tenets of effective data security management include ease of deployment and administration. Many existing software encryption solutions require agents to be deployed on each virtual machine (VM) containing sensitive data. This approach places an unnecessary burden on IT administrators, who must deploy and maintain the agents and ensure compatibility with the applications and operating systems running on their VMs. Furthermore, the complexity of configuring numerous agents makes it challenging to develop and maintain an effective security policy. In addition, when tenants and data owners require oversight and control of their own data separate from IT infrastructure administrators, deployment and ongoing operational management become even more complex and daunting.

SecureVSA’s multi-tenant, agent-less approach to data encryption eliminates these challenges. Encrypting software appliances must be easy to deploy and maintain while giving tenant administrators the control they desire. This is especially true for virtualized environments. The software architectural design must encompass these concepts from the start to leverage the key benefits of converged infrastructure: simplicity of deployment and management.

Solution Overview

CloudLink has partnered with industry-leading converged infrastructure provider VCE to provide a Vblock Ready certified encryption solution to meet today’s challenges. SecureVSA provides the ability to encrypt data-at-rest and data-in-motion from CloudLink Gateway to CloudLink vNode in virtualized and multi-tenant environments. In addition, SecureVSA enables flexible security administration control, performance monitoring, and integrated key management with RSA Data Protection Manager (DPM). SecureVSA is certified for Vblock Systems 100, 200, 300 and 700, spanning the needs of small and medium-sized businesses to large enterprises and service providers. The Vblock Ready certification provides customers with peace of mind, letting them know that the solution components are compatible and perform as designed. Key features and differentiators of SecureVSA include:

- Native Support for Virtualized Cloud Environments - SecureVSA understands the virtual environment topology and resource elements in multi-tenant environments. It automates deployment of encryption in the VMware vCloud Director environment and is integrated with vCenter and vCAC for ease of deployment and management and advanced security monitoring. It provides end-to-end encryption of VM storage and WAN traffic in virtualized environments. VMs can be migrated between enterprise data centers or between an enterprise data center and a service provider cloud while ensuring that data remain persistently protected.

- Encryption of Data-at-Rest - SecureVSA provides enterprises with the option to encrypt data-at-rest using AES-256 encryption technology. In a dynamic and multi-tenant cloud environment, SecureVSA secures against threats posed by persistent data artifacts, such as snapshots and suspension images, and against storage-layer side attacks. Encryption of data-at-rest enables enterprises to meet storage data deletion compliance requirements when workloads are moved out of the cloud while malicious or misbehaving co-tenants are remediated.

- Pre-Integration with RSA Data Protection Manager (DPM) Key Management Solution – As a Secured by RSA® Certified Partner, SecureVSA has certified interoperability with RSA® DPM. The integration of these technologies is intended to enable enterprises and cloud service providers to securely encrypt data-at-rest in cloud infrastructures while leveraging robust, enterprise key management.

- Secure Network Extension - SecureVSA establishes a secure network extension between a data center inside the enterprise and a customer virtual data center inside the cloud. All communications between the enterprise and the cloud are encrypted using AES-256 encryption technology. SecureVSA also constantly performs SLA monitoring on this network extension.

- Manageability and Control - Given the perceived complexity of implementing and managing encryption on a day-to-day basis, SecureVSA has been designed with simplicity, flexibility, and manageability in mind from the start.

o CloudLink Center is a web-based interface that provides comprehensive management tools, including a topology map, performance monitoring, dashboards, and threshold alarms. It can also be configured as a VMware vCenter plug-in.

o SecureVSA is agentless and storage and network agnostic. This makes SecureVSA extremely simple to deploy in large enterprise data centers and service provider environments. In a virtualized cloud environment, there are potentially hundreds of VMs being provisioned, deployed, and decommissioned at any given time. Therefore, encryption solution simplicity is essential.

o SecureVSA possesses the unique ability to offer tenants (different enterprises, separate departmental IT administrators, or application administrators) independent control of data security by maintaining their own separate encryption key stores. This provides an extremely flexible way to implement multi-tenancy. For companies that utilize service provider offerings, this means that the implementation of encryption is not dependent upon an external service provider’s policy, permission, or pricing structure. For enterprises, this feature adds flexibility, helping IT to consolidate departmental assets to a more centralized cloud infrastructure, regardless of current organizational structure.

Technology Overview

CloudLink SecureVSA

Installed as a virtual appliance, SecureVSA provides encryption to secure virtual resource pools – in VMs, networks, and datastores – in multi-tenant environments. This multi-tenant environment could include different enterprises hosted in the same converged infrastructure, departmental datastores, or application datastores within the same enterprise. These different datastores might require separate data encryption control and policies. SecureVSA seamlessly integrates with virtualized cloud infrastructures, leveraging cloud platform APIs for automatic virtual storage appliance deployment and monitoring of virtual data centers. For ease of implementation, SecureVSA can be set up as a service template, making it easy to order and self-provision. SecureVSA’s management interface, CloudLink Center, offers role-based access control, facilitating access by cloud IT administrators while allowing tenants to maintain complete and sole control of encryption keys. Furthermore, SecureVSA is pre-integrated with RSA DPM for the lifecycle management of encryption keys, enabling robust, enterprise-scale operational management in which hundreds or thousands of encryption keys can be provisioned, deployed or expired and decommissioned with ease.


The CloudLink SecureVSA Architecture

Figure 1 depicts the SecureVSA architecture within an enterprise, with departmental data requiring separate encryption datastores. This architecture is equally applicable to a cloud service provider environment or a hybrid environment.

Figure 1: SecureVSA: High-level Architecture

CloudLink vNode is a software virtual appliance deployed in the cloud where datastores need to be encrypted. The CloudLink vNode is a virtual machine that provides encrypted storage for VMs within an ESX cluster, maintains an encrypted connection to the CloudLink Gateway for storage volume encryption key retrieval, and acts as the communications endpoint between VMs in the virtual data center (VDC) and the enterprise network. The CloudLink vNode encrypts data, collects logs and events, and sends monitoring data to CloudLink Center via the CloudLink Gateway.

CloudLink Gateway is a software virtual appliance deployed inside the enterprise data center. The CloudLink Gateway communicates with CloudLink vNodes to create a secure tunnel to the enterprise-specific VDCs. The CloudLink Gateway authenticates CloudLink vNodes, monitors connectivity, initiates performance testing, and pushes the enterprise-controlled encryption keys via the secure tunnel to the CloudLink vNodes deployed in the cloud.

CloudLink Center is a management application that can be accessed as a web-based application or as a VMware vCenter™ plug-in (Figure 2). It manages the CloudLink Gateway and CloudLink vNode, administers trust policies, configures encrypted storage volumes, monitors end-to-end network performance, reports events, logs and alarms, and presents the enterprise network topology by visually depicting SecureVSA VMs.


Figure 2: CloudLink Center Accessed via vCenter Plug-in

In the context of VCE Vblock Systems, a CloudLink Gateway with CloudLink Center can be paired with one or multiple CloudLink vNodes to represent a tenant implementation within the same Vblock System. Multiple sets can then be deployed in a multi-tenant implementation within a single Vblock System, representing separate enterprise, departmental user, or application datastores. Further extending the architecture, multiple CloudLink Gateways may share a common RSA DPM or can each point to a separate instance, providing the utmost flexibility in key management.

VCE Vblock™ Systems

Vblock Systems (Figure 3) are pre-integrated technology components that include Cisco Unified Computing System™ (Cisco UCS™) blade servers and networking, EMC storage arrays, and VMware vSphere and management tools, all supported by and with warranty services from VCE. The current Vblock Systems include Vblock Systems 100, 200, 300 and 700. Each Vblock System has a base configuration, which is a minimum set of compute and storage components as well as fixed network resources. Within the base configuration, certain hardware features can be customized. Together, the components offer balanced CPU, I/O bandwidth, and storage capacity relative to the compute and storage arrays in the system. By combining best-of-breed software and hardware solutions in one converged infrastructure, Vblock Systems deliver a cloud-computing experience that is optimized, secure, and faster and easier to deploy and maintain than competitive converged infrastructure solutions.


Figure 3: A VCE Vblock System

Based on the following IDC research, VCE’s Vblock System has definite advantages in providing tangible customer results:

Figure 4: IDC research on Vblock customer benefits

By partnering with CloudLink and certifying its SecureVSA on Vblock Systems, VCE offers enhanced security encryption technology that helps customers meet today’s compliance challenges in virtualized environments.


RSA Data Protection Manager

RSA DPM offers industry-leading application encryption, tokenization, and enterprise-wide key management. DPM enables centralized key management and transparent and automated policy enforcement for encrypting data-at-rest across the information lifecycle. Keys used to protect the virtual disks can be vaulted in the customer’s enterprise within DPM for an extra layer of protection.

Enterprise key management with RSA DPM features:

• Interoperability – The Key Management Interoperability Protocol (KMIP)-enabled DPM server enables a single key management infrastructure and integrates with applications and devices at every layer.

• Simple operations – A simple user interface allows policies and keys to be managed from a central location, simplifying operations and contributing to lower operational expenditures (OpEx).

• Key control – High availability, security, automated replication, and disaster recovery of the key vault can be provided so that keys are always available. Separation of duties can be ensured to control who has access to keys.

• Easier compliance – Audits are simplified by logging the encryption functions necessary to meet compliance.

Solution Architecture Overview

This section describes the solution architecture tested and verified during the Vblock Ready certification.

System Configuration

The test environment assumed a single enterprise deployment environment with encryption needs for separate datastores. Figure 5 shows the SecureVSA deployment architecture.


Figure 5: SecureVSA Certification Test Environment Configuration

A single CloudLink Gateway in the enterprise environment managed the overall encryption infrastructure. The CloudLink Gateway was deployed on a VM situated on Blade Server ESXi 01. CloudLink Center, the operational management interface, ran on the CloudLink Gateway.

Below the CloudLink Gateway are the encryption workhorses, the CloudLink vNodes, each of which was deployed within a separate VDC and was responsible for encrypting its assigned datastores. In terms of the multi-tenant data center most common in VCE customer environments, each of these VDCs potentially represents a departmental computing environment or a separate application installation environment that needed encryption protection. Each of the VDCs hosted multiple VMs. These CloudLink vNodes were installed on Blade Servers ESXi 02 and ESXi 03.

Installing the CloudLink Gateway and CloudLink vNodes on separate blades mimicked typical enterprise environments. The CloudLink Gateway, performing key control and system monitoring and management, is located within the enterprise data center. The CloudLink vNodes, which provide encrypted storage, might be located in a separate location along with the application workloads or in the cloud service provider’s data center.

Tests were performed using the IOmeter test tool suite, consisting of an IOmeter instance, which provides a management interface for test configuration, and two Dynamo workers. The IOmeter interface was run on ESXi 01, and the Dynamo workers were run on ESXi 02 and ESXi 03, respectively. Connected to ESXi 02 and ESXi 03 was the ESX datastore shared by the two simulated “tenants.” Each tenant had its own encrypted disk, shown in Figure 5 in red (Dynamo1 Disk2 and Dynamo2 Disk2 for tenant 1 and tenant 2, respectively), and a cleartext disk, shown in green (Dynamo1 Disk3 and Dynamo2 Disk3). Encrypted disks were placed into the protected datastores, allocated inside the big shared datastore. These protected datastores were assigned to their respective CloudLink vNodes and are shown in orange (vNode1 Datastore and vNode2 Datastore). Each Dynamo VM that represents tenant workloads has two virtual disks: one for encrypted data and one for cleartext data.

One of the objectives of the tests was to compare the native performance of user workloads on a Vblock System with the performance of the same workloads using SecureVSA for storage encryption. Data in cleartext (green) virtual disks was accessed bypassing SecureVSA, and data in encrypted disks (red) was accessed through SecureVSA. This configuration allowed for a direct performance comparison of the vNodes’ encrypted storage with native VMAX storage.

Encryption Data Flow

Once provisioned and started, CloudLink vNodes established their encrypted connections to the CloudLink Gateway and requested the encryption keys for unlocking their secure datastores. The CloudLink Gateway verified the CloudLink vNodes’ credentials and the Global Unique IDs (GUIDs) of the datastores to make sure that legitimate instances of CloudLink vNodes and datastores were being used. It then issued the Key Encryption Keys (KEKs), which are used to unlock the Data Encryption Keys (DEKs) stored, in encrypted form, in the metadata of the datastore.

Once the CloudLink vNode ciphers had the keys, the virtual disks stored on their datastores became available to user VMs for performing IO operations. These user VMs are the Dynamo machines (Dynamo1 and Dynamo2) under the control of IOmeter.

The Dynamo VMs were instructed to execute a test script against SecureVSA. The script consists of IO profiles characteristic of three typical customer applications: file server, web server, and database server. That mix of IO transactions was executed in two series of tests. In the first, testing was performed using the encrypted virtual disks located in the vNode datastores. In the second, testing was performed using the cleartext virtual disks located in the VMAX storage array, bypassing the vNodes. This allowed for a comparison of CloudLink performance and native performance, measuring the effect of IO traffic being encrypted and decrypted by vNodes on the way to and from the VMAX array.
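The unlock sequence described in this section (and restated in the Integration with RSA Data Protection Manager section) is easier to reason about as a short program. The Go code below is an added illustration, not CloudLink's code: a Gateway that holds one KEK per vNode and releases it only after checking the vNode's credential and the datastore GUID, and a VNode that generates its DEK at initialization, keeps it only in wrapped form in the datastore metadata, recovers it on unlock, and drops it on lock. Two choices are this example's own and not from the paper: the DEK is wrapped with AES-256-GCM rather than the CBC mode the paper names for the KEKs, because a wrapped key needs an integrity check and an authenticated mode provides one; and the datastore GUID is bound into the wrap as associated data, so a wrapped DEK copied into a datastore with another GUID fails the tag check even if the gateway-side GUID check were bypassed. All identifiers, the credential scheme and the sample values are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
)

func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy source: nothing sensible to continue with
	}
	return b
}

// wrapDEK wraps a 32-byte DEK under a 32-byte KEK with AES-256-GCM, binding the datastore GUID as associated data; output: nonce(12) || ct+tag(48).
func wrapDEK(kek, dek []byte, guid string) ([]byte, error) {
	if len(kek) != 32 || len(dek) != 32 {
		return nil, errors.New("kek and dek must be 32 bytes")
	}
	block, _ := aes.NewCipher(kek) // key length checked above, so no error
	gcm, _ := cipher.NewGCM(block)
	nonce := randBytes(gcm.NonceSize())
	return gcm.Seal(nonce, nonce, dek, []byte(guid)), nil
}

// unwrapDEK fails closed: a tampered blob, a wrong KEK, or a wrapped DEK copied into a datastore with another GUID all fail the tag check.
func unwrapDEK(kek, wrapped []byte, guid string) ([]byte, error) {
	if len(kek) != 32 {
		return nil, errors.New("kek must be 32 bytes")
	}
	block, _ := aes.NewCipher(kek)
	gcm, _ := cipher.NewGCM(block)
	n := gcm.NonceSize()
	if len(wrapped) < n+gcm.Overhead() {
		return nil, errors.New("malformed wrapped DEK")
	}
	return gcm.Open(nil, wrapped[:n], wrapped[n:], []byte(guid))
}

// Gateway plays the CloudLink Gateway's key-control role: per vNode it records the expected credential, the assigned datastore GUID and the KEK it generated.
type enrollment struct{ cred, guid string; kek []byte }
type Gateway struct{ nodes map[string]*enrollment }

func NewGateway() *Gateway { return &Gateway{nodes: map[string]*enrollment{}} }

func (g *Gateway) Enroll(id, cred, guid string) {
	g.nodes[id] = &enrollment{cred, guid, randBytes(32)}
}

// RequestKEK releases a KEK only when the vNode credential and the datastore GUID both match the enrollment record, the check the paper describes.
func (g *Gateway) RequestKEK(id, cred, guid string) ([]byte, error) {
	e, ok := g.nodes[id]
	if !ok || subtle.ConstantTimeCompare([]byte(e.cred), []byte(cred)) != 1 {
		return nil, errors.New("vNode authentication failed")
	}
	if e.guid != guid {
		return nil, errors.New("datastore GUID mismatch")
	}
	return e.kek, nil
}

// VNode plays the CloudLink vNode: WrappedDEK is the datastore metadata the paper mentions; dek is held in memory only while unlocked.
type VNode struct {
	ID, Cred, GUID string
	WrappedDEK     []byte
	dek            []byte
}

// NewVNode generates the DEK at initialization and keeps only its wrapped form, so a fresh vNode starts out locked.
func NewVNode(g *Gateway, id, cred, guid string) (*VNode, error) {
	kek, err := g.RequestKEK(id, cred, guid)
	if err != nil {
		return nil, err
	}
	wrapped, err := wrapDEK(kek, randBytes(32), guid)
	return &VNode{ID: id, Cred: cred, GUID: guid, WrappedDEK: wrapped}, err
}

// Unlock asks the gateway for the KEK and recovers the DEK; Lock drops the DEK, which is what "removing the KEK" amounts to on the vNode side.
func (v *VNode) Unlock(g *Gateway) error {
	kek, err := g.RequestKEK(v.ID, v.Cred, v.GUID)
	if err == nil {
		v.dek, err = unwrapDEK(kek, v.WrappedDEK, v.GUID)
	}
	return err
}
func (v *VNode) Lock()          { v.dek = nil }
func (v *VNode) Unlocked() bool { return v.dek != nil }

func main() {
	g := NewGateway()
	g.Enroll("vnode1", "constructed-credential", "constructed-guid-1")
	v, _ := NewVNode(g, "vnode1", "constructed-credential", "constructed-guid-1")
	fmt.Println("unlock:", v.Unlock(g), "unlocked:", v.Unlocked())
	moved := &VNode{ID: v.ID, Cred: v.Cred, GUID: "other-guid", WrappedDEK: v.WrappedDEK}
	fmt.Println("unlock after re-homing the metadata:", moved.Unlock(g))
}
```

The point worth noticing is that nothing persistent ever holds the DEK in the clear: the datastore carries only the wrapped form, the gateway holds only the KEK, and the plaintext DEK exists solely in the vNode's memory between Unlock and Lock. Locking therefore needs no rewrite of the datastore, which matches the paper's description of the gateway simply withdrawing the KEK.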

Hardware and Software

CloudLink SecureVSA version 2.0

VCE Vblock System 700MX, RCM version 2.5.5: four Cisco UCS B200 M2 Blade Servers, each with 96 GB of memory and two sockets of 6-core 3.46 GHz CPUs with AES-NI; a VMAX storage array with 40 disk spindles; two Cisco MDS 9148 SAN switches. VMware vSphere version 5.

Figure 6 contains details of the Vblock System 700MX used for this certification test.

WHITE PAPER

CLOUDLINK® SECUREVSA ON VBLOCK SYSTEMS

12 Copyright © 2014 All Rights Reserved. CloudLink is a registered trademark of CloudLink Technologies (formerly AFORE Solutions, Inc.). All other trademarks, trade names, service marks and logos referenced herein belong to their respective companies.

Figure 6: Vblock System 700MX Component Details

Integration with RSA Data Protection Manager

Each CloudLink vNode encrypts the storage allocated to it with a DEK that it generates during installation and initialization. The CloudLink Gateway generates a KEK for each vNode, and the KEK is used to encrypt the DEK. To unlock a vNode's storage and make it accessible to user VMs, the CloudLink Gateway retrieves the corresponding KEK and hands it to the vNode on the vNode's request; the vNode decrypts the DEK and uses it to serve the encrypted data. To lock the storage, the CloudLink Gateway withdraws the KEK from the vNode, which can then no longer recover the DEK and therefore no longer provide access to the storage. Note that locking does not re-encrypt anything: the data and the encrypted DEK stay on the datastore, and the protection of a locked datastore rests entirely on the KEK being unavailable to anyone but the Gateway.

By incorporating the RSA DPM Java client, each CloudLink Gateway instance can entrust its storage KEKs to RSA DPM, using DPM's key archival facilities to store them securely. The KEKs are AES-256 keys (archived under the AES-256/CBC algorithm definition) and are kept in a security class created specifically for this purpose. All communication between the CloudLink Gateway and RSA DPM takes place over a certificate-based, mutually authenticated secure session: the Gateway only talks to a DPM host whose certificate it has verified, and DPM only serves a Gateway that presents a valid client certificate.


Design Considerations

Performance Sizing

On a converged infrastructure such as a Vblock System, workloads from multiple tenants may coexist on the same physical infrastructure. It is therefore essential to take the aggregate characteristics of those workloads (for example, the percentage of reads versus writes, transfer size, and sequential versus random access) into consideration when sizing a system. In the case of SecureVSA, the CloudLink vNode encryption path is I/O-bound rather than CPU-bound, so its cost shows up as a reduction in throughput relative to the same workload run un-encrypted. The overhead for a single CloudLink vNode, as demonstrated in our profile tests, is about 5%: a single vNode achieves about 95% of the performance of the equivalent un-encrypted workload. With two tenants on two CloudLink vNode instances the aggregate rises to about 98%. Our estimates show that three tenant vNodes would fully utilize the storage bandwidth available in the Vblock System configuration used in our certification tests; at that point the array, not the encryption, is the limit. A lighter workload than the one defined in our test profiles will therefore accommodate a larger number of encrypted tenants. As always when sizing, customers should perform a proof-of-concept test using realistic workload inputs to understand the sizing characteristics of their specific use cases.

High Availability

Part of SecureVSA's efficiency lies in the fact that it is designed from the ground up for virtualized environments. It relies on the high availability (HA) features of the underlying virtualization platform for the resiliency and fault tolerance needed to keep data consistent. Because every I/O to a protected datastore passes through its CloudLink vNode, a vNode outage makes that datastore unavailable to its user VMs until the vNode is restarted; users with mission-critical workloads should therefore make full use of the HA features of the vSphere platform.

Key Management

Special care must be taken with encryption keys. If a key is lost, the data encrypted with it becomes unrecoverable; if a backed-up key falls into the wrong hands, sensitive data is at risk. For SecureVSA this applies to the KEKs in particular: the DEK is only ever stored encrypted under its KEK, so losing a KEK loses the datastore. For that reason, we strongly recommend using a purpose-built key management solution such as RSA DPM for key storage. Customers may prefer other key store options supported by SecureVSA, such as Microsoft Active Directory; whichever store is used, take extreme caution to avoid the loss or unintended disclosure of encryption keys.

Storage

A CloudLink vNode can be configured as a datastore, as a network-based file storage server (CIFS/NFS), or as an iSCSI target. As a datastore, workloads placed in the vNode's datastore require no changes: the encryption of the workload's disks is completely transparent to their guest OSs. The administrator simply places the appropriate VMDK files in the encrypted datastore to encrypt the associated virtual disks (Figure 7).


Figure 7: Secure Datastore Mode

A CloudLink vNode can also be configured as a Common Internet File System (CIFS) and Network File System (NFS) server, or as an Internet Small Computer System Interface (iSCSI) target (Figure 8). This is useful in environments where an encrypted network file share is required. In this scenario, user VMs need a CIFS/NFS client or an iSCSI initiator, all of which are readily available in the most popular OSs.

Figure 8: SecureVSA Secure Network Storage Mode

Network

Many encryption and VPN solutions on the market require the vSwitch to be put in promiscuous mode in order to connect the encryption virtual appliance with the VMs requiring its services; CloudLink does not. To increase network security and prevent hostile eavesdropping on vSwitch traffic, when connecting a CloudLink vNode to a vSwitch, ensure that the vSwitch (and port group) security policy keeps promiscuous mode rejected.

There is also a variant of the SecureVSA deployment in which no encrypted tunnel between the CloudLink Gateway and the vNodes is configured. This is useful when the owner or administrator of the Vblock System is also the owner of the data in need of encryption. In that case there is no distinction between the provider and the consumer of the service and, to simplify deployment, only the CloudLink Gateway is deployed; it serves as both CloudLink Center and the storage encryptor.


When two virtualized data infrastructures are at different physical locations, as in the case of an enterprise data center and a service provider data center, the two parties can be connected using the encrypted tunnel. SecureVSA allows two options for configuring the connection between the CloudLink Gateway and CloudLink vNode: Layer 2 and Layer 3 modes. In Layer 2 mode, as shown in Figure 9, the tunnel creates a seamless network extension between the two networks. When configured in this mode, no user network configuration change is necessary. This mode is useful when users have control over a private IP subnet configuration in the provider data center, typically within the same enterprise infrastructure. vCloud Director allows users the choice of an IP subnet in their virtual data center configuration on the provider side as well.

Figure 9: SecureVSA Layer 2 Networking

Layer 3 mode is useful when users do not have control over the IP subnet configuration in the provider data center, as when an enterprise connects to a cloud service provider that automatically allocates IP subnets to its users.

Figure 10: SecureVSA Layer 3 Networking


Solution Validation

The test environment was as described in the Solution Architecture Overview section, with testing performed using:

• Vblock System element manager clients
• Common web browsers
• IOmeter and Dynamo clients

Test Cases and Objectives

The following test cases were designed to validate and demonstrate the features of SecureVSA and its interoperability with Vblock Systems. Performance statistics were collected to understand the encryption behavior of SecureVSA under various conditions. Test cases 1 and 2 were performed in the lab environment described in the Solution Architecture Overview section. Test cases 3 and 4 validated SecureVSA features and its ease of integration with RSA DPM; these two tests were performed in a separate lab where the RSA DPM platform was readily available.

Table 1. Test Cases Demonstrating the Features of SecureVSA on Vblock Systems

Test Case 1 - SecureVSA installation on Vblock Systems
Objective: To walk through the installation steps and validate the successful installation of SecureVSA on Vblock Systems

Test Case 2 - Data encryption: simulated application profile tests
Objective: To observe the effect of encryption on simulated application loads generated by the IOmeter test tool

Test Case 3 - Data encryption: selected functional evaluation of the encryption features
Objective: To validate selected features of the SecureVSA encryption software

Test Case 4 - Interoperability test with RSA DPM
Objective: To demonstrate the interoperability and manageability between SecureVSA and RSA DPM in an enterprise environment

Test Case 1 - SecureVSA Installation on Vblock Systems

Procedure

1. Make sure that the installation environment adheres to the minimum requirements listed in the Installation Requirements section of the CloudLink SecureVSA for VMware vSphere™ Deployment Guide.
2. Install and configure the CloudLink Gateway.
3. Deploy and configure the CloudLink vNode in vSphere:
   a. Configure all interfaces.
   b. Allocate virtual storage to the CloudLink vNode.
   c. Provision the vNode in vCenter as an NFS datastore.


Results

The initial setup of one CloudLink Gateway and one CloudLink vNode took less than one hour, with a first-time user (the tester) following the installation manual. After the successful installation, the link between the CloudLink Gateway and the CloudLink vNode was shown as a green line on the CloudLink Center topology map, and the storage was unlocked and available.

Test Case 2 - Data Encryption: Simulated Application Profile Tests

Procedure

Using the IOmeter application profiles, data traffic was generated simulating the characteristics of three types of applications:

• Database
• File server
• Web server

Figure 14 lists the profile test patterns generated by the IOmeter test tool.

% of Access Specification   Transfer Request Size   % Reads   % Random

File Server Access Pattern (as defined by Intel)
10%                         0.5 KB                  80%       100%
5%                          1 KB                    80%       100%
5%                          2 KB                    80%       100%
60%                         4 KB                    80%       100%
2%                          8 KB                    80%       100%
4%                          16 KB                   80%       100%
4%                          32 KB                   80%       100%
10%                         64 KB                   80%       100%

Database Access Pattern (as defined by Intel/StorageReview.com)
100%                        8 KB                    67%       100%

Web Server Access Pattern (as defined by Tom's Hardware.com)
22%                         0.5 KB                  100%      100%
15%                         1 KB                    100%      100%
8%                          2 KB                    100%      100%
23%                         4 KB                    100%      100%
15%                         8 KB                    100%      100%
2%                          16 KB                   100%      100%
6%                          32 KB                   100%      100%
7%                          64 KB                   100%      100%
1%                          128 KB                  100%      100%
1%                          512 KB                  100%      100%

Figure 14: IOmeter Generated Test Profiles
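The access patterns in Figure 14 can be repeated outside IOmeter, for example on a Linux guest with one encrypted and one cleartext disk, by expressing each pattern as a fio job. The Go program below is an added example, not part of the paper or of the IOmeter tool: it encodes the three patterns exactly as tabulated, checks that each pattern's shares add up to 100% (fio would otherwise pad the split silently), renders the mix in fio's bssplit syntax, and computes the share-weighted mean request size, which is what turns a measured IOPS figure into bandwidth. The device paths and the job parameters other than the access pattern (iodepth, runtime, libaio) are assumptions chosen for the example.

```go
package main

import (
	"fmt"
	"strings"
)

// Added example, not from the paper or IOmeter. It encodes the Figure 14 access
// patterns and renders each as a fio job. Assumptions: fio's
// "bssplit=size/percent:..." syntax, 100% random access as in the table, and
// placeholder device paths such as /dev/sdb supplied by the caller.

// Segment is one row of an access pattern: the share of requests at one size.
type Segment struct {
	Percent int
	SizeKB  float64
}

type Profile struct {
	Name     string
	ReadPct  int // identical for every row of a pattern in Figure 14
	Segments []Segment
}

var Profiles = []Profile{
	{"fileserver", 80, []Segment{{10, 0.5}, {5, 1}, {5, 2}, {60, 4}, {2, 8}, {4, 16}, {4, 32}, {10, 64}}},
	{"database", 67, []Segment{{100, 8}}},
	{"webserver", 100, []Segment{{22, 0.5}, {15, 1}, {8, 2}, {23, 4}, {15, 8}, {2, 16}, {6, 32}, {7, 64}, {1, 128}, {1, 512}}},
}

// Validate rejects a pattern whose shares do not add to 100; fio would
// otherwise pad the split and the run would not match the table.
func (p Profile) Validate() error {
	total := 0
	for _, s := range p.Segments {
		total += s.Percent
	}
	if total != 100 {
		return fmt.Errorf("%s: shares add to %d%%, not 100%%", p.Name, total)
	}
	return nil
}

// MeanRequestKB is the share-weighted average transfer size; multiply measured
// IOPS by it to compare encrypted and native runs as bandwidth as well.
func (p Profile) MeanRequestKB() float64 {
	mean := 0.0
	for _, s := range p.Segments {
		mean += float64(s.Percent) / 100 * s.SizeKB
	}
	return mean
}

// sizeToken renders a size the way fio parses it: bytes below 1 KB, else "<n>k".
func sizeToken(kb float64) string {
	if kb < 1 {
		return fmt.Sprintf("%d", int(kb*1024))
	}
	return fmt.Sprintf("%gk", kb)
}

// BSSplit renders the size mix in fio's bssplit syntax.
func (p Profile) BSSplit() string {
	parts := make([]string, 0, len(p.Segments))
	for _, s := range p.Segments {
		parts = append(parts, fmt.Sprintf("%s/%d", sizeToken(s.SizeKB), s.Percent))
	}
	return strings.Join(parts, ":")
}

// FioJob renders one job section against a block device, for example the
// vNode-backed disk and the cleartext disk of a Dynamo VM (paths are placeholders).
func (p Profile) FioJob(device string) (string, error) {
	if err := p.Validate(); err != nil {
		return "", err
	}
	rw := "randrw"
	if p.ReadPct == 100 {
		rw = "randread"
	}
	return fmt.Sprintf("[%s]\nfilename=%s\nrw=%s\nrwmixread=%d\nbssplit=%s\n"+
		"ioengine=libaio\ndirect=1\niodepth=16\ntime_based=1\nruntime=300\n",
		p.Name, device, rw, p.ReadPct, p.BSSplit()), nil
}

func main() {
	for _, p := range Profiles {
		job, err := p.FioJob("/dev/sdb")
		if err != nil {
			panic(err)
		}
		fmt.Println(job)
	}
}
```

Run the generated job once against the vNode-backed disk and once against the cleartext disk, with nothing else touching the array, and compare IOPS; the ratio is the same quantity the paper reports for 1x and 2x results.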


The simulated traffic was tested against one and two CloudLink vNode instances, each vNode representing a separate encrypted datastore. First, the native performance of the Vblock System was measured by directing the storage traffic to the Vblock System's physical storage, bypassing SecureVSA; these measurements are referred to as the "native results". Then the same traffic was passed through a CloudLink vNode, which encrypts and decrypts the storage data; these are the "CloudLink results". Both native and CloudLink tests were run with one workload and with two concurrent workloads, giving the "1x" and "2x" results. For comparison, the ratio of CloudLink results to native results was then calculated for both sets.

Results

As illustrated in Figure 15, encrypted throughput was at least 95% of unencrypted native throughput, measured in I/O operations per second (IOPS).

Figure 15: SecureVSA relative storage performance results

Test Case 3 - Data Encryption: Functional Evaluation of Selected CloudLink Encryption Features

The encryption of storage, and the effect of operations on the encryption keys on storage availability, were tested. This test and the following one were conducted in a separate environment from the first two tests, because the DPM software was available on a different Vblock System.

Procedure

1. Perform a 'Lock' operation on the storage, which effectively removes and destroys the vNode's copy of the encryption key, and verify that the storage is inaccessible.
2. Perform an 'Unlock' operation to test the availability of the key and that it matches the cipher and the encrypted storage.
3. Perform a 'Change Key' operation to test the key rotation procedure.
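The lock, unlock and change-key steps above exercise the KEK/DEK relationship described under Integration with RSA Data Protection Manager. The Go program below is an added example, not CloudLink code, that models that relationship end to end: the Gateway only hands out a KEK for a registered vNode and datastore GUID, a locked vNode cannot serve reads, a wrapped DEK copied to a datastore with another GUID fails to unwrap, and Change Key re-wraps the existing DEK under a fresh KEK without touching the data. Two things are assumptions rather than facts from the paper: AES-256-GCM is used for both the KEK-over-DEK and DEK-over-data layers (the paper names AES-256-CBC for the archived KEKs and does not describe the on-disk format), and Change Key is read as a KEK rotation.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Added example, not CloudLink code: a model of the paper's KEK/DEK split. AES-256-GCM
// for both layers is an assumption (the paper names AES-256-CBC for the archived KEKs).

const keyLen = 32 // AES-256

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func aead(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // keys here are always keyLen bytes
	g, _ := cipher.NewGCM(block)   // cannot fail for an AES block cipher
	return g
}

// wrap and unwrap serve both layers: KEK over DEK, and DEK over data blocks.
func wrap(key, plaintext, aad []byte) []byte {
	g := aead(key)
	nonce := randomBytes(g.NonceSize())
	return append(nonce, g.Seal(nil, nonce, plaintext, aad)...)
}

func unwrap(key, blob, aad []byte) ([]byte, error) {
	g := aead(key)
	if len(blob) < g.NonceSize() {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], aad)
}

// Gateway keeps one KEK per "vNode/GUID" (the paper archives these in RSA DPM).
type Gateway struct{ keks map[string][]byte }

func NewGateway() *Gateway { return &Gateway{keks: map[string][]byte{}} }

// VNode holds the DEK in memory only while unlocked; the datastore metadata
// holds it wrapped, with the GUID bound in as associated data.
type VNode struct {
	ID, GUID   string
	WrappedDEK []byte // metadata: nonce || AES-GCM(KEK, DEK, aad=GUID)
	dek        []byte // nil while locked
}

// Provision mirrors installation: DEK from the vNode, KEK from the Gateway.
func Provision(gw *Gateway, vnodeID, guid string) *VNode {
	dek, kek := randomBytes(keyLen), randomBytes(keyLen)
	gw.keks[vnodeID+"/"+guid] = kek
	return &VNode{ID: vnodeID, GUID: guid, WrappedDEK: wrap(kek, dek, []byte(guid))}
}

// Unlock obtains the KEK (only for a registered vNode/datastore pair) and
// recovers the DEK; a wrapped DEK copied to another datastore fails to unwrap.
func (v *VNode) Unlock(gw *Gateway) error {
	kek, ok := gw.keks[v.ID+"/"+v.GUID]
	if !ok {
		return fmt.Errorf("gateway has no KEK for vNode %q datastore %q", v.ID, v.GUID)
	}
	dek, err := unwrap(kek, v.WrappedDEK, []byte(v.GUID))
	v.dek = dek // nil on failure
	return err
}

// Lock drops the DEK; the wrapped copy on disk is useless without the KEK.
func (v *VNode) Lock() { v.dek = nil }

// Read stands in for guest I/O passing through the vNode (writes are wrap with v.dek).
func (v *VNode) Read(ct []byte) ([]byte, error) {
	if v.dek == nil {
		return nil, fmt.Errorf("storage locked")
	}
	return unwrap(v.dek, ct, nil)
}

// ChangeKey rotates the KEK and re-wraps the unchanged DEK, so existing data is
// not re-encrypted (an assumption about what the paper's "Change Key" does).
func (v *VNode) ChangeKey(gw *Gateway) error {
	if v.dek == nil {
		return fmt.Errorf("unlock before rotating the KEK")
	}
	kek := randomBytes(keyLen)
	gw.keks[v.ID+"/"+v.GUID] = kek
	v.WrappedDEK = wrap(kek, v.dek, []byte(v.GUID))
	return nil
}
```

The property to keep in mind for step 1 is that Lock only discards the in-memory DEK: nothing on the datastore changes, so the protection of locked storage is exactly the secrecy of the KEK held by the Gateway or RSA DPM. Binding the datastore GUID into the wrap as associated data is what gives the Gateway's GUID check teeth at the vNode side as well.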

Results

After locking the storage, CloudLink Center displayed the storage as locked and logged the corresponding event. User VMs lost access to the encrypted storage.

[Figure 15 chart: ratio of CloudLink to native IOPS (y-axis 0.90 to 1.04) for the database, file server and web server profiles; series 1xCloudLink/1xNative and 2xCloudLink/2xNative]


Figure 11: Locked SecureVSA Storage

Unlocking the storage was also successfully accomplished.

Figure 12: Unlocked SecureVSA Storage

A change key operation was also accomplished successfully. The key name was changed and the operation was properly logged.


Figure 13: Successful Key Rotation

Test Case 4 - RSA Data Protection Manager Integration

The ease of integrating SecureVSA with RSA DPM for enterprise key management was tested.

Procedure

To configure RSA DPM as the CloudLink key store location:

1. Open CloudLink Center on the CloudLink Gateway using the secadmin user account.
   Note: Refer to the CloudLink 2.0 SecureVSA User Guide for details on accessing the CloudLink Center console.
2. On the left side of the window, at the top of the VMs list in the Topology Tree, select the Gateway.
3. Click the Security tab and then the Key Store tab.
4. To configure CloudLink to use RSA DPM for encryption key storage, click the RSA DPM link in the Location panel.
5. In the RSA DPM Configuration panel, specify the RSA DPM parameters:

   Host                 The RSA DPM host IP address.
   Port                 The TCP port number configured on the RSA DPM host (default 443).
   Security Class Name  The name of the security class configured on the RSA DPM host for the RSA DPM client.
   Trust Certificate    The RSA DPM server certificate, which the Gateway uses to verify the DPM host.
   Client Certificate   The RSA DPM client certificate, which the Gateway presents to authenticate itself to DPM.
   Password             The password used during the RSA DPM client certificate creation.

   Important: Ensure that the RSA DPM server and client certificates are created and saved on the RSA DPM host.

Figure 16: RSA DPM Configuration Panel in CloudLink Center

6. Click Apply to save the parameters.
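The Trust Certificate and Client Certificate fields above are the two halves of the certificate-based, mutually authenticated session described under Integration with RSA Data Protection Manager. The Go program below is an added example, not CloudLink or RSA DPM code. It builds both ends of such a session in-process with a throwaway CA (the host name dpm.test and every certificate are constructed for the example) and shows what the server-side requirement buys: a client with no certificate, a client certificate from a CA the server does not trust, and a server the client does not trust are all rejected, while a correctly issued pair completes and the server learns the client's identity from the certificate it verified.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// Added example, not CloudLink or RSA DPM code. The Gateway trusts the DPM server
// certificate (Trust Certificate) and presents its own (Client Certificate); the
// server refuses any session without a verifiable client certificate. Assumption:
// a throwaway in-process CA and the name "dpm.test" stand in for DPM-issued files.

// issue creates a CA (isCA) or leaf certificate; parent == nil means self-signed.
func issue(cn string, isCA bool, eku x509.ExtKeyUsage, parent *tls.Certificate) *tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"dpm.test"},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	signer, signerKey := tmpl, interface{}(key)
	if parent != nil {
		signer, signerKey = parent.Leaf, parent.PrivateKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

func pool(c *x509.Certificate) *x509.CertPool { p := x509.NewCertPool(); p.AddCert(c); return p }

// ServerConfig is the DPM side: present its certificate and require a client
// certificate chaining to clientCA (RequireAndVerifyClientCert, not RequestClientCert).
func ServerConfig(server *tls.Certificate, clientCA *x509.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{*server},
		ClientAuth:   tls.RequireAndVerifyClientCert,
		ClientCAs:    pool(clientCA),
		MinVersion:   tls.VersionTLS12,
	}
}

// ClientConfig is the Gateway side; client == nil models a Gateway given a
// Trust Certificate but no Client Certificate.
func ClientConfig(client *tls.Certificate, trust *x509.Certificate) *tls.Config {
	cfg := &tls.Config{RootCAs: pool(trust), ServerName: "dpm.test"}
	if client != nil {
		cfg.Certificates = []tls.Certificate{*client}
	}
	return cfg
}

// Handshake runs one session over loopback and returns the client CommonName the
// server verified. A TLS 1.3 client finishes before the server checks its
// certificate, so a rejection surfaces on the first read rather than on Dial.
func Handshake(srv, cli *tls.Config) (string, error) {
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srv)
	if err != nil {
		return "", err
	}
	defer ln.Close()
	go func() {
		if c, err := ln.Accept(); err == nil {
			defer c.Close()
			if tc := c.(*tls.Conn); tc.Handshake() == nil {
				_, _ = c.Write([]byte(tc.ConnectionState().PeerCertificates[0].Subject.CommonName))
			}
		}
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		return "", err
	}
	defer conn.Close()
	buf := make([]byte, 256)
	n, err := conn.Read(buf)
	return string(buf[:n]), err
}
```

The property to carry over to a real Gateway/DPM pair is on the server side: the DPM host must require and verify the client certificate rather than merely request it, and the Trust Certificate imported into CloudLink Center must chain to the certificate the DPM host actually presents, otherwise one of the two directions of the mutual authentication is silently missing.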

Results

The CloudLink Gateway was configured properly and connected successfully to RSA DPM. SecureVSA confirmed this by logging an entry in the CloudLink Center action log.


Figure 17: Action Log Confirming Successful Configuration of RSA DPM as key store

In the RSA DPM management console, SecureVSA was listed as one of its managed clients (Figure 18).


Figure 18: SecureVSA Listed as Managed Client in RSA DPM Management Console


CloudLink key information was available in RSA DPM (Figure 19).

Figure 19: CloudLink Key Information Displayed in RSA DPM Management Console

Conclusion

Data encryption provides a high degree of data security, confidentiality and privacy protection, and is mandated for many industries. A myriad of industry-specific security standards require encryption. These include standards for the federal government such as Federal Information Security Management Act (FISMA) Certification and Accreditation (C&A) and FedRAMP; Basel III, the Federal Financial Institutions Examination Council (FFIEC) and the Office of the Comptroller of the Currency (OCC) for banking; the Health Insurance Portability and Accountability Act (HIPAA) and the Health Information Technology for Economic and Clinical Health Act (HITECH) for healthcare; and the Federal Energy Regulatory Commission (FERC) and North American Electric Reliability Corporation (NERC) for select critical infrastructure. Some requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley (SOX) and the European Union Privacy Directive, affect a broad range of organizations.

Furthermore, the shift from the traditional silo-based enterprise data center to cloud-based converged infrastructure creates new requirements for data encryption software. Encryption software needs to support virtualized environments natively: it must understand virtualization abstractions and navigate the virtualized components. More importantly, it also needs to support multi-tenant deployments in which multiple user datastores or application entities are hosted within a single converged infrastructure, where data isolation and encryption are of paramount importance.

SecureVSA, combined with RSA DPM and VCE Vblock Systems, provides a well-integrated and pre-tested solution to meet these requirements. The solution offers enterprises and service providers the following advantages:


• Native support of multi-tenant virtualized cloud environments, with data-at-rest encryption throughout data centers and cloud environments
• Agentless implementation supporting all guest operating systems and applications, eliminating the deployment, upgrade and administration challenges associated with security software installed in VMs
• Interoperation with RSA DPM, simplifying enterprise-scale key management

SecureVSA on Vblock Systems reduces complexity and alleviates concerns when implementing data encryption in a virtualized converged infrastructure, so that enterprises and service providers can focus on their core business, making Vblock Systems cloud infrastructure easier and simpler to manage, with a lower cost of ownership.

For More Information

For more information about SecureVSA, go to http://www.cloudlinktech.com/products/cloud-security-management/cloudlink-overview/
For more information on Vblock Systems, go to http://www.vce.com/vblock.
For more information on EMC RSA Data Protection Manager, go to http://www.emc.com/security/rsa-data-protection-manager.htm
For more information on Intel AES instructions, go to http://software.intel.com/en-us/articles/intel-advanced-encryption-standard-instructions-aes-ni

Contact us for more information

CloudLink Technologies: Phone +1 (613) 224-5994 | Email [email protected] | Web cloudlinktech.com