Datrium The Only Convergence Platform to Achieve FIPS 140-2 Cryptographic Certification

Datrium’s Blanket encryption is already an industry first, providing software-based (without hardware dependencies) end-to-end encryption. Datrium’s client software runs as part of the hypervisor and is uniquely able to provide a cluster-wide encryption domain with full data services, such as compression, de-duplication, and erasure coding.

The encryption covers ESXi, Red Hat Enterprise Virtualization and CentOS KVM host RAM buffers, the host SSDs, the data nodes’ HDDs and SSDs, the data in-flight between hosts and data nodes, and also the data stored in the data nodes’ NVRAM.

Protecting data-at-rest has become a top priority for organizations. However, despite growing awareness, encryption of data in-flight is consistently overlooked. Nowadays, given the widespread use of IP network protocols, in-flight data is most vulnerable to perpetrators who can tap into network connections; security measures for data in storage come to nothing if in-flight data is not safeguarded as well.

Datrium’s encryption uses the FIPS 140-2 AES-XTS-256 military-grade crypto algorithm and leverages the Intel Intelligent Storage Acceleration Library (Intel ISA-L) with the Intel AES new encryption instruction set (Intel AES-NI), which can provide a <5% performance hit in the worst-case scenario. Because software-defined storage stacks use host CPU cycles to deliver services, it is essential that the performance impact is minimized.

NIST and CMVP

Datrium is now certified by NIST (National Institute of Standards and Technology) and the Cryptographic Module Validation Program (CMVP). The CMVP validates cryptographic modules to Federal Information Processing Standards (FIPS) 140-2, Security Requirements for Cryptographic Modules, and other FIPS cryptography-based standards. Federal agencies accept the modules approved as conforming to FIPS 140-2. Learn more about it here on the NIST website.

Certificate #3079

With this certification, Datrium becomes the first and only converged or hyperconverged platform with a cryptographic module officially certified by NIST for FIPS 140-2. Furthermore, a quick search on the NIST website shows all supported FIPS algorithms and also the extent of the test configurations, including x86, AIX and ARM platforms.

FIPS 140-2 is also required to achieve compliance with the HIPAA standard to protect Healthcare PHI data. Furthermore, Datrium encryption satisfies regulatory requirements for government agencies, banking, financial, and G2000 enterprise customers who consider data security solutions.

For more information and for the implementation details, read the white paper on Datrium Blanket encryption (here).

Update: I have only considered primary storage converged solutions for my article. Upon additional search on the NIST website, I was able to find that Cohesity (secondary storage converged) is also FIPS 140-2 certified.

This article was first published by Andre Leibovici (@andreleibovici) at myvirtualcloud.net.

Datrium DVX Architecture with Devin Hamilton

We have partnered with @vBrownBag and @thectoadvisor to demonstrate the simplicity of the Datrium solution. In this video, Devin Hamilton, our Director of System Engineering, talks with Alastair Cooke about the Datrium DVX architecture and gives an overview of Open Convergence.

 

Open Convergence is really, kind of the combination of all the greatest things that SAN ever provided, all the greatest things that HCI ever provided, and none of their pitfalls. – Devin Hamilton

 

In all honesty, this is a must-watch video interview for those not yet versed in Open Convergence. Not many in the industry have the depth of knowledge and the tremendous presentation skills that Devin has.

 

This article was first published by Andre Leibovici (@andreleibovici) at myvirtualcloud.net

 

Sooner or Later, Storage Drives, Disk or SSD, will Fail!

Storage arrays and HCI systems come in all shapes and sizes with vastly different architectures tailored to a variety of use cases. One thing they all have in common is that, sooner or later, storage drives, disks or SSDs, will fail. Entire drives may become unavailable, or they may silently lose a few sectors to what are known as Latent Sector Errors (LSEs). LSEs and silent corruptions injected by faulty hardware or software are increasingly common despite built-in drive ECC.

A storage system must remain available and continue to serve data in the face of drive failures and LSEs. In our view, any enterprise storage system must tolerate the failure of at least two drives, which will most often manifest as the failure of one entire drive plus an LSE on a second drive discovered during a drive rebuild.

Datrium DVX relies on Erasure Coding during its normal operation and exposes no controls to disable EC or change the level of data protection. It does so without any performance sacrifices for workloads heavy on small random writes and overwrites.

The technical paper below describes the data protection modes in detail and how DVX with built-in Erasure Coding achieves 1.8M IOPS for 4K random writes on a system configured with 10 hard disk-based Data Nodes, which exceeds the performance of most all-flash arrays.

[click image to open paper]

This article was first published by Andre Leibovici (@andreleibovici) at myvirtualcloud.net
