Jun 04 2017

Is your data safe? A deeper look at Datrium In-Flight and At-Rest AES-XTS-256 encryption

breachlevelindex.com

I am starting to discuss some of the features and design aspects that got me enthusiastic about Datrium tech. A feature that has been driving many interesting conversations with customers is the new Blanket Encryption. First, let’s obertewind a bit.

(If you only want to find out about the product features and skip my long-winded write-up just skip the bottom of the article.)

 

Gemalto’s Breach Level Index (BLI) tracks publicly disclosed breaches across the globe, measuring their severity via a multidimensional index based on factors including the number of compromised records, the source and the type of breach. In March 2017, Gemalto released the BLI findings revealing that 1,792 data breaches led to almost 1.4 billion data records being compromised worldwide during 2016, an increase of 86% compared to 2015.

These are mind-blowing numbers!

Most security breaches exploit human frailties, and CIOs need to educate their user populations on good security practices. That said, according to Gemalto’s research, only 4.2% of breaches were “Secure Breaches” where encryption was used, and the stolen data was rendered useless.

Folks, only 4.2%!

 

Protecting data ‘At-Rest’ has become a top priority for organizations. However, despite growing awareness, encryption of data (In-Flight) as it moves across the network is consistently overlooked. Nowadays In-Flight data is most vulnerable to perpetrators that have the ability to tap into the network connections given the widespread use of IP network protocols; security measures for data in storage come to nothing if In-Flight data is not properly guarded as well.

 

Blanket Encryption

Datrium’s encryption is an industry-first, providing software-based (no hardware dependencies) End-to-End encryption WITH Data Reduction. Datrium encryption covers ESX Host RAM Buffer, ESX Server SSDs, Data Nodes HDDs and SSDs, data In-Flight between hosts and data nodes, and also data node NVRAM encryption.

Because Datrium’s FE (FrontEnd client) runs as part of the hypervisor, Datrium is the only (…and please, correct me if I’m wrong) convergence solution that provides cluster-wide encryption domain for data In-Flight and At-Rest and is still able to provide the benefits of data reduction. Data is reduced, compressed and then encrypted as soon as it is created in the host RAM before it’s written to the host flash or transmitted to the data server fully encrypted. The design leverages resources on the ESX servers for most of the work and scale in line with the architecture.

 

 

While some app-based or OS-based encryption solutions offer an In-Flight encryption capability, they eliminate all data reduction optimizations (storage or transfer over WAN) as they randomize the blocks before they can be data-reduced.

 

 

Cryptographic Protocol

Datrium’s encryption uses FIPS (validated/approved) AES-XTS-256 military grade crypto algorithm and leverage Intel Intelligent Storage Acceleration Library (Intel ISA-L) with Intel AES new encryption instructions set (Intel AES-NI), that can provide a <5% performance hit at worst case scenario.Recognizing that software-defined-storage stacks use host CPU cycles to provide such services

Recognizing that software-defined-storage stacks use host CPU cycles to provide such services is important, as there can be performance implications when enabling data services.

 

  • AES – Advanced Encryption Standard specified in FIPS 197
  • FIPS – Federal Information Processing Standard
  • XTS-AES – Mode of Operation specified in IEEE Std. 1619-2007 and approved by SP800-38E with one additional requirement on the lengths of the data units.

 

FIPS 140-2 is a requirement to achieve compliance with the HIPAA standard to protect Healthcare data. Already mandated by the U.S. Department of Defense (DoD) for encryption, FIPS 140-2 is a robust security solution that reduces risk without increasing costs.

Datrium encryption satisfies regulatory requirements for government agencies, banking, financial, healthcare and other G2000 enterprise customers who consider data security products and solutions.

 

[click to enlarge]

 

Enabling or disabling encryption is done via CLI.

datastore encryption enable [--hide-password]
dvx-01>> datastore encryption enable
New data will be encrypted. Existing data may remain unencrypted. <NEW Startup mode is unlocked.>
IMPORTANT! Datrium cannot recover the encryption password. Losing this password will mean losing access to all data in the DVX! 
The password must be at least 8 characters long.
Encryption password : mypassword
Confirm password : mypassword
Enable encryption {yes|no} [no] : yes
Encryption enabled. New data will be encrypted.
dvx-01>>

 

Approved vs. Validated

The FIPS-validated mode provides acceptable performance, but it does impose some additional CPU load on Controllers, while FIPS-approved (or fast mode) provides <5% performance degradation, but that may not be considered FIPS-validated. Both modes have no significant impact on data reduction.

> datastore encryption set –fips-mode [approved|validated]

 

Cross-Cluster and Cross-Site Replication

Datrium implements native one-click SSL/TLS encryption to secure data replication traffic between clusters and datacenters. The session encryption is selective and may be enabled on a Protection Group basis. So you only encrypt replication for VMs you deem necessary – or just allow it for everything!

When replicating between clusters the source and destination DVX data nodes have different AES-XTS-256 encryption keys. The source is responsible for decrypting the data and encrypting the resulting data stream with an SSL/TLS session key. The destination DVX data node is responsible for decrypting the data stream with the SSL/TLS session key and encrypting the result with the destination’s AES-XTS-256 encryption method. This ensures that the AES-XTS-256 encryption used by a DVX cluster is kept within the DVX.

 

.

This release supports:

  • Instant enable/disable encryption
  • Encrypt data In-Use, In-Flight, and At-Rest at a cluster-wide and full-stack levels
  • Built-in Key Manager
    • Startup unlocked (password not required on startup)
    • Startup locked (password is required on startup)
    • Rotate passwords per security policy (New Tenant Encryption Key (TEK))
  • Instant Secure Erase disk(s) using Crypto Erase
  • Enable/disable encryption with live data
  • Convert clusters from secure to non-secure (and vice-versa)

 

Important Deployment Considerations

At current release, only new data is encrypted upon turning the feature on, but some old data may also be opportunistically encrypted during backend tasks, such as maintenance processes. Additionally, an external key manager is not supported in this first release.

 

Final Thoughts

Hackers have already breached internet-connected camera systems, smart TVs, and even baby monitors. It’s is dangerous to think that they aren’t already mining your organization’s data. Independent of the preferred security approach CIOs must take action before they are the next target. Robert Mueller, ex-FBI Director once said: “There are only two types of companies: those that have been hacked, and those that will be.”

This is all heavy and concerning stuff, so I thought I would end this blog post with something a little more humorous.

 

Find more about Datrium’s Blanked Encryption here.

References

http://www.gemalto.com/press/Pages/Gemalto-releases-findings-of-2016-Breach-Level-Index.aspx
http://www.zdnet.com/article/cybersecurity-predictions-for-2016-how-are-they-doing/

 

This article was first published by Andre Leibovici (@andreleibovici) at myvirtualcloud.net.

Jun 02 2017

Top vBlog 2017 is now Open. Please Vote and Support Bloggers!

Eric Siebert has opened the Top vBlog for this year’s voting with sponsorship support from Turbonomic. This blog myvirtualcloud.net has ranked 14th place for the last four years, coming down from the 17th and 39th in years before.

All bloggers do an excellent job, using their personal time to share experiences and challenges with the broader community. I also found myself in work and technology transition, moving companies and trying to talk and demonstrate different viewpoints and technologies.

The technology datacenter world is at a major inflection point where many distinct and complimentary technologies are competing for awareness as organizations move into the public and hybrid infrastructure world, and where applications deployment models are drastically improving and reducing IT friction. It is a superb time to be in technology! If you like the content I have been publishing, please consider voting for this blog.

 

Here are a couple of my recent and favorite articles:

 

Here are a couple of the tools I have published or open-sourced:

 

[Click the button to vote]

 

 

This article was first published by Andre Leibovici (@andreleibovici) at myvirtualcloud.net.

May 29 2017

My Top Mac OS X “Must Have” Apps (Business & Geek)

A somewhat a casual blog post if compared to my usual Storage, Virtualization, and Cloud topics. My day-to-day activities involve a high degree of organization with productivity tools to manage the business side of my job, but I also need comfort and easiness when geeking out with infrastructure solutions, demos, automation and even ‘hobby’ coding.

I do not care so much about the app cost as long as it does the job well and the easiest possible way – so some apps may have a higher $ associated. I do however understand that not everyone can think or act like that.

 

Here are my Top OS X “Must Have” Apps.

What do you think? Any apps I should give a go?

 

Fantastical 2

If you are not using Outlook, Fantastical 2 is probably the best replacement for the weak OS X Calendar. The app tightly integrates with IOS and Apple Watch. I recently started using Fantastical 2, and the app is already on my favorite list because of the excellent integration with Google Calendar and its ability to work with room and resource scheduling.

 

Grammarly

Grammarly is a safe-heaven with grammar auto-correction, contextual spelling, sentence structure, and punctuation capabilities. It integrates natively with Safari and has an OS X desktop app, but is still missing native any app integration for OS X, such as Mail. Still a very useful tool for native and non-native English speakers.

 

Alfred

Alfred is probably the best replacement for OS X Spotlight, but what makes Alfred shine is its ability to execute very complex workflows that can include AppleScripts, shell scripts, Ruby or Python code. You can download hundreds of workflows being shared by the Alfred community that provides integration services with the most diverse set of OS X apps or Web Services. I have also created and published workflows to interact with Nutanix (here).

 

ScreenFlow

My go-to app whenever I need to screencast or video record a demo. I tried other tools in the past, but I like the simplicity and functionality that ScreenFlow brings to OS X. I have been using ScreenFlow for a long time, and the tool gets better with every release.

 

MailTags

I like Apple Mail for the native stack integration with OS X, but I have to agree that Mail lacks essential functionality. MailTags provides basic message tagging with keywords, projects, importance, due dates, calendar and more. You will find MailTags-related commands and information in contextual menus, Message Attribute submenu, Preferences, and even in the drop-down menu from the search field, which will suggest categories such as keywords and projects when you start typing. I cannot operate Apple Mail without MailTags.

 

MailButler

I have recently included this Mail plugin in my list. MailButler brings Gmail-like features to Mail, like contact photos with Social Media profile search, emojis, and reminders to add an image or attachment if you have mentioned one in a message. When you attach large files, MailButler automatically uploads them to the cloud and links them in your message. The Professional version adds scheduling (so your emails get delivered at the optimal time), tracking (so you know if your email got opened), follow-up reminders and much more. Not cheap, but helps with my productivity.

 

CleanMyMac

There are many free and paid tools out there to keep your Mac tidy. I like CleanMyMac as it has been working great for me for a long time. It is simple and does a good job removing garbage, completely uninstalling apps, running maintenance scripts, letting me manage all installed extensions and much more. Useful!

 

Docker

The new Docker for OS X has become my test bed whenever I need to deploy or test a Linux app. For me, Docker is replacing Fusion and VirtualBox whenever possible. It does require some prior knowledge to operate given the CLI-based commands, but once you learn it, there’s no way back. Optionally, you may also download Kitematic for the visual experience, but at this time the functionality is somewhat limited.

 

Sublime

If you code you need an IDE, and for me, Sublime Text Code Editor is the go-to tool. Sublime provides Autocompletion, Syntax Highlight, Code Folding, Customizability, Powerful Search, and Simultaneous Editing. Given it is maturity, Sublime has hundreds, maybe thousands, of existing plugins for all the critical languages. Exclusively for Python, I always use the Anaconda plugin that transforms sublime into a rich featured Python development stack that also ensures the quality and style of the code. It may not be the best Text Code Editor for a single language, but certainly the all-in-one tool for someone like me.

 

Evernote

By now everyone should be familiar with Evernote. I use for personal journaling and archival, but the tool has become indispensable in my apps library. Evernote allows you to capture a note or memo in any format (web clip of a product or service review for reference, a photo of a business receipt, audio file, or text meeting or handwritten notes) and make it accessible and searchable on virtually any mobile device, on the web, or laptop. They also have collaboration tools, but I do not use. That said, their PDF text search is what keeps me going back.

 

Other honorable mentions:

– VMware Fusion (for Virtual Machines)
– Filezilla (easy FTP)
– MS Office (sure, there’s no real OS X alternative to Office)
– Eclipse (yeah, I still use it for Java)
– Moom (manage your OS X windows)
– iTerm (replacement for Terminal)
– Zoom.us (powerfull replacement for WebEx)

 

This article was first published by Andre Leibovici (@andreleibovici) at myvirtualcloud.net.

Older posts «

» Newer posts