Bloombase Spitfire StoreSafe Storage Security Server
Bloombase Technologies
Bloombase Spitfire
StoreSafe Storage
Security Server
Bloombase Spitfire
KeyCastle Key
Management
Server
Bloombase
Spitfire SOA
Security Server
Bloombase
Keyparc
Bloombase Spitfire
Message Security
Server
Bloombase Spitfire
Identity Security
Server
Bloombase Spitfire
Edge Security Suite
Overview
Enterprise Data At-Rest In Risk
Sensitive data are stored
in clear-text in storage
systems with minimal
access control vulnerable
to core attacks
Hosts and applications
require data access in
plain
How StoreSafe Protects Your Data
On-the-fly non-
disruptive
application
transparent
encryption and
unencryption
Proxy
Bump-in-the-
wire
Why Traditional Methods Are Inadequate
File encryption utilities – mcrypt, ccrypt, zip
– Only for static files, not for dynamic files, e.g. database
Database encryption tools – Oracle crypto package
– Tremendous 2nd development efforts at database tier
– Huge performance impact, not for business intelligence
Crypto tools – openssl, JCE, Microsoft capicom, HSM
– Very steep learning curve
– Tremendous 2nd development efforts at application tier
– Not for business intelligence applications
Security = High cost + SkillN +Slow + Instability + Insecure
StoreSafe Benefits
Secures operational data in databases
Protect backup/offsite/remote data from electronic and
hardware theft
Meet IT governance compliance requirements
Assure digital corporate assets integrity
Protects websites from deface and assure data integrity
Enforce effective change management
High ROI – lawsuits and worst, bankruptcy
Low TCO - One solution for all applications
StoreSafe Benefits
Management
Immediate regulatory compliance
Hardware and software independent
Application transparent
On-the-fly encryption/decryption
No programming required
No application changes
No user behavior changes
OS independent
Hardware independent
Functions and Features
Transparent Encryption and Unencryption
Fully automated data
encryption and
unencryption for
authorized clients
On-premises: SAN,
NAS, DAS, CAS, Object
Store, etc
Cloud: RESTful
Features
StoreSafe virtualizes physical storage systems
Virtual storage sub-system created providing
trusted/decrypted/verified replica of physical storage
Supports SAN, DAS, NAS, CAS and cloud storage
Data protection
– Access control
– Privacy
– Integrity
Features
Level of protection
– Disk / Block
– File
– Object
Hardware and software independent
Application transparent
On-the-fly encryption/decryption/watermark verification
Features
No programming required
No application changes
No user behavior changes
File-system independent
– Works with all file-system types supported by the OS
Entensive OS support
Application independent
– Works with virtually all applications
Features
Plug-in architecture for future cipher upgrades
Web-based management console
NIST FIPS 140-2 validated cryptographic module
PKCS#11 hardware security module support
Chinese National OSCCA crypto module support
Industry Proven Security
Industry standard cipher algorithm support
Regional and special cipher support
IEEE 1619 compliant
OASIS KMIP support
NIST FIPS 140-2 validated
Security Accreditations
Security
– NIST FIPS 140-2 validated
(NIST Certificate #1241)
Algorithms
– NIST FIPS-197 AES encryption and decryption (NIST Certificate
#1041)
– RSA and DSA public key cryptography (NIST Certificate #496)
– SHA hash generation (NIST Certificate #991)
– Hash Message Authentication Code HMAC (NIST Certificate #583)
– Random Number Generator (NIST Certificate #591)
Security Accreditations
Algorithms
– NIST FIPS-46-3 3DES encryption and decryption
– NTT/Mitsubishi Electric Camellia encryption/decryption
– DES, RC4, RC2, CAST5 encryption and decryption
– 512, 1024 and 2048 bit public key cryptography
– MD5 hash generation
Standards
– IEEE 1619 storage in security
Unified Storage Support
Block storage
based, file based,
object based
FCP, FCoE, iSCSI
NFS, CIFS
HTTP, WEBDAV
RESTful cloud
Unified Storage Support
Fiber Channel Protocol (FCP)
Small Computer System Interface (SCSI)
Internet SCSI (iSCSI)
Network File System (NFS)
Common Internet File System (CIFS)
File Transfer Protocol (FTP)
Hyper Text Transfer Protocol (HTTP)
Representational State Transfer (REST)
Storage System Support
Storage Area Network (SAN)
Network Attached Storage (NAS)
Direct Attached Storage (DAS)
Just a Bunch Of Disk (JBOD)
SCSI-based local disk arrays
Content Addressable Storage (CAS)
Cloud storage
Object storage, etc
Proprietary Object and Cloud Storage Support
EMC Atmos
EMC Centera
Microsoft Windows Azure
Amazon Elastic Block Store (EBS)
IBM Cloud
Caring CAStor / Dell DX Object Storage, etc
File System Support
File system independent
Raw / Uncooked
Solaris UFS
Symantec Veritas VxFS
IBM JFS
HPFS
Red Hat GFS
XFS
Linux Ext3
Windows NTFS, FAT32 and FAT
CDFS, etc
Database Support
Supports all database systems
Oracle
IBM DB2
IBM Informix
Sybase
Microsoft SQLServer
MySQL
Hadoop, etc
Application Support
Native Java client library
Native C client library
Java RMI connectivity
Web Services connectivity
Socket connectivity, etc
Appliance Platform Support
Hardware architecture
– Intel x86-based
– Intel Itanium-2
–AMD64 based
– IBM PowerPC based
Appliance operating platform
– Bloombase SpitfireOS
Operating Platform Support
IBM AIX
IBM z/OS
IBM i5/OS
HP-UX
Oracle Sun Solaris
Linux
Windows
Mac OS X, etc
Virtual Platform Support
VMware ESX, ESXi, Server
Red Hat KVM
Citrix XenServer
Oracle VirtualBox
Microsoft Hyper-V
IBM PowerVM, etc
Compute Cloud Platform Support
EMC Atmos
Windows Azure
Amazon Elastic Compute Cloud (EC2), etc
Key Management
Stored separately from
encrypted information
Key vault protected by
AES-256 strong
encryption
Supports 3rd party
PKCS#11 HSMs and
KMIP-compliant key
managers
Host Security and Access Control
User-based
authentication: LDAP,
MSAD, Kerberos,
CHAP
Host-based
authentication:
network address,
LUN mask
High Availability
Spitfire High Availability Module to provide
– Automated failover of nodes or load-balancing
– Cluster monitoring
– Cluster management
– Configuration synchronization
Spitfire Quorum Server to strengthen robustness of Spitfire cluster and avoid potential split-brain scenario
Management
Web-based and CLI
management consoles
Privilege-based
administrator access
control
Separation of duties
(SoD)
Recovery quorum
Operator smart tokens
Network Management
SNMP (v1, v2, v3)
Syslog
Windows Event Monitor
Audit trail
Log viewer and export
Dashboard
Audit Trail and Logging
Customizable system log
Full storage access audit trail
Web-based management console accessible
Log export and digital signing
2005-02-20 20:23:47,798 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,801 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,804 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,807 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,810 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,812 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,815 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:23:47,875 DEBUG audit.storesafe - read file : /mnt/storesafe/vs0\Movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:24:56,751 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/, from : /192.168.1.30, by : demo1
2005-02-20 20:24:58,263 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/Movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:28:32,729 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/Movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:30:20,340 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/, from : /192.168.1.30, by : demo1
2005-02-20 20:30:21,621 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/Movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:30:38,467 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/Movie_0001.wmv, from : /192.168.1.30, by : demo1
2005-02-20 20:30:57,152 DEBUG audit.storesafe - open file : /mnt/storesafe/vs0/Movie_0001.wmv, from : /192.168.1.30, by : demo1
Product Editions
StoreSafe appliance with built-in SpitfireOS
StoreSafe QEMU OVF-compliant virtual appliance
StoreSafe for Windows
StoreSafe for Linux
StoreSafe for IBM AIX
StoreSafe for HPUX
StoreSafe for Solaris
Specifications
Maximum number of CIFS servers/shares: no definite
limit
Maximum number of NFS servers/shares: no definite
limit
Maximum number of iSCSI targets: no definite limit
Maximum number of SAN LUNs: no definite limit
Maximum number of RESTful service endpoints: no
definite limit
Technology In Depth
Inside StoreSafe
Application, server and storage
transparent
Automated encryption
Turnkey and immediate
regulatory compliance
Scale-up and scale-out
Cost-effective
High availability ready for
mission critical applications
Storage Cryptography Transparency
Extract payload from storage
commands (SCSI, NFS,
REST, etc)
Encrypt/decrypt/verify
storage contents on-the-fly
and recompose crypto-
processed commands
Why Now Not Earlier?
Advancement in solid state and network technologies
Network speed far excels storage speed
Multi-core processors
Multi-processor systems
High-performance computing systems
Ready For Giga/Tera/Petabyte Data?
Storage network access
protocols
Block based rather than file
based
Random access rather than
sequencial
On-demand
encryption/decryption
Not giga/tera/peta-byte but
kilo/byte!!!
Modular Pluggable Cipher Architecture
Pluggable cipher architecture for future cipher upgrade
User-Customed cipher support
Out of the box ciphers - AES, 3DES, DES, Twofish, Blowfish,
RC2, RC4, RC5, RC6, Camellia, SEED, ARIA, etc
Adaptive Block-based Encryption
Random accessible
On-demand block-based data encryption/decryption
User-defined block size for I/O optimization
Enterprise applications access storage block-by-block to
reduce I/O overheads and latency
Some applications (e.g. Oracle) allow user to configure
data unit size to boost application performance
User customizable unit of encryption size
Round Trip Reduction
Encryption block size smaller than application unit of access
I/O round trips
Cipher re-initialization
Payload Reduction
Encryption block size larger than application unit of access
Encrypt and un-encrypt more than needed
Use Cases
Share/File-based Encryption
StoreSafe appliance with
network interface cards
(NIC)
Transparent file encryption
for NFS, CIFS, WebDAV,
FTP, etc
Protocol conversion
iSCSI Block-based Encryption
StoreSafe appliance with iSCSI
host-bus adapters (HBA),
converged network adapters
(CNA) or simply NIC
Transparent block storage
encryption for iSCSI targets
StoreSafe virtual storage
presented as iSCSI targets
Fiber Channel SAN Block-based Encryption
StoreSafe appliance with fiber
channel (FC) host-bus adapters
(HBA)
Transparent block storage
encryption for LUNs of SAN
targets
StoreSafe virtual storage
presented as FC targets
Object-based Encryption
StoreSafe appliance with network
interface cards (NIC)
Transparent object encryption for
RESTful object store, cloud
storage and content addressable
storage (CAS)
Protocol proprietary object store
including EMC Atmos, Dell DX, etc
Product Roadmap
StoreSafe Product Roadmap
Questions? Comments?
Conclusion
Protect Your Corporate Data
– Protect your customers
– Corporate governance
Implement Data Protection
– Access Control
– Digital Asset Encryption
Your Action Items
Review your corporate perimeter security measures
Identify your enterprise data
Classify your enterprise data into levels of security
Devise an encryption strategy based on the
classification
Evaluate impact to users and applications
Implement hassle free transparent protection to your
corporate storage and message systems