Why is data security so important at the edge?

Click here to download this solution brief in PDF format.

The need for data security has never been more important due to the negative impact security breaches can have on an organization – such as point-of-sale malware attacks, leaked credit card payment details and ransomware attacks. In some cases, these incidents have resulted in hefty fines and financial penalties for the companies involved. Couple that with the need to comply with government regulations such as HIPAA, GDPR, SOX and PCI DSS, and securing data quickly jumps to the top of most IT departments to-do list.

Most large organizations that have enterprise-class datacenters are focused on data security at these locations because there is so much data at risk. However, edge computing locations like retail stores, branch offices, factories, warehouses and even oil rigs may not get the same level of attention. These smaller locations typically don’t have the same levels of physical security – servers are often kept in unsecure rooms or closets, under a desk or even right in the middle of a factory floor, making it easier to access the data or steal the servers. Data security is often overlooked at the edge, and this is exactly the problem that StorMagic and Fornetix are focused on solving.

StorMagic SvSAN

StorMagic SvSAN removes the need for a physical SAN in some of the world’s most demanding environments by converting the disk, flash and memory of two servers into a virtual SAN. SvSAN coupled with a hypervisor (VMware, Microsoft or Linux KVM) and any server hardware creates a hyperconverged solution that is perfect for large organizations with thousands of sites and companies running SME datacenters that require a highly available, two-server solution that is simple, cost-effective and flexible. SvSAN’s StorSecure encryption feature encrypts data in-flight before being written to disk, using military-grade, FIPS 140-2 compliant algorithms. Additionally, it is KMIP-compliant, allowing third party KMS solutions to be used, such as Fornetix Key Orchestration, which has been fully tested and verified with SvSAN and StorSecure.

Fornetix Key Orchestration KMS

Fornetix Key Orchestration is an enterprise encryption key management solution that enables a unified approach to data security by deploying and enforcing encryption across an entire organization. This unification allows for centralized storage and control for all encryption keys across all types of environments; whether it’s on premise storage, virtualized, or cloud. Through a robust and extensive API and a dedication to industry standards, Fornetix is built on interoperability. When paired with the ability to scale to millions of keys, Key Orchestration ensures seamless integration with organizations today and provides the ability to grow with them in the future.

Fornetix KMS Cluster

What are the benefits of the StorMagic/Fornetix Data Encryption Solution?

Simple to use – 100% software approach that encrypts data before writing to disk and seamlessly integrates with key management servers.

Cost-effective – Eliminates the need for operating system or hypervisor-level encryption. No special self-encrypting disk drives, RAID cards or hardware acceleration cards required.

Flexible – Choose to encrypt all or only selected volumes of data, and have rich features like secure erase, rekey and Predictive Storage Caching, typically found only in datacenter class encryption solutions.

Highly secure – Meets the most strenuous security requirements demanded by vertical industries such as healthcare, government, finance and others. SvSAN’s StorSecure encryption feature is FIPS 140-2 compliant through OpenSSL XTS-AES-256 bit encryption and meets HIPAA, PCI DSS, SOX and EU GDPR compliance requirements. All data is encrypted on the drives and in-flight between storage caching tiers and highly available clustered servers.

How does it work?

Step 1: Establish a trust relationship between Fornetix KMS and SvSAN

Using Fornetix Key Orchestration Server user interface, create SvSAN clients so keys can be provided and managed for SvSAN.

Step 2: Create an encrypted volume or encrypt an existing volume

When a volume is selected for encryption, SvSAN will request a pair of symmetric 256-bit AES encryption keys to be created and activated from the Fornetix Key Orchestration KMS.

Two keys are required as the XTS-AES cipher actually requires a 512-bit key – the two 256-bit keys provided by the KMS are concatenated together to form a 512-bit key.

Each volume will have its own pair of encryption keys.

For a mirrored volume, the same encryption keys are used for both sides (plexes) of the mirror.

Step 3: The KMS returns encryption key identifiers to SvSAN

Step 4: SvSAN obtains the encryption keys using the identifiers

The keys are not persistently stored by SvSAN, they only reside in memory, for security reasons. If SvSAN is rebooted then the keys need to be retrieved from the KMS.

Inability to retrieve the keys from the KMS will mean that the data is inaccessible.

Step 5: The keys are used to encrypt/decrypt the data

When data is written to the volume the XTS-AES cipher uses the keys to encrypt the data which is then written to disk.

When writing data to mirrored volumes, the user data that is synchronously mirrored between the VSAs will also be encrypted.

When data is read from the volume the XTS-AES cipher uses the keys to decrypt the data which is then returned to the application.

More information

Fornetix Key Orchestration has been extensively tested alongside SvSAN and a dedicated integration guide has been written to enable simple, straightforward joint implementation of the two solutions. The integration guide is included as part of the SvSAN manual, which can be accessed in full at stormagic.com/manual/

For more information on StorSecure, SvSAN’s integrated encryption and key management feature, visit: stormagic.com/storsecure or contact the StorMagic team who will be happy to answer any questions: [email protected].

Click here to download this solution brief in PDF format.