Data encryption

Content

  • Executive summary
  • Data Security Requirements
  • Solution
  • Conclusion
  1. Executive summary

The benefits of networked data storage technologies such as network-attached storage (NAS) are well established, but storing an organization's data on a network creates significant security risks.

Technologies like NAS and backup tapes can aggregate data for storage, improving scalability, manageability and access to critical data while dramatically reducing the overall cost of storage. In addition, storage networking can simplify the process for enterprises to implement comprehensive disaster recovery procedures.

However, data in a networked storage environment is more vulnerable to unauthorized access, theft, or misuse than data in traditional direct-attached storage.

Aggregated storage is not designed to separate the data it holds, so data from different departments or divisions ends up mixed together. Data replication, backups, off-site mirroring and other disaster recovery techniques multiply the number of copies that exist, and with them the risk of unauthorized access from both inside and outside the enterprise. Granting partners access through the firewall for legitimate business needs adds further exposure. For storage networks, a single security breach can threaten the data assets of the entire organization.

Technologies such as firewalls, intrusion detection systems (IDS) and virtual private networks (VPNs) protect data assets by securing the perimeter of the network. These perimeter controls are important in their own right, but they do not adequately protect storage: the data at the core of the network stays exposed to insiders, who are already behind the perimeter, and to outsiders once the perimeter is breached. When that happens, whether through stolen passwords, uncaught malware or simple misconfiguration, the data assets are completely exposed.

  2. Data Security Requirements

Corporate information is one of a business's most valuable assets. Adequate security measures are required to prevent unauthorized access to and misuse of this data, and regulations increasingly demand them. nwStor's Encryption Appliance is a data encryption and access control solution that provides comprehensive security for organizations of all sizes, protecting local and remote sites efficiently and cost-effectively.

  3. Solution

nwStor's iSav storage security appliance lets you protect data across the organization without affecting ongoing operations. iSav combines storage encryption, file access control, user authentication and security logging to protect sensitive data on your storage devices, including cloud storage. Sensitive data on network file servers and NAS devices is locked by iSav with AES-256, the strongest widely adopted industry encryption standard. Security is further strengthened by assigning a unique encryption key to each file. Encryption and decryption are performed efficiently and transparently in hardware. All encryption keys and the associated metadata are themselves encrypted before being saved to cloud storage and key management servers, so iSav can be restored anywhere in the world if a disaster strikes the local site.

iSav is a hardware-based data encryption system. Deploying iSav is as easy as installing a network router. A single unit centrally manages and protects all files stored on NAS devices and file servers on the corporate network, while authorized users continue to access data (write, read and delete) as usual. All files are encrypted and decrypted transparently by iSav as the data passes through it. iSav sits in the data path between the client or host and the storage device, either inline or attached to a switch.

iSav does not store data: it accepts data from the client or host, encrypts it with AES and sends it on to storage. When an authorized user or application requests data, iSav authenticates that user or application, retrieves the data from storage, decrypts it and returns it at wire speed. iSav works in file-based network storage environments, keeping stored data secure without changing user or application workflows.

Figure 1 illustrates a simple high availability deployment in a file server (NAS) environment.

By encrypting data and routing all access through secure hardware, iSav makes it easier for organizations to control and track data access. Encryption effectively blocks backdoors to all data—protecting sensitive information on disk or tape from theft or misuse. Even if an unauthorized person gains access to the media, all they see is meaningless characters. When implemented correctly, encryption is a powerful tool that can greatly simplify data security.

But not all encryption is created equal. When evaluating encryption technologies, organizations should consider the following capabilities:

3.1 Performance

One of the advantages of dedicated hardware for encryption is its performance. Strong encryption is computationally expensive, and traditional software-based encryption is slow and cumbersome to roll out. By contrast, iSav appliances can be inserted into existing infrastructure within hours without taking data offline. iSav's encryption and decryption throughput exceeds 4 GB per second, easily keeping up with Gigabit Ethernet storage networks, and its port-to-port latency is as low as 50-100 microseconds. Depending on the required security and throughput, iSav can be placed at various points in the network. Since many storage networks do not saturate a 2 Gigabit link, one iSav can serve multiple hosts and multiple storage devices simultaneously. iSav appliances can be deployed in an active-active cluster for availability and failover, and additional appliances can be added to handle higher throughput needs. These are vendor figures; validate them against your own file sizes and access patterns before sizing a deployment.

3.2 Transparency

iSav is designed to protect data while protecting existing infrastructure investments.

The system integrates seamlessly with databases, mail servers, storage management, backup and other applications on servers running a wide variety of operating systems, in any storage environment. Because iSav speaks the native CIFS and NFS protocols, no software or agents are required on either the application host or the client side, which makes the appliance easy to install and support. iSav also coexists with existing security technologies such as firewalls, authentication schemes, IDS and VPNs.

Comparison with software solutions

Software and database encryption solutions are operating-system dependent. They must be integrated into each client or application, and every application or operating-system upgrade risks breaking or weakening the protection. Because iSav uses the native protocols of the storage environment, it works with all operating systems, applications and versions, providing greater security and flexibility.

3.3 Security

While performance and ease of implementation are important, perhaps the most important consideration for an encryption and access control solution is the security of the system itself.

AES-256 encryption standard: iSav uses hardware AES-256 encryption, a very strong standard that the US government has approved for protecting top-secret information. iSav has a built-in hardware random number generator (RNG), so all generated keys are truly random.

Unique key per file: each file is encrypted with its own key for maximum security, which limits what an attacker gains by breaking or stealing any single key. When an encrypted file is deleted, iSav also deletes the corresponding encryption key, so the deleted file cannot be recovered from the media. This crypto-shredding is only as complete as the key deletion: the archived copies of that key described in 3.4 and 3.5 must be destroyed too, or a backup of the ciphertext remains recoverable.

3.4 Disaster recovery

All encryption keys, configuration data and metadata are encrypted and backed up to cloud storage, so in the event of a disaster iSav can be recovered anywhere in the world. Every file stored in the cloud is protected with strong encryption before the data is sent, so no cloud data center administrator can gain access to your sensitive data.

3.5 Key Management

Secure and efficient key management is critical when encrypting data that may be stored for months or years. Key management has been a weakness of traditional encryption systems, which require users or administrators to keep track of this important and highly sensitive material. Worse, keys are often stored in clear text on general-purpose operating systems, where they are easy to compromise. iSav replaces this with a layered key management system that removes the complexity usually associated with encryption while ensuring that keys are fully protected and data can be recovered regardless of location. Data is encrypted at the file level with a file key, so two identical documents produce different ciphertexts. Each Cryptainer vault has its own encryption key, so aggregated storage can be cryptographically partitioned. Finally, these keys are wrapped in an extra layer of AES-256 encryption so that they can be safely backed up outside of iSav.

Figure 2 shows the automatic archiving of encryption keys to a key server and their backup to cloud storage or NAS.
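The key hierarchy that 3.3 and 3.5 describe (a fresh key per file, a key per Cryptainer vault, both wrapped under a further AES-256 layer for backup, key destruction on file delete, and recovery from the archive plus the appliance's own key) is the part of any encryption appliance a buyer should ask to see demonstrated. The Go program below is an added example written for this page; it is not nwStor's code and does not describe how iSav is actually implemented. It models the hierarchy as three levels of AES-256-GCM envelope encryption, with crypto/rand standing in for the hardware RNG; the type names, the "vault:" and "file:" AAD labels, and the choice of GCM for key wrapping are assumptions made for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

type ( // assumed hierarchy: master key -> one key per vault -> one key per file, all 32-byte AES-256 keys
	blob       struct{ Nonce, CT []byte }      // AES-256-GCM output; CT carries the 16-byte tag
	storedFile struct{ WrappedKey, Body blob } // file key sealed under the vault key; contents under the file key
	vault      struct {
		WrappedKey blob                   // vault key sealed under the master key
		Files      map[string]*storedFile // what sits on the NAS: ciphertext only
	}
	Appliance struct {
		master []byte            // never leaves the appliance or key server
		Vaults map[string]*vault // safe to archive off-site; archive plus the saved master key is the DR path
	}
)

func randomBytes(n int) []byte { // stands in for the appliance's hardware RNG
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a bad key length gets here, and every key in this program is 32 bytes
	}
	g, _ := cipher.NewGCM(block) // NewGCM cannot fail for an AES block
	return g
}

func seal(key, plaintext, aad []byte) blob { // fresh 96-bit nonce; aad ties the ciphertext to its owner's name
	nonce := randomBytes(12)
	return blob{nonce, gcm(key).Seal(nil, nonce, plaintext, aad)}
}

func open(key []byte, b blob, aad []byte) ([]byte, error) {
	if len(b.CT) == 0 {
		return nil, errors.New("key material has been shredded")
	}
	return gcm(key).Open(nil, b.Nonce, b.CT, aad) // fails on a wrong key, a wrong AAD or tampering
}

// CreateVault mints a vault key and stores it sealed under the master key.
func (a *Appliance) CreateVault(name string) {
	if a.Vaults == nil {
		a.Vaults = map[string]*vault{}
	}
	a.Vaults[name] = &vault{seal(a.master, randomBytes(32), []byte("vault:"+name)), map[string]*storedFile{}}
}

func (a *Appliance) vaultKey(name string) ([]byte, error) {
	v, ok := a.Vaults[name]
	if !ok {
		return nil, errors.New("no such vault")
	}
	return open(a.master, v.WrappedKey, []byte("vault:"+name))
}

// Put encrypts one file under a fresh per-file key; only ciphertext and the sealed key are stored.
func (a *Appliance) Put(vaultName, path string, data []byte) error {
	vk, err := a.vaultKey(vaultName)
	if err != nil {
		return err
	}
	fk := randomBytes(32) // unique key per file: identical documents yield different ciphertexts
	a.Vaults[vaultName].Files[path] = &storedFile{seal(vk, fk, []byte("file:"+vaultName+"/"+path)), seal(fk, data, []byte(path))}
	return nil
}

// Get unwraps master key -> vault key -> file key, then decrypts the file.
func (a *Appliance) Get(vaultName, path string) ([]byte, error) {
	vk, err := a.vaultKey(vaultName)
	if err != nil {
		return nil, err
	}
	f, ok := a.Vaults[vaultName].Files[path]
	if !ok {
		return nil, errors.New("no such file")
	}
	fk, err := open(vk, f.WrappedKey, []byte("file:"+vaultName+"/"+path))
	if err != nil {
		return nil, err
	}
	return open(fk, f.Body, []byte(path))
}

// Delete crypto-shreds the file: its sealed key is destroyed, so Body (kept here to model a copy that survived on tape) is now unrecoverable ciphertext.
func (a *Appliance) Delete(vaultName, path string) {
	if v, ok := a.Vaults[vaultName]; ok && v.Files[path] != nil {
		v.Files[path].WrappedKey = blob{}
	}
}
```

A new appliance is `&Appliance{master: randomBytes(32)}`; the disaster-recovery path is the same literal built from the saved master key and the archived Vaults map, which by itself contains nothing but sealed keys and ciphertext. Two properties worth checking against any real product: a wrapped file key must not unwrap under another vault's key (the AAD and key separation enforce that here), and a file whose key has been shredded must stay unreadable even when a copy of its ciphertext is later restored from backup.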

3.6 Additional security features

Authentication and access control: authentication plays a key role in the security provided by iSav, ensuring that only authorized users and applications can access stored data.

n-of-m administrator authentication: to prevent a single security administrator from abusing his or her rights, iSav can require a quorum of n out of m administrators to log in before the appliance can be activated or configured.

User authentication: users must authenticate before accessing data, which prevents access to data that is not intended for them.

Security logging: iSav logs every event, action and file access, recording who accessed protected data, when, what was accessed and how. This includes all successful and failed actions by administrators and users, and the logs cannot be modified or deleted.

Easy system management: iSav provides tools that help system administrators with maintenance tasks, such as a secure remote web management interface and email notifications.

Cost-effective centralized solution: a single iSav can protect the files of multiple file servers and NAS devices without depending on a specific storage vendor, and it centrally protects files from different applications.
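The n-of-m administrator quorum above is usually realised by splitting the appliance's master key with Shamir secret sharing, so that no single administrator ever holds it and the appliance cannot be activated until enough of them present their shares. The program below is an added example, not nwStor's code and not a statement of how iSav implements its quorum: it splits a key into m shares over GF(2^8), reconstructs it from any k, and gates activation on a digest of the key so that an under-strength or tampered set of shares is rejected instead of silently producing garbage. The function names, the digest-based check and the share layout are assumptions made for the example.

```go
package main

import (
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// gfMul multiplies in GF(2^8) with the AES reduction polynomial x^8 + x^4 + x^3 + x + 1.
func gfMul(a, b byte) byte {
	var p byte
	for ; b != 0; b >>= 1 {
		if b&1 != 0 {
			p ^= a
		}
		a = a<<1 ^ (0x1b & -(a >> 7)) // shift, and reduce when the high bit was set
	}
	return p
}

// gfInv returns a^-1 = a^254 in GF(2^8); a must be non-zero.
func gfInv(a byte) byte {
	r, base := byte(1), a
	for e := 254; e > 0; e >>= 1 {
		if e&1 != 0 {
			r = gfMul(r, base)
		}
		base = gfMul(base, base)
	}
	return r
}

// Split produces m shares of secret such that any k reconstruct it (2 <= k <= m <= 255).
// Share layout: byte 0 is the x-coordinate, then one polynomial evaluation per secret byte.
func Split(secret []byte, k, m int) ([][]byte, error) {
	if k < 2 || k > m || m > 255 {
		return nil, errors.New("need 2 <= k <= m <= 255")
	}
	shares := make([][]byte, m)
	for i := range shares {
		shares[i] = make([]byte, 1+len(secret))
		shares[i][0] = byte(i + 1) // x = 0 is the secret itself, so x starts at 1
	}
	coeffs := make([]byte, k) // fresh random degree k-1 polynomial for every secret byte
	for pos, s := range secret {
		coeffs[0] = s
		if _, err := rand.Read(coeffs[1:]); err != nil {
			return nil, err
		}
		for _, sh := range shares {
			var y byte
			for t := k - 1; t >= 0; t-- { // Horner evaluation at x = sh[0]
				y = gfMul(y, sh[0]) ^ coeffs[t]
			}
			sh[1+pos] = y
		}
	}
	return shares, nil
}

// Combine interpolates at x = 0. With fewer than k shares it still returns a value, just a wrong one, which is why Activate checks a digest.
func Combine(shares [][]byte) ([]byte, error) {
	if len(shares) == 0 {
		return nil, errors.New("no shares")
	}
	seen := map[byte]bool{}
	for _, s := range shares {
		if len(s) != len(shares[0]) || s[0] == 0 || seen[s[0]] {
			return nil, errors.New("malformed or duplicate share")
		}
		seen[s[0]] = true
	}
	secret := make([]byte, len(shares[0])-1)
	for pos := range secret {
		for i, si := range shares {
			num, den := byte(1), byte(1)
			for j, sj := range shares {
				if i != j {
					num = gfMul(num, sj[0])
					den = gfMul(den, si[0]^sj[0]) // subtraction is XOR in GF(2^8)
				}
			}
			secret[pos] ^= gfMul(si[1+pos], gfMul(num, gfInv(den)))
		}
	}
	return secret, nil
}

// Digest is what the appliance records at enrolment; storing it is safe because the key is 32 random bytes.
func Digest(master []byte) [32]byte { return sha256.Sum256(master) }

// Activate is the appliance-side gate: the master key is released only when at least k
// presented shares reconstruct a key whose digest matches the one recorded at enrolment.
func Activate(k int, digest [32]byte, presented [][]byte) ([]byte, error) {
	if len(presented) < k {
		return nil, errors.New("quorum not met")
	}
	master, err := Combine(presented)
	if err != nil {
		return nil, err
	}
	if Digest(master) != digest {
		return nil, errors.New("presented shares do not reconstruct the master key")
	}
	return master, nil
}
```

Enrolment is `Split(master, k, m)` plus `Digest(master)`, after which the master key itself can be discarded from the enrolment host; each administrator keeps one share. Activation with k-1 shares fails the count check, and a corrupted or duplicated share fails the digest check, so the appliance never acts on a wrongly reconstructed key.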

  4. Conclusion

When organizations try to save money and improve access to data by implementing converged storage technologies such as file servers and NAS, and then replicate that data for backup and disaster recovery, they open the door to greater risk. Identity theft is costing companies and government agencies billions of dollars, and new privacy regulations demand greater attention to the security of stored data.

Although some common existing security technologies play an important role, they cannot adequately meet the needs of storage security. Software-based storage security solutions are slow, limited in scope, and not completely secure. nwStor provides a comprehensive solution to storage security concerns, enabling organizations to implement defense in depth. nwStor iSav is a powerful, scalable network appliance designed specifically to protect stored data. iSav enables organizations to reap the full benefits of networked storage while ensuring data remains private and secure.