Storage Vendor News
Hu Yoshida's blog
Object Storage Answers the Need for Higher Levels of Data Security
Tue, 20 Feb 2018
A November 2017 report by Scott Sinclair, Senior Analyst at Enterprise Storage Group, showed that the top factor leading organizations to deploy, or consider deploying, on-premises object storage technology is a higher level of data security.
Object storage offers tremendous advantages over a hierarchical file system when it comes to security. Object storage is designed with a single, massively flat address space, so each file or object is accessed by a unique identifier and carries its own customizable metadata. That metadata not only lets object storage scale to higher capacities than traditional file systems; it can also help meet regulatory requirements for content and records retention by designating specific content as immutable, while providing the auditing and reporting needed to verify that immutability. Object storage can find, move, manipulate, and analyze both metadata and data content in support of data security and protection.
Security is not something you can wrap around the outside of a product; it must be designed in from the beginning. Hitachi Vantara's Hitachi Content Platform (HCP) was designed and developed with security at its core. A recent white paper, Overview of Server Security and Protection for HCP, focuses on the security features built into HCP and the HCP cloud storage software to protect data access and secure communications. It is written for systems and network administrators and sets out best practices for an HCP deployment that minimizes vulnerability and threat exposure.
Security highlights include:
On-Premises or Hybrid Deployment
HCP is designed to run in the datacenter or as a hybrid cloud, where the layers of existing enterprise security processes and controls already apply. HCP then sits behind security that you designed, understand and trust, whereas a system run in a public cloud has a much broader attack surface and a one-size-fits-all security model. Running the system on-premises minimizes the risk of accidental public exposure of confidential data, provided the HCP front-end network itself is not reachable from the internet.
Multitenancy and Namespace Isolation
A single HCP system is the overall structure for managing one or more tenants, and it enforces the boundaries that keep each tenant's applications, users, and data isolated. Each tenant is a virtual object storage system with independent management and data access, bounded by the overall policies of the HCP system. Each tenant in turn has one or more namespaces, which follow policies set by the tenant and provide the mechanism for separating the data stored by different applications, business units or customers. Namespaces segregate data; tenants segregate management. This three-level structure of system, tenant and namespace gives multiple levels of access control and confines the impact of a compromise to the affected namespace.
Role-Based Access Control for Management
HCP provides role-based access control (RBAC) for administrative accounts at both the system and tenant levels. The roles are system administration, compliance, security, monitoring, search and service. An HCP administrator may hold one or more roles at the system and tenant levels, and there is no single superuser account in HCP. The boundaries between the administrative and data-access domains limit the damage a malicious user can do through a single compromised account.
Network Security Considerations
Networks are avenues for attack, so the referenced white paper goes into detail about segregating and managing network access to HCP. HCP is typically deployed behind a corporate firewall, and limiting access to the HCP front-end network remains an important part of the security strategy. Network engineers may elect to restrict port usage to the minimum set the HCP software requires; the white paper lists the ports HCP might need for operation. HCP uses Transport Layer Security (TLS 1.2) to ensure privacy and data integrity between HCP and the systems it communicates with. TLS provides data-in-flight encryption for HCP services, including system management, tenant management, RESTful API gateways, replication, and cloud tiering. HCP also operates its own internal firewall, and many ports can be enabled or disabled through HCP management; examples are port 123 for NTP and port 514 for remote syslog. Syslog can stream HCP event messages to one or more servers performing security audit functions. Note that classic syslog on port 514 is sent in the clear, so the collector should sit on a trusted management segment.
Data Access Methods
HCP supports industry-standard data access methods including Amazon S3, OpenStack Swift, WebDAV, SMB/CIFS, NFS and SMTP, as well as a proprietary REST API. When an application writes a file, HCP stores it as an object in a bucket (namespace) together with its metadata. HCP is designed for write-once, read-many (WORM) access, but a namespace can be enabled for versioning, in which case a rewrite creates a new version rather than modifying the existing one. Tenant-level administrators can restrict access by source IP address using an allow list (whitelist) or a deny list (blacklist). When HCP namespaces are cloud-optimized for access through RESTful APIs, HCP blocks all ports associated with SMTP, WebDAV, CIFS and NFS to reduce the attack surface.
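The source-IP allow/deny lists mentioned above are easy to get wrong in two ways: unclear precedence between the two lists, and an over-broad allow entry left behind after troubleshooting. The following is an added example, not HCP's code and not its documented semantics; the precedence rules (explicit deny wins, an allow list refuses everything not on it, no allow list accepts everything not denied), the `AccessPolicy` and `audit` names, and the constructed log lines are all assumptions for illustration.

```python
import ipaddress
from typing import Iterable, List, Tuple

# Constructed access-log lines for the demo (not HCP's real log format):
# the source address is the last token on each line.
SAMPLE_LOG = [
    "2018-02-20T10:15:01Z PUT /rest/invoices/4711 from 10.20.5.7",
    "2018-02-20T10:15:02Z GET /rest/invoices/4711 from 10.20.99.14",
    "2018-02-20T10:15:03Z DELETE /rest/invoices/4711 from 203.0.113.9",
    "2018-02-20T10:15:04Z GET /rest/invoices/4711 from 2001:db8::1",
]


class AccessPolicy:
    """Source-IP allow/deny lists for one tenant or namespace.

    Assumed precedence (an assumption for this example, not HCP's documented
    behaviour): an explicit deny always wins; if an allow list exists, every
    address not on it is refused; with no allow list, anything not denied
    is accepted.
    """

    def __init__(self, allow: Iterable[str] = (), deny: Iterable[str] = ()):
        # strict=False accepts entries such as 10.20.5.7/16 by masking host bits.
        self.allow = [ipaddress.ip_network(e, strict=False) for e in allow]
        self.deny = [ipaddress.ip_network(e, strict=False) for e in deny]

    def decide(self, client_ip: str) -> Tuple[bool, str]:
        ip = ipaddress.ip_address(client_ip)
        # `ip in net` is False when the address families differ, so mixed
        # IPv4/IPv6 lists need no special casing.
        for net in self.deny:
            if ip in net:
                return False, f"denied by {net}"
        if self.allow:
            for net in self.allow:
                if ip in net:
                    return True, f"allowed by {net}"
            return False, "not on allow list"
        return True, "no allow list and not denied"

    def overly_broad(self, min_prefix_v4: int = 8, min_prefix_v6: int = 32) -> List[str]:
        """Allow entries so wide that they defeat the list, e.g. 0.0.0.0/0
        pasted in during troubleshooting and never removed."""
        bad = []
        for net in self.allow:
            limit = min_prefix_v4 if net.version == 4 else min_prefix_v6
            if net.prefixlen < limit:
                bad.append(str(net))
        return bad


def audit(policy: AccessPolicy, log_lines: Iterable[str]) -> List[Tuple[str, bool, str]]:
    """Replay log lines against the policy; returns (source_ip, allowed, reason)."""
    results = []
    for line in log_lines:
        src = line.rsplit(None, 1)[-1]
        allowed, reason = policy.decide(src)
        results.append((src, allowed, reason))
    return results


if __name__ == "__main__":
    policy = AccessPolicy(allow=["10.20.0.0/16", "2001:db8::/32"],
                          deny=["10.20.99.0/24"])
    for src, allowed, reason in audit(policy, SAMPLE_LOG):
        verdict = "ALLOW" if allowed else "DENY"
        print(f"{verdict:5} {src:15} {reason}")
    print("overly broad:", AccessPolicy(allow=["0.0.0.0/0"]).overly_broad())
```

Replaying captured access logs through the policy before enabling it is a cheap way to confirm that the deny list catches the addresses you intend and that nothing you rely on (replication peers, monitoring) is about to be cut off.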
HCP uses system level user and group accounts to control access to the data, management consoles, APIs and search console. HCP validates users with any of the following authentication methods:
Remote Active Directory
Remote Keystone (OpenStack)
HCP Anywhere, Hitachi's file sync-and-share for mobile devices, can be configured to hand uploads to a corporate virus-scanning engine. The HCP repository itself does not incorporate a virus scanner, because it provides no execution environment for uploaded objects: a file or object is never opened or executed on HCP servers, so the repository cannot be infected. This protects the repository, not its clients; an infected file stored in HCP is returned unchanged to whoever downloads it, so scanning belongs at the point of ingest or retrieval, which is what the HCP Anywhere integration provides.
Ransomware and Data Protection Strategies
HCP offers several capabilities for protection against data loss, including preventing and reversing a ransomware attack (malware that encrypts data and demands a ransom for the decryption key, also known as a crypto-locker).
Objects stored in HCP are WORM (write once, read many): ingested content is never modified in place, so ransomware cannot encrypt an object after it has been written. In a namespace with versioning enabled, a rewrite produces a new version and the earlier version remains retrievable; retention and legal hold (below) are what keep an attacker with stolen credentials from simply deleting the data instead.
HCP supports the storage of multiple versions of an object to protect data from accidental deletion or to roll back accidental changes. Versioning can be enabled at the tenant and namespace level. The tenant administrator configures how long a prior version of an object is kept, and that window should be longer than the time you expect to need to detect an attack and roll back.
Retention + Legal Hold
HCP provides flexible retention capabilities to prevent accidental or malicious deletion of an object before its designated retention period expires or while it is under a legal hold.
A hash is computed for every object at ingest time and stored as metadata. This "digital fingerprint" is used to validate integrity on retrieval. A hash can only detect a discrepancy, not reconstruct the data; when one is found, HCP restores the object from another intact copy, such as a replica.
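The four protections just described (WORM writes, versioning, retention with legal hold, and an ingest-time hash checked on read and repaired from a replica) interact, and the interaction is easier to see in code. The following is an added example modelling those behaviours in memory; it is not HCP's code, and the `Namespace` and `Version` names, the exception types, the two-replica layout and the constructed invoice scenario are all assumptions for illustration.

```python
import hashlib
import time
from dataclasses import dataclass, field


class WormViolation(Exception):
    """Overwrite attempted in a namespace without versioning."""


class RetentionViolation(Exception):
    """Delete attempted while under retention or legal hold."""


class IntegrityError(Exception):
    """No replica matches the hash recorded at ingest."""


@dataclass
class Version:
    copies: list                # one bytearray per replica (assumed: two replicas)
    sha256: str                 # digital fingerprint computed once, at ingest
    retain_until: float = 0.0   # epoch seconds; 0.0 means no retention period
    legal_hold: bool = False


@dataclass
class Namespace:
    versioning: bool = False
    replicas: int = 2
    objects: dict = field(default_factory=dict)   # key -> [Version, ...]

    def put(self, key: str, data: bytes, retain_seconds: float = 0.0) -> int:
        """Ingest data; returns the index of the version created."""
        versions = self.objects.setdefault(key, [])
        if versions and not self.versioning:
            # WORM: stored content is never modified in place, so a crypto-locker
            # cannot encrypt an object that has already been ingested.
            raise WormViolation(f"{key!r} exists; in-place overwrite refused")
        versions.append(Version(
            copies=[bytearray(data) for _ in range(self.replicas)],
            sha256=hashlib.sha256(data).hexdigest(),
            retain_until=time.time() + retain_seconds if retain_seconds else 0.0,
        ))
        return len(versions) - 1

    def get(self, key: str, version: int = -1) -> bytes:
        """Return a verified version; repair corrupt replicas from a good one."""
        ver = self.objects[key][version]
        good = next((c for c in ver.copies
                     if hashlib.sha256(c).hexdigest() == ver.sha256), None)
        if good is None:
            # A hash detects corruption but cannot reconstruct data: with no
            # intact replica the only safe answer is to refuse the read.
            raise IntegrityError(f"{key!r} v{version}: all replicas fail hash check")
        for c in ver.copies:
            if c != good:
                c[:] = good                 # restore from the verified replica
        return bytes(good)

    def delete(self, key: str) -> None:
        """Remove every version, unless any is retained or on legal hold."""
        for ver in self.objects[key]:
            if ver.legal_hold or ver.retain_until > time.time():
                raise RetentionViolation(f"{key!r} is under retention or legal hold")
        del self.objects[key]


def ransomware_demo() -> dict:
    """Constructed scenario: an attacker holding write credentials tries to
    encrypt, overwrite and delete an invoice, and one replica gets corrupted."""
    original = b"Invoice 4711: amount due 1200.00"
    encrypted = b"\x8b\x12\x00garbage-from-crypto-locker"
    out = {}

    worm = Namespace(versioning=False)
    worm.put("invoice.pdf", original, retain_seconds=3600)
    try:
        worm.put("invoice.pdf", encrypted)         # encrypt-in-place attempt
        out["overwrite_blocked"] = False
    except WormViolation:
        out["overwrite_blocked"] = True
    try:
        worm.delete("invoice.pdf")                 # delete-then-extort attempt
        out["delete_blocked"] = False
    except RetentionViolation:
        out["delete_blocked"] = True

    versioned = Namespace(versioning=True)
    versioned.put("invoice.pdf", original)
    versioned.put("invoice.pdf", encrypted)        # accepted, but only as a new version
    out["prior_version_intact"] = versioned.get("invoice.pdf", 0) == original

    ver = versioned.objects["invoice.pdf"][0]
    ver.copies[0][8] ^= 0xFF                       # bit rot or tampering on replica 0
    out["repaired"] = (versioned.get("invoice.pdf", 0) == original
                       and ver.copies[0] == ver.copies[1])
    return out


if __name__ == "__main__":
    print(ransomware_demo())
```

Two points the model makes concrete: in a versioned namespace the attacker's write succeeds, so the defence is that the previous version is still there and protected by its retention window, not that the write was refused; and the hash check is only useful while at least one replica still verifies, which is why the repair path depends on the replica, never on the hash.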
Auditing and Monitoring
The system management console and the tenant management consoles display critical system events to administrators whose roles authorize them to see them.
Limiting Command Line Interface Risks
System administrators do not have command-line access to HCP systems, so organizations can credibly demonstrate regulatory compliance, auditing, and non-tampering. Everyday administration is GUI- or API-driven. System changes that require command-line access need the cooperation of both the organization's administrators and authorized Hitachi Vantara customer support. This two-party control raises the bar against clandestine manipulation by any single insider.
This post is just an overview of the Hitachi Vantara white paper referenced at the beginning. Please download the white paper for more information on the data security features of the HCP object store, and compare them with other vendors' data security capabilities when evaluating object storage options.
Object Storage Becomes Mission Critical
Tue, 13 Feb 2018
Object storage, or content addressable storage, which was once an afterthought for archiving data, has become mission critical as the explosion of unstructured data drives more of our business decisions. While core database applications with structured data still drive much of the business today, integration with unstructured data from mobile devices, the internet and other connected devices is driving a digital transformation through the cloud, big data, analytics, governance, and IoT.
All major public cloud storage providers, including Amazon Web Services (AWS), Microsoft, IBM and Google, have adopted object storage as their primary platform for unstructured data, which makes it the natural primary storage for hybrid cloud applications. Service providers see immediate benefits from object storage's flexibility and scalability over file-based approaches. As more enterprises adopt public and hybrid cloud applications, object storage with RESTful cloud interfaces and APIs gives those applications easy access to, and management of, unstructured data. Hitachi's object storage, Hitachi Content Platform (HCP), provides that flexibility and scalability from edge mobile devices, to the on-premises core, to the cloud.
Unstructured data growth is far outpacing the growth of structured data, and more enterprises are struggling to store and manage multiple petabytes of unstructured data. File systems, with their hierarchical data structures, cannot scale to meet this growth without creating multiple silos of isolated data. Backup, which multiplies the storage requirement, has also become untenable. The only way to manage this growth is a metadata-based, scale-out platform that does not depend on a particular infrastructure or location. The data will outlive the application that created it and the infrastructure where it first resides. Object storage metadata will preserve the meaning of the data, and RESTful interfaces will keep it accessible in a cloud environment. Backup can be replaced by keeping two or more replicas of the data store, provided versioning and retention keep an accidental or malicious deletion from simply propagating to every replica.
Analytics will drive more critical business decisions, but analytics is only as good as the data it analyzes. Analysts and data scientists spend 80% of their time gathering, cleansing, and curating the data that goes into their analytic models. This is where the metadata in object storage is valuable. Metadata is attached to data when it is ingested and stays with the data until it is deleted and scrubbed. The content of metadata is customizable and offers flexibility in identifying and managing the stored data. A key differentiator between object storage systems is whose metadata framework best addresses the enterprise's long-term needs. Another differentiator is the set of APIs available to analytic tools.
The metadata in object storage also facilitates data governance, especially where content awareness is needed for regulatory compliance. For instance, European Union privacy regulations give an individual the right to be forgotten, which means that all records containing their personal information must be found and deleted unless they are under legal hold. That would be difficult to do without metadata. Object storage can also provide WORM (Write Once Read Many) technology to prevent data from being modified, and Hitachi's object storage records a per-object hash that lets you verify the content has not changed since ingest.
IoT is driving even more unstructured data to improve business operations, and machine-generated data carries very little metadata. To integrate operational data into the business process, we need to address the growing issues around data management, data governance, data sovereignty, identity protection and security breaches. Object storage metadata can help with each of these.
Hitachi Content Platform's Strengths
Hitachi Vantara's Hitachi Content Platform (HCP) object storage solution has significant market traction in mission critical applications. With over 2,000 global customers, we are installed in 4 of the 5 largest banks in the world, 4 of the 5 largest insurance organizations, and 5 of the 10 largest telecom companies. We have over 14 years of experience deploying into highly sophisticated environments and satisfying the most stringent governance requirements.
Here are some analyst reports that evaluate our object storage capabilities:
Gartner Critical Capabilities for Object Storage report
GigaOm Sector Roadmap: Object Storage report
IDC MarketScape: Worldwide Object-Based Storage 2016 Vendor Assessment report
Enterprise Storage Group: Hands-On Evaluation of Hitachi Content Platform Portfolio report
If you have not yet considered Object Storage, review these reports, call our HCP representatives, and talk to our customers to see what HCP can do for your critical business needs.