Cloud controllers resolve the security issue by applying military-grade file encryption to all files stored in the cloud. The encryption keys are kept at the customer's own site to ensure complete security.
In cloud deployments, information will be transferred across the Internet. While in some cases virtual private networks may connect sites, or even the cloud, the cloud storage controller provides the utmost in protection for data in flight as well as at rest.
For example, all Panzura Quicksilver Cloud Storage Controllers ship from the factory with an RSA 2048-bit certificate. Customers may use this certificate if desired, but it is typically replaced by a customer-supplied X.509 certificate (PFX/PKCS#12, PEM, DER formats) of up to 4,096 bits.
When a cloud storage system is established, the system administrator designates the IP addresses of cloud controllers that are allowed to join the file system. Existing controllers in the file system use HMAC-SHA-256 authentication to establish a secure tunnel to the new controller and share the file system's X.509 certificate with it, encrypting the certificate in flight using AES-CBC-256.
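The join step above combines an administrator allow-list of controller IP addresses with HMAC-SHA-256 authentication. The following Go program is an added illustration of that pattern, not Panzura's code; it assumes a pre-shared join secret, a challenge-response exchange in which the existing controller issues a random nonce bound to the peer's designated IP, and single-use challenges so a captured response cannot be replayed. Names such as `JoinVerifier` and the secret value are constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"io"
)

// JoinChallenge is sent by an existing controller to the controller asking to join.
// Binding the peer IP into the challenge ties the proof to the address the
// administrator designated for that controller.
type JoinChallenge struct {
	PeerIP string
	Nonce  []byte
}

// JoinResponse is computed by the joining controller: HMAC-SHA-256 over the
// designated IP and the nonce, keyed with the shared join secret.
func JoinResponse(secret []byte, c JoinChallenge) []byte {
	mac := hmac.New(sha256.New, secret)
	mac.Write([]byte(c.PeerIP))
	mac.Write([]byte{0}) // separator so IP and nonce cannot run together
	mac.Write(c.Nonce)
	return mac.Sum(nil)
}

// JoinVerifier is the existing controller's side: the administrator's allow-list
// plus the challenges it has issued and not yet consumed (nonce -> peer IP).
type JoinVerifier struct {
	secret    []byte
	allowedIP map[string]bool
	pending   map[string]string
}

func NewJoinVerifier(secret []byte, allowed []string) *JoinVerifier {
	v := &JoinVerifier{secret: secret, allowedIP: map[string]bool{}, pending: map[string]string{}}
	for _, ip := range allowed {
		v.allowedIP[ip] = true
	}
	return v
}

// Issue refuses peers the administrator did not designate and otherwise draws a
// fresh 32-byte nonce for one join attempt.
func (v *JoinVerifier) Issue(peerIP string) (JoinChallenge, error) {
	if !v.allowedIP[peerIP] {
		return JoinChallenge{}, errors.New("peer IP not designated by administrator")
	}
	nonce := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return JoinChallenge{}, err
	}
	v.pending[hex.EncodeToString(nonce)] = peerIP
	return JoinChallenge{PeerIP: peerIP, Nonce: nonce}, nil
}

// Verify accepts a response only for a challenge this verifier issued, for the
// peer it was issued to, exactly once, and with a matching HMAC compared in
// constant time.
func (v *JoinVerifier) Verify(c JoinChallenge, response []byte) error {
	key := hex.EncodeToString(c.Nonce)
	ip, ok := v.pending[key]
	if !ok || ip != c.PeerIP {
		return errors.New("unknown, already used, or mis-addressed challenge")
	}
	delete(v.pending, key) // single use: a replayed response is rejected
	if !hmac.Equal(response, JoinResponse(v.secret, c)) {
		return errors.New("bad authenticator")
	}
	return nil
}

func main() {
	secret := []byte("constructed-join-secret") // constructed example value
	v := NewJoinVerifier(secret, []string{"10.0.0.5"})
	c, _ := v.Issue("10.0.0.5")
	fmt.Println("first response:", v.Verify(c, JoinResponse(secret, c)))
	fmt.Println("replayed response:", v.Verify(c, JoinResponse(secret, c)))
}
```

Only after Verify succeeds would the existing controller open the tunnel and hand over the file system certificate; the point of the allow-list check in Issue is that an undesignated address never receives a challenge at all.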
When data traverses the network, either between controllers or between a controller and a public or private cloud, the controller generates a random number that is changed every 32MB of data to ensure key rotation. The user data is AES-CBC-256 encrypted using the random number, and the random number itself is then AES-CBC-256 encrypted using the X.509 certificate's public key and embedded in the header affixed to the chunk of data being transported/stored. The data is now safely encrypted, with the encryption used between chunks of data varying every 32MB, thwarting even brute-force decryption attempts.
Only a holder of the valid X.509 private key may decrypt the data. When a File Services Controller accesses encrypted chunks of information, the chunk header is examined, then the private key is used to decrypt the random number contained within the header, and finally the decrypted random number is used to decrypt the actual data.
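The two paragraphs above describe a hybrid scheme: a random per-chunk data key, rotated on a fixed byte boundary, encrypts the payload with AES-CBC-256, and that key is encrypted under the X.509 certificate's public key and stored in the chunk header, so only the private-key holder can unwrap it. The Go program below is an added illustration of that design and not Panzura's code or wire format. It assumes RSA-OAEP as the public-key operation that wraps the data key, PKCS#7 padding and a random IV for CBC, a freshly generated RSA key pair standing in for the certificate, and a 64-byte rotation boundary (the article's figure is 32MB) so the rotation is visible on a short input; `EncryptedChunk`, `EncryptStream` and `DecryptStream` are names constructed for the example.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// ChunkSize is the payload length after which a fresh random data key is drawn.
// The article states 32MB; this constructed example uses 64 bytes.
const ChunkSize = 64

const dataKeyLen = 32 // AES-256

// EncryptedChunk is the header-plus-payload layout assumed here (not the
// product's format): the wrapped data key and IV form the header.
type EncryptedChunk struct {
	WrappedKey []byte // data key encrypted under the certificate's RSA public key
	IV         []byte // per-chunk random CBC IV
	Ciphertext []byte // AES-256-CBC, PKCS#7-padded payload
}

// pkcs7Pad copies b before appending so the caller's slice is never overwritten.
func pkcs7Pad(b []byte, blockSize int) []byte {
	n := blockSize - len(b)%blockSize
	return append(append([]byte{}, b...), bytes.Repeat([]byte{byte(n)}, n)...)
}

func pkcs7Unpad(b []byte, blockSize int) ([]byte, error) {
	if len(b) == 0 || len(b)%blockSize != 0 {
		return nil, errors.New("length is not a multiple of the block size")
	}
	n := int(b[len(b)-1])
	if n == 0 || n > blockSize {
		return nil, errors.New("invalid padding")
	}
	for _, c := range b[len(b)-n:] {
		if int(c) != n {
			return nil, errors.New("invalid padding")
		}
	}
	return b[:len(b)-n], nil
}

// EncryptStream splits plaintext into ChunkSize pieces, draws a new random key
// and IV for each, CBC-encrypts the piece, and wraps the key with RSA-OAEP under pub.
func EncryptStream(pub *rsa.PublicKey, plaintext []byte) ([]EncryptedChunk, error) {
	var out []EncryptedChunk
	for start := 0; start < len(plaintext); start += ChunkSize {
		end := start + ChunkSize
		if end > len(plaintext) {
			end = len(plaintext)
		}
		buf := make([]byte, dataKeyLen+aes.BlockSize) // key || iv, fresh per chunk
		if _, err := io.ReadFull(rand.Reader, buf); err != nil {
			return nil, err
		}
		key, iv := buf[:dataKeyLen], buf[dataKeyLen:]
		block, err := aes.NewCipher(key)
		if err != nil {
			return nil, err
		}
		padded := pkcs7Pad(plaintext[start:end], aes.BlockSize)
		ct := make([]byte, len(padded))
		cipher.NewCBCEncrypter(block, iv).CryptBlocks(ct, padded)
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, key, nil)
		if err != nil {
			return nil, err
		}
		out = append(out, EncryptedChunk{WrappedKey: wrapped, IV: iv, Ciphertext: ct})
	}
	return out, nil
}

// UnwrapKey recovers a chunk's data key from its header; it fails for any
// private key other than the one matching the wrapping public key.
func UnwrapKey(priv *rsa.PrivateKey, c EncryptedChunk) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, c.WrappedKey, nil)
}

// DecryptStream is the reader side: examine the header, unwrap the key with
// the private key, then decrypt the payload with the unwrapped key.
func DecryptStream(priv *rsa.PrivateKey, chunks []EncryptedChunk) ([]byte, error) {
	var out []byte
	for _, c := range chunks {
		key, err := UnwrapKey(priv, c)
		if err != nil {
			return nil, err
		}
		block, err := aes.NewCipher(key)
		if err != nil {
			return nil, err
		}
		if len(c.Ciphertext) == 0 || len(c.Ciphertext)%aes.BlockSize != 0 {
			return nil, errors.New("ciphertext length is not a multiple of the block size")
		}
		padded := make([]byte, len(c.Ciphertext))
		cipher.NewCBCDecrypter(block, c.IV).CryptBlocks(padded, c.Ciphertext)
		pt, err := pkcs7Unpad(padded, aes.BlockSize)
		if err != nil {
			return nil, err
		}
		out = append(out, pt...)
	}
	return out, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the 2048-bit factory certificate
	msg := bytes.Repeat([]byte("cloud-chunk-"), 13)   // constructed 156-byte input -> 3 chunks
	chunks, _ := EncryptStream(&priv.PublicKey, msg)
	pt, _ := DecryptStream(priv, chunks)
	fmt.Printf("chunks=%d round-trip ok=%v\n", len(chunks), bytes.Equal(pt, msg))
}
```

Two practitioner notes on this shape: CBC on its own gives confidentiality but no integrity, so a deployed format should carry an authentication tag (for example an HMAC-SHA-256 over header and ciphertext, verified before decryption) so a tampered chunk is rejected rather than decrypted to garbage; and because the wrapped key sits in every header, the private key is the only secret that must be protected long-term, which is why the article emphasises keeping it at the customer's site.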
Cloud storage controllers implement a robust global file system that delivers rapid access to files by separating metadata from payload data. In addition, cloud controller file systems implement global file lock management and can provide access to multiple copies of a file to protect against data center outages. Finally, cloud storage controllers implement military-grade encryption to eliminate fears about storing sensitive corporate information in a public cloud. Cloud storage controllers thereby overcome common barriers to cloud storage adoption.