Data security administrators have full control of the encryption keys and the KEKs can be updated regularly by the security administrators via CloudLink Center. Special care is taken to ensure that the enterprise-owned data are never stored in clear text, and can be promptly withdrawn by the enterprise at any time. Cloud administrators do not have access to DEKs and KEKs; therefore, cloud administrators, other tenants, or intruders cannot access the enterprise data in the cloud.
KEKs are generated and managed by the CloudLink Gateway. They must be changed regularly according to key management policy, and kept in a safe place in order to ensure the safety of encrypted data. CloudLink supports three different key stores:
RSA Data Protection Manager (DPM) provides a key store that is tamper proof and supports high availability. The RSA DPM client has been integrated into the CloudLink Gateway.
Microsoft Active Directory provides an alternate encryption key store. This option allows an enterprise to leverage its existing Active Directory deployment and store cloud encryption keys.
KEKs may also be stored within the CloudLink Gateway. This option is suitable for trials and testing, but is not recommended for production deployment.
CloudLink Center is the entry point for SecureVSA key management. In each of the deployment scenarios discussed previously, key management is completely under the control of the enterprise data security administrators. Keys can be kept in key stores deployed in the private data center or in vCloud Hybrid Service. Through CloudLink Center, the security administrator can monitor and control the availability of encrypted volumes by choosing whether KEKs are made available to the SecureVSA cipher.
CloudLink Center’s lock operation withdraws the KEK for an encrypted volume from the SecureVSA, preventing it from decrypting the volume’s DEK and rendering the data stored on the volume unavailable.
Conversely, the unlock operation provides the KEK for an encrypted volume to CloudLink SecureVSA, which uses it to decrypt the volume’s DEK and then uses the DEK to decrypt and make the data available.
Using CloudLink Center, the security administrator can also perform key change operations, either on demand or on a scheduled policy basis.
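The following is an added model of the KEK/DEK hierarchy and of the lock, unlock and key change operations described above; it is not CloudLink code. The HMAC-based stream cipher is an assumed stand-in for the appliance's real volume cipher, and the VNode and Volume classes are assumed simplifications of the cipher node and the encrypted volume.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

def prf_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher so the example runs on the standard library alone:
    # HMAC-SHA256 keystream in counter mode, XORed over the data (symmetric).
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

@dataclass
class Volume:
    # What sits on cloud storage: ciphertext and the DEK wrapped under a KEK.
    # Neither the plaintext nor the raw DEK is ever stored.
    kek_id: str
    wrapped_dek: bytes
    wrap_nonce: bytes
    data_nonce: bytes
    ciphertext: bytes

def create_volume(kek_id: str, kek: bytes, plaintext: bytes) -> Volume:
    dek, wn, dn = os.urandom(32), os.urandom(16), os.urandom(16)
    return Volume(kek_id, prf_xor(kek, wn, dek), wn, dn, prf_xor(dek, dn, plaintext))

class VNode:
    # The cipher component: holds a KEK in memory only while a volume is unlocked.
    def __init__(self) -> None:
        self._cached_kek = {}
    def unlock(self, vol: Volume, kek: bytes) -> None:
        self._cached_kek[vol.kek_id] = kek          # KEK released by CloudLink Center
    def lock(self, vol: Volume) -> None:
        self._cached_kek.pop(vol.kek_id, None)      # lock command: destroy cached KEK
    def read(self, vol: Volume) -> bytes:
        kek = self._cached_kek.get(vol.kek_id)
        if kek is None:
            raise PermissionError("volume locked: no KEK to unwrap the DEK")
        dek = prf_xor(kek, vol.wrap_nonce, vol.wrapped_dek)
        return prf_xor(dek, vol.data_nonce, vol.ciphertext)

def rotate_kek(vol: Volume, old_kek: bytes, new_kek: bytes, new_id: str) -> Volume:
    # Key change: re-wrap the DEK under the new KEK; the ciphertext is untouched.
    dek = prf_xor(old_kek, vol.wrap_nonce, vol.wrapped_dek)
    wn = os.urandom(16)
    return Volume(new_id, prf_xor(new_kek, wn, dek), wn, vol.data_nonce, vol.ciphertext)
```

A locked volume raises PermissionError on read, and a KEK change leaves the stored ciphertext byte-for-byte unchanged, which is why rotation does not require re-encrypting the data.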
RSA Data Protection Manager Integration
SecureVSA provides out-of-box integration with RSA Data Protection Manager (DPM). All storage key encryption keys (KEKs) created and managed by CloudLink SecureVSA can be stored securely in RSA DPM. RSA DPM provides centralized key vaulting, protection and recoverability of the keys. The keys are generated by CloudLink SecureVSA and provided to RSA DPM for safe storage. They are then retrieved by CloudLink Gateway and provided to CloudLink vNodes that must provide access to their encrypted storage volumes (that is, to unlock the volumes). At any time, a security administrator using CloudLink Center can instruct CloudLink SecureVSA to lock one or all of a node’s encrypted volumes. CloudLink then issues a lock command to the node and the node destroys its cached version of the storage KEKs.
RSA DPM is available in the following forms:
Hardware appliance
Virtual appliance
Software server deployable in customer software infrastructure
Both the hardware and virtual appliances come with a pre-packaged software stack that includes a web application server, enterprise class database, and access management. Client applications authenticate with the server using mutual SSL. A client application using an RSA DPM client for encryption and key management can operate with a local protected cache for keys.
A typical deployment architecture for key management is comprised of at least two load-balanced RSA DPM nodes within the primary site for high availability, and more nodes in remote sites for scalability or disaster recovery purposes, all clustered together. All nodes in a cluster are active. RSA DPM appliances come with built-in replication to keep all the nodes in sync. RSA DPM virtual and hardware appliances can be deployed in the same way.
To use RSA DPM to store CloudLink KEKs, ensure that the CloudLink Gateway can access an RSA DPM host (version 3.1 or later) through the CloudLink SecureVSA private LAN network. The CloudLink SecureVSA 3.0 VMware vSphere Deployment Guide and CloudLink SecureVSA 3.0 CloudLink Center Administration Guide provide more information on deploying, configuring, and using CloudLink SecureVSA.
To prepare RSA DPM for storage of CloudLink KEKs:
1. Log on to the RSA Data Protection Manager console.
2. Create an identity that belongs to a particular RSA DPM identity group:
To configure CloudLink to use RSA DPM as its key store:
1. Open CloudLink Center using the secadmin user account.
2. Under the topology tree, select the CloudLink Gateway.
3. Click Security Key Store tab.
4. To configure CloudLink Center to use RSA DPM for KEK storage, under Location, click RSA DPM.
5. Under RSA DPM Configuration (see figure below), specify the RSA DPM parameters:
Host - RSA DPM host IP address.
Port - TCP port number configured on the RSA DPM host. (The default port is 443.)
Security Class Name - Name of the security class configured on the RSA DPM host for the RSA DPM client.
Trust Certificate - RSA DPM server certificate.
Client Certificate - RSA DPM client certificate.
Password - Password used during creation of the RSA DPM client certificate.
6. Click Apply.
CloudLink Center displays the RSA DPM status as Accessible. It creates a new entry in the CloudLink Center Actions log, as shown above, and records a Key store change security event, as shown below.
Microsoft Active Directory Integration
As an alternative to RSA DPM, you can configure Microsoft Active Directory as a CloudLink key store. It is very important that the Active Directory server is properly backed up to ensure the safety of the encryption keys. Losing encryption keys will result in data loss. For high availability and disaster recovery, Active Directory servers acting as CloudLink key stores are deployed on both the production and disaster recovery sites.
Configuring Active Directory as a Key Store
To use Active Directory to store CloudLink encryption keys, deploy a Windows Server that is accessible by CloudLink Center from its private LAN network.
During this procedure, you must provide the host name of the Windows Server, which requires that you have already set up a DNS server.
To configure Active Directory for the CloudLink encryption key store on Windows 2003 or 2008 Server that is configured as a domain controller, the following high-level steps are required.
1. Set up an organization unit on Windows Server.
2. Create a bind user.
3. Add the bind user to the security group.
4. Record the DN of CloudLink.
5. Apply the domain controller in CloudLink.
For detailed configuration instructions, refer to the CloudLink SecureVSA 3.0 CloudLink Center Administration Guide.
Conclusion
SecureVSA is a powerful platform that’s designed to meet a variety of deployment and security requirements for organizations that wish to realize the benefits of running their virtual applications in vCloud Hybrid Service.
SecureVSA provides the:
Opportunity to seamlessly extend into vCloud Hybrid Service while addressing concerns about encryption key control, security policy management, regulatory compliance, and data destruction obligations.
Ease of using familiar VMware tools to manage your hybrid cloud.
Flexibility to fully manage and control your encryption keys, leveraging what you already have.
Transparency of an agentless encryption approach, requiring no installation or maintenance of client software in your application VMs.
Oversight associated with monitoring and controlling the security of your application data across the hybrid cloud from a single CloudLink Center management console.
The three deployment scenarios described in this guide demonstrate the ease with which SecureVSA can be deployed and configured. SecureVSA components can be distributed completely in vCloud Hybrid Service. Just as easily, SecureVSA can be deployed across your organization’s hybrid cloud, consisting of your private data center and vCloud Hybrid Service.
CloudLink Technologies provides SecureVSA to customers world-wide. For more information about how SecureVSA can benefit your cloud environment, contact us:
Phone +1 (613) 224-5994 Email firstname.lastname@example.org Click cloudlinktech.com
References
For more information, see the following documents:
CloudLink SecureVSA 3.0 VMware vSphere Deployment Guide
CloudLink SecureVSA 3.0 CloudLink Center Administration Guide
These documents are available from CloudLink by contacting Support at:
Appendix A: Deploying CloudLink SecureVSA
Deploying SecureVSA manually in vCloud Hybrid Service involves the following tasks:
1. Download the appropriate CloudLink SecureVSA template.
2. Add the CloudLink SecureVSA template to the vCloud Hybrid Service organization catalog.
3. Deploy the CloudLink SecureVSA appliance in vCloud Hybrid Service.
4. Add a network interface.
5. Add storage volumes.
6. Power on the CloudLink SecureVSA vApp.
7. Configure the CloudLink SecureVSA appliance using the console.
To download the CloudLink SecureVSA template:
1. Decide whether you will deploy a CloudLink Gateway or CloudLink vNode in vCloud Hybrid Service.
2. Download the appropriate template from CloudLink. To register for a SecureVSA trial, visit:
To add a CloudLink SecureVSA template to the vCloud Hybrid Service organization catalog:
1. Log into vCloud Hybrid Service using your account credentials:
2. From the Dashboard tab, click the virtual data center in which you wish to deploy CloudLink SecureVSA.
3. In the Virtual Data Center Details page, click Manage Catalogs in vCloud Director.
4. On the Catalogs tab, do one of the following:
If the organization catalog where you want to add a CloudLink SecureVSA template exists, select the catalog.
If the organization catalog does not exist, create a new organization catalog and open it.
5. Select Upload.
6. Browse to the CloudLink SecureVSA template you downloaded.
7. Provide a name and description for the template.
8. Click OK to complete the import.
When the import is complete, the CloudLink SecureVSA template appears in your organization catalog.
To deploy a CloudLink SecureVSA appliance in vCloud Hybrid Service:
1. On the My Cloud tab, select the vApp into which you wish to deploy the CloudLink SecureVSA appliance.
2. From the Virtual Machines tab, select Add VM…
Tip: Find the green “plus” sign in the menu bar.
3. In Look in list, select My organization Catalogs.
4. Select the CloudLink SecureVSA template and click Add to add it to the list of virtual machines.
6. On the Configure Resources screen, select a Storage Policy and click Next.