In a November 2017 report from Scott Sinclair, Enterprise Storage Group Senior Analyst showed that the top factor that leads organizations to deploy or consider deploying on-premises object storage technology is a higher level of data security.
Object storage offers tremendous advantages over a hierarchical file system when it comes to security. Object storage is designed with a single, massively flat address space enabling files or objects to be accessed by a unique identifier and accompanied by customizable metadata. The metadata not only enables object storage to scale to higher capacities than traditional file systems, it can help meet regulatory requirements for content and records retention by designating specific content as immutable while providing the necessary auditing and reporting to verify immutability. Object storage has the ability to find, move, manipulate, and analyze metadata and data content for data security and protection.
Security is not something that you can wrap around the outside of a product. It must be designed in from the beginning. Hitachi Vantara’s Hitachi Content Platform (HCP) was designed and developed with security at the very core. Here is a recent white paper that provides an Overview of Server Security and Protection for HCP. It focuses on security features built into HCP and HCP cloud storage software to protect data access and secure communications. The white paper is written for systems and network administrators to set best practices for HCP deployment that minimizes vulnerability and threat exposure.
Security highlights include:
On-Premises or Hybrid Deployment
HCP is designed to run in the datacenter or as a hybrid cloud where layers of existing enterprise security processes and protocols already keep hackers out. HCP avoids risk thanks to your custom security that you understand and trust, whereas systems that are run as a public cloud have a much broader attack surface with a one-size-fits-all security approach. Running the system on-prem minimizes risk of accidental public exposure of confidential data.
Multitenancy and Namespace Isolation
A single HCP system is an overall structure for managing one or more tenants enforcing the boundaries that keep applications, users, and data of each tenant isolated. Each tenant is a virtual object storage system with independent management and data access that is bounded by the overall policies of the HCP system. Each tenant in turn has one or more namespaces which follow policies set by the tenant and provides mechanisms for separating the data stored by different applications, business units or customers. Namespaces provide segregation of data while a tenant provides segregation of management. This segregation of HCP, tenant and namespace provides multiple levels of security access to data and provides isolation to a namespace should a hack occur.
Role-Based Access Control for Management
HCP provides role-based access controls (RBAC) for administration accounts at both the system and tenant levels. The roles are system administration, compliance, security, monitoring, search and service. An HCP administrator may fulfill one or more roles at the system and tenant levels. There is no single super user account in HCP. The boundaries between various administrative and data access domains limit the scope of damage that can be done by a malicious user through a compromised account.
Network Security Considerations
Networks are avenues for malicious attacks, so the referenced white paper goes into detail about segregation and managing network access to HCP. HCP is typically deployed behind a corporate firewall and limiting access to the HCP front-end network remains an important part of the security strategy. Network engineers may elect to restrict port utilization to a minimum set required by the HCP software. The referenced white paper lists ports that HCP might need for operations. HCP uses the Transport Layer Security protocol (TLS 1.2) to ensure privacy and data integrity between the HCP and the other systems with which it communicates. TLS provides data in flight encryption for HCP services, including HCP system management, tenant management, RESTful API gateways, replication, and cloud tiering. HCP also operates its own internal firewall and many ports can be enabled or disabled via HCP management. Some port examples are Port 123 for NTP services or Port 514 for Remote Syslog. Syslog can stream HCP event messages to one or more servers performing security audit functions.
Data Access Methods
HCP supports industry standard data access methods that include Amazon S3, OpenStack Swift, WebDAV, SMB/CIFS, NFS, SMTP, as well as a proprietary REST API. When an application writes a file, HCP puts it in a bucket (namespace) along with its metadata. HCP is designed for write once, read many (WORM) access of information, but namespaces can be enabled with versioning to permit write and rewrite operations. Tenant level administrators can restrict access originating from a specific IP address using an allow (whitelist) or deny (blacklist) list. When HCP namespaces are cloud optimized through RESTful APIs, HCP will block all ports associated with SMTP, WebDAV, CIFS and NFS to reduce the attack surface.
HCP uses system level user and group accounts to control access to the data, management consoles, APIs and search console. HCP validates users with any of the following authentication methods:
Remote Active Directory
Remote Keystone (OpenStack)
HCP Anywhere, Hitachi’s file-sync-and-share for mobile devices can be configured to communicate with a corporate virus scanning engine. But the HCP repository does not incorporate a virus scanner since it does not provide an execution environment for objects that are uploaded. Since the file or object is never opened or executed on HCP servers, it is immune to viruses.
Ransomware and Data Protection Strategies
HCP offers several capabilities for protection against data loss, including preventing and reversing a Ransomware attack (a malware attack that encrypts data and demands a ransom for the decryption key, also known as a crypto-locker).
All information that is stored in the HCP is WORM (write once read many), making it immune to Ransomware attacks.
HCP supports the storage of multiple versions of an object to protect data from accidental deletions or roll back accidental changes. Versioning can be enabled at the tenant and namespace level. The tenant administrator can configure how long a prior version of an object is kept.
Retention + Legal Hold
HCP provides flexible retention capabilities to prevent accidental or malicious deletion of object before a designated retention period or while under a legal hold.
A hash is computed for every object at ingest time to ensure data integrity. The hash or “digital fingerprint” is stored as metadata and is used to validate integrity upon retrieval. If there is any discrepancy, HCP can repair the data from the hash or restore the data from a replica copy.
Auditing and Monitoring
The system management console and the tenant management consoles provide displays of critical system events to authorized role-based administrators.
Limiting Command Line Interface Risks
System administrators do not have command line access to HCP systems so that organizations can credibly prove regulatory compliance, auditing, and non-tampering. Everyday administrative capabilities are GUI or API driven. Making system changes that require command line access requires the cooperation of both the organizations’ administrators, and authorized Hitachi Vantara customer support. This approach increases security by preventing clandestine manipulation.
This post is just an overview of the Hitachi Vantara white paper that I referenced at the beginning. Please download the white paper for more information on the data security features of the HCP object store and compare it with other vendor’s data security capabilities when evaluating object storage options.