Securing Data in the Cloud with ARX CE
Is my data secure and safe from prying eyes when it is put in the cloud? This is a top concern among I.T. professionals considering the use of cloud storage to augment their local data center’s storage facilities. In this article, we’ll explore how F5’s ARX Cloud Extender product secures data in the cloud.
Data is one of a company’s most precious assets. If data leakage occurs, it can reveal competitive positions, business strategy, company secrets, and so on. When data resides in a company’s data center, security can be tightly controlled through physical access controls, such as keycard access, a person standing guard, etc. Seeing physical security is comforting and allows one to sleep at night. With the advent of cloud-based storage, the physical security we can see, touch, and feel goes away, as the data is stored in a service provider’s data center reachable “over the wire”. So, how do we overcome the concerns of insecure data outside the walls of our company when data is sent to the cloud?
ARX Cloud Extender (CE) is a gateway-to-cloud product designed to run on Microsoft Windows. It “connects” local storage paths (e.g., E:\Data\Marketing) to cloud-based storage such as Amazon S3. Policies, rules, and tasks govern ARX CE’s behavior, for example, when to copy data residing on a Windows file server to cloud storage (a “destination” in ARX CE parlance).
For public cloud destinations, ARX CE encrypts data prior to sending it to the destination. Let’s explore how ARX CE does this today.
For each public cloud destination, the ARX CE administrator is required to generate a master key. The master key is used to form the basis of per file keys. As such, it is very important the customer does not misplace this key.
When a file is being copied to public cloud storage, it is copied in two parts:
- The file data
- The file’s metadata, for example, last modify name, NTFS ACL, local path on disk, etc.
Each part uses a different key for encryption, which is derived in part from the master key and in part from data specific to the file. Thus, if you have 200,000 files in cloud storage, there are 400,000 keys. Because file object keys are algorithmically generated, there is no need to store each key on the ARX CE device: all that is needed is the master key. When ARX CE is preparing to send data to public cloud destinations, each object is encrypted with 256-bit AES. Further, all transfers from the ARX CE-enabled Windows file server to public cloud storage occur over SSL (HTTPS), which encrypts the data in transit.
Lastly, each object receives an object name, which obfuscates the file name. In some respects, a file name can communicate secret data, for example, “plan_to_buy_jc’s_company_for_oodles_of_money.doc”. An enterprising person wishing to try their AES-256 cracking skills is more likely to choose a target file that “sounds” important rather than something ho-hum such as “This_Land_Is_Your_Land.mp3”. Looking at my NFS server, which I use for testing private cloud, here are some example names ARX CE assigns to file objects:
You would have no idea one is called “test.dat” and the other “test_2.dat”.
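The key hierarchy and object naming described above, sketched as an added example that is not ARX CE's own code: the article does not name the derivation algorithm, so HKDF-SHA256 (RFC 5869) stands in for it, and the destination name, path normalization, labels and sample master key are assumptions.

```python
import hashlib
import hmac

# Constructed sample master key (32 bytes); a real one comes from a CSPRNG.
SAMPLE_MASTER_KEY = hashlib.sha256(b"constructed demo master key").digest()

def hkdf_sha256(key_material: bytes, salt: bytes, info: bytes, length: int = 32) -> bytes:
    """HKDF (RFC 5869): extract a pseudorandom key, then expand it to `length` bytes."""
    prk = hmac.new(salt, key_material, hashlib.sha256).digest()
    okm, block, counter = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([counter]), hashlib.sha256).digest()
        okm += block
        counter += 1
    return okm[:length]

def file_id(destination: str, local_path: str) -> bytes:
    # Assumed "data specific to the file": destination name plus the local path,
    # lower-cased because Windows paths are case-insensitive.
    return f"{destination}\x00{local_path.lower()}".encode("utf-8")

def derive_object_keys(master_key: bytes, destination: str, local_path: str) -> dict:
    """Re-derive one file's two 256-bit keys and its opaque object name.

    Nothing per-file is stored: the master key and the file's identity suffice.
    """
    if len(master_key) != 32:
        raise ValueError("master key must be 32 bytes (256 bits)")
    fid = file_id(destination, local_path)
    return {
        "data_key": hkdf_sha256(master_key, fid, b"file-data"),      # AES-256 key for contents
        "meta_key": hkdf_sha256(master_key, fid, b"file-metadata"),  # AES-256 key for metadata
        "object_name": hkdf_sha256(master_key, fid, b"object-name", 16).hex(),
    }

if __name__ == "__main__":
    for name in ("test.dat", "test_2.dat"):
        keys = derive_object_keys(SAMPLE_MASTER_KEY, "s3-marketing", "E:\\Data\\Marketing\\" + name)
        # Only the object name is shown; the keys never leave the gateway.
        print(f"{name:12s} -> {keys['object_name']}")
```

Because the derivation runs through HMAC, a recovered per-file key cannot be inverted to the master key, and two files with near-identical names still get unrelated keys and object names.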
There are a few threats to be mindful of, which are very manageable.
First, let’s assume someone was able to obtain an encrypted object and crack the key used to encrypt the data. Knowledge of a specific file’s key does not compromise the master key. In other words, the master key is not derivable from a file’s key. Nor does knowledge of a single file object’s key make cracking the next file object’s key any easier. Thus, because the file names are obfuscated, someone wishing to figure out the contents of a specific file must crack AES-256 for each file in the cloud until the right file data is found.
Second, if the master key is compromised, it isn’t sufficient on its own to obtain data from your cloud provider. In addition to the master key, the miscreant also requires the username and password to your service provider. It is the combination of knowing the master key and the credentials to access cloud storage that is most dangerous to your data. If you suspect your master key has been compromised, change your password immediately at your cloud provider.
Putting one of the company’s most valuable assets – data – in the cloud is a big step. Is it secure? We’ve explored how ARX CE solves this problem by encrypting each file with a separate key and by generating a seemingly random name for each file, making it hard to determine the file containing the most valuable data. We’ve also described some of the threats to be mindful of and defenses you can take if a compromise occurs.
JC Ferguson has been working in the storage domain for over 9 years and was instrumental in the invention and delivery of the ARX storage virtualization switch at Acopia Networks. F5 acquired Acopia Networks in 2007, and since then JC has continued his role as ARX product architect and project leader. Recently, JC focused on cloud storage and was instrumental in bringing the ARX CE product to market in February 2011. Prior to storage, JC worked on many security products, starting with an A1 secure virtual kernel at Digital Equipment Corporation in 1988, Digital’s security compliance tool DECinspect, and Digital’s VPN product AltaVista Tunnel.