Scality Technical White Paper
February 2017
Data Security in the Scality RING
Overview of the Security Mechanisms in the Scality RING
Table of Contents
Introduction
Chapter 1: The Impact of Security Regulations
Chapter 2: The Scality Ring Architecture
Chapter 3: Connector and User Interface Security
Chapter 4: Core RING Security
Summary
Appendix A
Introduction
When designing a cloud-based storage infrastructure, there are more important design principles to address than simply storing files. A well-designed storage solution takes compliance needs into consideration and implements proper security protocols and best practices in the architecture. The scope of this white paper is to describe how the Scality RING addresses organizations' compliance needs and how security is implemented in the RING's architecture.
Chapter 1: The Impact of Security Regulations
Organizations are subject to many different regulatory rules. For example, HIPAA is a set of security rules and safeguards that must be implemented when working with public health information, and FIPS 140-2 is used by government organizations to list requirements and standards for the encryption used. Depending on the nature of a particular business, organizations will be impacted by some form of compliance rules, whether a regulation such as HIPAA or a standard such as FIPS 140-2. IT organizations will have to adjust their solutions, services, and workflows to accommodate regulatory practices, which can be intensive and chaotic at times.
The good news is that there is some common ground between compliance regulations. Here are a few common requirements that organizations take into consideration:
■ Role-based Access - Not everyone should have privileged access to sensitive information in an organization. Different levels of access should be provided through roles such as user, admin, etc. to control access to sensitive data.
■ Data Encryption - Encryption must be used when uploading and downloading data.
■ Data Integrity - Ensure that protections are in place to prevent data from being tampered with or altered.
■ Network Security - Firewall rules and network segmentation to protect systems and services.
■ Auditing - A way to record all the transactions and changes made to a system.
The following chapters explain how the Scality RING implements these requirements so that organizations can remain compliant with regulations.
Chapter 2: The Scality Ring Architecture
The Scality RING architecture is composed of several layers, as displayed in Figure 1. Let's explore each layer in detail to get a better understanding of the RING architecture.
2.1 Connector Layer
The Scality Ring connector layer provides support for the following protocols:
■ Object: S3, REST.
■ File System: FUSE, NFS, and SMB.
The connector layer is also in charge of chunking files and dispersing the chunks on the Scality Ring using file replication or erasure coding.
Figure 1. – Scality Ring Architecture Layers (connector layer: object access via S3/REST and file access via FUSE/NFS/SMB; storage node layer; disk layer of HDDs)
2.2 Storage Node Layer
The Storage Node layer consists of a distributed peer-to-peer architecture that ensures files
and metadata are properly distributed amongst the storage nodes and disks in the cluster.
A RING installation can even span across multiple physical sites and tolerate the loss of an
entire site. The RING supports data protection mechanisms such as erasure coding and
replication. This intelligent architecture design provides organizations with maximum data
durability.
2.3 Disk Layer
This is the layer where the file data chunks are written to SAS/SATA drives and the file metadata is written to solid-state drives (SSDs).
Chapter 3: Connector and User Interface Security
3.1 Scality S3 Connector
■ The Scality S3 Connector supports AWS S3 certificate-based authentication (Signatures v2 and v4) with support for HTTPS to provide secure access to the RING storage.
■ The Scality S3 Connector implements IAM for multi-tenancy:
  ● Accounts, users, and groups
  ● Access/secret key pairs
■ The Scality S3 Connector supports identity federation for delegated access to APIs:
  ● Any SAML 2.0 compatible identity provider
  ● Active Directory Federation Services (ADFS)
Figure 2. – S3 Connector Architecture (unencrypted data to store passes through the S3 Connector, whose key generator obtains a per-bucket encryption key from the customer KMS, e.g. SafeNet, before the data is written to Scality RING storage)
3.2 REST Protocol
The REST protocol supports HTTPS and can be configured to use basic authentication with
the Apache web server to require a username and password.
3.3 File System Protocols
■ The Scality NFS v3 connector supports Kerberos KDC.
■ The Scality SMB connector provides Active Directory Server integration and support for simple Windows ACLs (user and group).
Chapter 4: Core RING Security
4.1 Logging
All actions performed by a user in the Supervisor Web Administration console are logged to a file (by default /var/log/scality/dsup/audit.log) on the Supervisor server; the log can also be directed to another location. The audit log file provides detailed information on the user, date and time, name of the action performed (e.g. list, retrieve, delete, modify), RING component (Supervisor, Connector, Storage Node) on which the action was performed, result of the action (successful or not), duration of the action, and the detailed error message if the action was not successful.
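The following is an added example, not Scality's code, showing how a defender could parse an audit log carrying the fields listed above and flag the events worth reviewing. The key=value line layout, the sample lines and the threshold are constructed assumptions; the real audit.log format is not given in this paper, so the regular expression must be adapted to it.

```python
import re
from collections import Counter
from typing import Dict, List

# Constructed sample events carrying the fields section 4.1 lists (user, date and
# time, action, component, result, duration, error). The key=value layout is an
# assumption for this example, not Scality's actual audit.log format.
SAMPLE_AUDIT_LOG = """\
2017-02-10T09:12:01Z user=alice action=list component=Supervisor result=success duration=12ms error=-
2017-02-10T09:12:05Z user=bob action=delete component=Connector result=failure duration=3ms error="permission denied"
2017-02-10T09:12:06Z user=bob action=delete component=Connector result=failure duration=2ms error="permission denied"
2017-02-10T09:12:07Z user=bob action=delete component=Connector result=failure duration=2ms error="permission denied"
2017-02-10T09:13:00Z user=carol action=modify component=StorageNode result=success duration=40ms error=-
2017-02-10T09:14:30Z user=carol action=delete component=StorageNode result=success duration=9ms error=-
"""

LINE_RE = re.compile(
    r'^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) '
    r'component=(?P<component>\S+) result=(?P<result>\S+) '
    r'duration=(?P<duration>\d+)ms error=(?P<error>"[^"]*"|\S+)$'
)


def parse_audit_log(text: str) -> List[Dict[str, object]]:
    """Turn raw audit lines into event dicts; lines that do not match are skipped."""
    events: List[Dict[str, object]] = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ev: Dict[str, object] = m.groupdict()
        ev["duration_ms"] = int(m.group("duration"))
        ev["error"] = m.group("error").strip('"')  # "-" means no error recorded
        events.append(ev)
    return events


def review_findings(events: List[Dict[str, object]], failure_threshold: int = 3) -> List[str]:
    """Two checks an analyst would run over the audit log:
    1. repeated failures of the same action by one user on one component
       (authorization probing or a broken automation);
    2. every successful delete on a storage node, to be reconciled against
       an approved change."""
    findings: List[str] = []
    failures = Counter(
        (e["user"], e["action"], e["component"])
        for e in events
        if e["result"] != "success"
    )
    for (user, action, component), n in sorted(failures.items()):
        if n >= failure_threshold:
            findings.append(f"{user}: {n} failed '{action}' attempts on {component}")
    for e in events:
        if e["result"] == "success" and e["action"] == "delete" and e["component"] == "StorageNode":
            findings.append(f"{e['user']}: successful delete on StorageNode at {e['ts']}")
    return findings


if __name__ == "__main__":
    for finding in review_findings(parse_audit_log(SAMPLE_AUDIT_LOG)):
        print(finding)
```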
4.2 Versioning and WORM
As mentioned earlier in this paper, data integrity requirements are in place to ensure that information is not tampered with or altered. The S3 connector for the RING supports the versioning features of the Amazon S3 API. If enabled, this feature allows users to keep track of different versions of a file on the RING storage. Using the standard S3 API calls, organizations can view the modification date and time of each file and its checksum, as well as download previous versions of a file.
Versioning is not always enough to address compliance requirements, so organizations look for solutions that support write once, read many (WORM) operations. If an organization uses a solution that supports WORM, it can be assured that data will be read-only and cannot be altered. To help address this compliance requirement, Scality created a joint solution with iTernity that can meet legal and industry-specific regulations to provide a compliant long-term archiving solution.
For more information, please see the link to the iTernity solution sheet in Appendix A.
4.3 Checksums
The Scality RING uses a built-in CRC-32 checksum mechanism to ensure that the data being read is the same as what was originally written to the RING. Upon reading replicated or erasure-coded chunks from disk, the RING calculates a CRC-32 checksum for each chunk it has to read and compares it to the CRC-32 checksum calculated when the chunk was written (and stored in metadata with the chunk). If any chunk is found to be corrupted (meaning the checksums do not match), the RING does two things:
1. Uses another replica or EC chunk to serve the requested data.
2. Launches a chunk repair operation to repair the corrupted chunk (replacing the replica chunk with another replica, or recalculating an erasure-coded chunk).
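The read-time verification and repair path just described, modelled as an added example that is not Scality's code. It covers the replication case only (the erasure-coding reconstruction step is analogous but not modelled); the chunk store, the three-replica layout and the corruption injector are constructed for illustration.

```python
import zlib
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


def crc32(data: bytes) -> int:
    """CRC-32 as an unsigned 32-bit value, the checksum family named in section 4.3."""
    return zlib.crc32(data) & 0xFFFFFFFF


@dataclass
class StoredChunk:
    data: bytearray
    crc: int  # checksum computed at write time and kept in metadata with the chunk


@dataclass
class ReplicatedChunk:
    """One logical chunk held as several replicas (modelling different storage nodes)."""
    replicas: Dict[int, StoredChunk] = field(default_factory=dict)
    repaired: List[int] = field(default_factory=list)

    def write(self, payload: bytes, replica_count: int = 3) -> None:
        crc = crc32(payload)  # computed once, stored beside every replica
        for rid in range(replica_count):
            self.replicas[rid] = StoredChunk(bytearray(payload), crc)

    def corrupt(self, rid: int, offset: int = 0) -> None:
        # Simulates silent corruption on one disk: the data changes, the stored CRC does not.
        self.replicas[rid].data[offset] ^= 0xFF

    def read(self) -> bytes:
        """Verify replicas in order; serve the first healthy one, then repair the bad ones seen."""
        bad: List[int] = []
        good: Optional[bytes] = None
        for rid in sorted(self.replicas):
            chunk = self.replicas[rid]
            if crc32(bytes(chunk.data)) == chunk.crc:
                good = bytes(chunk.data)
                break
            bad.append(rid)  # step 1: never serve a mismatching chunk, try another replica
        if good is None:
            raise IOError("all replicas failed CRC-32 verification; data unrecoverable")
        for rid in bad:
            # step 2: chunk repair, replacing the corrupted replica with a healthy copy
            self.replicas[rid].data = bytearray(good)
            self.repaired.append(rid)
        return good

    def all_healthy(self) -> bool:
        return all(crc32(bytes(c.data)) == c.crc for c in self.replicas.values())


def simulate(corrupt_ids: List[int],
             payload: bytes = b"constructed chunk payload") -> Optional[Tuple[bytes, List[int]]]:
    """Write 3 replicas, corrupt the given ones, then read.
    Returns (served data, list of repaired replica ids), or None if nothing was recoverable."""
    chunk = ReplicatedChunk()
    chunk.write(payload)
    for rid in corrupt_ids:
        chunk.corrupt(rid)
    try:
        data = chunk.read()
    except IOError:
        return None
    assert chunk.all_healthy()  # after a successful read every replica verifies again
    return data, chunk.repaired


if __name__ == "__main__":
    print(simulate([0]))        # served from replica 1, replica 0 repaired
    print(simulate([0, 1, 2]))  # None: no healthy replica left to serve or repair from
```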
4.4 Data Encryption
Encryption at the disk level can be done today with array controllers or encrypted drives. The Scality S3 connector supports bucket-level encryption via an API extension, a custom HTTP header sent when a file is uploaded. The files are encrypted using OpenSSL with the AES-256 standard, and the RING uses an external Key Management Service (KMS) to manage the encryption keys.
4.5 Supervisor Security
The Supervisor is the web-based GUI for managing, monitoring, and provisioning resources
on the RING. The Supervisor has the following security mechanisms:
1. HTTPS with password authentication.
2. Role-based Access Control (RBAC).
Summary
This paper explained what it takes to have a compliant storage solution built for the enterprise and went over the impact of security regulations and common compliance requirements. The security mechanisms of the Scality RING architecture were explained in detail, ranging from the application layer to the storage layer. We hope that you now have a better idea of the Scality RING architecture and how we implemented common compliance features and security.
Figure 3. – Scality Ring Supervisor Login Screen
Figure 4. – Scality Ring Supervisor Ring Overview
© 2017 Scality. All rights reserved. Specifications are subject to change without notice. Scality, the Scality logo, Scality RING are trademarks of Scality in the United States and/or other countries.
Follow us on Twitter @scality and visit us at www.scality.com to learn more
WPSR1-1702
Appendix A
A.1 Going beyond this White Paper
1. Information on Scality products and use cases can be found here:
http://www.scality.com
2. For more information on the Scality Ring, please view the technical white paper:
http://storage.scality.com/white-paper-scality-technical-wp.html
3. Get more information on the S3 Connector in the following white paper:
http://storage.scality.com/white-paper-scality-ring-s3-connector.html
4. Get more information on the joint solution with iTernity:
http://www.scality.com/partners/iternity/
[BuildWithAI] Introduction to Gemini.pdf
 
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
Web Form Automation for Bonterra Impact Management (fka Social Solutions Apri...
 
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data DiscoveryTrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
TrustArc Webinar - Unlock the Power of AI-Driven Data Discovery
 
Platformless Horizons for Digital Adaptability
Platformless Horizons for Digital AdaptabilityPlatformless Horizons for Digital Adaptability
Platformless Horizons for Digital Adaptability
 
Why Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire businessWhy Teams call analytics are critical to your entire business
Why Teams call analytics are critical to your entire business
 
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
+971581248768>> SAFE AND ORIGINAL ABORTION PILLS FOR SALE IN DUBAI AND ABUDHA...
 
Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...Apidays New York 2024 - The value of a flexible API Management solution for O...
Apidays New York 2024 - The value of a flexible API Management solution for O...
 
