Versions Compared

Old Version 3

changes.mady.by.user Admin

Saved on

compared with

New Version Current

changes.mady.by.user Former user

Saved on

Key

  • This line was added.
  • This line was removed.
  • Formatting was changed.

VORMETRIC TRANSPARENT ENCRYPTION and SoftNAS Filers

 


CHALLENGES:

  1. Customers are interested in Public Cloud storage as a cost-effective solution to on-premise NAS/SAN but weary of the inability to manage Encryption Key.  The need is to have the keys outside of the Cloud Providers platform with only the only possibility of un-encryption being a customer regulated action.
  2. Customers want to be able to have a central repository of the data to manage global access but maintain the ability to silo data for particular regions while keeping the data encrypted to all other locations.

SOLUTIONS:


 

 


Vormetric is an agent-based solution that uses the agent along with defined policies to encrypt the data at rest

...

Vormetric is agnostic as to what type of storage is being encrypted so no configuration or tuning needs to be added to the SoftNAS filer. The share from the filer just needs to be added as a Guarded File System. 


  1. 1.       Create a Vormetric Policy

 

...



1) Click Policies

2) Click Add Policy

3) Add the following to the policy details section: 


Policy Type:  Standard

Name:  test-transformation

Description:  Test Data Transformation

Policy Learn Mode: ☐ 


Note: The top section, Security Rules, is for the policy access controls and encryption functions. The bottom section allows you to choose which keys will be used in this policy. 


4) Click Add in the Security Rules section

...

6) Select key_op at the bottom

 


 


7) Click Select Action

8) Click Select next to the Effect field

...

Note: By selecting key_op as the action, the DSM recognizes this to be a transformation policy and adds a third “Data Transformation Rules” section. There are now two kinds of policies defined. 


Standard Operational Policies

...

Key Selection Rules- Defines what encryption key will be used when “Apply Key” is selected as an effect 


Transformation or Initial Encryption Policies

...

Data Transformation Rules - Defines what key the data will be transformed into after the encryption process is complete

 


12) Click Add in the Security Rules section to add the second rule

...

25) Click Select Key

26) Click OK 


Your policy should look like this:

 


27) Click OK to save this policy 


Note: The effect of this policy is as follows:

...

Rule 2 – will be applied to all IO activity not handled by rule 1 and deny the IO 


  1. 2.       Encrypting the Data

...


1) Log into DSM Web GUI with access to the Test domain

...

6) Click the Guard FS tab

  



7) Click Guard

8) In the Policy drop-down menu, select Windows

...

10) From the Remote File Browser, select C:\ETEST and click OK.  To guard the SoftNAS share type in UNC entries (\\IP\share or \\DNS_name\share )into the Path field and click OK. 


Note: You do not have to use the remote file browser. You can type in entries into the Path field. 


11) Click OK to create the new Guardpoint

12) Click Refresh on the page until the status turns green – this may take a few seconds

 

 

 



Note: The Guardpoint is now active and the policy rules are in effect. The Administrator can only perform reads and Access has full access to the data with the application of the encryption key.

 


13) Switch back to the windows VM RDP session

...

Note: The files are now encrypted in C:\vipdata2. When Access copies the data to the directory with a Guardpoint applied, the application key is applied because of the “Apply Key” effect of the rule in the policy. 


15) Copy all the files within C:\ETEST to C:\ETEST2 to test locally. To test NAS filerCopy all the files within C:\ETEST to UNC path. (\\IP\share or \\DNS_name\share (ex \\172.16.96.133\share\))

16) Open some files in the C:\ETEST2 directory 


Note: The application of encryption is completely transparent for Access.

17) Logoff as Access 


20) Reopen the RDP session, this time logging in as Buser

21) Open some files in the C:\ETEST2 directory and To test NAS filer open some files in the\\172.16.96.133\share\ or \\172.16.96.133\cloud\shares.

 

 



Note: The behavior of Buser is different than Access. BUser has readability for the files, but without the “Apply Key” effect, the reads are not decrypted.

 


Conclusions:

Vormetric Transparent Encryption and a SofNAS filer can be used to ensure that customers maintain control of their encryption key locally and can be used on both local and cloud disk to provide encryption at rest.

Vormetric Data Security Manager DSM policies can be used to silo data based on location and even more granular criteria.