EMC Encryption as a Service with CloudLink SecureVSA

White Paper
EMC ENCRYPTION AS A SERVICE
With CloudLink SecureVSA
• Data security for multitenant clouds
• Transparent to applications
• Tenant control of encryption keys
EMC Solutions
Abstract
This White Paper describes EMC Encryption as a Service (EaaS) based on the AFORE
CloudLink SecureVSA solution. This solution enables Cloud Service Providers to offer
EaaS in a multitenant cloud environment and enables their customers to meet
regulatory compliance requirements related to data security.
April 2014
Copyright © 2014 EMC Corporation. All Rights Reserved.
EMC believes the information in this publication is accurate as of its
publication date. The information is subject to change without notice.
The information in this publication is provided as is. EMC Corporation makes no
representations or warranties of any kind with respect to the information in this
publication, and specifically disclaims implied warranties of merchantability or
fitness for a particular purpose.
Use, copying, and distribution of any EMC software described in this
publication requires an applicable software license.
For the most up-to-date listing of EMC product names, see EMC Corporation
Trademarks on EMC.com.
All trademarks used herein are the property of their respective owners.
Part Number H13044
Table of contents
Executive summary
  Business case
  Solution overview
  Key benefits
Introduction
  Purpose
  Scope
  Audience
  Terminology
Technology overview
  CloudLink vNode
  CloudLink Gateway
  CloudLink Center
Solution architecture
  Overview
  Data-at-rest encryption
    Secure datastore mode
    Secure NAS mode
System requirements
  CloudLink vNode requirements
  CloudLink Gateway requirements
Common deployment models
  Overview
  Model 1—Full deployment in the cloud
    Model 1 workflow
    Model 1 workflow reference
  Model 2—Key store in the private data center with SecureVSA in the cloud
    Model 2 workflow
    Model 2 workflow reference
  Model 3—Key store and CloudLink Gateway in the private data center with the vNode in the cloud
    Model 3 workflow
    Model 3 workflow reference
CloudLink management
Encryption key management
  RSA DPM integration
  Microsoft Active Directory integration
  Configuring Active Directory as a key store
Conclusion
References
  VMware documentation
Executive summary
This White Paper describes EMC Encryption as a Service (EaaS) based on an AFORE
CloudLink SecureVSA solution. The paper includes business benefits, solution
architecture, deployment models, workflows, and encryption key management. This
solution enables Cloud Service Providers (CSPs) to offer EaaS in a multitenant cloud
environment and enables their customers to meet regulatory compliance
requirements related to data security.
Business case
As organizations realize the benefits of migrating business applications, virtual
desktops, storage, back-ups, and disaster recovery solutions into the cloud, security
remains a top concern. Organizations tasked with ensuring regulatory compliance
(such as HIPAA, PCI, CSA, and NIST) have additional requirements that make the
move to the cloud even more challenging.
When enterprises adopt cloud services, new data security challenges emerge,
including:
• Enterprise workloads running on an infrastructure managed by cloud service
  providers
• Enterprise-sensitive data on shared cloud storage systems
• Traditional perimeter-based security that is ineffective for preventing data
  leakage in a cloud environment
• Data remanence issues and the challenge of data destruction on cloud storage
  systems shared by multiple live customers
Enterprises increasingly expect cloud providers to provide data protection services in
addition to the compute infrastructure.
Solution overview
Service providers can assist enterprises in using EMC EaaS to secure sensitive data in
a variety of cloud use cases, including Infrastructure as a Service, Storage as a
Service, Disaster Recovery as a Service, and hosted virtual desktops.
EaaS is simple to deploy and enables the efficient introduction of new customers,
while it is transparent to both the cloud infrastructure and customer workloads. EaaS
is the perfect solution to segregate and encrypt customer data in a multitenant cloud
while providing control of the encryption keys to the data owner to ensure data is
completely unreadable by unauthorized users.
Key benefits
The business benefits of EMC EaaS for CSPs are as follows:
• Increases per-subscriber revenues by adding encryption services to the
  provider’s service offerings without having to invest in new infrastructure
• Expands customer opportunities by hosting workloads subject to regulatory
  compliance
• Enables simple deployment and transparency to the provider’s infrastructure and
  their customers’ workloads
• Encrypts only sensitive data at rest and in motion, not the entire storage array
• Enables enterprises to have full control of encryption keys
• Mitigates the provider’s compliance risk by enabling customers to secure
  sensitive data and maintain key control in the cloud with enterprise-controlled
  encryption
• Enables cloud environments that are required to meet regulatory compliance
  requirements to offer and implement critical data-at-rest encryption
Introduction
Purpose
This White Paper describes how a cloud service provider can use CloudLink
SecureVSA to deliver EaaS as a premium service offering.
Scope
This White Paper describes the following key components of this solution:
• EaaS architecture
• Data encryption in a multitenant cloud environment
• Transparent data encryption with no changes to applications or the underlying
  storage infrastructure
• Integration with enterprise key management to secure data in a cloud
  environment
• Flexible key management options, with encryption keys completely controlled
  by enterprise data owners or managed by the cloud service security
  administrator as part of a managed cloud service offering
This White Paper demonstrates how you can deploy CloudLink SecureVSA in the
cloud service provider infrastructure to enable multitenant EaaS.
This paper describes three deployment models:
• All CloudLink SecureVSA components and key management are deployed and
  managed by the service provider.
• All CloudLink SecureVSA components are deployed and managed by the
  service provider, and the tenants are responsible for key management.
• A hybrid deployment model in which the service provider installs the CloudLink
  SecureVSA component in the cloud and tenants deploy CloudLink SecureVSA
  on site and manage the encryption key.
This paper also includes the general deployment procedures and workflows for this
solution. However, for detailed product installation, configuration, and ongoing
management procedures, refer to the CloudLink SecureVSA user documentation listed
in References.
While this document focuses on installing EaaS on the VMware vCloud Director or
vSphere environment, CloudLink SecureVSA also supports encryption on other cloud
platforms, such as Microsoft Hyper-V. For information about EaaS outside of VMware
cloud environments, contact your EMC Global Service representative or email AFORE
Solutions at info@aforesolutions.com.
Audience
This paper is intended for systems engineers, solution architects, product managers,
and operation engineers of cloud service providers.
You should be knowledgeable about VMware vCloud Director, vSphere, vCenter, EMC
storage systems, and networking concepts. You need at least a high-level
understanding of CloudLink SecureVSA functionality.
Terminology
This paper includes the following terminology.
Table 1. Terminology
RSA DPM: RSA Data Protection Manager
EaaS: Encryption as a Service
CloudLink Center: Management console for CloudLink that integrates with
  encryption key stores. CloudLink Center may also be referred to as the
  CloudLink Gateway when describing the CloudLink node represented.
CloudLink Gateway: Software virtual appliance that provides encrypted storage
  and the management interface (see CloudLink Center)
CloudLink vNode: Software virtual appliance that provides encrypted storage
DAS: Direct-attached storage
DRaaS: Disaster Recovery as a Service
IaaS: Infrastructure as a Service
NAS: Network-attached storage
SAN: Storage Area Network
VDIaaS: VDI as a Service
VPN: Virtual Private Network
VSA: Virtual Storage Appliance
Technology overview
CloudLink SecureVSA is a software-defined storage encryption solution that is
designed to secure sensitive data in virtualized and multitenant cloud environments.
It is delivered as a virtual storage appliance that can be deployed on a
per-application, per-tenant basis and provides a software encryption layer between
virtualized applications and physical storage, as shown in Figure 1.
Figure 1.
CloudLink SecureVSA
To offer EaaS, service providers install CloudLink SecureVSA in the existing VMware
vSphere or vCloud Director cloud platform. CloudLink SecureVSA includes three
components:
• CloudLink vNode
• CloudLink Gateway
• CloudLink Center
CloudLink vNode
Service providers deploy this software virtual appliance over a shared storage
resource to provide encrypted virtual storage for the tenant’s workloads and establish
an encrypted tunnel to a CloudLink Gateway for encryption key management.
Optionally, this tunnel can also be used as a network extension between customer
networks and the network in the tenant’s virtual data center in the cloud. Service
providers who want to offer self-service CloudLink-based EaaS can offer the
CloudLink vNode as a service template in their service catalogs.
CloudLink Gateway
Service providers deploy this software virtual appliance in the service provider cloud
or on-site in the customer private data center. The CloudLink Gateway establishes a
secure connection for managing CloudLink vNodes in the cloud. Like CloudLink
vNode, CloudLink Gateway supports storage encryption. The Gateway generates
enterprise-controlled encryption keys, places them in a secure key store, and delivers
them through the secure tunnel to the vNodes deployed in the cloud. In addition, the
Gateway authenticates vNodes, monitors connectivity, and initiates performance
testing.
Note: The CloudLink Gateway is not a traditional IT gateway. It is a CloudLink SecureVSA
component to which CloudLink vNodes connect.
CloudLink Center
A web-service application delivered as part of the CloudLink Gateway, CloudLink
Center provides a user interface to configure and manage CloudLink SecureVSA.
CloudLink Center provides secure storage encryption management, network
monitoring and testing, and audit trails of actions, alarms, and security
events. A representative display from CloudLink Center is shown in Figure 2.
Figure 2.
CloudLink Center management interface
Note: CloudLink Center is one of two management interfaces. The other is a low-level
appliance console that is used to deploy vNodes and the CloudLink Gateway.
Solution architecture
Overview
CloudLink SecureVSA is a software-defined storage encryption solution designed to
secure sensitive data on a virtualized and multitenant cloud environment. It is
delivered as a virtual storage appliance which can be deployed on a per-application,
per-tenant basis, and provides a software encryption layer between virtualized
applications and physical storage.
EaaS uses CloudLink SecureVSA to provide cryptographic protection of sensitive data
while enabling the data owner to keep control over security and compliance in a
multitenant virtualized cloud environment.
Service providers can offer EaaS to customers who need to encrypt their workloads
and data in a multitenant cloud environment to meet data security and regulatory
compliance requirements.
CloudLink EaaS adopts a secure storage overlay approach to encrypt data so that it is
transparent to applications and works across various underlying storage systems that
service providers use. This premium service enables secure Infrastructure as a
Service (IaaS), secure VDI as a service, and secure DRaaS in private, public or hybrid
cloud environments.
CloudLink SecureVSA provides the following important capabilities:
• Presents itself as a secure datastore or multiple datastores to the hypervisor
  and encrypts virtual machine disks transparently without changing
  applications. Service providers can deploy CloudLink as an encrypted storage
  overlay over physical storage systems and allocate the encrypted storage
  resource to the respective tenants.
• Presents itself as a secure software storage appliance to virtual machines
  directly over Microsoft SMB, NFS, or iSCSI. Service providers are able to offer
  this as part of their service template, and tenants can enable this encryption
  service in a self-service model.
• Enables the enterprise or tenant to control the encryption key and the security
  policy related to accessing the encrypted storage.
• Integrates with existing enterprise key management, RSA Data Protection
  Manager (DPM), to secure data in the cloud environment. Enterprises can
  benefit from their existing investment and enterprise key management
  expertise. As an alternative, Microsoft Active Directory server is supported as a
  CloudLink encryption key store.
• Supports heterogeneous cloud storage systems, providing full protection for the
  service provider’s existing storage system investment. The software encryption
  layer spans the entire cloud storage infrastructure.
• Supports all existing data center operations provided by cloud platforms,
  including virtual machine live migration, storage backup, replication, high
  availability, and fault tolerance.
Depending on customer requirements, service providers can offer EaaS in a variety of
ways:
• CloudLink SecureVSA as an encryption service template within a service
  catalog. Each tenant is able to install SecureVSA in a self-service manner and
  use it on a pay-as-you-go basis.
• CloudLink SecureVSA as part of a storage service, with encrypted storage as part
  of a storage resource pool for workload deployment by a particular tenant.
• Encryption key management options:
  - The service provider assumes full responsibility for encryption key
    management in a managed cloud service model.
  - The tenant assumes responsibility for key management.
• A hybrid model, where an enterprise can use CloudLink on site to encrypt the
  data in its private data center environment, and also to encrypt the data in the
  service provider environment.
Figure 3 represents the solution architecture.
Figure 3. EaaS solution architecture
Data-at-rest encryption
In a multitenant cloud, CloudLink SecureVSA is deployed on a per-tenant basis. In
this shared cloud infrastructure environment, storage is connected to the hypervisor
either directly or by using standard SAN (FC, FCoE), NAS, or iSCSI protocols. Each
tenant has its own dedicated CloudLink vNode instance, or a dedicated virtual volume
on a CloudLink vNode instance, on top of this shared infrastructure. Each tenant
encrypts the volume and stores the encryption key safely on premises and within its
control. By doing this, multiple secure virtual storage volumes are created on top of
the shared storage infrastructure. All data in each secure volume is AES-256-encrypted
with a unique encryption key controlled by the tenant. Once a secure
virtual storage volume is created, vNode exposes this volume in either secure
datastore mode or secure NAS mode.
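The isolation property described above (each tenant's volume encrypted under its own AES-256 key, with the key held by the tenant rather than stored on the shared array) can be illustrated with a small model. The following is an added example written for this page, not CloudLink's code; it assumes AES-256 in GCM mode (the paper states AES-256 but not the mode), and the tenant names, volume names, and plaintexts are constructed sample data. It stores ciphertext for two tenants on one shared map, shows that only the owning key opens a volume, and shows that zeroing a tenant's key leaves its blocks unrecoverable, which is the mechanism behind the data-remanence benefit listed in the business case.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// TenantKey is the 256-bit key a tenant controls for one secure volume. In the
// paper's model it lives in the tenant's key store, not on the shared array.
type TenantKey []byte

// NewTenantKey draws a fresh random AES-256 key.
func NewTenantKey() (TenantKey, error) {
	k := make(TenantKey, 32)
	_, err := rand.Read(k)
	return k, err
}

// newGCM builds an AES-256-GCM cipher for key. GCM is this example's assumption;
// the paper says only that each volume is AES-256 encrypted with a unique key.
func newGCM(key TenantKey) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects keys that are not 16/24/32 bytes
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// EncryptBlock seals one storage block. The random nonce is prepended to the
// ciphertext; GCM's tag makes a wrong key or a modified block fail loudly
// instead of yielding garbage plaintext.
func EncryptBlock(key TenantKey, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// DecryptBlock opens a block sealed by EncryptBlock; it errors on a wrong key
// or tampered ciphertext.
func DecryptBlock(key TenantKey, sealed []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed block too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// Shred zeroes a tenant key in place. With the only copy gone, every block
// sealed under it is unrecoverable: this is how encryption answers the
// data-remanence problem on storage shared by many tenants.
func Shred(key TenantKey) {
	for i := range key {
		key[i] = 0
	}
}

// Demo puts one block for each of two tenants on the same shared store (a map
// standing in for the provider's array) and reports three isolation checks:
// tenant 1 reads its own volume, tenant 2's key is rejected on that volume,
// and the volume is unreadable once tenant 1 shreds its key.
// Plaintexts are constructed sample data.
func Demo() (ownReads, otherRejected, shredRejected bool, err error) {
	key1, err := NewTenantKey()
	if err != nil {
		return
	}
	key2, err := NewTenantKey()
	if err != nil {
		return
	}
	shared := map[string][]byte{} // only ciphertext ever lands here
	if shared["tenant1-vol"], err = EncryptBlock(key1, []byte("tenant 1 records")); err != nil {
		return
	}
	if shared["tenant2-vol"], err = EncryptBlock(key2, []byte("tenant 2 records")); err != nil {
		return
	}
	pt, e := DecryptBlock(key1, shared["tenant1-vol"])
	ownReads = e == nil && string(pt) == "tenant 1 records"
	_, e = DecryptBlock(key2, shared["tenant1-vol"])
	otherRejected = e != nil
	Shred(key1)
	_, e = DecryptBlock(key1, shared["tenant1-vol"])
	shredRejected = e != nil
	return
}

func main() {
	own, other, shred, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Println("own key reads:", own, "other key rejected:", other, "shredded key rejected:", shred)
}
```

The point of the authenticated mode is that a cross-tenant read attempt or a shredded key produces a hard error rather than silently returning random bytes, which is what a provider's audit trail should record; a pure CTR or CBC volume cipher would not give that signal.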
Secure datastore mode
The secure datastore mode for CloudLink SecureVSA provides encrypted storage for
use by the hypervisor (VMware vSphere or Microsoft Hyper-V). In this mode, virtual
machines associated with the encrypted datastore can be thought of as running in an
encrypted container. The entire virtual machine can reside within the encrypted
datastore.
Alternatively, administrators can choose to associate only the data volumes with the
encrypted datastore, using a standard datastore for the operating system and
application volume. Administrators can then combine volumes into a single large
datastore. Alternatively, each attached volume can be encrypted with unique
encryption keys and shared as individual datastores.
The benefit of encrypted datastore mode is that it is completely transparent to the
virtual machines running with the encrypted datastore, requiring no changes or
modifications to virtualized servers and applications (agentless). This mode also
offers the benefits of supporting standard VMware features such as Distributed
Resource Scheduler (DRS), high availability (HA), fault tolerance (FT), and Storage
vMotion. Secure datastore mode is depicted in Figure 4.
Figure 4.
Secure datastore mode
Secure NAS mode
The Secure NAS mode of CloudLink SecureVSA provides encrypted storage at the
network level for virtual machines using NFS, CIFS/SMB, or iSCSI protocols. Similar to
encrypted datastore mode, encrypted NAS mode is an agentless data-at-rest
encryption solution, with the encryption completely transparent to the virtual
machines and applications attached or mapped to the NAS. Administrators can
combine volumes into a single large network share. Alternatively, each attached
volume can be encrypted with unique encryption keys and shared individually. Figure
5 represents secure NAS mode.
Figure 5.
Secure NAS mode
System requirements
CloudLink SecureVSA supports any cloud platform based on VMware vSphere 4.1 or
later and vCloud Director 5.1.
CloudLink vNode requirements
Typical system requirements for CloudLink vNode include the following:
• Two vCPUs (recommended)
• 4 GB vRAM (recommended)
• ESX server with CPUs that support Advanced Encryption Standard New
  Instructions (AES-NI), which is highly recommended for better encryption
  performance
• 8 GB storage for deploying vNode
• Network requirements:
  - One network interface for managing a CloudLink Gateway
  - One IP storage network interface for a vNode to present itself as a virtual
    storage appliance directly to virtual machines (in secure NAS mode) or to
    the ESX hypervisor as a datastore
  - An additional network interface for virtual machines to communicate with
    the VPN tunnel, if required
• Virtual disks from vSphere or from vCloud Director to use as an encrypted
  storage resource; up to 10 TB can be supported per vNode
CloudLink Gateway requirements
Typical system requirements for CloudLink Gateway include:
• One vCPU (recommended) if CloudLink Gateway is used only as a management
  node (CloudLink Center); two vCPUs (recommended) if CloudLink Gateway is
  used as both a management node and storage encryption node
• 1 GB vRAM (recommended) if CloudLink Gateway is used only as a
  management node (CloudLink Center); 4 GB vRAM (recommended) if CloudLink
  Gateway is used as both a management node and storage encryption node
• 8 GB storage for deploying CloudLink Gateway
• Network requirements:
  - One network interface for managing CloudLink vNodes
  - An IP storage network interface for CloudLink Gateway to present itself as a
    virtual storage appliance directly to virtual machines (in Secure NAS mode)
    or to the ESX hypervisor as a datastore when CloudLink Gateway is used as
    a storage encryption node
  - An additional network interface for virtual machines to communicate with
    the VPN tunnel, if required
• Virtual disks from vSphere or from vCloud Director for use as an encrypted
  storage resource—up to 10 TB can be supported per CloudLink Gateway
• CloudLink Center is part of CloudLink Gateway; accessing the CloudLink
  Center web interface requires a web browser with the Adobe Flash plug-in
Common deployment models
Overview
CloudLink SecureVSA components can be distributed across the customer’s private
data center and the service provider’s multitenant cloud to meet a variety of EaaS
deployment situations.
This section describes three common EaaS deployment models, as represented by
Tenant 1, Tenant 2, and Tenant 3 in Figure 6. Each customer has a dedicated private
data center. The multitenant service provider cloud includes one resource pool for
each tenant for CloudLink SecureVSA encrypted storage. Tenant 4 represents a tenant
that is hosted in the multitenant cloud but does not use the encryption services of
CloudLink SecureVSA.
Figure 6.
Deployment models
The three customers who make use of CloudLink SecureVSA encrypted storage in this
example represent the three common deployment models that are described in this
White Paper:
• Model 1—All CloudLink SecureVSA components and the key store are deployed
  in the Tenant 1 cloud resource pool. The service provider maintains control over
  the encryption keys and the security policy. From web browsers in the private
  data center, the customer’s users can access the encrypted storage in the
  service provider’s cloud using NAS protocols (CloudLink Secure NAS mode) or
  indirectly through applications that use the encrypted storage (CloudLink
  Secure Datastore mode). This model has two submodels:
  - Single CloudLink Gateway in the Tenant 1 resource pool, which supports
    both CloudLink management and storage encryption
  - Single CloudLink Gateway with one or more CloudLink vNodes. In this
    model, the storage encryption function is performed by the vNodes, and the
    CloudLink Gateway manages these vNodes
• Model 2—All CloudLink SecureVSA components are deployed in the Tenant 2
  cloud resource pool. The key store is hosted in the private data center, and the
  customer maintains control over encryption keys and security policy.
  As in Model 1, the same two submodels exist here:
  - Single CloudLink Gateway
  - Single CloudLink Gateway that manages multiple CloudLink vNodes
• Model 3—Only the CloudLink vNode is deployed in the Tenant 3 resource pool. The
  CloudLink Gateway and key store are hosted in the private data center, and the
  customer maintains control over encryption keys and security policy.
Model 1—Full deployment in the cloud
Many customers prefer the service provider to take responsibility for managing the
CloudLink SecureVSA components and the key store. For these customers, service
providers can use a deployment model in which the CloudLink Gateway, vNode, and
key store are deployed in the appropriate tenant resource pool in the service
provider’s cloud, as shown in Figure 7.
Figure 7.
Model 1 deployment
Model 1 workflow
The workflow in Figure 8 represents the tasks for a full CloudLink SecureVSA
deployment in the service provider’s cloud. In this workflow, the service provider
performs all tasks.
Workflow (Figure 8), from Start to End:
1. Deploy Gateway OVF template
2. Add private network interface for Gateway
3. Configure Gateway
4. Deploy vNode OVF template
5. Add SAN network interface and hard disks for vNode, and configure SAN
   interface properties (optional)
6. Add private network interface for vNode
7. Configure vNode (including VPN)
8. Upload and assign storage license for vNode
9. Merge disks (optional)
10. Configure encryption key store
11. Format secure storage
12. Configure access to secure storage
13. Create secure datastore (optional)
Figure 8. Model 1 workflow
Model 1 workflow reference
Table 2 lists each task shown in Figure 8 for a full CloudLink SecureVSA deployment
in the service provider’s cloud.
Table 2. Model 1 workflow references

Task: Deploy the CloudLink Gateway OVF template
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide:
  Scalable Encrypted Storage Overlay > Deploying the CloudLink Gateway OVF Template

Task: Add the private network interface for the Gateway
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide:
  Adding Components > Deploy a Gateway with No Storage

Task: Configure the Gateway
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide:
  Scalable Encrypted Storage Overlay > Configuring the CloudLink Gateway

Task: Deploy the vNode OVF template
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide:
  Scalable Encrypted Storage Overlay > Deploying the vNode OVF Template

Task: Add SAN and private network interfaces, add hard disks for vNode, and
  configure SAN interface properties
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide:
  Scalable Encrypted Storage Overlay > Deploying the vNode OVF Template

Task: Configure vNode, including VPN connection, and upload and assign the
  storage license for the vNode
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide:
  Managing Storage Licenses > Uploading Storage Licenses; Assigning Storage Licenses

Task: Merge disks (optional). Merge disks to present multiple disks as a single
  encrypted storage volume. Otherwise, each disk is presented as a separate
  encrypted storage volume.
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide:
  Managing Secure Storage > Merging Volumes

Task: Configure encryption key store
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide:
  Managing Secure Storage > Encryption Key Store Management

Task: Format secure storage
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide:
  Managing Secure Storage > Formatting Volumes

Task: Configure access to secure storage (for Secure NAS mode only)
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide:
  Managing Secure Storage > Configuring NFS/SMB Access to Secure Storage;
  Configuring iSCSI Access to Secure Storage

Task: Create secure datastore (for Secure Datastore mode only)
Reference/topic: CloudLink SecureVSA v2.2 VMware vSphere Administration Guide:
  Managing Secure Storage > Configuring Secure Datastore
Model 2—Key store in the private data center with SecureVSA in the cloud
Some customers want the service provider to be responsible for managing the
CloudLink SecureVSA components but prefer to retain control over encryption keys
and security policy. For these customers, service providers can use a deployment
model in which the key store is hosted in the customer’s private data center, and
CloudLink SecureVSA components are hosted in the appropriate tenant resource pool
in the service provider’s cloud, as shown in Figure 9.
Figure 9.
Model 2 deployment
Model 2 workflow
The workflow in Figure 10 represents the tasks for a key store in the private data
center with all CloudLink SecureVSA components in the service provider’s cloud. The
figure divides the tasks between two lanes, Service Provider and Customer; Table 3
identifies the party responsible for each task.
Workflow (Figure 10), from Start to End:
1. Deploy Gateway OVF template
2. Add private network interface for Gateway
3. Configure Gateway
4. Deploy vNode OVF template
5. Add SAN network interface and hard disks for vNode, and configure SAN
   interface properties (optional)
6. Add private network interface for vNode
7. Configure vNode up to the point where the VPN setup steps begin
8. Generate one-time passcode
9. Set up VPN using one-time passcode
10. Provide CloudLink Center credentials and URL, and storage license, to customer
11. Upload and assign storage license for vNode
12. Merge disks (optional)
13. Configure encryption key store
14. Format secure storage
15. Configure access to secure storage
16. Create secure datastore (optional)
Figure 10. Model 2 workflow
EMC Encryption as a Service
with CloudLink SecureVSA
21
Model 2 workflow reference
Table 3 lists each task shown in the deployment workflow for a key store in the
private data center, with CloudLink SecureVSA components in the service provider’s
cloud. For each task, the table identifies the party responsible for the task and the
appropriate topic for more information in the related references.
Table 3. Model 2 workflow reference

| Task | Reference/topic |
|---|---|
| Service provider deploys the Gateway OVF template | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay, Deploying the CloudLink Gateway OVF Template |
| Service provider adds the private network interface for the Gateway | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Adding Components, Deploy a Gateway with No Storage |
| Service provider configures the Gateway | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay, Configuring the CloudLink Gateway |
| Service provider deploys the vNode OVF template | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay, Deploying the vNode OVF Template |
| Service provider adds SAN and private network interfaces, adds hard disks for the vNode, and configures SAN interface properties | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Adding Components, Configuring CloudLink for Use as Datastore Storage, Process for Configuration |
| Service provider configures the vNode up to the point where the VPN setup steps begin | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay, Configuring the vNode |
| Service provider generates the one-time passcode | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay, Configuring the vNode. Note: The steps to generate the one-time passcode in CloudLink Center on the CloudLink Gateway are provided at the end of the procedure to configure the vNode. |
| Service provider sets up the VPN connection to connect the vNode to the Gateway using the one-time passcode | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay, Configuring the vNode. Note: The steps to set up the VPN connection, including entering the one-time passcode, are provided at the end of the procedure to configure the vNode. |
| Service provider provides the CloudLink Center credentials and URL, and the storage license, to the customer | n/a |
| Customer uploads and assigns the storage license for the vNode | CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Storage Licenses, Uploading Storage Licenses; Assigning Storage Licenses |
| Customer merges disks (optional). Merge disks to present multiple disks as a single encrypted storage volume; otherwise, each disk is presented as a separate encrypted storage volume. | CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage, Merging Volumes |
| Customer configures the encryption key store | CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage, Encryption Key Store Management |
| Customer formats secure storage | CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage, Formatting Volumes |
| Customer configures access to secure storage (Secure NAS mode only) | CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage, Configuring NFS/SMB Access to Secure Storage; Configuring iSCSI Access to Secure Storage |
| Service provider creates the secure datastore (Secure Datastore mode only) | CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage, Configuring Secure Datastore |
Model 3—Key store and CloudLink Gateway in the private data center with the vNode in the cloud
Some customers prefer the service provider to be responsible only for providing
CloudLink SecureVSA encrypted storage. These customers prefer to maintain control
over the CloudLink Gateway and the encryption keys and security policy in a hybrid
cloud environment. For these customers, service providers can use a deployment
model in which the CloudLink vNode is deployed in the appropriate tenant resource
pool in the service provider’s cloud, and the CloudLink Gateway and the key store are
hosted in the customer’s private data center, as shown in Figure 11.
Figure 11. Model 3 deployment
Model 3 workflow
The workflow in Figure 12 represents the tasks for the key store and CloudLink
Gateway in the private data center, with the CloudLink vNode in the service provider’s
cloud. The workflow identifies whether the service provider or customer performs
each task.
Figure 12 is a swimlane diagram with a Customer lane and a Service Provider lane; the tasks it shows, in order, are:
Customer:
1. Deploy Gateway OVF template
2. Add private network interface for Gateway
3. Configure Gateway
Service Provider:
4. Deploy vNode OVF template
5. Add SAN network interface and hard disks for vNode, and configure SAN interface properties (optional)
6. Add private network interface for vNode
Customer:
7. Configure vNode (including VPN)
8. Upload and assign storage license for vNode
9. Merge disks (optional)
10. Configure encryption key store
11. Format secure storage
12. Configure access to secure storage
Service Provider:
13. Create secure datastore (optional)
Figure 12. Model 3 workflow
Model 3 workflow reference
Table 4 lists each task for a key store and CloudLink Gateway in the private data
center, with the CloudLink vNode in the service provider’s cloud. For each task, the
table identifies the party responsible for the task and the appropriate topics for more
information in the related references.
Table 4. Model 3 workflow reference

| Task | Reference/topic |
|---|---|
| Customer deploys the CloudLink Gateway OVF template | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay, Deploying the CloudLink Gateway OVF Template |
| Customer adds the private network interface for the Gateway | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Adding Components, Deploy a Gateway with No Storage |
| Customer configures the Gateway | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay, Configuring the CloudLink Gateway |
| Service provider deploys the vNode OVF template | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay, Deploying the vNode OVF Template |
| Service provider adds SAN and private network interfaces, adds hard disks for the vNode, and configures SAN interface properties | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Adding Components, Configuring CloudLink for Use as Datastore Storage, Process for Configuration |
| Customer configures the vNode, including the VPN connection | CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide: Scalable Encrypted Storage Overlay, Configuring the vNode |
| Customer uploads and assigns the storage license for the vNode | CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Storage Licenses, Uploading Storage Licenses; Assigning Storage Licenses |
| Customer merges disks (optional). Merge disks to present multiple disks as a single encrypted storage volume; otherwise, each disk is presented as a separate encrypted storage volume. | CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage, Merging Volumes |
| Customer configures the encryption key store | CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage, Encryption Key Store Management |
| Customer formats secure storage | CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage, Formatting Volumes |
| Customer configures access to secure storage (Secure NAS mode only) | CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage, Configuring NFS/SMB Access to Secure Storage; Configuring iSCSI Access to Secure Storage |
| Service provider creates the secure datastore (Secure Datastore mode only) | CloudLink SecureVSA v2.2 VMware vSphere Administration Guide: Managing Secure Storage, Configuring Secure Datastore |
CloudLink management
CloudLink Center provides web-based management of encryption services, including:
• Key management—Configuration of key stores and of key-change scheduling policies.
• Encrypted storage management—Merging disks, resizing the storage, and locking or unlocking encrypted storage volumes.
• Secure communication management between CloudLink Gateway and CloudLink vNodes—Key delivery, VPN traffic, and authentication status of CloudLink vNodes.
• Performance monitoring—Monitoring of storage and network performance. The performance data for the past 24 hours is reported and can be exported as a spreadsheet file.
• Security event and log management—All security events and logs are displayed on CloudLink Center. They can be sent to an external application using SNMP or consolidated on a central syslog server.
CloudLink Center supports role-based administration, which separates security
management from infrastructure administration. There are three pre-defined roles in
CloudLink: security administrator (secadmin), regular IT administrator (admin), and
observer for monitoring. Each role has its own unique privilege set as defined in Table 5.
• In a Model 1 deployment, the service providers assume the roles of “secadmin” and “admin” while the tenants assume the role of “observer.”
• In Model 2 and Model 3 deployments, where the tenants control the data security and encryption keys, the tenants assume the role of “secadmin” and the service providers assume the “admin” role.
• The observer role can be assigned to both tenants and service providers, as required.
Table 5. Role-based administration
The table maps the following operations to the three roles (SEC admin, Admin, Observer); the per-role permission marks of the original table are not reproduced here.
• Control of keys for encrypted storage
• VPN configuration and control
• Network performance and SLA monitoring
• View VM security audit status
• View security events
• View actions
• View alarms and events
• Syslog/SNMP configuration
Encryption key management
Each CloudLink SecureVSA encrypted virtual storage volume has two associated
encryption keys:
• The data encryption key (DEK) is generated by the CloudLink vNode on a per-volume basis to encrypt data at block level using AES-256.
• The DEK is then encrypted with a key encryption key (KEK), and the encrypted DEK is stored on the disk with the data.
Data security administrators have full control of the encryption keys and the KEKs can
be updated regularly by the security administrators using CloudLink Center. Special
care must be taken to ensure that enterprise-owned data are never stored or
transferred in clear text and can be promptly withdrawn by the enterprise at any time.
Cloud administrators do not have access to DEKs and KEKs; therefore, neither cloud
administrators, nor other tenants or intruders can access enterprise data in the cloud.
KEKs are generated and managed by the CloudLink Gateway. They must be changed
regularly according to key management policies and kept in a safe place to ensure
the safety of encrypted data. CloudLink supports three key stores:
• RSA Data Protection Manager (DPM) provides a key store that is tamper proof and supports high availability. The RSA DPM client is integrated into CloudLink Gateway.
• Microsoft Active Directory provides an alternate secure encryption key store. This option allows an enterprise to use its existing Active Directory deployment and securely store cloud encryption keys.
• KEKs may also be stored within the CloudLink Gateway. This option is suitable for trials and testing but is not recommended for production deployment.
Figure 13. Key store configuration
CloudLink Center is the entry point for CloudLink SecureVSA key management.
Depending on the deployment models discussed above, the key management can be
performed by the service provider security administrators or by enterprise data
security administrators. Through the CloudLink Center interface, the security
administrator can monitor and control the availability of encrypted volumes by
choosing whether KEKs are made available to the CloudLink SecureVSA cipher.
CloudLink Center’s lock operation withdraws the KEK for an encrypted volume from
the CloudLink SecureVSA, preventing it from decrypting the volume’s DEK and
rendering the data stored on the volume unavailable.
Conversely, the unlock operation provides the KEK for an encrypted volume to
CloudLink, which then uses it to decrypt the volume’s DEK and uses the DEK to
decrypt the data and make it available.
Using CloudLink Center, the security administrator can also perform key change
operations, either on demand or on a scheduled policy basis. Figure 14 shows the
options for locking and unlocking encrypted storage.
Figure 14. Locking and unlocking encrypted storage
RSA DPM integration
CloudLink SecureVSA provides out-of-the-box integration with RSA DPM. All storage KEKs
created and managed by CloudLink can be stored securely in DPM. DPM provides
centralized key vaulting, protection and recoverability of the keys. The keys are
generated by CloudLink and provided to DPM for safe storage. They are then retrieved
by CloudLink and provided to CloudLink vNodes that must provide access to their
encrypted storage volumes (that is, to unlock the volumes). At any time, a security
administrator using CloudLink Center can instruct CloudLink to lock one or all of a
node’s encrypted volumes. CloudLink then issues a lock command to the node and
the node destroys its cached version of the storage KEKs.
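The two-key scheme above (a per-volume DEK wrapped by a KEK and stored beside the data) and the lock, unlock and key change operations described in this section, as an added illustration that is not CloudLink code: a small Go model in which a vNode (here the assumed type Node) can read a volume only while it holds the KEK, locking zeroes the cached KEK, and a KEK change re-wraps the DEK without re-encrypting the data. AES-256-GCM and the names Volume, Node and RotateKEK are this example's choices; the page does not state the product's cipher mode or how its key change is implemented.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

func gcm(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // every key in this model is 32 bytes, so this is a programming error
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return aead
}

// seal returns nonce || ciphertext || tag under key; open reverses it and fails on a wrong key.
func seal(key, plaintext []byte) []byte {
	aead := gcm(key)
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		panic(err)
	}
	return aead.Seal(nonce, nonce, plaintext, nil)
}

func open(key, blob []byte) ([]byte, error) {
	aead := gcm(key)
	return aead.Open(nil, blob[:aead.NonceSize()], blob[aead.NonceSize():], nil)
}

// Volume is what sits on disk: data encrypted under the DEK, and the DEK wrapped by the KEK.
type Volume struct{ WrappedDEK, Data []byte }
// NewVolume generates a per-volume AES-256 DEK, encrypts the data with it and wraps the DEK under the KEK.
func NewVolume(kek, plaintext []byte) *Volume {
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		panic(err)
	}
	return &Volume{WrappedDEK: seal(kek, dek), Data: seal(dek, plaintext)}
}

// Node models a vNode: it caches the KEK only while unlocked; Lock zeroes and drops the cached copy.
type Node struct{ kek []byte }
func (n *Node) Unlock(kek []byte) { n.kek = append([]byte(nil), kek...) }
func (n *Node) Lock()             { clear(n.kek); n.kek = nil }

// Read unwraps the DEK with the cached KEK, then decrypts the volume data.
func (n *Node) Read(v *Volume) ([]byte, error) {
	if n.kek == nil {
		return nil, errors.New("volume is locked: KEK withdrawn")
	}
	dek, err := open(n.kek, v.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return open(dek, v.Data)
}

// RotateKEK is the key change: the DEK is re-wrapped under the new KEK; the data is untouched.
func RotateKEK(oldKEK, newKEK []byte, v *Volume) error {
	dek, err := open(oldKEK, v.WrappedDEK)
	if err != nil {
		return err
	}
	v.WrappedDEK = seal(newKEK, dek)
	return nil
}
```

After a key change the encrypted data bytes are unchanged and a node still holding the old KEK can no longer unwrap the DEK, which is why a KEK rotation is cheap while the KEK itself must be kept safe.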
RSA DPM is available in the following form factors:
• Hardware appliance
• Virtual appliance
• Software server deployable in customer software infrastructure
Both the hardware and virtual appliances come with a prepackaged software stack
that includes a web application server, enterprise-class database, and access
management. Client applications authenticate with the server using mutual SSL. A
client application using a DPM client for encryption and key management can operate
with a local protected cache for keys.
Figure 15 shows a typical deployment architecture for key management that contains
at least two load-balanced nodes within the primary site for high availability and
more nodes in remote sites for scalability or disaster recovery purposes, all clustered
together. All nodes in a cluster are active. DPM appliances come with built-in
replication to keep all the nodes in sync. RSA DPM virtual and hardware appliances
can be deployed in the same way.
Figure 15. Typical RSA DPM deployment architecture (diagram: client apps/systems reach the DPM nodes through distributed load balancing; a Primary Datacenter and a Secondary Datacenter each use local load balancing, with key replication between the nodes within and across the sites)
To use RSA DPM to store CloudLink KEKs, ensure that an RSA DPM host version 3.1 or
later is accessible by the CloudLink Gateway through its private LAN network. The
CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide and the CloudLink
SecureVSA v2.2 VMware vSphere Administration Guide provide more information on
deploying, configuring, and using CloudLink.
To prepare RSA DPM for storage of CloudLink KEKs:
1. Log on to the RSA Data Protection Manager console.
2. Create an identity that belongs to a particular RSA DPM identity group, as shown in Figure 16.
Figure 16. Creating an RSA DPM identity
3. Create a security class object with infinite duration that belongs to the same RSA DPM identity group, as shown in Figure 17.
Figure 17. Creating a security class object
To configure CloudLink to use RSA Data Protection Manager as its key store:
1. Open CloudLink Center on the Gateway using the secadmin user account.
2. Under the topology tree, select the gateway.
3. Click Security > Key Store.
4. To configure CloudLink to use RSA Data Protection Manager for KEK storage, under Location, click RSA DPM.
5. Under RSA DPM Configuration, shown in Figure 18, specify the RSA DPM parameters:
• Host—RSA DPM host IP address
• Port—TCP port number configured on the RSA DPM host (default port is 443)
• Security Class Name—Name of the security class configured on the RSA DPM host for the RSA DPM client
• Trust Certificate—RSA DPM server certificate
• Client Certificate—RSA DPM client certificate
• Password—Password used during creation of the RSA DPM client certificate
6. Click Apply.
Figure 18. RSA DPM Configuration panel in CloudLink Center
CloudLink Gateway displays the RSA DPM status as Accessible. It creates a
new entry in the CloudLink Center Actions log, as shown in Figure 18, and
records a Key store change security event, as shown in Figure 19.
Figure 19. Key store change security event recorded by CloudLink
Microsoft Active Directory integration
As an alternative to using RSA DPM as a key store, you can configure Microsoft Active
Directory as a CloudLink key store. It is very important that the Active Directory server
is properly backed up to ensure the safety of the encryption key, because losing the
encryption key will cause data loss. For high availability and disaster recovery, Active
Directory servers acting as CloudLink key stores are deployed on both the production site
and the DR site.
Configuring Active Directory as a key store
To use Active Directory to store CloudLink encryption keys, deploy a Windows Server
that is accessible by CloudLink Center from its private LAN network.
During this procedure, you must provide the host name of the Windows Server, which
means you must have already set up the DNS server.
To configure Active Directory as the CloudLink encryption key store on a Windows
2003 or 2008 Server that is configured as a domain controller, the following high-level steps are required:
1. Set up an organizational unit on Windows Server.
2. Create a bind user.
3. Add the bind user to the security group.
4. Record the DN of CloudLink.
5. Apply the domain controller in CloudLink.
For detailed configuration instructions, refer to the CloudLink SecureVSA v2.2 VMware
vSphere Administration Guide.
Conclusion
EMC EaaS powered by CloudLink SecureVSA enables cloud service providers to
address the compliance and data security requirements of their customers. It eases
concerns of cloud service customers about their data security in a multitenant
environment by providing them with a tool to manage the encryption keys and
security policy. It also generates additional service revenue, both from a premium
encryption service for data that must be encrypted in the cloud and from the additional
workloads that move into the cloud as a result.
CloudLink SecureVSA is very easy to deploy, and is transparent to business
applications and underlying infrastructure. It is a granular encryption solution that is
workload driven and can be deployed on a per-tenant basis. It encrypts only the data
for which tenants and applications require encryption. Other workloads in the cloud
environment can continue to use regular cloud storage.
The three deployment models described in this White Paper demonstrate the ease
with which CloudLink SecureVSA can be deployed and configured by service
providers and their customers.
With flexible key management options, customers always have a choice to entrust
cloud service providers to manage the key on their behalf or to use existing enterprise
key management to secure their data in the service provider environment. The
enterprise key management investment is fully protected.
CloudLink EaaS secures the cloud and ultimately helps enterprises to trust the cloud.
References
VMware documentation
For additional information, see the documents listed below.
• CloudLink SecureVSA v2.2 VMware vSphere Deployment Guide
• CloudLink SecureVSA v2.2 VMware vSphere Administration Guide
• CloudLink SecureVSA v2.2 VMware vCloud Director Supplementary Deployment Guide