Page 1 of 12 www.SimpliVity.com White Paper SimpliVity OmniStack with Vormetric Transparent Encryption

White Paper SimpliVity OmniStack with Vormetric Transparent …go.thalesesecurity.com/rs/480-LWA-970/images/J496_Vor... · 2020-02-24 · Page 3 of 12 White Paper Executive Summary


SimpliVity OmniStack with Vormetric Transparent Encryption


Table of Contents

Executive Summary
  Audience
Solution Overview
  SimpliVity Introduction
  Why SimpliVity for Virtualized Environments?
  Vormetric Technology
  Vormetric Transparent Encryption
Solution Overview
  Customer Benefits
Solution Architecture
  Topology
  Testing Infrastructure
  Technical Details
Testing Methodology
  Vdbench Performance Test
  SimpliVity Operations and Feature Test
  Vormetric Operation Test
Test Results
  Vdbench
  SimpliVity Operation Results
  Vormetric Operation Test Setup & Execution
Best Practices
Conclusion


Executive Summary

This solution guide introduces SimpliVity OmniStack technology and Vormetric Transparent Encryption, as a combined solution that reduces security risks and helps to ensure compliance with regulatory requirements, while still delivering superior application performance. It discusses the interoperability of both technologies through testing conducted by SimpliVity, in collaboration with Vormetric, and provides best practices and recommendations for implementing the solution.

Audience

This document is intended for IT administrators who want to implement a VM encryption solution running on SimpliVity OmniStack systems within their IT datacenter.

Solution Overview

SimpliVity Introduction

SimpliVity’s hyperconverged infrastructure solution transforms the data center by virtualizing data and incorporating all IT infrastructure and services below the hypervisor into standard x86 building blocks. With 3X total cost of ownership (TCO) reduction, SimpliVity OmniStack software-defined hyperconverged infrastructure delivers the best of both worlds: the enterprise-class performance, protection and resiliency that today’s organizations require, with the cloud economics businesses demand.

Designed to work with any hypervisor or industry-standard x86 server platform, the SimpliVity solution provides a single, shared resource pool across the entire IT stack, eliminating point products and inefficient siloed IT architectures. The solution is distinguished from other converged infrastructure solutions by three unique attributes: accelerated data efficiency, built-in data protection functionality and global unified management capabilities.

• Accelerated Data Efficiency: OmniStack performs inline data deduplication, compression and optimization on all data at inception across all phases of the data lifecycle, all handled with fine data granularity of just 4KB-8KB. On average, SimpliVity customers achieve 40:1 data efficiency while simultaneously increasing application performance.

• Built-In Data Protection: OmniStack includes native data protection functionality, enabling business continuity and disaster recovery for critical applications and data, while eliminating the need for special-purpose backup and recovery hardware or software. OmniStack’s inherent data efficiencies minimize I/O and WAN traffic, reducing backup and restore times from hours to minutes.

• Global Unified Management: OmniStack’s VM-centric approach to management eliminates manually intensive, error-prone administrative tasks. System administrators are no longer required to manage LUNs and volumes; instead, they can manage all resources and workloads centrally, using familiar interfaces such as VMware vCenter and VMware vRealize Automation.

SimpliVity packages OmniStack on popular x86 platforms—either on 2U servers marketed as OmniCube, or with partner systems such as Cisco and Lenovo, marketed as OmniStack Integrated with Cisco UCS and OmniStack Solution with Lenovo System x, respectively.


An individual OmniStack node includes:

• A compact hardware platform - a 2U industry-standard virtualized x86 platform containing compute, memory, performance-optimized SSDs and capacity-optimized HDDs protected in hardware RAID configurations, and 10GbE network interfaces

• A hypervisor such as VMware vSphere/ESXi

• OmniStack virtual controller software running on the hypervisor

• An OmniStack Accelerator Card – a special-purpose PCIe card with an FPGA, flash, and DRAM, protected with super capacitors; the accelerator card offloads CPU-intensive functions such as data compression, deduplication and optimization from the x86 processors.

Figure 1 – Legacy Comparison
[Figure labels: a legacy stack of Storage Caching, Data Protection Apps, WAN Optimization, Cloud Gateway, Backup & Dedupe, SSD Array, (4) Servers + VMware, Storage Switch and (2) HA Shared Storage, compared with OmniStack: One Building Block, 3x TCO Savings, Global Unified Management, Operational Efficiency; Enterprise Capabilities, Cloud Simplicity & Economics]


Why SimpliVity for Virtualized Environments?

OmniStack was specifically designed to meet the stringent price-performance, scalability, agility and resiliency demands of today’s data-intensive, highly virtualized IT environments. Key benefits and advantages include:

• Simplicity and superior economics: OmniStack eliminates infrastructure cost and complexity by consolidating a variety of IT functions (compute, storage, network switching, replication, backup, etc.) onto commodity virtualized x86 hardware, with global unified management. The solution contains CAPEX by eliminating IT silos, converging technology stacks, and optimizing storage capacity; and it reduces OPEX by containing power, cooling, rack space and system administration expenses.

• Linear scalability: The SimpliVity solution features a scale-out architecture that minimizes upfront investments and provides a high degree of flexibility and extensibility. OmniStack nodes are installed in an incremental fashion to accommodate growth, enable new applications or extend system availability. Two or more OmniStack nodes can be federated to create a massively scalable pool of shared resources that is administered as a cohesive system, with a single administrative interface.

• VM-centric design: OmniStack was designed from the ground up with virtualization in mind. The solution abstracts data from the underlying hardware; virtual machine files are mapped directly to blocks on storage. All data storage, management, and protection functions are inherently optimized for virtualization. All administrative tasks, including managing data protection policies, analyzing performance and troubleshooting problems, are performed at the VM level. From an administrative perspective, a datastore is simply a logical construct, decoupled from the underlying physical infrastructure. Concepts like LUNs, volumes, shares, and disk groups simply don’t apply with SimpliVity.

• Accelerated IT service agility: OmniStack’s inherent data efficiencies and VM-centric management capabilities dramatically simplify operations and boost IT service agility. With OmniStack, system administrators can spin up IT services and clone VMs in just seconds with two or three mouse clicks.

• High resiliency: The SimpliVity solution is designed to be highly resilient, with no single point of failure. The solution supports both RAID (redundant array of independent disks) for disk-level resiliency and RAIN (redundant array of independent nodes) for node-level resiliency. In a high availability RAIN implementation, the complete set of data associated with a VM is simultaneously written to two distinct nodes, protecting data in the event of disk or node failures.

Figure 2 – An OmniStack Federation
[Figure label: Public Cloud]


Vormetric Technology

The Vormetric Data Security Platform makes it efficient to manage data-at-rest security across an entire organization. Built on an extensible architecture, Vormetric Data Security Platform products can be deployed individually, while sharing efficient, centralized key management. With the platform’s comprehensive, unified capabilities, an organization can efficiently scale to address expanding security and compliance requirements, while significantly reducing total cost of ownership.

The Vormetric Data Security Platform delivers capabilities for transparent file-level encryption, application-layer encryption, tokenization, dynamic data masking, cloud encryption gateway, integrated key management, privileged user access control and security intelligence.

With the solution, organizations can address security policies and compliance mandates across databases, files and big data nodes—whether assets are located in cloud, virtualized or traditional environments.

Vormetric Transparent Encryption

The Transparent Encryption solution involves the Vormetric Data Security Manager and transparent encryption agents. The Data Security Manager represents the central component of the Vormetric Data Security Platform, enabling the management of multiple Vormetric products. The software appliance offers centralized capabilities for storing and managing host encryption keys, data access policies, administrative domains and administrator profiles.

Vormetric Transparent Encryption features an agent that runs in the file system to provide high-performance encryption and least-privileged access controls for files, directories and volumes. This enables encryption of both structured databases and unstructured files. Unlike other encryption solutions, protection does not end after the encryption key is applied. Vormetric continues to enforce least-privileged user policies to protect against unauthorized access by users and processes, and it continues to log access. With these capabilities, you can ensure continuous protection and control of your data.

The product enforces granular, least-privileged user access policies that protect data from misuse by privileged users and advanced persistent threat (APT) attacks. Granular policies can be applied by user (including for administrators with root privileges), process, file type, time of day, and other parameters. Enforcement options are very granular; they can be used to control not only permission to access clear-text data, but which file-system commands are available to a user.

The platform logs all permitted, denied and restricted access attempts from users, applications and processes. These logs are all captured in the Data Security Manager, enabling administrators to get detailed insights and to efficiently track security status. This also enables easy integration with security information and event management (SIEM) systems.


The following diagram shows Vormetric Transparent Encryption architecture in a normal production environment.

Solution Overview

Customer Benefits

SimpliVity is simplifying IT by providing a virtual computing infrastructure solution that seamlessly combines all data center infrastructure and services below the hypervisor. It is delivered on x86 building blocks to create one shared resource pool for compute, primary storage and backup storage that expands by adding nodes within or across data centers.

The combined SimpliVity/Vormetric solution provides enterprise performance, supporting business critical applications while ensuring security across the data life cycle. Benefits of the combined solution include:

• Scales and grows with your requirements: SimpliVity OmniStack enables you to scale your environment easily by adding nodes to the SimpliVity Federation. With Vormetric transparent encryption, organizations can easily expand protection of files and data as new business requirements arise across physical, virtual, cloud or big data environments.

• Transparent deployment: No downtime or changes are required to existing infrastructure or applications when deploying Vormetric transparent encryption on SimpliVity OmniStack systems.

• Supports compliance and contractual mandates: Vormetric software satisfies mandates around data encryption, file encryption, least privileged access, monitoring, and encryption key management.

• The broadest heterogeneous operating system and application support: Vormetric Transparent Encryption agents support Windows, Linux and Unix platforms running as VMs on SimpliVity OmniStack systems as well as most databases and all unstructured file types.

• Privileged user access controls: In addition to encryption and key management, the agent can enforce very granular, privileged user access policies, enabling protection of data from misuse by privileged users and APT attacks. Granular policies can be applied by user (including for administrators with root privileges), process, file type, time of day, and other parameters. Enforcement options are also very detailed; they can be used to control not only whether users can access clear-text data, but which file system commands are available.


Solution Architecture

Topology

The following diagram shows the topology of the environment that was tested for this solution guide.

[Topology diagram labels: Infrastructure (DSM, AD/DC/DNS, SQL Server, vCenter Server), Production, Test & Dev, Encrypted VM’s, VM-1 ... VM-10, VM-11 ... VM-50, VM-22_Clone, VM-43_Restored, 1GbE, 10GbE]

Testing Infrastructure

Hardware Model: OmniStack CN-2200
OmniStack Version: OmniStack 3.0.8
Hypervisor: vSphere 6.0
Vdbench: 5.04.03
Guest Operating System: Windows Server 2012 R2
HyTrust DataControl Version: 5.2.3.1530


Technical Details

The test environment included three distinct “pods,” as shown in the diagram above.

Infrastructure: All resources needed to support operations within the test bed, including Data Control components, were hosted here. These components are:

• DC/Active Directory/DNS: Windows components used to manage servers running Windows operating systems, assign IP addresses, etc.

• DSM: Data security manager software appliance that performs encryption and management

• SQL Server: Database for the vCenter Server

• vCenter Server: Management interface for Virtual Machines

Production: This pod hosted all the virtual machines that were tested in this solution. The test consisted of running a sustained load on the virtual machines and validation of SimpliVity operations as well as Vormetric features.

Test & Dev: This pod was used to validate that VMs remained encrypted when HA functionality of SimpliVity OmniStack systems is used.

Testing Methodology

Vdbench Performance Test

Vdbench is a command-line utility that is used to measure application and storage performance. A sustained load was run on 50 virtual machines and the baseline performance was measured. Afterwards, 20% of the VMs were encrypted, the same sustained load was run, and performance was measured again.

The following profiles were used for Vdbench testing:

• VM Profile

- 2vCPU

- 2GB RAM

- 100GB Storage (50GB data drive)

• Load Profile

- 70:30 Read/Write

- 8K Random IO

- 40 IOPS per VM

Significance

This test was run to measure the impact of encryption on the performance of the virtual machines under a sustained load that closely resembled a production environment.


SimpliVity Operations and Feature Test

The following SimpliVity operations were tested and observed:

• VM Clone

• VM Backups

• VM Restore

• VM Move

• Deduplication

• Compression

Significance

These tests are intended to validate that SimpliVity OmniStack VM-centric data protection operations work normally when VMs are encrypted using Vormetric.

Vormetric Operation Test

Vormetric transparent encryption was installed and configured to test both the encryption of data and the access control capabilities. Data was first encrypted, and then guard points and policies were configured to control who could encrypt/decrypt data in the guard point.

Significance

The capabilities of Vormetric transparent encryption were put to the test to verify that encryption takes place and that the access control policies worked as intended. Organizations worldwide have several compliance requirements as well as the need to protect their data. Vormetric offers the ability to meet both objectives in a way that does not affect performance negatively.


Test Results

Vdbench

The following graph shows the IOPS and latency for the Vdbench testing. Latency is shown for the baseline test and the encrypted test.

In the graph, looking at the baseline latency of 50 VMs and latency when 20% (10 VMs) are encrypted, applying a constant load of 2000 IOPS on average across both tests, we can infer that encryption adds some overhead to performance. This overhead is expected with all encryption technologies, as the data has to be decrypted when accessed.

SimpliVity Operation Results

• All SimpliVity operations like VM clone, backup, restore and move worked the same on encrypted VMs as they did on non-encrypted VMs.

• Access to encrypted volumes on cloned and restored VMs without a network path to the DSM was not available. Thus an attacker cannot misuse VM data if a copy or backup is stolen.

• Data efficiency features like deduplication and compression do not provide additional benefits on encrypted VMs, which is expected as encryption inhibits the ability to perform deduplication and compression in general. We recommend using Vormetric encryption capabilities, and only encrypt files and folders as needed.
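The deduplication and compression result above can be reproduced in miniature. The following is an added example, not code from SimpliVity or Vormetric: it fingerprints 8 KB blocks and compresses the unique ones, then compares no encryption, encryption of the data-drive blocks only, and encryption of everything. The sample disks, the per-VM keys and the SHA-256 keystream standing in for the agent's AES-256 are all constructed assumptions.

```python
import hashlib
import zlib

BLOCK = 8 * 1024     # 8 KB: upper end of the 4KB-8KB granularity cited in this paper
OS_BLOCKS = 48       # constructed: blocks identical in every VM (same guest image)
DATA_BLOCKS = 16     # constructed: per-VM data-drive blocks
VMS = 4


def stand_in_encrypt(block: bytes, key: bytes, nonce: bytes) -> bytes:
    """XOR with a SHA-256 counter-mode keystream. A stand-in that only has to
    look random; it is not AES-256 and not the Vormetric agent."""
    n = (len(block) + 31) // 32
    stream = b"".join(
        hashlib.sha256(key + nonce + i.to_bytes(8, "big")).digest() for i in range(n)
    )[: len(block)]
    mixed = int.from_bytes(block, "big") ^ int.from_bytes(stream, "big")
    return mixed.to_bytes(len(block), "big")


def build_disk(vm: int) -> list[bytes]:
    """Constructed sample disk: shared OS blocks followed by VM-specific records."""
    def fill(text: str) -> bytes:
        return (text.encode() * (BLOCK // len(text) + 1))[:BLOCK]
    os_part = [fill(f"guest-os-page-{i:04d};") for i in range(OS_BLOCKS)]
    data_part = [fill(f"vm{vm}-record-{i:04d};") for i in range(DATA_BLOCKS)]
    return os_part + data_part


def encrypt_disk(disk: list[bytes], vm: int, scope: str) -> list[bytes]:
    """scope: 'none', 'data' (data-drive blocks only) or 'all'."""
    key = hashlib.sha256(f"constructed-key-vm{vm}".encode()).digest()  # assumed per-VM key
    out = []
    for idx, block in enumerate(disk):
        guarded = scope == "all" or (scope == "data" and idx >= OS_BLOCKS)
        nonce = idx.to_bytes(8, "big")  # keystream depends on block position
        out.append(stand_in_encrypt(block, key, nonce) if guarded else block)
    return out


def data_efficiency(disks: list[list[bytes]]) -> tuple[float, float]:
    """Return (dedup ratio, logical bytes / bytes stored after dedup and zlib)."""
    unique = {}
    for disk in disks:
        for block in disk:
            unique.setdefault(hashlib.sha256(block).digest(), block)
    total_blocks = sum(len(d) for d in disks)
    stored = sum(len(zlib.compress(b)) for b in unique.values())
    return total_blocks / len(unique), total_blocks * BLOCK / stored


def run(scope: str) -> tuple[float, float]:
    """Build the constructed VMs, encrypt with the given scope, measure efficiency."""
    disks = [encrypt_disk(build_disk(vm), vm, scope) for vm in range(VMS)]
    return data_efficiency(disks)


if __name__ == "__main__":
    for scope in ("none", "data", "all"):
        dedup, total = run(scope)
        print(f"encrypt={scope:<4}  dedup {dedup:5.2f}:1  dedup+compress {total:7.2f}:1")
```

On this constructed data, encrypting everything drops the dedup ratio to 1:1 and the combined ratio to just under 1:1, while encrypting only the data-drive blocks keeps the shared guest-OS blocks deduplicated and compressible.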


Vormetric Operation Test Setup & Execution

• The guard points on file paths were set up and configured to only allow certain Active Directory groups or single users to encrypt/decrypt data.

• Data inside guard points was encrypted using AES 256 strength encryption.

• All SimpliVity operations worked the same whether using Vormetric Transparent Encryption or not. Thus, the title of Transparent Encryption is very fitting.

Best Practices

SimpliVity recommends customers consider the following guidelines when implementing/running the combined solution:

• Encrypt the drive/folder within a VM before populating data.

• Encryption is expected to add some overhead to performance. Although the increase in latency demonstrated in the testing above was minimal, it is recommended to encrypt only the VMs or files/virtual disks that need to be encrypted. Data within a VM that needs to be encrypted can be placed on a separate virtual disk. Vormetric allows encryption granularity at a file level.

• To protect against failures and for disaster recovery purposes, back up the Data Security Manager periodically.

• Take advantage of the granular access policies that can be applied to encrypted data to provide a higher level of security.

Conclusion

This paper demonstrates the use of Vormetric’s Transparent Encryption technology to protect and secure data within virtual machines running on SimpliVity OmniStack hyperconverged infrastructure.

The testing cited in this paper validates the interoperability of a combined SimpliVity OmniStack and Vormetric Transparent Encryption solution that reduces security risk while still delivering superior performance and key operational capabilities.

Through the detailed testing across a range of real-world customer scenarios, the document demonstrates that the combined solution provides several core benefits, including:

1. Data encryption within a VM with deep granularity and access policies.

2. Negligible performance overhead for encrypted data.

3. SimpliVity data protection operations across encrypted and unencrypted data.

For more information, visit: www.simplivity.com

© 2015 Vormetric, Inc. All rights reserved. Vormetric is a registered trademark of Vormetric, Inc. All other trademarks are the property of their respective owners. No part of this publication may be reproduced, stored in a retrieval system or transmitted, in any form or by any means, photocopying, recording or otherwise, without prior written consent of Vormetric. © 2015, SimpliVity Corporation. All rights reserved. Information described herein is furnished for informational use only, and is subject to change without notice. SimpliVity, the SimpliVity logo, OmniCube, OmniStack, and Data Virtualization Platform are trademarks or registered trademarks of SimpliVity Corporation in the United States and certain other countries. All other trademarks are the property of their respective owners.

J0496_Vormetric_WP - 1215