SlideShare ist ein Scribd-Unternehmen logo

Scality RING Security White Paper

P
Phillip Tribble

The document discusses security mechanisms in the Scality RING data storage architecture. It describes the RING's layered architecture including connectors, storage nodes, and disks. It then discusses how the RING implements security features like role-based access, data encryption, checksums, logging, and versioning to address compliance requirements. The supervisor also uses security protocols for management and role-based access control.

Technologie
1 von 7
Downloaden Sie, um offline zu lesen
Scality Technical White Paper February 2017 Data Security in the Scality RING Overview of the Security Mechanisms in the Scality RING
Data Security in the Scality RING 2 White Paper Table of Contents Introduction 3 Chapter 1: The Impact of Security Regulations 3 Chapter 2: The Scality Ring Architecture 3 Chapter 3: Connector and User Interface Security 4 Chapter 4: Core RING Security 5 Summary 6 Appendix A 7 Data Security in the Scality RING Overview of the Security Mechanisms in the Scality RING
Data Security in the Scality RING 3 Introduction When it comes to designing a cloud-based storage infrastructure, there are more important design principles to address than simply storing files. A well-designed storage solution will take into consideration compliance needs and implement proper security protocols and best practices in the architecture. The scope of this whitepaper is to describe how the Scality RING addresses compliance needs for organizations and how security is implemented in the RING’s architecture. Chapter 1: The Impact of Security Regulations There are many different regulatory rules out there that organizations are using. For example, HIPAA is a set of security rules set of rules and safeguards that must be implemented when working with public health information and FIPS-140-2 is used by Government organizations to list requirements and standards for encryption used. Depending on the nature of a particular business, organizations will be impacted by some form of compliance rules whether it is a regulatory compliance such as HIPAA or FIPS 140-2. IT organizations will have to adjust their solutions, services, and workflows to accommodate regulatory practices which can be intensive and chaotic at times. The good news is that there is some common ground between compliance regulations. Here are a few common requirements that organizations take into consideration. ■■ Role-based Access - Not everyone should have privileged access to sensitive information in an organization. Different levels of access should be provided through roles such as user, admin, etc to control access to sensitive data. ■■ Data Encryption - Encryption must be used when uploading and downloading data. ■■ Data Integrity - Ensure that protections are in place to prevent data from being tampered or altered. ■■ Network Security - Firewall rules and network segmentation to protect systems and services. ■■ Auditing - A way to record all the transactions and changes made to a system. The following chapters will explain how the Scality RING implements the compliance requirements that organizations need to remain compliant with regulations. Chapter 2: The Scality Ring Architecture The Scality RING architecture is composed of several layers as displayed in Figure 1. Let’s explore each layer in detail to get a better understanding of the RING architecture. 2.1 Connector Layer The Scality Ring connector layer provides support for the following protocols: ■■ Object: S3, REST. ■■ File System: FUSE, NFS, and SMB. The connector layer is also in charge of chunking files and dispersing the chunks on the Scality Ring using file replication or erasure coding. DISK LAYER STORAGE NODE LAYER CONNECTOR LAYER OBJECT ACCESS S3 / REST FILE ACCESS FUSE / NFS / SMB HDD HDD HDD HDD HDD HDD HDD HDD HDD HDD Figure 1. – Scality Ring Architecture Layers
Data Security in the Scality RING 4 2.2 Storage Node Layer The Storage Node layer consists of a distributed peer-to-peer architecture that ensures files and metadata are properly distributed amongst the storage nodes and disks in the cluster. A RING installation can even span across multiple physical sites and tolerate the loss of an entire site. The RING supports data protection mechanisms such as erasure coding and replication. This intelligent architecture design provides organizations with maximum data durability. 2.3 Disk Layer This is the layer where the file data chunks are written to SAS/SATA drives and the file metadata is written to solid-state drives (SSD’s). Chapter 3: Connector and User Interface Security 3.1 Scality S3 Connector ■■ The Scality S3 Connector supports AWS S3 certificate-based authentication (Signatures v2 and v4) with support for HTTPS to provide secure access to the RING storage. ■■ The Scality Scality S3 Connector implements IAM for Multi-Tenancy: ●● Accounts, users, and groups ●● Access/Secret Key pairs ■■ The Scality S3 Connector supports identity federation for delegated access to APIs: ●● Any SAML 2.0 compatible identity providers ●● Active Directory Federation (ADFS) Scality RING Storage Local and Geo-Protection • Any Hardware File / Object / OpenStack • Multi-Workload Linear Performance Scaling • Limitless Infrastructure Scaling Data to Store (unencrypted) Customer KMS (e.g., SafeNet) Data to Store (unencrypted) KEYS S3 Connector Key GeneratorBucket ID Encryption Key Figure 2. – S3 Connector Architecture
Data Security in the Scality RING 5 3.2 REST Protocol The REST protocol supports HTTPS and can be configured to use basic authentication with the Apache web server to require a username and password. 3.3 File System Protocols ■■ The Scality NFS v3 connector supports Kerberos KDC. ■■ The Scality SMB connector provides Active Directory Server integration and support for simple Windows ACL’s (user and group). Chapter 4: Core RING Security 4.1 Logging All actions performed by a user are in the Supervisor Web Administration console are logged to a file (by default /var/log/scality/dsup/audit.log) on the Supervisor server and can also be set to another location. The audit log file provides detailed information on the user, date and time, name of the action performed (e.g. list, retrieve, delete, modify), RING component (Supervisor, Connector, Storage Node) on which the action was performed, result of the action (successful or not), duration of the action, and the detailed error message if the action wasn’t successful. 4.2 Versioning and WORM As mentioned earlier in this paper, data integrity requirements are in place to ensure that information is not tampered or altered. The S3 connector for the RING supports the versioning features from the Amazon S3 API. If enabled, this feature will allow users to keep track of different versions of a file on the RING storage. Using the standard S3 API calls, organizations will have the ability to view the modification dates and times of each file and it’s checksum as well as the ability to download previous versions of a file. Versioning is not always enough to address compliance requirements so organizations look for solutions that support Write once read many (WORM) operations. If an organization uses a solution that supports WORM, they can be assured that data will be read only and can not be altered. To help address this compliance requirement, Scality created a joint solution with iTernity that can meet legal and industry-specific regulations to provide a compliant long-term archiving solution. For more information, please check out the link to the solution sheet with iTernity in Appendix A. 4.3 Checksums The Scality RING uses a built-in CRC-32 checksum mechanism to ensure that the data being read is the same that was originally written to the RING. Upon reading replicated or Erasure Coded chunks on the disks, the RING calculates a CRC-32 checksum for each of the chunks it has to read and compares it to the CRC-32 checksum that was calculated upon writing the chunk (and stored in metadata with the chunk). If any of the chunks are found to be corrupted, (meaning the checksums do not match), the RING does two things: 1. Uses another replica or EC chunk to serve the requested data 2. Launches a chunk repair operation to repair the corrupted chunk (basically to replace the replica chunk by another replica or recalculates an Erasure Coded chunk). 4.4 Data Encryption Encryption on the disk level can be done today from array controllers or with encrypted
Data Security in the Scality RING 6 drives. The Scality S3 connector supports bucket level encryption via an API extension which is a customized HTTP header used when a file is uploaded. The files are encrypted using OpenSSL with the AES-256 standard and the RING uses an external Key Management Service (KMS) to manage the encryption keys. 4.5 Supervisor Security The Supervisor is the web-based GUI for managing, monitoring, and provisioning resources on the RING. The Supervisor has the following security mechanisms: 1. HTTPS with password authentication. 2. Role-based Access Control (RBAC). Summary This paper explained what it takes to have a compliant storage solution built for the enterprise and went over the impact of security regulations and common compliance requirements. The security mechanisms of the Scality RING architecture was explained in detail ranging from the application layer to the storage layer. We hope that you now have a better idea of the Scality RING architecture and how we implemented common compliance features and security. Figure 4. – Scality Ring Supervisor Ring Overview Figure 3. – Scality Ring Supervisor Login Screen
© 2017 Scality. All rights reserved. Specifications are subject to change without notice. Scality, the Scality logo, Scality RING are trademarks of Scality in the United States and/or other countries. Follow us on Twitter @scality and visit us at www.scality.com to learn more WPSR1-1702 Appendix A A.1 Going beyond this White Paper 1. Information on Scality products and use cases can be found here: http://www.scality.com 2. For more information on the Scality Ring, please view the technical white paper: http://storage.scality.com/white-paper-scality-technical-wp.html 3. Get more information on the S3 Connector in the following white paper: http://storage.scality.com/white-paper-scality-ring-s3-connector.html 4. Get more information on the joint solution with iTernity: http://www.scality.com/partners/iternity/

Empfohlen

Data Engineering Efficiency @ Netflix - Strata 2017
Data Engineering Efficiency @ Netflix - Strata 2017Data Engineering Efficiency @ Netflix - Strata 2017
Data Engineering Efficiency @ Netflix - Strata 2017Michelle Ufford
 
Architect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh ArchitectureArchitect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh ArchitectureDatabricks
 
Workshop Docker for DSpace
Workshop Docker for DSpaceWorkshop Docker for DSpace
Workshop Docker for DSpacePascal-Nicolas Becker
 
Data Vault Overview
Data Vault OverviewData Vault Overview
Data Vault OverviewEmpowered Holdings, LLC
 
Azure purview
Azure purviewAzure purview
Azure purviewShafqat Turza
 
Data Warehouse Agility Array Conference2011
Data Warehouse Agility Array Conference2011Data Warehouse Agility Array Conference2011
Data Warehouse Agility Array Conference2011Hans Hultgren
 
Extreme Replication - Performance Tuning Oracle GoldenGate
Extreme Replication - Performance Tuning Oracle GoldenGateExtreme Replication - Performance Tuning Oracle GoldenGate
Extreme Replication - Performance Tuning Oracle GoldenGateBobby Curtis
 
Data Quality With or Without Apache Spark and Its Ecosystem
Data Quality With or Without Apache Spark and Its EcosystemData Quality With or Without Apache Spark and Its Ecosystem
Data Quality With or Without Apache Spark and Its EcosystemDatabricks
 

Empfohlen

Data Engineering Efficiency @ Netflix - Strata 2017
Data Engineering Efficiency @ Netflix - Strata 2017Data Engineering Efficiency @ Netflix - Strata 2017
Data Engineering Efficiency @ Netflix - Strata 2017Michelle Ufford
 
Architect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh ArchitectureArchitect’s Open-Source Guide for a Data Mesh Architecture
Architect’s Open-Source Guide for a Data Mesh ArchitectureDatabricks
 
Workshop Docker for DSpace
Workshop Docker for DSpaceWorkshop Docker for DSpace
Workshop Docker for DSpacePascal-Nicolas Becker
 
Data Vault Overview
Data Vault OverviewData Vault Overview
Data Vault OverviewEmpowered Holdings, LLC
 
Azure purview
Azure purviewAzure purview
Azure purviewShafqat Turza
 
Data Warehouse Agility Array Conference2011
Data Warehouse Agility Array Conference2011Data Warehouse Agility Array Conference2011
Data Warehouse Agility Array Conference2011Hans Hultgren
 
Extreme Replication - Performance Tuning Oracle GoldenGate
Extreme Replication - Performance Tuning Oracle GoldenGateExtreme Replication - Performance Tuning Oracle GoldenGate
Extreme Replication - Performance Tuning Oracle GoldenGateBobby Curtis
 
Data Quality With or Without Apache Spark and Its Ecosystem
Data Quality With or Without Apache Spark and Its EcosystemData Quality With or Without Apache Spark and Its Ecosystem
Data Quality With or Without Apache Spark and Its EcosystemDatabricks
 
Databricks on AWS.pptx
Databricks on AWS.pptxDatabricks on AWS.pptx
Databricks on AWS.pptxWasm1953
 
ADF Mapping Data Flows Training Slides V1
ADF Mapping Data Flows Training Slides V1ADF Mapping Data Flows Training Slides V1
ADF Mapping Data Flows Training Slides V1Mark Kromer
 
Big Data and Data Warehousing Together with Azure Synapse Analytics (SQLBits ...
Big Data and Data Warehousing Together with Azure Synapse Analytics (SQLBits ...Big Data and Data Warehousing Together with Azure Synapse Analytics (SQLBits ...
Big Data and Data Warehousing Together with Azure Synapse Analytics (SQLBits ...Michael Rys
 
Building a Logical Data Fabric using Data Virtualization (ASEAN)
Building a Logical Data Fabric using Data Virtualization (ASEAN)Building a Logical Data Fabric using Data Virtualization (ASEAN)
Building a Logical Data Fabric using Data Virtualization (ASEAN)Denodo
 
Pipelines and Packages: Introduction to Azure Data Factory (DATA:Scotland 2019)
Pipelines and Packages: Introduction to Azure Data Factory (DATA:Scotland 2019)Pipelines and Packages: Introduction to Azure Data Factory (DATA:Scotland 2019)
Pipelines and Packages: Introduction to Azure Data Factory (DATA:Scotland 2019)Cathrine Wilhelmsen
 
Hadoop Administration pdf
Hadoop Administration pdfHadoop Administration pdf
Hadoop Administration pdfEdureka!
 
Your Roadmap for An Enterprise Graph Strategy
Your Roadmap for An Enterprise Graph StrategyYour Roadmap for An Enterprise Graph Strategy
Your Roadmap for An Enterprise Graph StrategyNeo4j
 
202201 AWS Black Belt Online Seminar Apache Spark Performnace Tuning for AWS ...
202201 AWS Black Belt Online Seminar Apache Spark Performnace Tuning for AWS ...202201 AWS Black Belt Online Seminar Apache Spark Performnace Tuning for AWS ...
202201 AWS Black Belt Online Seminar Apache Spark Performnace Tuning for AWS ...Amazon Web Services Japan
 
Session découverte de la Data Virtualization
Session découverte de la Data VirtualizationSession découverte de la Data Virtualization
Session découverte de la Data VirtualizationDenodo
 
Master Data Management (MDM) con Talend
Master Data Management (MDM) con TalendMaster Data Management (MDM) con Talend
Master Data Management (MDM) con TalendStratebi
 
Automated Metadata Management in Data Lake – A CI/CD Driven Approach
Automated Metadata Management in Data Lake – A CI/CD Driven ApproachAutomated Metadata Management in Data Lake – A CI/CD Driven Approach
Automated Metadata Management in Data Lake – A CI/CD Driven ApproachDatabricks
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...Alan McSweeney
 
Data Migration to Azure
Data Migration to AzureData Migration to Azure
Data Migration to AzureSanjay B. Bhakta
 
Azure Data Factory presentation with links
Azure Data Factory presentation with linksAzure Data Factory presentation with links
Azure Data Factory presentation with linksChris Testa-O'Neill
 
Introduction to Azure Databricks
Introduction to Azure DatabricksIntroduction to Azure Databricks
Introduction to Azure DatabricksJames Serra
 
Metadata Strategies - Data Squared
Metadata Strategies - Data SquaredMetadata Strategies - Data Squared
Metadata Strategies - Data SquaredDATAVERSITY
 
Oracle Security Presentation
Oracle Security PresentationOracle Security Presentation
Oracle Security PresentationFrancisco Alvarez
 
Databricks Fundamentals
Databricks FundamentalsDatabricks Fundamentals
Databricks FundamentalsDalibor Wijas
 
Data Mesh in Practice: How Europe’s Leading Online Platform for Fashion Goes ...
Data Mesh in Practice: How Europe’s Leading Online Platform for Fashion Goes ...Data Mesh in Practice: How Europe’s Leading Online Platform for Fashion Goes ...
Data Mesh in Practice: How Europe’s Leading Online Platform for Fashion Goes ...Databricks
 
Cloud-native Semantic Layer on Data Lake
Cloud-native Semantic Layer on Data LakeCloud-native Semantic Layer on Data Lake
Cloud-native Semantic Layer on Data LakeDatabricks
 
IRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET Journal
 
IRJET-Using Downtoken Secure Group Data Sharing on Cloud
IRJET-Using Downtoken Secure Group Data Sharing on CloudIRJET-Using Downtoken Secure Group Data Sharing on Cloud
IRJET-Using Downtoken Secure Group Data Sharing on CloudIRJET Journal
 

Weitere ähnliche Inhalte

Was ist angesagt?

Databricks on AWS.pptx
Databricks on AWS.pptxDatabricks on AWS.pptx
Databricks on AWS.pptxWasm1953
 
ADF Mapping Data Flows Training Slides V1
ADF Mapping Data Flows Training Slides V1ADF Mapping Data Flows Training Slides V1
ADF Mapping Data Flows Training Slides V1Mark Kromer
 
Big Data and Data Warehousing Together with Azure Synapse Analytics (SQLBits ...
Big Data and Data Warehousing Together with Azure Synapse Analytics (SQLBits ...Big Data and Data Warehousing Together with Azure Synapse Analytics (SQLBits ...
Big Data and Data Warehousing Together with Azure Synapse Analytics (SQLBits ...Michael Rys
 
Building a Logical Data Fabric using Data Virtualization (ASEAN)
Building a Logical Data Fabric using Data Virtualization (ASEAN)Building a Logical Data Fabric using Data Virtualization (ASEAN)
Building a Logical Data Fabric using Data Virtualization (ASEAN)Denodo
 
Pipelines and Packages: Introduction to Azure Data Factory (DATA:Scotland 2019)
Pipelines and Packages: Introduction to Azure Data Factory (DATA:Scotland 2019)Pipelines and Packages: Introduction to Azure Data Factory (DATA:Scotland 2019)
Pipelines and Packages: Introduction to Azure Data Factory (DATA:Scotland 2019)Cathrine Wilhelmsen
 
Hadoop Administration pdf
Hadoop Administration pdfHadoop Administration pdf
Hadoop Administration pdfEdureka!
 
Your Roadmap for An Enterprise Graph Strategy
Your Roadmap for An Enterprise Graph StrategyYour Roadmap for An Enterprise Graph Strategy
Your Roadmap for An Enterprise Graph StrategyNeo4j
 
202201 AWS Black Belt Online Seminar Apache Spark Performnace Tuning for AWS ...
202201 AWS Black Belt Online Seminar Apache Spark Performnace Tuning for AWS ...202201 AWS Black Belt Online Seminar Apache Spark Performnace Tuning for AWS ...
202201 AWS Black Belt Online Seminar Apache Spark Performnace Tuning for AWS ...Amazon Web Services Japan
 
Session découverte de la Data Virtualization
Session découverte de la Data VirtualizationSession découverte de la Data Virtualization
Session découverte de la Data VirtualizationDenodo
 
Master Data Management (MDM) con Talend
Master Data Management (MDM) con TalendMaster Data Management (MDM) con Talend
Master Data Management (MDM) con TalendStratebi
 
Automated Metadata Management in Data Lake – A CI/CD Driven Approach
Automated Metadata Management in Data Lake – A CI/CD Driven ApproachAutomated Metadata Management in Data Lake – A CI/CD Driven Approach
Automated Metadata Management in Data Lake – A CI/CD Driven ApproachDatabricks
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...Alan McSweeney
 
Azure Data Factory presentation with links
Azure Data Factory presentation with linksAzure Data Factory presentation with links
Azure Data Factory presentation with linksChris Testa-O'Neill
 
Introduction to Azure Databricks
Introduction to Azure DatabricksIntroduction to Azure Databricks
Introduction to Azure DatabricksJames Serra
 
Metadata Strategies - Data Squared
Metadata Strategies - Data SquaredMetadata Strategies - Data Squared
Metadata Strategies - Data SquaredDATAVERSITY
 
Oracle Security Presentation
Oracle Security PresentationOracle Security Presentation
Oracle Security PresentationFrancisco Alvarez
 
Databricks Fundamentals
Databricks FundamentalsDatabricks Fundamentals
Databricks FundamentalsDalibor Wijas
 
Data Mesh in Practice: How Europe’s Leading Online Platform for Fashion Goes ...
Data Mesh in Practice: How Europe’s Leading Online Platform for Fashion Goes ...Data Mesh in Practice: How Europe’s Leading Online Platform for Fashion Goes ...
Data Mesh in Practice: How Europe’s Leading Online Platform for Fashion Goes ...Databricks
 
Cloud-native Semantic Layer on Data Lake
Cloud-native Semantic Layer on Data LakeCloud-native Semantic Layer on Data Lake
Cloud-native Semantic Layer on Data LakeDatabricks
 

Was ist angesagt? (20)

Databricks on AWS.pptx
Databricks on AWS.pptxDatabricks on AWS.pptx
Databricks on AWS.pptx
 
ADF Mapping Data Flows Training Slides V1
ADF Mapping Data Flows Training Slides V1ADF Mapping Data Flows Training Slides V1
ADF Mapping Data Flows Training Slides V1
 
Big Data and Data Warehousing Together with Azure Synapse Analytics (SQLBits ...
Big Data and Data Warehousing Together with Azure Synapse Analytics (SQLBits ...Big Data and Data Warehousing Together with Azure Synapse Analytics (SQLBits ...
Big Data and Data Warehousing Together with Azure Synapse Analytics (SQLBits ...
 
Building a Logical Data Fabric using Data Virtualization (ASEAN)
Building a Logical Data Fabric using Data Virtualization (ASEAN)Building a Logical Data Fabric using Data Virtualization (ASEAN)
Building a Logical Data Fabric using Data Virtualization (ASEAN)
 
Pipelines and Packages: Introduction to Azure Data Factory (DATA:Scotland 2019)
Pipelines and Packages: Introduction to Azure Data Factory (DATA:Scotland 2019)Pipelines and Packages: Introduction to Azure Data Factory (DATA:Scotland 2019)
Pipelines and Packages: Introduction to Azure Data Factory (DATA:Scotland 2019)
 
Hadoop Administration pdf
Hadoop Administration pdfHadoop Administration pdf
Hadoop Administration pdf
 
Your Roadmap for An Enterprise Graph Strategy
Your Roadmap for An Enterprise Graph StrategyYour Roadmap for An Enterprise Graph Strategy
Your Roadmap for An Enterprise Graph Strategy
 
202201 AWS Black Belt Online Seminar Apache Spark Performnace Tuning for AWS ...
202201 AWS Black Belt Online Seminar Apache Spark Performnace Tuning for AWS ...202201 AWS Black Belt Online Seminar Apache Spark Performnace Tuning for AWS ...
202201 AWS Black Belt Online Seminar Apache Spark Performnace Tuning for AWS ...
 
Session découverte de la Data Virtualization
Session découverte de la Data VirtualizationSession découverte de la Data Virtualization
Session découverte de la Data Virtualization
 
Master Data Management (MDM) con Talend
Master Data Management (MDM) con TalendMaster Data Management (MDM) con Talend
Master Data Management (MDM) con Talend
 
Automated Metadata Management in Data Lake – A CI/CD Driven Approach
Automated Metadata Management in Data Lake – A CI/CD Driven ApproachAutomated Metadata Management in Data Lake – A CI/CD Driven Approach
Automated Metadata Management in Data Lake – A CI/CD Driven Approach
 
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
Data Privatisation, Data Anonymisation, Data Pseudonymisation and Differentia...
 
Data Migration to Azure
Data Migration to AzureData Migration to Azure
Data Migration to Azure
 
Azure Data Factory presentation with links
Azure Data Factory presentation with linksAzure Data Factory presentation with links
Azure Data Factory presentation with links
 
Introduction to Azure Databricks
Introduction to Azure DatabricksIntroduction to Azure Databricks
Introduction to Azure Databricks
 
Metadata Strategies - Data Squared
Metadata Strategies - Data SquaredMetadata Strategies - Data Squared
Metadata Strategies - Data Squared
 
Oracle Security Presentation
Oracle Security PresentationOracle Security Presentation
Oracle Security Presentation
 
Databricks Fundamentals
Databricks FundamentalsDatabricks Fundamentals
Databricks Fundamentals
 
Data Mesh in Practice: How Europe’s Leading Online Platform for Fashion Goes ...
Data Mesh in Practice: How Europe’s Leading Online Platform for Fashion Goes ...Data Mesh in Practice: How Europe’s Leading Online Platform for Fashion Goes ...
Data Mesh in Practice: How Europe’s Leading Online Platform for Fashion Goes ...
 
Cloud-native Semantic Layer on Data Lake
Cloud-native Semantic Layer on Data LakeCloud-native Semantic Layer on Data Lake
Cloud-native Semantic Layer on Data Lake
 

Ähnlich wie Scality RING Security White Paper

IRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET Journal
 
IRJET-Using Downtoken Secure Group Data Sharing on Cloud
IRJET-Using Downtoken Secure Group Data Sharing on CloudIRJET-Using Downtoken Secure Group Data Sharing on Cloud
IRJET-Using Downtoken Secure Group Data Sharing on CloudIRJET Journal
 
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASCIRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASCIRJET Journal
 
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASCIRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASCIRJET Journal
 
IRJET- Securing Cloud Data Under Key Exposure
IRJET- Securing Cloud Data Under Key ExposureIRJET- Securing Cloud Data Under Key Exposure
IRJET- Securing Cloud Data Under Key ExposureIRJET Journal
 
EXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATA
EXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATAEXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATA
EXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATAIRJET Journal
 
Cloud Storage System like Dropbox
Cloud Storage System like DropboxCloud Storage System like Dropbox
Cloud Storage System like DropboxIRJET Journal
 
IRJET- Secure and Efficient File Sharing and Shared Ownership in Cloud Systems
IRJET- Secure and Efficient File Sharing and Shared Ownership in Cloud SystemsIRJET- Secure and Efficient File Sharing and Shared Ownership in Cloud Systems
IRJET- Secure and Efficient File Sharing and Shared Ownership in Cloud SystemsIRJET Journal
 
Survey on Lightweight Secured Data Sharing Scheme for Cloud Computing
Survey on Lightweight Secured Data Sharing Scheme for Cloud ComputingSurvey on Lightweight Secured Data Sharing Scheme for Cloud Computing
Survey on Lightweight Secured Data Sharing Scheme for Cloud ComputingIRJET Journal
 
Multi-part Dynamic Key Generation For Secure Data Encryption
Multi-part Dynamic Key Generation For Secure Data EncryptionMulti-part Dynamic Key Generation For Secure Data Encryption
Multi-part Dynamic Key Generation For Secure Data EncryptionCSCJournals
 
An Auditing Protocol for Protected Data Storage in Cloud Computing
An Auditing Protocol for Protected Data Storage in Cloud ComputingAn Auditing Protocol for Protected Data Storage in Cloud Computing
An Auditing Protocol for Protected Data Storage in Cloud Computingijceronline
 
IRJET- A Survey on File Storage and Retrieval using Blockchain Technology
IRJET- A Survey on File Storage and Retrieval using Blockchain TechnologyIRJET- A Survey on File Storage and Retrieval using Blockchain Technology
IRJET- A Survey on File Storage and Retrieval using Blockchain TechnologyIRJET Journal
 
IRJET- Data and Technical Security Issues in Cloud Computing Databases
IRJET- Data and Technical Security Issues in Cloud Computing DatabasesIRJET- Data and Technical Security Issues in Cloud Computing Databases
IRJET- Data and Technical Security Issues in Cloud Computing DatabasesIRJET Journal
 
Secure Logging as a Service
Secure Logging as a ServiceSecure Logging as a Service
Secure Logging as a ServiceArul Edison
 
CLOUD STORAGE AND RETRIEVAL USING BLOCKCHAIN
CLOUD STORAGE AND RETRIEVAL USING BLOCKCHAINCLOUD STORAGE AND RETRIEVAL USING BLOCKCHAIN
CLOUD STORAGE AND RETRIEVAL USING BLOCKCHAINIRJET Journal
 
Revocation based De-duplication Systems for Improving Reliability in Cloud St...
Revocation based De-duplication Systems for Improving Reliability in Cloud St...Revocation based De-duplication Systems for Improving Reliability in Cloud St...
Revocation based De-duplication Systems for Improving Reliability in Cloud St...IRJET Journal
 
IRJET- Blockchain based Data Sharing Framework
IRJET- Blockchain based Data Sharing FrameworkIRJET- Blockchain based Data Sharing Framework
IRJET- Blockchain based Data Sharing FrameworkIRJET Journal
 

Ähnlich wie Scality RING Security White Paper (20)

IRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud EnvironmentIRJET- Improving Data Storage Security and Performance in Cloud Environment
IRJET- Improving Data Storage Security and Performance in Cloud Environment
 
IRJET-Using Downtoken Secure Group Data Sharing on Cloud
IRJET-Using Downtoken Secure Group Data Sharing on CloudIRJET-Using Downtoken Secure Group Data Sharing on Cloud
IRJET-Using Downtoken Secure Group Data Sharing on Cloud
 
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASCIRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
 
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASCIRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
IRJET- Secure Data Sharing Scheme for Mobile Cloud Computing using SEDASC
 
IRJET- Securing Cloud Data Under Key Exposure
IRJET- Securing Cloud Data Under Key ExposureIRJET- Securing Cloud Data Under Key Exposure
IRJET- Securing Cloud Data Under Key Exposure
 
EXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATA
EXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATAEXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATA
EXPLORING WOMEN SECURITY BY DEDUPLICATION OF DATA
 
Cloud Storage System like Dropbox
Cloud Storage System like DropboxCloud Storage System like Dropbox
Cloud Storage System like Dropbox
 
IRJET- Secure and Efficient File Sharing and Shared Ownership in Cloud Systems
IRJET- Secure and Efficient File Sharing and Shared Ownership in Cloud SystemsIRJET- Secure and Efficient File Sharing and Shared Ownership in Cloud Systems
IRJET- Secure and Efficient File Sharing and Shared Ownership in Cloud Systems
 
Survey on Lightweight Secured Data Sharing Scheme for Cloud Computing
Survey on Lightweight Secured Data Sharing Scheme for Cloud ComputingSurvey on Lightweight Secured Data Sharing Scheme for Cloud Computing
Survey on Lightweight Secured Data Sharing Scheme for Cloud Computing
 
Paper2
Paper2Paper2
Paper2
 
Multi-part Dynamic Key Generation For Secure Data Encryption
Multi-part Dynamic Key Generation For Secure Data EncryptionMulti-part Dynamic Key Generation For Secure Data Encryption
Multi-part Dynamic Key Generation For Secure Data Encryption
 
An Auditing Protocol for Protected Data Storage in Cloud Computing
An Auditing Protocol for Protected Data Storage in Cloud ComputingAn Auditing Protocol for Protected Data Storage in Cloud Computing
An Auditing Protocol for Protected Data Storage in Cloud Computing
 
IRJET- A Survey on File Storage and Retrieval using Blockchain Technology
IRJET- A Survey on File Storage and Retrieval using Blockchain TechnologyIRJET- A Survey on File Storage and Retrieval using Blockchain Technology
IRJET- A Survey on File Storage and Retrieval using Blockchain Technology
 
CompTIA Security Plus Mini Bootcamp Session
CompTIA Security Plus Mini Bootcamp Session CompTIA Security Plus Mini Bootcamp Session
CompTIA Security Plus Mini Bootcamp Session
 
IRJET- Data and Technical Security Issues in Cloud Computing Databases
IRJET- Data and Technical Security Issues in Cloud Computing DatabasesIRJET- Data and Technical Security Issues in Cloud Computing Databases
IRJET- Data and Technical Security Issues in Cloud Computing Databases
 
Secure Logging as a Service
Secure Logging as a ServiceSecure Logging as a Service
Secure Logging as a Service
 
CLOUD STORAGE AND RETRIEVAL USING BLOCKCHAIN
CLOUD STORAGE AND RETRIEVAL USING BLOCKCHAINCLOUD STORAGE AND RETRIEVAL USING BLOCKCHAIN
CLOUD STORAGE AND RETRIEVAL USING BLOCKCHAIN
 
Revocation based De-duplication Systems for Improving Reliability in Cloud St...
Revocation based De-duplication Systems for Improving Reliability in Cloud St...Revocation based De-duplication Systems for Improving Reliability in Cloud St...
Revocation based De-duplication Systems for Improving Reliability in Cloud St...
 
Ingres database and compliance
Ingres database and complianceIngres database and compliance
Ingres database and compliance
 
IRJET- Blockchain based Data Sharing Framework
IRJET- Blockchain based Data Sharing FrameworkIRJET- Blockchain based Data Sharing Framework
IRJET- Blockchain based Data Sharing Framework
 

Kürzlich hochgeladen

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)wesley chun
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...apidays
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesBoston Institute of Analytics
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century educationjfdjdjcjdnsjd
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingEdi Saputra
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?Igalia
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘RTylerCroy
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoffsammart93
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024SynarionITSolutions
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Miguel Araújo
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MIND CTI
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyKhushali Kathiriya
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMESafe Software
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobeapidays
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024The Digital Insurer
 

Kürzlich hochgeladen (20)

Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)Powerful Google developer tools for immediate impact! (2023-24 C)
Powerful Google developer tools for immediate impact! (2023-24 C)
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law DevelopmentsTrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
TrustArc Webinar - Stay Ahead of US State Data Privacy Law Developments
 
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
Apidays New York 2024 - The Good, the Bad and the Governed by David O'Neill, ...
 
HTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation StrategiesHTML Injection Attacks: Impact and Mitigation Strategies
HTML Injection Attacks: Impact and Mitigation Strategies
 
presentation ICT roal in 21st century education
presentation ICT roal in 21st century educationpresentation ICT roal in 21st century education
presentation ICT roal in 21st century education
 
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost SavingRepurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
Repurposing LNG terminals for Hydrogen Ammonia: Feasibility and Cost Saving
 
A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?A Year of the Servo Reboot: Where Are We Now?
A Year of the Servo Reboot: Where Are We Now?
 
🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘🐬 The future of MySQL is Postgres 🐘
🐬 The future of MySQL is Postgres 🐘
 
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot TakeoffStrategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
Strategize a Smooth Tenant-to-tenant Migration and Copilot Takeoff
 
Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024Top 10 Most Downloaded Games on Play Store in 2024
Top 10 Most Downloaded Games on Play Store in 2024
 
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
Mastering MySQL Database Architecture: Deep Dive into MySQL Shell and MySQL R...
 
MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024MINDCTI Revenue Release Quarter One 2024
MINDCTI Revenue Release Quarter One 2024
 
Artificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : UncertaintyArtificial Intelligence Chap.5 : Uncertainty
Artificial Intelligence Chap.5 : Uncertainty
 
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FMECloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
Cloud Frontiers: A Deep Dive into Serverless Spatial Data and FME
 
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, AdobeApidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
Apidays New York 2024 - Scaling API-first by Ian Reasor and Radu Cotescu, Adobe
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024Manulife - Insurer Innovation Award 2024
Manulife - Insurer Innovation Award 2024
 

Scality RING Security White Paper

  • 1. Scality Technical White Paper February 2017 Data Security in the Scality RING Overview of the Security Mechanisms in the Scality RING
  • 2. Data Security in the Scality RING 2 White Paper Table of Contents Introduction 3 Chapter 1: The Impact of Security Regulations 3 Chapter 2: The Scality Ring Architecture 3 Chapter 3: Connector and User Interface Security 4 Chapter 4: Core RING Security 5 Summary 6 Appendix A 7 Data Security in the Scality RING Overview of the Security Mechanisms in the Scality RING
  • 3. Data Security in the Scality RING 3 Introduction When it comes to designing a cloud-based storage infrastructure, there are more important design principles to address than simply storing files. A well-designed storage solution will take into consideration compliance needs and implement proper security protocols and best practices in the architecture. The scope of this whitepaper is to describe how the Scality RING addresses compliance needs for organizations and how security is implemented in the RING’s architecture. Chapter 1: The Impact of Security Regulations There are many different regulatory rules out there that organizations are using. For example, HIPAA is a set of security rules set of rules and safeguards that must be implemented when working with public health information and FIPS-140-2 is used by Government organizations to list requirements and standards for encryption used. Depending on the nature of a particular business, organizations will be impacted by some form of compliance rules whether it is a regulatory compliance such as HIPAA or FIPS 140-2. IT organizations will have to adjust their solutions, services, and workflows to accommodate regulatory practices which can be intensive and chaotic at times. The good news is that there is some common ground between compliance regulations. Here are a few common requirements that organizations take into consideration. ■■ Role-based Access - Not everyone should have privileged access to sensitive information in an organization. Different levels of access should be provided through roles such as user, admin, etc to control access to sensitive data. ■■ Data Encryption - Encryption must be used when uploading and downloading data. ■■ Data Integrity - Ensure that protections are in place to prevent data from being tampered or altered. ■■ Network Security - Firewall rules and network segmentation to protect systems and services. ■■ Auditing - A way to record all the transactions and changes made to a system. The following chapters will explain how the Scality RING implements the compliance requirements that organizations need to remain compliant with regulations. Chapter 2: The Scality Ring Architecture The Scality RING architecture is composed of several layers as displayed in Figure 1. Let’s explore each layer in detail to get a better understanding of the RING architecture. 2.1 Connector Layer The Scality Ring connector layer provides support for the following protocols: ■■ Object: S3, REST. ■■ File System: FUSE, NFS, and SMB. The connector layer is also in charge of chunking files and dispersing the chunks on the Scality Ring using file replication or erasure coding. DISK LAYER STORAGE NODE LAYER CONNECTOR LAYER OBJECT ACCESS S3 / REST FILE ACCESS FUSE / NFS / SMB HDD HDD HDD HDD HDD HDD HDD HDD HDD HDD Figure 1. – Scality Ring Architecture Layers
  • 4. Data Security in the Scality RING 4 2.2 Storage Node Layer The Storage Node layer consists of a distributed peer-to-peer architecture that ensures files and metadata are properly distributed amongst the storage nodes and disks in the cluster. A RING installation can even span across multiple physical sites and tolerate the loss of an entire site. The RING supports data protection mechanisms such as erasure coding and replication. This intelligent architecture design provides organizations with maximum data durability. 2.3 Disk Layer This is the layer where the file data chunks are written to SAS/SATA drives and the file metadata is written to solid-state drives (SSD’s). Chapter 3: Connector and User Interface Security 3.1 Scality S3 Connector ■■ The Scality S3 Connector supports AWS S3 certificate-based authentication (Signatures v2 and v4) with support for HTTPS to provide secure access to the RING storage. ■■ The Scality Scality S3 Connector implements IAM for Multi-Tenancy: ●● Accounts, users, and groups ●● Access/Secret Key pairs ■■ The Scality S3 Connector supports identity federation for delegated access to APIs: ●● Any SAML 2.0 compatible identity providers ●● Active Directory Federation (ADFS) Scality RING Storage Local and Geo-Protection • Any Hardware File / Object / OpenStack • Multi-Workload Linear Performance Scaling • Limitless Infrastructure Scaling Data to Store (unencrypted) Customer KMS (e.g., SafeNet) Data to Store (unencrypted) KEYS S3 Connector Key GeneratorBucket ID Encryption Key Figure 2. – S3 Connector Architecture
  • 5. Data Security in the Scality RING 5 3.2 REST Protocol The REST protocol supports HTTPS and can be configured to use basic authentication with the Apache web server to require a username and password. 3.3 File System Protocols ■■ The Scality NFS v3 connector supports Kerberos KDC. ■■ The Scality SMB connector provides Active Directory Server integration and support for simple Windows ACL’s (user and group). Chapter 4: Core RING Security 4.1 Logging All actions performed by a user are in the Supervisor Web Administration console are logged to a file (by default /var/log/scality/dsup/audit.log) on the Supervisor server and can also be set to another location. The audit log file provides detailed information on the user, date and time, name of the action performed (e.g. list, retrieve, delete, modify), RING component (Supervisor, Connector, Storage Node) on which the action was performed, result of the action (successful or not), duration of the action, and the detailed error message if the action wasn’t successful. 4.2 Versioning and WORM As mentioned earlier in this paper, data integrity requirements are in place to ensure that information is not tampered or altered. The S3 connector for the RING supports the versioning features from the Amazon S3 API. If enabled, this feature will allow users to keep track of different versions of a file on the RING storage. Using the standard S3 API calls, organizations will have the ability to view the modification dates and times of each file and it’s checksum as well as the ability to download previous versions of a file. Versioning is not always enough to address compliance requirements so organizations look for solutions that support Write once read many (WORM) operations. If an organization uses a solution that supports WORM, they can be assured that data will be read only and can not be altered. To help address this compliance requirement, Scality created a joint solution with iTernity that can meet legal and industry-specific regulations to provide a compliant long-term archiving solution. For more information, please check out the link to the solution sheet with iTernity in Appendix A. 4.3 Checksums The Scality RING uses a built-in CRC-32 checksum mechanism to ensure that the data being read is the same that was originally written to the RING. Upon reading replicated or Erasure Coded chunks on the disks, the RING calculates a CRC-32 checksum for each of the chunks it has to read and compares it to the CRC-32 checksum that was calculated upon writing the chunk (and stored in metadata with the chunk). If any of the chunks are found to be corrupted, (meaning the checksums do not match), the RING does two things: 1. Uses another replica or EC chunk to serve the requested data 2. Launches a chunk repair operation to repair the corrupted chunk (basically to replace the replica chunk by another replica or recalculates an Erasure Coded chunk). 4.4 Data Encryption Encryption on the disk level can be done today from array controllers or with encrypted
  • 6. Data Security in the Scality RING 6 drives. The Scality S3 connector supports bucket level encryption via an API extension which is a customized HTTP header used when a file is uploaded. The files are encrypted using OpenSSL with the AES-256 standard and the RING uses an external Key Management Service (KMS) to manage the encryption keys. 4.5 Supervisor Security The Supervisor is the web-based GUI for managing, monitoring, and provisioning resources on the RING. The Supervisor has the following security mechanisms: 1. HTTPS with password authentication. 2. Role-based Access Control (RBAC). Summary This paper explained what it takes to have a compliant storage solution built for the enterprise and went over the impact of security regulations and common compliance requirements. The security mechanisms of the Scality RING architecture was explained in detail ranging from the application layer to the storage layer. We hope that you now have a better idea of the Scality RING architecture and how we implemented common compliance features and security. Figure 4. – Scality Ring Supervisor Ring Overview Figure 3. – Scality Ring Supervisor Login Screen
  • 7. © 2017 Scality. All rights reserved. Specifications are subject to change without notice. Scality, the Scality logo, Scality RING are trademarks of Scality in the United States and/or other countries. Follow us on Twitter @scality and visit us at www.scality.com to learn more WPSR1-1702 Appendix A A.1 Going beyond this White Paper 1. Information on Scality products and use cases can be found here: http://www.scality.com 2. For more information on the Scality Ring, please view the technical white paper: http://storage.scality.com/white-paper-scality-technical-wp.html 3. Get more information on the S3 Connector in the following white paper: http://storage.scality.com/white-paper-scality-ring-s3-connector.html 4. Get more information on the joint solution with iTernity: http://www.scality.com/partners/iternity/