Periodically, we turn over control of the CenturyLink Cloud blog to members of our certified technology ecosystem to share how they leverage our platform to enable customer success. This week’s guest author from the Cloud Marketplace Provider Program is data encryption provider Vormetric.
Enterprises have been concerned about data security long before the advent of the cloud. Throwing cloud to the mix has added fuel to the fire; yet "companies of all sizes and industries, including some of the most regulated, are finding that enterprise cloud service providers offer security that is superior to what they can provide in-house." A combination of deeply-embedded security principles and ecosystem partnerships with best-in-class security companies makes this possible.
CenturyLink and Vormetric have partnered to deliver data-at-rest security solutions for enterprises using the CenturyLink Cloud. Now you can encrypt your sensitive data, own your own encryption keys, and create a data protection policy that gives only authorized users, groups, and applications the ability to decrypt that data, thus creating a highly secure cloud environment. Vormetric applies the least privileged principle enabling system administrators to continue managing servers, backups, and replication services without changing their workflow. They're able to view encrypted data in clear text.
Here are the steps required to implement a Vormetric Data Security Solution that secures your sensitive structured and unstructured data assets. We've chosen a typical HR use case to demonstrate how it works. An HR department has determined HR reports need to be encrypted on the Linux Server and only HR users should be able to access them. Vormetric products allow CenturyLink server administrators to conduct their managed services operations, such as server administration and backups, without having access to the protected data. This can be accomplished in three simple steps:
- Set up the Vormetric Data Security Manager (DSM).
- Install the Vormetric Transparent Encryption (VTE) Agents on the CenturyLink Cloud host servers.
- Create and apply the encryption key and data access policy in the Vormetric DSM.
Let's start by reviewing the Vormetric Data Security components needed and the CenturyLink Cloud Blueprint. The Vormetric Data Security Solution has two components:
- DSM - This virtual appliance provides a web interface to customers, enabling them to create and manage encryption keys, define data protection policies, and store security intelligence logs which records any data access attempts in the DSM. The DSM is completely owned and managed by the enterprise. The CenturyLink team has no access to see or change any of the data security configurations.
- VTE Agent - The agent consists of software installed on the server that accesses and processes sensitive data from the storage systems. Based on the data security configuration received from the DSM, the agent encrypts/decrypts data, enforces access control policies, and generates security intelligence logs.
Step 1: Setup the DSM
The DSM can be configured with just a few clicks as described here.
Step 2: Install the VTE Agent using the CenturyLink Cloud Blueprint
Install the VTE Agent on the Linux HR server containing the sensitive HR reports cited in our example.
Vormetric has developed a CenturyLink Cloud Blueprint to simplify the installation of agents on their servers with just a couple of mouse clicks. See "Getting Started with Vormetric Encryption Agent Deployment - Blueprints".
You can also find this Blueprint by searching for "Vormetric" under the CenturyLink Cloud Blueprints Library and select "Install Vormetric Data Security Transparent Encryption Agent" as shown below.
Click the Blueprint and enter the required information:
- FQDN (host name) for the DSM
- IP address or FQDN of the server where you are to install the Vormetric Agent
Click "Next Step" to review the information you entered on previous screen. Then, click "Deploy."
The Blueprint installs the VTE Agent on the server and registers it with the DSM so it can receive encryption keys and detailed access policy information to determine which data is to be protected and who can access it. A Vormetric DSM and VTE Agent is now installed and configured in the CenturyLink Cloud.
Step 3: Create the key and data access control policy in the Vormetric DSM
Next, using the DSM Web Console, we create an encryption key and data protection policy. Then, we apply it to sensitive data on the Linux HR server in order to enforce the data access controls on the sensitive data.
1) Create an Encryption Key - In the DSM Web Console, under the "Keys" menu, complete the web form to enter the (key) Name. Select an Algorithm key for the HR Report data shown below. (We chose AES256.)
2) Create a Policy - In the DSM Web Console you create a data access policy. Below, we created the "HR-Reports-Policy" that dictates who can access and decrypt the HR Reports. The policy has the following three rules:
Rule 1 - Allow HR-Users to access and decrypt data.
Rule 2 - Allow Server Administrators to see the root and the metadata, but not the content of the protected data.
Rule 3 - Deny everyone else access to the data and audit this event.
The HR_Report_AES256-Key (created above) is associated to the policy to encrypt/decrypt data.
3) Apply the policy to the location of the sensitive data - Apply "HR-Reports-Policy" to the /HR_Reports directory on the Linux HR Server. This action establishes a Vormetric GuardPoint. A GuardPoint is a location in the file system hierarchy where everything underneath has the policy applied to it.
At this point, the Vormetric data-at-rest security solution is actively working to protect your sensitive data in the CenturyLink Cloud. Any attempts to access data in the /HR_reports directory are enforced using the "HR-Reports-Policy access control rules. Any new data is encrypted with the HR_Report-AES256-Key" encryption key. All data access attempts are logged in the DSM event logs, which can be uploaded to Security Information Event Managers (SIEM) for additional event analysis, alerts, and reports. (Note: If you have existing data in the directory, you need to encrypt the data first by using the Dataxform utility provided by Vormetric. Contact Vormetric if you need more information.)
Now let's see what happens when this protected data is accessed by various users. When user "Mary" (who is part of HR-Users) attempts to access data, she is able to see data in clear text. The encryption/decryption process is also completely transparent to her so that she doesn't have to change the way she accesses the protected data.
When user "root" (this user is part of the Linux Admin group) attempts to access data, the user is able to perform all operations, e.g., copy, move, or backup by using the metadata. However, sensitive data content remains encrypted for the protected data/files.
Even if the "root" user logs in as "Mary" and takes the identity of "Mary", the VTE Agent recognizes the user as "root." The user isn't able to access the data in clear text.
The "root" user behavior is captured in the security intelligence logs and stored in the DSM. Further analysis can determine whether this was a mistake, attempted abuse, or the actions of an Advanced Persistent Threat (APT) by uploading the DSM event logs information to SIEMs. The appropriate course of action can then be taken. Most importantly, the data in question remains completely protected throughout the process.
CenturyLink and Vormetric have dramatically simplified the process of deploying data encryption on the CenturyLink Cloud to protect sensitive data against advanced security threats. Additionally, CenturyLink users maintain data access controls and encryption key ownership.