BLOOMBASE TURNKEY DATA-AT-REST SECURITY COMPLIANCE SOLUTION FOR EMC VNX/VNXe
ESSENTIALS
Bloombase StoreSafe is an industry-proven solution for immediate security compliance of various standards including HIPAA, PCI DSS, SB 1386, SOX, and more
Bundled Bloombase KeyCastle enables automated initial migration of EMC VNX contents, rekey, and full lifecycle management of cryptographic keys
Web-based management console, command line interface console, and SNMP offer total, simplified management
Unlike proprietary hardware with high entry price, Bloombase StoreSafe offers a pay-as-you-go licensing model to help reduce your initial investment
To maximize ROI, Bloombase StoreSafe:
Enables multiple storage hosts and applications to produce and consume secured data at-rest
EMC VNX/VNXe WITH BLOOMBASE STORESAFE
Electronic business data represents an invaluable core asset of today’s enterprises and organizations. Enterprise customers are concerned about being able to manage and use sensitive information to optimize day-to-day business operations, while protecting it and fulfilling information privacy compliance needs, without the expense of drastic infrastructure change and performance degradation.
Bloombase StoreSafe data at-rest security solution offers advanced security capabilities for a reliable, application-transparent, cipher-text data storage infrastructure. Its tamper-proof hardware encryption key security module ensures confidentiality and integrity throughout its whole lifecycle. Bloombase Cryptographic Module is NIST FIPS 140-2 certified, providing FIPS-approved RSA and AES cryptographic algorithms, along with non-FIPS ciphers including Camellia, SEED, ARIA, Twofish, Blowfish, etc.
Sensitive persistent data is stored securely as cipher-text in EMC VNX. The encryption and un-encryption processes are automated by re-routing storage paths via Bloombase StoreSafe software appliance, delivering virtual plain contents to authorized hosts and applications.
EMC VNX storage targets are accessed by FCP, iSCSI, CIFS and/or NFS storage protocols via Bloombase StoreSafe. Ciphered sensitive information is stored in EMC VNX storage system for centralized management. Only authorized access of virtual-plain information, by trusted applications and systems, per access rules and security profiles secured by Bloombase StoreSafe is permitted. Application data files, shares, and storage volumes are protected by strong encryption offered by Bloombase StoreSafe virtual storages, enabling application servers to achieve various information privacy compliance standards immediately and cost-effectively.
Supports multiple EMC VNX LUNs, file service resources, and shares
Supports both file- and block-based protection for CIFS, NFS, iSCSI, FCP EMC VNX storage resources
[Figure: deployment diagram. Labels: primary site (active cluster) and secondary site (standby cluster) connected over VPN; Microsoft SQL Server and Microsoft Exchange on Microsoft Windows Server 2003; Bloombase StoreSafe Security Server Cluster on i386 appliance; Bloombase KeyCastle Key Management Server Cluster with operator smart-token; EMC VNX storing Microsoft SQL Server database and application data files; switch (active) and switch (standby); VTL; Ethernet network and storage network.]
SOLUTION ARCHITECTURE
Bloombase StoreSafe data at-rest encryption solution offers wire-speed, on-the-fly encryption and un-encryption of storage data in EMC VNX network-attached storage (NAS) system. It requires minimum change in the application tier: Bloombase StoreSafe software appliances are dropped into the storage paths.
Bloombase High Availability brings together multiple nodes of Bloombase software appliances as a cluster, so when the master node fails, slave nodes pick up and maintain non-stop, mission-critical service at complete storage host transparency, requiring minimal operator attention. Extending to disaster recovery infrastructure, storage cipher-texts at the primary site are replicated in their natural encryption form over a private network to the backup storage system at the secondary site, and secured by a replica of the Bloombase StoreSafe and KeyCastle clusters.
As storage contents reside on EMC VNX in their native ciphered form, data backup done over physical storage resources is inherently encrypted, satisfying secure archival needs immediately.
The easy-to-manage Bloombase StoreSafe storage encryption solution helps organizational customers enforce data confidentiality for storage, which improves overall system security, enables fast key rotation, reduces user workflows, segregates data ownership from administration and operation, and enhances efficiency and internal controls.
RESULTS
A TPC-C-based database benchmark test is carried out on a sample database stored in an EMC VNX secured by Bloombase StoreSafe storage encryption software appliance
TPC-C-like queries (with EMC VNX read, Bloombase StoreSafe un-encryption) and updates (with VNX write, Bloombase StoreSafe encryption) are generated and applied to simulate workload on EMC VNX/Bloombase StoreSafe setup
For TPC-C queries, Bloombase StoreSafe-encrypted database server stored in EMC VNX recorded a 9 percent drop in throughput, compared to 31 percent for host-based and 64 percent for data column-level
For TPC-C inserts and updates, Bloombase StoreSafe-encrypted database stored in EMC VNX recorded a 12 percent drop in throughput, compared to 53 percent for host-based and 59 percent for column-level
CONCLUSION
Write-speed encryption performance with least degradation in storage I/O and throughput
Turnkey and proven solution for immediate compliance to stringent information confidentiality regulatory compliance requirements
No application change or second development needed
Fast deployment and automated migration versus alternatives’ manual script-based migration approach
FCP/iSCSI block-based and NFS/CIFS file-based encryption in a single solution
Highly secure NIST FIPS 140-2 and IEEE 1619 standard
High availability and fault-tolerant
Low total cost of ownership (TCO)
ABOUT BLOOMBASE
Bloombase is a worldwide provider and leading innovator in Next Generation Data Security from Physical/Virtual Datacenter, through Big Data and to the Cloud. Bloombase provides turnkey, non-disruptive, defense-in-depth data protection against dynamic cyber threats while simplifying the IT security infrastructure. Bloombase is the trusted standard for Global 500-scale organizations that have a zero-tolerance policy for security breaches. For more information, visit www.bloombase.com.
ABOUT EMC
EMC Corporation is the world’s leading developer and provider of information infrastructure technology and solutions that enable organizations of all sizes to transform the way they compete and create value from their information. Information about EMC’s products and services can be found at www.EMC.com.
EMC, VNX, the EMC logo, and where information lives are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. Copyright 2011 EMC Corporation. All rights reserved. Published in the USA. 01/11 Solution Overview H8568
EMC Corporation
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.EMC.com