With any new technology, especially one that’s cloud-based, security is always a concern. Before companies migrate information to any new service, they must be satisfied that the service is safe, secure, and available for their data.
To confirm these levels of security in multitenant cloud environments, IT pros can ask the following questions about vendors’ and service providers’ services and company policies:
- How do you keep my company’s data secure when it’s in flight and at rest?
- How do you ensure my company’s data is isolated from other customers that use the platform?
- What controls do your staff members follow when they need to access your platform for customer support and software updates?
Data domains that need to be secured
Another way to ensure the security of a new service or vendor technology is to closely monitor three distinct data domains, all of which need to be protected in different ways and isolated from each other:
- Customer data – The actual data that applications generate and consume.
- Metadata that describes the customer’s data – ClearSky Data generates and uses this metadata to organize customer data and allocate it to the optimum cache layers.
- Configuration and management data – The customer-specific configuration and management data, generated when a service is provisioned.
Building security into the ClearSky service
ClearSky Data uses multiple mechanisms and layers of protection to ensure security, integrity and separation of customer data in transit and at rest. All customer data is protected using AES-256 encryption when it first enters the ClearSky service, and remains encrypted throughout all elements of the service. Data is decrypted using the same encryption keys upon egress.
Customers have exclusive control over encryption keys. Encryption and decryption are functions of ClearSky’s Edge Cache, which physically resides in our customers’ data centers.
ClearSky enforces strength requirements for the security pass-phrase used to encrypt and decrypt the encryption keys. It also enables periodic rotation of the pass-phrase. ClearSky has no access to either the security pass-phrase or the encryption keys, so it’s important that those security pass-phrases are retained in a secure location.
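The pass-phrase-protected key arrangement described above can be sketched as follows. This is an added example, not ClearSky's code: the strength policy, the use of scrypt to derive the wrapping key, the AES-256-GCM record layout and all function names are assumptions made for illustration.

```javascript
const nodeCrypto = require('node:crypto');

// Hypothetical policy: at least 16 characters and three character classes.
function passphraseIsStrong(p) {
  const classes = [/[a-z]/, /[A-Z]/, /[0-9]/, /[^A-Za-z0-9]/].filter(r => r.test(p)).length;
  return p.length >= 16 && classes >= 3;
}
// Derive a 256-bit key-encryption key (KEK) from the pass-phrase (scrypt, Node defaults).
function deriveKek(passphrase, salt) {
  return nodeCrypto.scryptSync(passphrase, salt, 32);
}
// AES-256-GCM; the sealed blob is iv (12 bytes) || tag (16 bytes) || ciphertext.
function seal(key, plaintext) {
  const iv = nodeCrypto.randomBytes(12);
  const c = nodeCrypto.createCipheriv('aes-256-gcm', key, iv);
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([iv, c.getAuthTag(), ct]);
}
function unseal(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-gcm', key, blob.subarray(0, 12));
  d.setAuthTag(blob.subarray(12, 28));
  // final() throws when the key is wrong or the blob was modified.
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}
// Wrap the data-encryption key (DEK) under the pass-phrase; only this record is stored.
function wrapDek(dek, passphrase) {
  if (!passphraseIsStrong(passphrase)) throw new Error('pass-phrase rejected by policy');
  const salt = nodeCrypto.randomBytes(16);
  return { salt, wrapped: seal(deriveKek(passphrase, salt), dek) };
}
function unwrapDek(rec, passphrase) {
  return unseal(deriveKek(passphrase, rec.salt), rec.wrapped);
}
// Rotation re-wraps the same DEK, so bulk data is never re-encrypted.
function rotatePassphrase(rec, oldPass, newPass) {
  return wrapDek(unwrapDek(rec, oldPass), newPass);
}
// Constructed values: data written before rotation stays readable afterwards,
// and the retired pass-phrase no longer opens the current key record.
function demo() {
  const dek = nodeCrypto.randomBytes(32);
  const data = seal(dek, Buffer.from('constructed volume block'));
  const rec1 = wrapDek(dek, 'Constructed-Passphrase-01');
  const rec2 = rotatePassphrase(rec1, 'Constructed-Passphrase-01', 'Constructed-Passphrase-02');
  const readable = unseal(unwrapDek(rec2, 'Constructed-Passphrase-02'), data).toString();
  let oldRejected = false;
  try { unwrapDek(rec2, 'Constructed-Passphrase-01'); } catch (e) { oldRejected = true; }
  return { readable, oldRejected };
}
```

Rotation only protects against a disclosed old pass-phrase if earlier copies of the wrapped-key record are destroyed, and a lost pass-phrase leaves no recovery path because nothing else can unwrap the key.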
In addition to data encryption, ClearSky has security measures optimized for the multitenant environment in our points of presence (PoPs), Backing Cloud and all network connections in between. Separation of customer data is further achieved through the generation of logical instances (containers) configured across the platform that map to individual customer configurations.
Protecting customer data and metadata
The ClearSky Backing Cloud uses a well-defined bucket and folder structure for each customer to increase protection. Only ClearSky Data application program interface (API) calls, which originate from our platform and are specific to each customer’s configuration, are permitted to access customer data. Data read from the Backing Cloud retraces the same path it followed on ingress – exiting the service via Edge Cache, which is physically located in the customer data center.
Customer data (and metadata) are protected in transit using Transport Layer Security (TLS), a standard protocol that runs over the dedicated private circuits we’ve provisioned between all caching layers and the Backing Cloud. These private circuits help avoid the performance and security challenges associated with public Internet circuits.
Storage operators configure and manage the ClearSky service via the secure customer portal. Storage managers and other role-based functions accessible from the portal have no access to customer data — the configuration and management plane and the customer data plane are logically “ships in the night,” and separate at all times.
ClearSky provides each customer with an Edge Cache, which is physically located within the customer’s data center under their security domain. Edge Cache is configured with enterprise-class self-encrypting drives (SED) to further protect the customer’s data in the unlikely event the physical drives are compromised.
Addressing evolving security concerns
Finally, ClearSky has processes and policies in place that ensure a secure environment in all aspects of our operations, and compliance with industry and government standards. The service maintains tight controls over who can access the platform, how they access it and what activities they can perform.
When the cloud emerged, it sparked security concerns about a new, unfamiliar environment. After just a few years, the cloud has become mainstream, used by thousands of companies for running workloads of all kinds. ClearSky extends the cloud revolution to enterprise storage using the security mechanisms and policies defined above. Companies can confidently plug in to the ClearSky service and take advantage of the simplicity, agility and cost savings that come with it, with the same level of security, or better, as their own data center.