May 2, 2014
Staying Compliant and Retaining Control – StorageVaults and StorageVaults Authentication
Information security is an elusive discipline. Purists look for the most secure mechanisms, and most others don’t care until it’s too late. In this dichotomous world, the security controls that get most widely adopted are the ones that have the least friction and provide reasonable protection. Username and passwords continue to be ubiquitous and PKI is barely visible.
With the advent of Cloud there are new concerns that have come to the forefront. It has become clear that information security has a lot to do with control – the ability to act without any dependence on the cloud provider. We see our customers looking for three specific capabilities for different but related reasons:
1. Data residency options
2. Physical control of content
3. Logical control of content
Data residency options are sought primarily for compliance with privacy laws. The government of the home country wants to retain sovereign rights on the data of its citizens and prevent foreign governments from issuing subpoenas for it. Data sovereignty is purely a function of the geographical location of the data. Syncplicity by Axway with Syncplicity by Axway StorageVaults addresses that concern directly by allowing our customers to pick and choose the type and location of their storage by content categories. Any provider that does not offer an in-country data storage option is not likely to be able to meet this requirement.
Customers want the ability to take a system offline in the face of any perceived or real risk. This again is best addressed by having physical access to the storage. A customer can isolate the system by powering down storage or disconnecting it from the network. Syncplicity by Axway StorageVaults addresses this concern, as customers can pick their storage in their data center as the target. Cloud providers cannot meet his requirement by offering an in-country data center because customers don’t have control over the physical infrastructure, and only on-premises storage can address this concern.
The final frontier of control is logical control of content. This is where customers seek to restrict access to only people they authenticate. Any outsiders, including government agency or cloud provider employees, should not be able to access customer data. This has been a hard problem. One solution that has been suggested is customer-controlled encryption keys. This is a solution that falls short—not because it fails to secure but because it breaks the functions that the application is supposed to deliver in the first place. If the cloud provider cannot decrypt the data, functions like sorting, adding, searching, subtracting, and any number of data manipulations just don’t work. There are myriad patch solutions that preserve format and/or some functionality, and there is at least one ambitious one namely, homomorphic encryption. But none of these solutions really address the problem for sync, share, and collaboration applications like Syncplicity by Axway.
What our engineers have come up with is an ingenious solution that applies the age old “two-man rule” to this problem. The two-man rule is a simple, elegant, and robust system that is still used to protect land-based US ICBMs. We reckon if it works for ICBMs, it should be good for customer content as well. We call our innovative application of the “two-man rule” StorageVault Authentication. At its core StorageVault Authentication requires two independent parties to authenticate the user before getting access to the system. With StorageVault Authentication (SVA), you, our customer, are one of those two parties. Hence SVA is an additional layer of authentication that users need to go through when accessing a specific storage device for the first time. This additional authentication is provisioned and managed by the customer and the authentication handshake happens directly between the client and storage layer. This ensures that the cloud provider has no control, and hence no way, to access customer content. There are many details that our engineers have refined while working closely with large enterprise customers to ensure that both security and UX goals are met.
We are very excited to make this capability available to our customers at EMC World 2014, and for customers who care about the three points above, we can assure you that no one else in the market delivers on them.
comments powered by