External key management on stream store analytics:
Stream stores are overlaid on Tier 2 storage, and the
assumption is that the latter takes care of securing data at rest. Tier 2 storage such
as object storage has long supported Data at Rest Encryption (D@RE) by
maintaining a set of encryption keys in the system. These include Data
Encryption Keys (DeKs) and Key Encryption Keys (KeKs). Certain object stores
even support external key management (EKM) by integrating with
Gemalto Key Secure servers, in line with industry best practice. With
external keys, the risk from a compromise of a
single instance of an application is reduced. Keys are rotated periodically, and this
integration helps with performing the re-encryption of storage artifacts. Products
that combine analytics with stream stores have at least two levels of data
transfer: one between the analytical application and the stream store, and
another between the stream store and Tier 2, which may be either an NFS file system
or a blob store. The transfers can also occur side by side if the product allows storage
independent of streams, or through a virtualizer that involves a storage class
provisioner, or finally through an abstraction that syncs between hybrid stores. In
these cases data is replicated, often without protection. When the product
supports using the same key to secure all parts of the data and
their copies, along with the ability to rotate the keys, an external key manager
is useful for safeguarding both the old and the new keys.
Data is organized in containers and a hierarchy specific to
the store, and encryption can be applied at each hierarchical level. All the
data sits at the lowest level, with its own DeK per container, while the higher-level
containers have their own KeKs. A master KeK is available for the overall store.
When there are multiple, hybrid stores, the master KeKs differ, but each
can be treated as just another intermediary level as long as the stores are
registered at an abstraction layer.
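As an added example (not code from the original post), the hierarchy described above in Go: a master KeK wraps a container KeK, which wraps the DeK that encrypts that container's data, and rotating the master re-wraps only the container KeK while the DeK and the data ciphertext are left untouched. The names Container, Write, Read and RotateMaster are assumed here; AES-256-GCM stands in for whatever wrapping and data ciphers a real store uses, and the master KeK is generated locally in place of one fetched from the EKM.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)
// Container is one leaf of the post's hierarchy: the master KeK (held in the
// EKM) wraps the container KeK, which wraps the DeK that encrypts the data.
type Container struct {
	WrappedKeK []byte // container KeK sealed under the master KeK
	WrappedDeK []byte // DeK sealed under the container KeK
	Ciphertext []byte // data sealed under the DeK
}
// NewKey returns a random AES-256 key, a stand-in for a key issued by the EKM.
func NewKey() []byte { k := make([]byte, 32); rand.Read(k); return k }
// gcm wraps a key in AES-256-GCM; key size is fixed at 32 bytes, so no error path.
func gcm(key []byte) cipher.AEAD { b, _ := aes.NewCipher(key); g, _ := cipher.NewGCM(b); return g }
// seal authenticates and encrypts pt, prepending the random nonce.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := make([]byte, g.NonceSize()); rand.Read(nonce)
	return g.Seal(nonce, nonce, pt, nil)
}
// open reverses seal; it fails on a wrong key or any tampering with the blob.
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key); ns := g.NonceSize()
	if len(ct) < ns { return nil, errors.New("ciphertext too short") }
	return g.Open(nil, ct[:ns], ct[ns:], nil)
}
// Write creates a container with a fresh KeK and DeK rooted at master.
func Write(master, data []byte) *Container {
	kek, dek := NewKey(), NewKey()
	return &Container{seal(master, kek), seal(kek, dek), seal(dek, data)}
}
// Read unwraps master -> container KeK -> DeK and decrypts the data.
func Read(master []byte, c *Container) ([]byte, error) {
	kek, err := open(master, c.WrappedKeK)
	if err != nil { return nil, err }
	dek, err := open(kek, c.WrappedDeK)
	if err != nil { return nil, err }
	return open(dek, c.Ciphertext)
}
// RotateMaster re-wraps only the container KeK; DeK and ciphertext stay as they
// are, whereas rotating a DeK would mean re-encrypting the data itself.
func RotateMaster(oldMaster, newMaster []byte, c *Container) error {
	kek, err := open(oldMaster, c.WrappedKeK)
	if err != nil { return err }
	c.WrappedKeK = seal(newMaster, kek)
	return nil
}
```

After RotateMaster the old master can no longer unwrap the container, and any bit flip in a stored blob makes Read fail rather than return corrupted data.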
 