Data Encryption for VMware vCloud Hybrid Service


VMware vCloud Hybrid Service and CloudLink SecureVSA Technical Solution Guide

The information furnished herein is believed to be accurate and reliable to the best of our knowledge. However, CloudLink Technologies assumes no responsibility for its use, or for any infringements of patents or other rights of third parties resulting from its use. CloudLink reserves the right to, without notice, modify all or part of this document and/or change product features or specifications and shall not be responsible for any loss, cost, or damage, including consequential damage, caused by reliance on these materials. If you are in any doubt as to whether this is the correct version of the manual for a particular release, contact CloudLink.

Trademarks
CloudLink is a registered trademark of CloudLink Technologies. All other brands or product names mentioned herein are for identification purposes only and may be trademarks and/or registered trademarks of their respective companies. VMware is a registered trademark or trademark of VMware, Inc. in the United States and/or other jurisdictions. All other marks and names mentioned herein may be trademarks of their respective companies.

Copyright 2014 All Rights Reserved CloudLink Technologies
2680 Queensview Drive, Suite 150, Ottawa, Ontario, K2B 8J9, Canada
Tel: (613) 224-5995 Fax: (613) 224-5410
Support Inquiries: (866) 356-4060, support@cloudlinktech.com
General Inquiries: info@cloudlinktech.com
Sales Inquiries: sales@cloudlinktech.com

VMWARE VCLOUD HYBRID SERVICE AND CLOUDLINK SECUREVSA 1

Table of Contents
Introduction ... 3
About CloudLink SecureVSA ... 3
Technical Solution Overview ... 4
Customer Challenge ... 4
Solution Benefits ... 5
Solution Overview ... 6
CloudLink SecureVSA Components ... 6
Deployment Scenarios ... 7
Deployment and Management of CloudLink SecureVSA ... 8
Key Store Prerequisites ... 9
Deployment Scenario One: Standalone CloudLink Gateway Deployment in vCloud Hybrid Service ... 10
Deployment Scenario One Considerations ... 10
Deployment Scenario One Workflow ... 11
Deployment Scenario Two: CloudLink Gateway and one or more CloudLink vNodes in vCloud Hybrid Service ... 13
Deployment Scenario Two Considerations ... 13
Deployment Scenario Two Workflow ... 14
Deployment Scenario Three: CloudLink Gateway in the Private Data Center with one or more CloudLink vNodes in vCloud Hybrid Service ... 16
Deployment Scenario Three Considerations ... 17
Deployment Scenario Three Workflow ... 17
CloudLink Management ... 20
Encryption Key Management ... 21
RSA Data Protection Manager Integration ... 22
Microsoft Active Directory Integration ... 25
Configuring Active Directory as a Key Store ... 25
Conclusion ... 26
References ... 27
Appendix A: Deploying CloudLink SecureVSA ... 28

Introduction
This Technical Solution Guide examines the security challenges encountered when deploying business applications in the public cloud, and presents the benefits of using CloudLink SecureVSA to provide data encryption in vCloud Hybrid Service. This guide describes the associated architecture, deployment models, workflows and key management. This solution enables enterprises to leverage vCloud Hybrid Service while maintaining control of the data residing there, allowing them to secure sensitive corporate information and helping to meet regulatory compliance requirements for data security.

About CloudLink SecureVSA
SecureVSA is a software-defined storage encryption solution designed to secure sensitive data in virtualized and multi-tenant cloud environments. It is delivered as a virtual storage appliance which can be deployed on a per-application and per-tenant basis, and provides a software encryption layer between virtualized applications and physical storage. SecureVSA:
- Presents itself as a secure software storage appliance to virtual machines directly over Microsoft SMB, NFS or iSCSI. Organizations can use this encrypted storage for sensitive information processed by applications on the virtual machines.
- Allows organizations to control the encryption keys and policies used to secure the storage. Encryption keys may be stored locally in the organization's private data center.
- Integrates with existing enterprise key management, such as RSA Data Protection Manager (DPM). Alternatively, organizations can store keys in Microsoft Active Directory. Key management options allow organizations to leverage existing key management investment and expertise.

Technical Solution Overview

Customer Challenge
Cloud computing offers the promise of deployment flexibility, agility, reliability and cost-effective scalability. Specifically, hybrid cloud is the dominant deployment model, as it provides the flexibility to choose the best cloud model for each application, tenant or business initiative, along with the ability to seamlessly burst or shift workloads as needs dictate. The RightScale 2014 State of the Cloud Survey shows that hybrid and multi-cloud implementations continue to be the end goal for enterprises.

Despite the clear benefits, organizations often encounter significant challenges when trying to extend their business applications, virtual desktops, storage, backup solutions and disaster recovery infrastructure into the public cloud. One of the chief barriers to cloud deployment is ensuring the security of applications and related data in shared, multi-tenant infrastructures. Successful cloud adoption requires addressing data privacy and regulatory compliance (HIPAA, PCI, and so on), as well as concerns about data remanence (residual data that may remain even after terminating a cloud relationship). Whether organizations process and store PII, PHI, credit card numbers, corporate financial data or intellectual property, it's critical to ensure that only authorized parties can access this sensitive information.

Traditional data protection and security methods assume a clear perimeter between outsiders and insiders, and that all data to be protected reside in an enterprise-controlled data center behind multi-tier firewalls, with enterprise security administrators in complete control of security policy. However, these traditional methods have proven insufficient in the cloud. Further complicating matters, organizations must contend with the fact that, in the cloud, their sensitive data reside in multi-tenant physical storage. Delegating responsibility for data security to cloud service providers not only leaves data exposed to cloud service provider administrators, but also to court subpoenas ordering access to the physical storage to obtain other tenants' data in compliance with legislation such as the USA PATRIOT Act. Data encryption in the cloud can help address these concerns about service provider behavior by putting the data owner in complete control of the keys used to encrypt the data.

Once organizations address security concerns, they face the challenge of deploying and managing their applications in the cloud. Often, public cloud adoption means applications need to be modified to address cloud-specific characteristics. In addition, migrating to public clouds often means adopting new paradigms, tools and management interfaces that differ significantly from what organizations use in their own data centers.

Ideally, organizations would leverage the tools and management interfaces they already use to deploy and manage applications in the cloud without the need to re-architect. In addition, they would maintain control over sensitive data, no matter where it resides across the hybrid cloud, from a single management console where they define security policies and centrally monitor their deployments.

Solution Benefits
Together, SecureVSA and vCloud Hybrid Service offer organizations an effective way to enjoy the benefits of the public cloud while addressing concerns about placing their sensitive applications and data in multi-tenant infrastructures. SecureVSA provides industry-leading data encryption that's controlled and managed entirely by the organization owning the data. vCloud Hybrid Service offers cost-effective and dynamic infrastructure as a service (IaaS), managed with the same tools organizations already use in their private data centers. The combined solution offers the benefits of IaaS (deployment flexibility, agility, reliability and cost-effective scalability) while maintaining security and regulatory compliance and allaying concerns around cloud lock-in (data remanence), data theft and disclosure.

SecureVSA seamlessly extends across the hybrid cloud, providing data security in both the private data center and vCloud Hybrid Service, all managed from a single CloudLink Center console. As an agentless solution, deployment is rapid and does not require applications to be modified to include software encryption agents. The solution is completely transparent to end users. SecureVSA's flexible key management approach lets organizations choose where to store keys (on premises in the private data center, or in vCloud Hybrid Service) and whether to use Microsoft Active Directory or a third-party key manager such as RSA Data Protection Manager.

Simple, flexible and built for hybrid cloud:
- No change to workloads (agentless)
- Deploy with familiar VMware tools
- Encrypt on a per-VM basis rather than the entire VDC
- Flexible key management
- Single security management plan for your hybrid cloud

Solution Overview
SecureVSA consists of three key components: CloudLink Gateway, CloudLink vNode, and CloudLink Center. These components can be distributed in a number of ways to meet specific deployment and security requirements in the service provider environment.

CloudLink SecureVSA Components
CloudLink Center: A web-service application delivered as part of the CloudLink Gateway that provides a user interface to configure and manage SecureVSA. CloudLink Center provides secure storage encryption management, deployment topology, network monitoring and testing, as well as audit trails of actions, alarms, and security events.
Note: CloudLink Center is one of two management interfaces. The other is a low-level appliance console primarily used to deploy CloudLink vNodes and the CloudLink Gateway.

CloudLink Gateway: A software appliance deployed in your private data center or as part of your virtual data center in vCloud Hybrid Service. The CloudLink Gateway hosts the CloudLink Center web-service application and may optionally be configured to provide encrypted storage. The CloudLink Gateway can be deployed as a standalone encryption appliance or connected to one or more CloudLink vNodes. The CloudLink Gateway communicates with CloudLink vNodes over secure network connections established with them, controls the encryption keys used to secure the storage throughout the deployment, and monitors the network Service Level Agreements (SLAs) and security of the deployment.
Note: The CloudLink Gateway is not a traditional IT gateway. It's a component of SecureVSA to which CloudLink vNodes connect.

CloudLink vNode: A software appliance deployed as part of your vCloud Hybrid Service virtual data center. CloudLink vNode is a virtual machine that provides encrypted storage for local workloads, an encrypted connection to the CloudLink Gateway for storage volume encryption key retrieval, and an extension of the customer's network into the service provider's cloud. In addition, it monitors events in its cloud and provides data to the CloudLink Gateway for viewing in CloudLink Center.

Other components supporting the system depend on where you plan to deploy SecureVSA and how you plan to use it. Some examples of these components include:
- An ESX management system
- vSphere network adapters
- One or more vSphere virtual switches
- Underlying (non-encrypted) physical storage
- A router
- Windows Active Directory Server and Domain Controller
- A key management system, such as RSA Data Protection Manager (DPM). See Encryption Key Management for details on key management options.

Deployment Scenarios
SecureVSA components can be distributed across your private data center and vCloud Hybrid Service to meet a variety of deployment scenarios. This guide describes three common SecureVSA deployment scenarios, represented as Option 1, Option 2, and Option 3 in the following diagram. Each option illustrates a single virtual data center in vCloud Hybrid Service. In each case, SecureVSA provides encrypted storage for the VMs running in the vCloud Hybrid Service virtual data center.

These three common deployment scenario options are described in this guide:

Option 1: Standalone CloudLink Gateway in vCloud Hybrid Service
A standalone CloudLink Gateway is hosted in vCloud Hybrid Service. You configure policy and control keys by opening the CloudLink Center interface (provided by the CloudLink Gateway) with a web browser. This option is suitable for setting up a trial of SecureVSA. It is also preferable if you do not have a private data center, or wish to avoid introducing infrastructure in your private data center, and require encrypted storage in a single vApp. For information about this deployment scenario, see Deployment Scenario One: Standalone CloudLink Gateway Deployment in vCloud Hybrid Service.

Option 2: CloudLink Gateway and one or more CloudLink vNodes in vCloud Hybrid Service
Both the CloudLink Gateway and one or more CloudLink vNodes are hosted in vCloud Hybrid Service. You configure policy and control keys by opening the CloudLink Center interface (provided by the CloudLink Gateway) with a web browser. This option is preferable if you do not have a private data center, or wish to avoid introducing infrastructure in your private data center. It provides a scaled-out approach that allows you to deploy secure storage in multiple vApps, all controlled from a single CloudLink Center management interface hosted on the CloudLink Gateway. For information about this deployment scenario, see Deployment Scenario Two: CloudLink Gateway and one or more CloudLink vNodes in vCloud Hybrid Service.

Option 3: CloudLink Gateway in private data center and one or more CloudLink vNodes in vCloud Hybrid Service
One or more CloudLink vNodes are hosted in vCloud Hybrid Service. A separate CloudLink Gateway remains on premises in the private data center. The CloudLink vNodes and CloudLink Gateway establish a secure network connection which provides an SLA-monitored network extension from your private data center to your virtual data center in vCloud Hybrid Service. You configure policy and control keys by opening the CloudLink Center interface (provided by the on-premises CloudLink Gateway) with a web browser. This option is preferable when deploying secure storage in multiple vApps in vCloud Hybrid Service while ensuring that CloudLink Center management and the associated encryption key storage remain within your private data center, giving you more control and oversight of your sensitive data. Although not explicitly discussed in this guide, you can deploy additional CloudLink vNodes in the private data center, all connected to the same CloudLink Gateway, providing encrypted storage across the hybrid cloud. For information about this deployment scenario, see Deployment Scenario Three: CloudLink Gateway in the Private Data Center with one or more CloudLink vNodes in vCloud Hybrid Service.

Deployment and Management of CloudLink SecureVSA
The vCloud Hybrid Service interface is used to deploy and manage SecureVSA components in the cloud. Private data center components are deployed and managed using VMware vSphere. This guide references the CloudLink SecureVSA 3.0 VMware vSphere Deployment Guide for information about deploying CloudLink SecureVSA in the private data center. For information about deploying SecureVSA components in vCloud Hybrid Service, refer to Appendix A: Deploying CloudLink SecureVSA. For information about managing SecureVSA, see the CloudLink SecureVSA 3.0 CloudLink Center Administration Guide.

Key Store Prerequisites
SecureVSA supports both RSA Data Protection Manager (DPM) and Microsoft Active Directory as key stores. The key store must be configured and running before any SecureVSA deployment begins, and may be deployed either in the private data center or in vCloud Hybrid Service. Before configuring SecureVSA components, the key store must be available to receive encryption keys. Key store configuration is described later in this guide. For a description of how SecureVSA manages encryption keys, see Encryption Key Management. To configure RSA DPM as the SecureVSA key store, see RSA Data Protection Manager Integration. To configure Microsoft Active Directory as the SecureVSA key store, see Microsoft Active Directory Integration.

Deployment Scenario One: Standalone CloudLink Gateway Deployment in vCloud Hybrid Service
This deployment scenario offers data encryption for applications deployed in vCloud Hybrid Service with no need for private data center infrastructure. A standalone CloudLink Gateway is deployed within a single vApp in vCloud Hybrid Service and can be managed via web access to the CloudLink Center interface provided by the CloudLink Gateway. This section describes the:
- Considerations for deploying the CloudLink Gateway in vCloud Hybrid Service (see Deployment Scenario One Considerations).
- Workflow for deploying and configuring the CloudLink Gateway, including topics in related guides that provide more information or procedures for each task (see Deployment Scenario One Workflow).

Deployment Scenario One Considerations
Ensure that you have created a vApp in vCloud Hybrid Service to contain your application VMs and the CloudLink Gateway. The vApp should have an Organization VDC Network as well as a vApp Network which allows VMs within the vApp to communicate with each other and with the CloudLink Gateway. The following diagram illustrates a standalone CloudLink Gateway deployment providing encrypted storage for a single vApp.

Deployment Scenario One Workflow
This workflow assumes that the considerations for deployment have been reviewed. See Deployment Scenario One Considerations. The following table lists the tasks for a CloudLink Gateway deployment in vCloud Hybrid Service. For each task, a reference to the appropriate topic in one of the following is provided:
- Appendix A: Deploying CloudLink SecureVSA
- CloudLink SecureVSA 3.0 CloudLink Center Administration Guide

Deployment Scenario One Workflow Tasks and References
1. Download the CloudLink Gateway template. Reference: To download the CloudLink SecureVSA template.
2. Upload the CloudLink Gateway OVF template to your vCloud Hybrid Service catalog. Reference: To add a CloudLink SecureVSA template to vCloud Hybrid Service organization catalog.
3. Deploy the CloudLink Gateway OVF template. Reference: To deploy a CloudLink SecureVSA appliance in vCloud Hybrid Service.
4. Add a network adapter for the vApp network. Reference: To add a network adapter for CloudLink SecureVSA private interface.
5. Add hard disks to the CloudLink Gateway. Reference: To add storage to the CloudLink SecureVSA appliance.
6. Power on and configure the CloudLink Gateway. References: To power on the CloudLink SecureVSA vApp; To configure the CloudLink SecureVSA from the console.
7. Upload and assign storage license. Reference: Administration Guide, Managing Storage Licenses: Uploading Storage Licenses; Assigning Storage Licenses.
8. Merge disks (optional). Merge disks to present multiple disks as a single encrypted storage volume. Otherwise, each disk is presented as a separate encrypted storage volume. Reference: Administration Guide, Managing Secure Storage, Merging Volumes.
9. Configure the encryption key store. Reference: Administration Guide, Managing Secure Storage, Managing Encryption Key Stores.
10. Format secure storage. Reference: Administration Guide, Managing Secure Storage, Formatting Volumes.
11. Configure access to secure storage. Reference: Administration Guide, Managing Secure Storage: Configuring NFS/SMB Access to Secure Storage; Configuring iSCSI Access to Secure Storage.

Deployment Scenario Two: CloudLink Gateway and one or more CloudLink vNodes in vCloud Hybrid Service
This deployment scenario offers data encryption for applications deployed in multiple vApps within vCloud Hybrid Service with no need for private data center infrastructure. All SecureVSA components are deployed within vCloud Hybrid Service and everything can be managed via web access to the CloudLink Center interface provided by the CloudLink Gateway. This section describes the:
- Considerations for deploying SecureVSA components in vCloud Hybrid Service (see Deployment Scenario Two Considerations).
- Workflow for deploying and configuring the SecureVSA components, including topics in related guides that provide more information or procedures for each task (see Deployment Scenario Two Workflow).

Deployment Scenario Two Considerations
You will deploy a separate CloudLink vNode for each vApp requiring encrypted storage. Note that you can deploy additional CloudLink vNodes later. Each SecureVSA appliance must reside in a separate vApp. Ensure that you have created a vApp in vCloud Hybrid Service to contain the CloudLink Gateway, and one or more vApps to contain each CloudLink vNode and its associated application. Each vApp must have an Organization VDC Network as well as a vApp Network which allows VMs within the vApp to communicate with each other.

Deployment Scenario Two Workflow
This workflow assumes that the considerations for deployment have been reviewed. See Deployment Scenario Two Considerations. The following table lists the tasks for a full SecureVSA deployment in vCloud Hybrid Service. For each task, a reference to the appropriate topic in one of the following is provided:
- Appendix A: Deploying CloudLink SecureVSA
- CloudLink SecureVSA 3.0 CloudLink Center Administration Guide

Deployment Scenario Two Workflow Tasks and References
1. Download the CloudLink Gateway template. Reference: To download the CloudLink SecureVSA template.
2. Upload the CloudLink Gateway OVF template to your vCloud Hybrid Service catalog. Reference: To add a CloudLink SecureVSA template to vCloud Hybrid Service organization catalog.
3. Deploy the CloudLink Gateway OVF template. Reference: To deploy a CloudLink SecureVSA appliance in vCloud Hybrid Service.
4. Add a network adapter for the vApp network. Reference: To add a network adapter for CloudLink SecureVSA private interface.
5. Power on and configure the CloudLink Gateway. References: To power on the CloudLink SecureVSA vApp; To configure the CloudLink SecureVSA from the console.
6. Download the CloudLink vNode template. Reference: To download the CloudLink SecureVSA template.
7. Upload the CloudLink vNode OVF template to your vCloud Hybrid Service catalog. Reference: To add a CloudLink SecureVSA template to vCloud Hybrid Service organization catalog.
8. Deploy the CloudLink vNode OVF template. Reference: To deploy a CloudLink SecureVSA appliance in vCloud Hybrid Service.
9. Add a network adapter for the vApp network. Reference: To add a network adapter for CloudLink SecureVSA private interface.
10. Add hard disks to the CloudLink vNode. Reference: To add storage to the CloudLink SecureVSA appliance.
11. Power on and configure the CloudLink vNode. References: To power on the CloudLink SecureVSA vApp; To configure the CloudLink SecureVSA from the console.
12. Deploy additional CloudLink vNodes (optional). Repeat the previous four steps for each additional CloudLink vNode to be deployed.
13. Upload and assign storage license. Reference: Administration Guide, Managing Storage Licenses: Uploading Storage Licenses; Assigning Storage Licenses.
14. Merge disks (optional). Merge disks to present multiple disks as a single encrypted storage volume. Otherwise, each disk is presented as a separate encrypted storage volume. Reference: Administration Guide, Managing Secure Storage, Merging Volumes.
15. Configure the encryption key store. Reference: Administration Guide, Managing Secure Storage, Managing Encryption Key Stores.
16. Format secure storage. Reference: Administration Guide, Managing Secure Storage, Formatting Volumes.
17. Configure access to secure storage. Reference: Administration Guide, Managing Secure Storage: Configuring NFS/SMB Access to Secure Storage; Configuring iSCSI Access to Secure Storage.

Deployment Scenario Three: CloudLink Gateway in the Private Data Center with one or more CloudLink vNodes in vCloud Hybrid Service
This deployment scenario offers data encryption for applications deployed in multiple vApps within vCloud Hybrid Service while keeping security management and key storage under your control in your own private data center. The CloudLink Gateway is deployed within your private data center and one or more CloudLink vNodes are deployed within vCloud Hybrid Service. The CloudLink Gateway establishes a secure network connection with each of the CloudLink vNodes. The secure connection provides your choice of Layer 2 or Layer 3 network extension from your data center into your vCloud Hybrid Service vApps, facilitating secure and easy network routing across the hybrid cloud. Both encrypted storage and secure network connections can be monitored and managed using web access to the CloudLink Center interface provided by the CloudLink Gateway. This section describes the:
- Considerations for deploying SecureVSA components across the hybrid cloud (see Deployment Scenario Three Considerations).
- Workflow for deploying and configuring the SecureVSA components, including topics in related guides that provide more information or procedures for each workflow task (see Deployment Scenario Three Workflow).

Deployment Scenario Three Considerations

You will deploy a separate CloudLink vNode for each vApp requiring encrypted storage. Note that you can deploy additional CloudLink vNodes later. Each CloudLink vNode must reside in a separate vApp. Ensure that you have created one or more vApps to contain each CloudLink vNode and its associated application. Each vApp must have an Organization VDC Network as well as a vApp Network that allows VMs within the vApp to communicate with each other. Also, ensure that you have established network routing between your private data center and your virtual data center in vCloud Hybrid Service.

Deployment Scenario Three Workflow

This workflow represents the tasks for a SecureVSA deployment across the hybrid cloud. The workflow consists of steps for deploying the CloudLink Gateway in VMware vSphere within the private data center and one or more CloudLink vNodes in vCloud Hybrid Service. In general, CloudLink Gateway deployment is described in the CloudLink SecureVSA 3.0 VMware vSphere Deployment Guide, whereas CloudLink vNode deployment is described in Appendix A: Deploying CloudLink SecureVSA.

This workflow assumes that:
- The Considerations for deployment have been reviewed. See Deployment Scenario Three Considerations as well as the Deployment Considerations section in the CloudLink SecureVSA 3.0 VMware vSphere Deployment Guide.
- System requirements for the CloudLink Gateway have been met. See System Requirements in the CloudLink SecureVSA 3.0 VMware vSphere Deployment Guide.

- Prerequisites for the CloudLink Gateway have been met. See Prerequisites for Scalable Encrypted Storage Overlay in the CloudLink SecureVSA 3.0 VMware vSphere Deployment Guide.

We recommend that you complete the deployment worksheet provided in the CloudLink SecureVSA 3.0 VMware vSphere Deployment Guide.

The following table lists the tasks for a deployment with the CloudLink Gateway in the private data center and one or more CloudLink vNodes in vCloud Hybrid Service. For each task, a reference to the appropriate topic in one of the following is provided:
- CloudLink SecureVSA 3.0 VMware vSphere Deployment Guide
- Appendix A: Deploying CloudLink SecureVSA
- CloudLink SecureVSA 3.0 CloudLink Center Administration Guide

DEPLOYMENT SCENARIO THREE WORKFLOW TASKS AND REFERENCES

TASK: Deploy the CloudLink Gateway OVF template
REFERENCE: Deployment Guide, Scalable Encrypted Storage Overlay, Deploying the CloudLink Gateway OVF Template

TASK: Add the private network interface for the CloudLink Gateway
REFERENCE: Deployment Guide, Adding Components, Deploy a CloudLink Gateway with No Storage

TASK: Configure the CloudLink Gateway
REFERENCE: Deployment Guide, Scalable Encrypted Storage Overlay, Configuring the CloudLink Gateway

TASK: Download the CloudLink vNode template
REFERENCE: Appendix A, To download the CloudLink SecureVSA template

TASK: Upload the CloudLink vNode OVF template to your vCloud Hybrid Service catalog
REFERENCE: Appendix A, To add a CloudLink SecureVSA template to the vCloud Hybrid Service organization catalog

TASK: Deploy the CloudLink vNode OVF template
REFERENCE: Appendix A, To deploy a CloudLink SecureVSA appliance in vCloud Hybrid Service

TASK: Add a network adapter for the vApp network
REFERENCE: Appendix A, To add a network adapter for the CloudLink SecureVSA private interface

TASK: Add hard disks to the CloudLink vNode
REFERENCE: Appendix A, To add storage to the CloudLink SecureVSA appliance

TASK: Power on and configure the CloudLink vNode
REFERENCE: Appendix A, To power on the CloudLink SecureVSA vApp; To configure the CloudLink SecureVSA from the console

TASK: Deploy additional CloudLink vNodes (optional)
REFERENCE: Repeat the previous four steps for each additional CloudLink vNode to be deployed.

DEPLOYMENT SCENARIO THREE WORKFLOW TASKS AND REFERENCES

TASK: Upload and assign storage license
REFERENCE: Administration Guide, Managing Storage Licenses: Uploading Storage Licenses; Assigning Storage Licenses

TASK: Merge disks (optional). Merge disks to present multiple disks as a single encrypted storage volume. Otherwise, each disk is presented as a separate encrypted storage volume.
REFERENCE: Administration Guide, Managing Secure Storage, Merging Volumes

TASK: Configure the encryption key store
REFERENCE: Administration Guide, Managing Secure Storage, Managing Encryption Key Stores

TASK: Format secure storage
REFERENCE: Administration Guide, Managing Secure Storage, Formatting Volumes

TASK: Configure access to secure storage
REFERENCE: Administration Guide, Managing Secure Storage: Configuring NFS/SMB Access to Secure Storage; Configuring iSCSI Access to Secure Storage

CloudLink SecureVSA Management

CloudLink Center provides web-based management of encryption services, including:
- Key management: configuration of key stores and key change scheduling policies.
- Encrypted storage management: merging disks, resizing the storage, and locking or unlocking encrypted storage volumes.
- Secure communication management between the CloudLink Gateway and CloudLink vNodes: key delivery, VPN traffic, and authentication status of CloudLink vNodes.
- Performance monitoring: monitoring of storage and network performance. The performance data for the past 24 hours are reported and can be exported as a spreadsheet file.
- Security event and log management: all security events and logs are displayed on CloudLink Center. They can be sent to an external application using SNMP or consolidated on a central syslog server.

CloudLink Center supports role-based administration, which separates security management from infrastructure administration. There are three pre-defined roles in CloudLink Center: security administrator (secadmin), regular IT administrator (admin), and observer for monitoring. Each role has its own unique privilege set as defined in the following table.

OPERATION                                  SECADMIN   ADMIN   OBSERVER
Control of keys for encrypted storage
VPN configuration and control
Network performance and SLA monitoring
View VM security audit status
View security events
View actions
View alarms and events
Syslog/SNMP configuration

Encryption Key Management

Each SecureVSA encrypted virtual storage volume has two associated encryption keys:
- The data encryption key (DEK) is generated by the CloudLink vNode on a per-volume basis to encrypt data at the block level using AES-256.
- A key encryption key (KEK) is used to encrypt the DEK, and the encrypted DEK is stored on the disk with the data.

Data security administrators have full control of the encryption keys, and the KEKs can be updated regularly by the security administrators via CloudLink Center. Special care is taken to ensure that the enterprise-owned data are never stored in clear text and can be promptly withdrawn by the enterprise at any time. Cloud administrators do not have access to DEKs and KEKs; therefore, cloud administrators, other tenants, or intruders cannot access the enterprise data in the cloud.

KEKs are generated and managed by the CloudLink Gateway. They must be changed regularly according to key management policy, and kept in a safe place in order to ensure the safety of encrypted data. CloudLink supports three different key stores:
- RSA Data Protection Manager (DPM) provides a key store that is tamper proof and supports high availability. The RSA DPM client has been integrated into the CloudLink Gateway.
- Microsoft Active Directory provides an alternate encryption key store. This option allows an enterprise to leverage its existing Active Directory deployment to store cloud encryption keys.
- KEKs may also be stored within the CloudLink Gateway. This option is suitable for trials and testing, but is not recommended for production deployment.

CloudLink Center is the entry point for SecureVSA key management. In each of the deployment scenarios discussed previously, key management is completely under the control of the enterprise data security administrators. Keys can be kept in key stores deployed in the private data center or in vCloud Hybrid Service.
Through CloudLink Center, the security administrator can monitor and control the availability of encrypted volumes by choosing whether KEKs are made available to the SecureVSA cipher. CloudLink Center's lock operation withdraws the KEK for an encrypted volume from the SecureVSA, preventing it from decrypting the volume's DEK and rendering the data stored on the volume unavailable. Conversely, the unlock operation provides the KEK for an encrypted volume to CloudLink SecureVSA, which uses it to decrypt the volume's DEK and then uses the DEK to decrypt and make the data available. Using CloudLink Center, the security administrator can also perform key change operations, either on demand or on a scheduled policy basis.

RSA Data Protection Manager Integration

SecureVSA provides out-of-box integration with RSA Data Protection Manager (DPM). All storage key encryption keys (KEKs) created and managed by CloudLink SecureVSA can be stored securely in RSA DPM. RSA DPM provides centralized key vaulting, protection, and recoverability of the keys. The keys are generated by CloudLink SecureVSA and provided to RSA DPM for safe storage. They are then retrieved by the CloudLink Gateway and provided to the CloudLink vNodes that must provide access to their encrypted storage volumes (that is, to unlock the volumes). At any time, a security administrator using CloudLink Center can instruct CloudLink SecureVSA to lock one or all of a node's encrypted volumes. CloudLink then issues a lock command to the node, and the node destroys its cached version of the storage KEKs.

RSA DPM is available in the following forms:
- Hardware appliance
- Virtual appliance
- Software server deployable in customer software infrastructure

Both the hardware and virtual appliances come with a pre-packaged software stack that includes a web application server, enterprise-class database, and access management. Client applications authenticate with the server using mutual SSL. A client application using an RSA DPM client for encryption and key management can operate with a local protected cache for keys.
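The per-volume DEK wrapped under a KEK, together with the lock, unlock and key change operations described above, modelled as an added Go example. This is not CloudLink's code: the Volume type, AES-256-GCM as the wrapping and data cipher, and all function names are this example's own assumptions about how such a scheme behaves.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Volume models one SecureVSA volume: data encrypted under a per-volume DEK,
// and the DEK stored wrapped under a KEK that the node holds only while unlocked.
type Volume struct {
	WrappedDEK []byte // DEK encrypted under the KEK, kept beside the data
	Blocks     []byte // data encrypted under the DEK (AES-256)
	cachedKEK  []byte // nil while the volume is locked
}
const nonceSize = 12 // standard AES-GCM nonce length, prefixed to each ciphertext

// NewKey returns a random 256-bit key; DEKs and KEKs are both 32 bytes here.
func NewKey() []byte {
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		panic(err)
	}
	return k
}
// gcmFor builds an AES-256-GCM AEAD; with a 32-byte key NewGCM cannot fail.
func gcmFor(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	gcm, _ := cipher.NewGCM(block)
	return gcm
}
// seal encrypts under key with a fresh random nonce.
func seal(key, plaintext []byte) []byte {
	nonce := NewKey()[:nonceSize]
	return gcmFor(key).Seal(nonce, nonce, plaintext, nil)
}
// unseal reverses seal (inputs come only from seal). A nil key means no KEK
// was delivered; a wrong key or altered ciphertext fails GCM authentication.
func unseal(key, sealed []byte) ([]byte, error) {
	if key == nil {
		return nil, errors.New("volume is locked: no KEK available")
	}
	return gcmFor(key).Open(nil, sealed[:nonceSize], sealed[nonceSize:], nil)
}
// FormatVolume: fresh DEK, data sealed under it, only the KEK-wrapped DEK kept.
func FormatVolume(kek, data []byte) *Volume {
	dek := NewKey()
	return &Volume{WrappedDEK: seal(kek, dek), Blocks: seal(dek, data)}
}
// Unlock models the Gateway delivering the KEK; Lock models the node destroying it.
func (v *Volume) Unlock(kek []byte) { v.cachedKEK = kek }
func (v *Volume) Lock()             { v.cachedKEK = nil }
// Read unwraps the DEK with the cached KEK, then decrypts the data with it.
func (v *Volume) Read() ([]byte, error) {
	dek, err := unseal(v.cachedKEK, v.WrappedDEK)
	if err != nil {
		return nil, err
	}
	return unseal(dek, v.Blocks)
}
// ChangeKEK re-wraps the DEK under a new KEK; the data blocks are not touched.
func (v *Volume) ChangeKEK(oldKEK, newKEK []byte) error {
	dek, err := unseal(oldKEK, v.WrappedDEK)
	if err == nil {
		v.WrappedDEK = seal(newKEK, dek)
	}
	return err
}
```

Locking discards only the node's copy of the KEK; the wrapped DEK stays on the volume, so a later unlock, or a key change that re-wraps it under a new KEK, restores access without re-encrypting the data.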

A typical deployment architecture for key management comprises at least two load-balanced RSA DPM nodes within the primary site for high availability, and more nodes in remote sites for scalability or disaster recovery purposes, all clustered together. All nodes in a cluster are active. RSA DPM appliances come with built-in replication to keep all the nodes in sync. RSA DPM virtual and hardware appliances can be deployed in the same way.

To use RSA DPM to store CloudLink KEKs, ensure that the CloudLink Gateway can access an RSA DPM host (version 3.1 or later) through the CloudLink SecureVSA private LAN network. The CloudLink SecureVSA 3.0 VMware vSphere Deployment Guide and CloudLink SecureVSA 3.0 CloudLink Center Administration Guide provide more information on deploying, configuring, and using CloudLink SecureVSA.

To prepare RSA DPM for storage of CloudLink KEKs:
1. Log on to the RSA Data Protection Manager console.
2. Create an identity that belongs to a particular RSA DPM identity group:

3. Create a security class object with infinite duration that belongs to the same RSA DPM identity group:

To configure CloudLink to use RSA DPM as its key store:
1. Open CloudLink Center using the secadmin user account.
2. Under the topology tree, select the CloudLink Gateway.
3. Click the Security > Key Store tab.
4. To configure CloudLink Center to use RSA DPM for KEK storage, under Location, click RSA DPM.
5. Under RSA DPM Configuration (see figure below), specify the RSA DPM parameters:
   Host - RSA DPM host IP address.
   Port - TCP port number configured on the RSA DPM host. (The default port is 443.)
   Security Class Name - Name of the security class configured on the RSA DPM host for the RSA DPM client.
   Trust Certificate - RSA DPM server certificate.
   Client Certificate - RSA DPM client certificate.
   Password - Password used during creation of the RSA DPM client certificate.
6. Click Apply.

CloudLink Center displays the RSA DPM status as Accessible. It creates a new entry in the CloudLink Center Actions log, as shown above, and records a Key store change security event, as shown below.

Microsoft Active Directory Integration

As an alternative to RSA DPM, you can configure Microsoft Active Directory as a CloudLink key store. It is very important that the Active Directory server is properly backed up to ensure the safety of the encryption keys. Losing encryption keys will result in data loss. For high availability and disaster recovery, Active Directory servers acting as CloudLink key stores are deployed on both the production and disaster recovery sites.

Configuring Active Directory as a Key Store

To use Active Directory to store CloudLink encryption keys, deploy a Windows Server that is accessible by CloudLink Center from its private LAN network. During this procedure, you must provide the host name of the Windows Server, which requires that you have already set up a DNS server.

To configure Active Directory for the CloudLink encryption key store on a Windows 2003 or 2008 Server that is configured as a domain controller, the following high-level steps are required:
1. Set up an organizational unit on Windows Server.
2. Create a bind user.
3. Add the bind user to the security group.
4. Record the DN of CloudLink.
5. Apply the domain controller in CloudLink.

For detailed configuration instructions, refer to the CloudLink SecureVSA 3.0 CloudLink Center Administration Guide.

Conclusion

SecureVSA is a powerful platform that's designed to meet a variety of deployment and security requirements for organizations who wish to realize the benefits of running their virtual applications in vCloud Hybrid Service. SecureVSA provides the:
- Opportunity to seamlessly extend into vCloud Hybrid Service while addressing concerns about encryption key control, security policy management, regulatory compliance, and data destruction obligations.
- Ease of using familiar VMware tools to manage your hybrid cloud.
- Flexibility to fully manage and control your encryption keys, leveraging what you already have.
- Transparency of an agentless encryption approach, requiring no installation or maintenance of client software in your application VMs.
- Oversight associated with monitoring and controlling the security of your application data across the hybrid cloud from a single CloudLink Center management console.

The three deployment scenarios described in this guide demonstrate the ease with which SecureVSA can be deployed and configured. SecureVSA components can be distributed completely in vCloud Hybrid Service. Just as easily, SecureVSA can be deployed across your organization's hybrid cloud, consisting of your private data center and vCloud Hybrid Service.

CloudLink Technologies provides SecureVSA to customers world-wide. For more information about how SecureVSA can benefit your cloud environment, contact us:
Phone: +1 (613) 224-5994
Email: sales@cloudlinktech.com
Web: cloudlinktech.com

References

For more information, see the following documents:
- CloudLink SecureVSA 3.0 VMware vSphere Deployment Guide
- CloudLink SecureVSA 3.0 CloudLink Center Administration Guide

These documents are available from CloudLink by contacting Support at: support@cloudlinktech.com

Appendix A: Deploying CloudLink SecureVSA

Deploying SecureVSA manually in vCloud Hybrid Service involves the following tasks:
1. Download the appropriate CloudLink SecureVSA template.
2. Add the CloudLink SecureVSA template to the vCloud Hybrid Service organization catalog.
3. Deploy the CloudLink SecureVSA appliance in vCloud Hybrid Service.
4. Add a network interface.
5. Add storage volumes.
6. Power on the CloudLink SecureVSA vApp.
7. Configure the CloudLink SecureVSA appliance using the console.

To download the CloudLink SecureVSA template:
1. Decide whether you will deploy a CloudLink Gateway or a CloudLink vNode in vCloud Hybrid Service.
2. Download the appropriate template from CloudLink. To register for a SecureVSA trial, visit: http://www.cloudlinktech.com/vchs-trial.

To add a CloudLink SecureVSA template to the vCloud Hybrid Service organization catalog:
1. Log into vCloud Hybrid Service using your account credentials: https://vchs.vmware.com/login
2. From the Dashboard tab, click the virtual data center in which you wish to deploy CloudLink SecureVSA.
3. In the Virtual Data Center Details page, click Manage Catalogs in vCloud Director.
4. On the Catalogs tab, do one of the following:
   - If the organization catalog where you want to add a CloudLink SecureVSA template exists, select the catalog.
   - If the organization catalog does not exist, create a new organization catalog and open it.
5. Select Upload.
6. Browse to the CloudLink SecureVSA template you downloaded.
7. Provide a name and description for the template.
8. Click OK to complete the import. When the import is complete, the CloudLink SecureVSA template appears in your organization catalog.

To deploy a CloudLink SecureVSA appliance in vCloud Hybrid Service:
1. On the My Cloud tab, select the vApp into which you wish to deploy the CloudLink SecureVSA appliance.
2. From the Virtual Machines tab, select Add VM. Tip: Find the green plus sign in the menu bar.
3. In the Look in list, select My organization Catalogs.
4. Select the CloudLink SecureVSA template and click Add to add it to the list of virtual machines.

5. Click Next to proceed with the Deployment wizard.
6. On the Configure Resources screen, select a Storage Policy and click Next.

7. On the Configure Virtual Machines screen, assign the Organization VDC Network to the CloudLink SecureVSA appliance and select how you want an IP address to be assigned from the IP Assignment drop-down menu. Click Next.
8. On the Configure Networking screen, click Next.

9. Review your selections on the Ready to Complete screen and click Finish to complete the CloudLink SecureVSA appliance deployment. When the deployment is complete, a new CloudLink SecureVSA VM appears in the vApp you selected. The CloudLink SecureVSA VM is in the Powered Off state.

To add a network adapter for the CloudLink SecureVSA private interface:
1. Go to the My Cloud VMs screen.
2. Select the CloudLink SecureVSA VM, right-click, and select Properties.
3. Select the Hardware tab.
4. In the NICs section, click +Add. A new network adapter appears.
5. In the Network drop-down menu, ensure the vApp Network is selected.

6. Select an IP Mode.
7. Click OK.

To add storage to the CloudLink SecureVSA appliance:
1. Go to My Cloud VMs.
2. Select the CloudLink SecureVSA VM, right-click, and select Properties.
3. Select the Hardware tab.
4. In the Hard Disks section, click +Add. A new hard disk appears.
5. Select the storage disk size.
6. For the Bus Type, select Paravirtual (SCSI).
7. Click OK.
8. Repeat Steps 4 to 7 to add more storage volumes, if desired.

To power on the CloudLink SecureVSA vApp:
1. Go to My Cloud vApps.
2. Select the vApp into which you deployed CloudLink SecureVSA, right-click, and select Start. When the operation is complete, the vApp state is Running and the CloudLink SecureVSA VM state is Powered On.

To configure the CloudLink SecureVSA from the console:
1. Go to My Cloud VMs.
2. Double-click the CloudLink SecureVSA VM. The CloudLink SecureVSA console screen appears.
3. Proceed with normal CloudLink SecureVSA console configuration as described in the CloudLink SecureVSA 3.0 VMware vSphere Deployment Guide.