White Paper Nasuni enterprise file services ensures unstructured data security and privacy, enabling IT organizations to safely leverage cloud storage while meeting stringent governance and compliance requirements.
Executive Summary Storing data in a public cloud or as-a-service offering presents new and exciting capabilities for enterprises. This modern approach also changes the risk profile for data storage. Done right, cloud storage can actually improve data security. Nasuni is a cloud-native enterprise file services solution designed to leverage cloud object storage as an infinitely scalable, geo-redundant repository for unstructured data. To ensure the security of the data stored in the Nasuni platform, Nasuni has developed a robust security model that combines strong encryption and local authentication with the native capabilities of top-tier cloud storage providers. As a result, enterprises can store, protect, collaborate on, and manage their file data across multiple global locations through a single, scalable storage solution at unprecedented scale, without compromising on security. Managing the Security of Data in the Cloud Managing and protecting the security of shared critical data is a time-consuming, costly, and complex challenge. User authentication and access, together with data security in transit and at rest, are some of the biggest information security obstacles to any storage project, never mind one that is cloud-based. Today, even small enterprises maintain a presence in multiple countries, often on multiple continents. IT organizations must securely provide file sharing services to users in all locations and do so from afar while ensuring rapid access to the most up-to-date versions of files. This challenge is compounded by the nearexponential growth of the data itself and the complexity of secure office-to-office communication. Nasuni addresses the challenges of global access to shared data with a platform designed to leverage the unlimited capacity of cloud object storage. Powered by Nasuni UniFS, the first global file system that resides in the cloud, Nasuni offers primary storage (NAS), archive storage, backup, disaster recovery, and global file access in a single hybrid cloud solution. Nasuni has also designed in security technologies and practices to ensure data remains safe in transit and at rest in the cloud, in many ways improving upon the security models used in most traditional on-premises NAS deployments. Nasuni s Security Technology As a hybrid cloud solution, Nasuni must address the risks associated with both onpremises storage and cloud storage. Nasuni secures on-premises data with standard features such as role-based access control, proxy support, and firewalls to limit unauthorized access. This white paper delves into the unique security requirements of Nasuni s hybrid cloud platform, which incorporates:
Strong data encryption Top tier cloud storage datacenters Active Directory and LDAP integration Hardened appliances Rapid software releases Strong Data Encryption Nasuni s data security model begins with a solid foundation of strong encryption. The Nasuni Edge Appliances that send file data to the cloud while caching the active data locally for NAS-like access use encryption keys generated by our customers. Encryption with customer-controlled keys ensures that data can never be viewed or used by anyone outside the organization. Neither Nasuni nor the cloud provider (e.g. AWS, Azure, IBM, Dell EMC, etc.) can see the data. Each Nasuni Edge Appliance performs the encryption on-premises before sending the data off-premises, so the data is always encrypted both in transit and at rest. Figure 1: Nasuni s encryption model secures data at rest within on-premises Nasuni Edge Appliances, as well as in transit as data is being sent to the cloud Nasuni employs the non-proprietary OpenPGP protocol for public-key-based encryption and decryption. OpenPGP establishes a framework for how to combine widely available security algorithms into a secure system. OpenPGP s open standard and source code are continually enhanced through an extensive and thorough review process. OpenPGP combines symmetric and asymmetric encryption technologies that not only protect the data, but do so without compromising performance. Using fast symmetric encryption to encrypt the data and slower asymmetric encryption to encrypt the keys enables data to be encrypted efficiently and at a high level of granularity. OpenPGP also specifies several important details, including proper salting (inputting random bits to a one-way cryptographic hash function) and cipher modes. OpenPGP s cipher feedback (CFB) mode also avoids the drawbacks of less secure techniques, such as Electronic Codebook (ECB).
Along with OpenPGP, Nasuni employs the AES-256 standard for symmetric encryption. AES is the first publicly accessible and open encryption standard approved by the US National Security Agency (NSA) for top-secret information. In addition to encrypting the data itself, Nasuni Edge Appliances also encrypt metadata, both in transit and at rest. This means no identifiable information not even file names or timestamps is decipherable once it leaves customer premises. Encrypted file metadata includes the file name, file size, timestamps, access control information and location within the directory tree. Nasuni s encryption technology also includes: Random session keys that eliminate the possibility of detecting patterns and reverse-engineering the encryption keys. Transport Layer Security (TLS) that provides end-to-end confirmation of data security and integrity. Built-in tamper alarms based on OpenPGP s Modification Detection Code (MDC), to detect any attempted tampering with data. Top Tier Cloud Storage Datacenters Nasuni integrates with the premier providers of public and private cloud storage, including Microsoft Azure, Amazon Web Services (AWS), IBM Cloud Object Storage, and Dell EMC ECS. These cloud leaders have invested billions in their datacenters to ensure data reliability, performance, availability, and accessibility. Microsoft has invested $15 billion (USD) in its Azure global datacenter infrastructure. AWS Cloud operates 44 Availability Zones within 16 geographic Regions around the world. IBM has more than 55 global cloud data centers in 19 countries spanning 6 continents. Because of these investments, Nasuni s cloud storage partners offer georedundant storage with the highest levels of data durability and the highest industry security and compliance certifications. As a cloud-native solution, Nasuni inherits the capabilities of its cloud partners. In addition, Nasuni cloud services constantly monitor the object stores to ensure the availability and performance of Nasuni enterprise file services. Active Directory and LDAP integration As a hybrid cloud solution with on-premises components, Nasuni augments the security features of its cloud partners with strong on-premises security. Nasuni Edge Appliances join Active Directory and LDAP domains to leverage each customer s existing authentication and access control procedures. Data is accessed just as it would through a Windows File Server or any traditional NAS device using existing credentials and identities. All identity and user controls
already in place still apply. Existing ACLs can be migrated in with the data, or the migration to Nasuni can be used as an opportunity to clean up polluted ACL structures. Hardened Appliances Each Nasuni Edge Appliance is hardened using a default-deny approach. No ports are opened except the management port required to configure it. Once configured, no ports are opened beyond the ones needed to serve the configuration. For example, if no NFS mounts are defined, no NFS traffic will be accepted. In addition, the appliances include configurable on-board traffic partitioning, firewall and antivirus features. Rapid Software Releases A critical component of any strong security model is a commitment to rapid software updates and improvements. All Nasuni customers with an active subscription receive Nasuni updates. Nasuni proactively scans every release of its software and proactively monitors all licensed and open source components for security vulnerabilities. Vulnerabilities are rated using a four-tier scale of Critical, Important, Moderate, and Low impact. Critical vulnerabilities are prioritized for immediate attention, with fixes targeted for release within 3 business days or less through normal signed software update channels. The other classes of vulnerabilities are triaged and evaluated for remediation based on other roadmap priorities and customer impact. A Deeper Look at Compliance Nasuni has a two-pronged approach to compliance and certification. First, Nasuni adheres to its own security model: Customers generate and hold their own encryption keys. Nasuni and its employees never have access to customer data because it is transmitted and stored in encrypted form. Customers use their own cloud credentials, preventing Nasuni from being able to even access the encrypted cloud store. Communication between the Nasuni Management Console (NMC) and Nasuni Edge Appliances uses cloud message queuing, which is also encrypted using customer-controlled keys. Nasuni Edge Appliances only communicate with cloud storage and Nasuni services running in secure, compliant cloud datacenters. Second, the datacenters of Nasuni s cloud partners meet the highest industry compliance certifications and audit requirements, including: ISO 27001 certification for standardized management of information security
AIPCA SOC 1 and SOC 2 CSA STAR Certification including an available CAIQ PCI DSS (Payment Card Industry Data Security Standard) Level 1 compliance, required for handling credit cardholder personal information HIPAA-compliant applications involving health-related and other personally identifiable information (PII) as well as HITRUST FDA CFR Title 21 Part 11 Nasuni cloud storage partners provide detailed documentation of compliance as required by each compliance regime. If required, Nasuni can help obtain this documentation. Conclusion The rampant growth of unstructured file data and the need to share and collaborate on files globally have outpaced the capabilities of traditional onpremises NAS and file server infrastructures. Enterprises are running out of space, failing to meet business requirements, spending too much of their IT budgets, and, in some cases, compromising on security as they attempt to keep up. Cloud object storage is the new disk that, when combined with a cloud-native global file system like Nasuni UniFS, offers infinite capacity, advanced recovery points and recovery times, built-in disaster recovery, and global file access from any location. Nasuni enterprise file services builds on Nasuni UniFS and cloud storage to offer a modern, hybrid cloud solution for enterprises that need to store, protect, access, and manage fast-growing file data. As a hybrid cloud solution, Nasuni offers a unique combination of on-premises, intransit, and in-cloud security capabilities that enable IT organizations to safely leverage cloud storage while meeting stringent governance and compliance requirements. About Nasuni Nasuni ( NAS Unified ) is the leading provider of cloud-scale enterprise file services. Powered by Nasuni UniFS, the first global file system that resides in private and public cloud object storage, the Nasuni hybrid cloud platform transforms the way enterprises store, protect, share, and manage unstructured file data. By using Nasuni and their preferred cloud provider for Network Attached Storage (NAS) replacement, multi-site file collaboration, archiving, and data analytics, Nasuni customers are meeting global growth, workforce productivity, and cloud-first objectives, while also realizing massive IT cost savings. Nasuni is a privately held company based in Boston, Mass. For more information, visit.