Going All The Way (with WekaFS™ Encryption)
Andy Watson. October 27, 2019
Andy Watson, Chief Technology Officer at WekaIO, shares his thoughts on encryption as a WekaIO differentiator in this blog titled “Going All The Way (with WekaFS™ Encryption)”.
Data privacy has always been important. For as long as we’ve had computer systems with a “login”, we’ve used passwords to keep intruders out of our … stuff. Even with strong passwords, that obviously ain’t good enough anymore, and it hasn’t been for decades. Malware continually finds new ways to subvert system-level security mechanisms to access data. And that’s why an additional layer of protection is not merely a good idea — it should be the law. Buckle up, it’s the 21st century and bad actors move fast, so your data security needs to move faster.
Encrypt your data.
Well, that’s easily said but not always a straightforward proposition, depending on how you store it. If you already have a big investment in some legacy storage infrastructure it might not offer encryption as a built-in feature. And adding it “aftermarket” adds cumbersome complexity and can devastate your storage performance.
Many on-premises storage platforms only provide encryption via a limited subset of disk drive or SSD devices that are encryption-enabled. Such hardware encryption adds cost and limits the range of possible deployment options, typically to only the most critical data. Hardware-encrypted disks or flash devices are also inherently flawed, only protecting the data at-rest. But for any environment where data crosses the network, encrypting the data in-flight is obviously critical — in fact, arguably more important than making it secure on the fileservers safely locked away inside datacenters. All those half-measure platforms in the storage market which rely solely on hardware-encrypted drives are a bit like locking the back door of your house while leaving the front door wide open.
The public cloud vendors have been far more proactive at protecting data, ironically in part driven by the demands of on-premises customers to protect their data in the public cloud. Yes, there is some performance overhead that varies based on which cloud and how you have it configured. But the sheer scale of the cloud amortizes the overhead to such an extent that for most applications, the performance is still acceptable. In fact, for many years encryption has been a de facto standard associated with cloud-based object storage. And in recent years, “best practices” recommend that users should leverage a KMS (Key Management Service — e.g., Vault) to encrypt with unique keys for each object. That way, even in a worst-case scenario wherein a breach occurs, the theft of your data will be slowed down dramatically, and ideally thwarted almost entirely beyond perhaps the loss of a single item of data.
At WekaIO, we have modeled our file data encryption strategy in line with the demands of cloud customers. Our data storage platform is available both on-premises and on AWS, providing software-based encryption (i.e., no dependency on hardware-encrypted drives). Here are a few more details about our design:
- our encryption is very strong, based on industry-standard XTS-AES with a 512-bit key (which effectively achieves 256-bit security)
- integration with KMS is supported, for any KMIPS-compliant KMS
- all policies are determined on a per-filesystem basis, including a policy of “no encryption”
- WekaFS supports up to 1,024 filesystems per cluster, with each filesystem independently interacting with the KMS
- Full end-to-end encryption from the compute clients, across the LAN or WAN, all the way to data tiered on the object storage data lake.
How do we accomplish this? You see, our WekaFS filesystem includes a POSIX-compliant client installed on application servers (running in user space with a minimal footprint) such that the scope of our software encryption reaches all the way from the application to the storage. Unlike alternatives offered by other vendors that only encrypt data “at-rest” on their file server, WekaIO encrypts data both “in-flight” and “at-rest”. That’s worth repeating because, so far as I know, we are the only data storage platform to go all the way from the application server, across the wire, to the safely-stored (checksummed, erasure-code-protected) NVMe flash media and down to tiered data in the object storage based data lake.
All of our end-to-end encryption is done consistently and with KMS integration for simplicity of implementation that leads to success. If (as you read this) you’re thinking that there are other ways to cobble together encryption in-flight+at-rest solutions using NFS or SMB, you aren’t totally wrong, but you’re overlooking staggering implementation and administration complexity that characteristically leads to frustrating outcomes. In the end, you’d still have tradeoffs like extra steps of decrypting followed by re-encrypting (because you’d have two separate encryption mechanisms — one for in-flight and another for at-rest), no KMS integration, and greater performance overhead, often with weaker effective protection (i.e., shorter key lengths). This is why so very few sites have gone down the lonely path of Secure NFS, and why so many sys admins have war stories about Kerberos.
The bottom line is: if you really want to protect your data, use our software to encrypt it consistently both in-flight and at-rest, from the client to the storage cluster (and back again, as needed).
The investment in going all the way (with WekaIO encryption) will give you privacy and data protection that is unique and unprecedented among storage vendors.
Click here to read the press release announcing our security enhancements.