Cloudian HyperStore Data Security Features
Data Immutability / Ransomware Protection
Protect your data from deletion or encryption with S3 Object Lock / WORM (write once, read many) functionality. Once Object Lock is enabled, your data is made immutable and cannot be altered or deleted until the policy-defined retention period is met. Ransomware cannot encrypt the data. This is a hardened solution, verified in government testing, and is certified compliant with the non-rewritable, non-erasable storage requirements of SEC Rule 17a-4(f).
Cloudian offers the most complete array of security certifications found in object storage.
Common Criteria Certification with EAL2 designation: Validates that HyperStore meets the stringent testing and technical requirements for security mandated by the U.S. National Security Agency (NSA) along with 25 other governments worldwide. HyperStore is one of only two object storage platforms to achieve this.
FIPS 140-2 Data Encryption Validation: NIST awarded Cloudian’s FIPS 140-2 Level 1 validation, signifying that HyperStore data encryption methods have been independently reviewed and tested.
HyperStore is also certified to meet the requirements of SEC Rule 17a-4(f), CFTC 17 C.F.R. § 1.31, FINRA 4511c, IDW PS 880 (German) and OR §§ 957ff (Swiss) regulations, and meets the data sanitization standards specified by NIST 800-88.
Securely share a single storage environment among multiple users with multi-tenancy. HyperStore’s advanced identity and access-management features allow system administrators to provision and manage groups and users, define service classes, and configure billing and charge-back policies. Multiple credentials per user are also supported. Ensure that service levels are met with group and user-level quality of service (QoS) controls.
Data Encryption: Data-at-Rest
To protect stored data, HyperStore employs AES-256 encryption, the specification established by the U.S. National Institute of Standards and Technology. HyperStore can perform granular encryption at the bucket or object level using either a system-generated encryption key (regular SSE) or a customer-provided and customer-managed encryption key (SSE-C). Object upload and download requests are submitted securely over HTTPS, and with SSE-C the system does not store a copy of the encryption key. You may also employ a third-party Key Management System (KMS) to generate and manage keys.
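To make the SSE-C point concrete, here is an added example (not Cloudian code) that builds and validates the standard S3 SSE-C request headers that an S3 client would send to an S3-compatible store such as HyperStore; it assumes the AWS S3 header names and the convention that the key travels base64-encoded alongside a base64 MD5 of the raw key. The server-side check shows why no key copy needs to be persisted: the same key must be presented on every GET.

```python
import base64
import hashlib
import hmac
import os

# Header names follow the AWS S3 SSE-C convention (assumption: the target
# S3-compatible store honours the same headers).
ALGO_HDR = "x-amz-server-side-encryption-customer-algorithm"
KEY_HDR = "x-amz-server-side-encryption-customer-key"
KEY_MD5_HDR = "x-amz-server-side-encryption-customer-key-MD5"


def ssec_headers(key: bytes) -> dict:
    """Client side: build SSE-C headers for a customer-managed AES-256 key.

    The raw key is base64-encoded and accompanied by a base64 MD5 digest so
    the server can reject a key that was corrupted in transit before it is
    ever used to encrypt or decrypt an object.
    """
    if len(key) != 32:
        raise ValueError("SSE-C requires a 256-bit (32-byte) key")
    return {
        ALGO_HDR: "AES256",
        KEY_HDR: base64.b64encode(key).decode("ascii"),
        KEY_MD5_HDR: base64.b64encode(hashlib.md5(key).digest()).decode("ascii"),
    }


def verify_ssec_headers(headers: dict) -> bytes:
    """Server side: validate the SSE-C headers and recover the raw key.

    The store only holds the key for the duration of the request; a GET
    must present the identical key again or the object cannot be decrypted.
    """
    if headers.get(ALGO_HDR) != "AES256":
        raise ValueError("unsupported or missing SSE-C algorithm")
    key = base64.b64decode(headers.get(KEY_HDR, ""), validate=True)
    if len(key) != 32:
        raise ValueError("SSE-C key is not 256 bits")
    expected_md5 = base64.b64encode(hashlib.md5(key).digest()).decode("ascii")
    if not hmac.compare_digest(expected_md5, headers.get(KEY_MD5_HDR, "")):
        raise ValueError("SSE-C key MD5 mismatch; key corrupted or substituted")
    return key


def round_trip_rejects_wrong_key() -> bool:
    """Constructed scenario: correct key verifies, a different key on GET fails."""
    key = os.urandom(32)
    put_headers = ssec_headers(key)
    if verify_ssec_headers(put_headers) != key:
        return False
    wrong = ssec_headers(os.urandom(32))
    try:  # GET presenting a different key but the original key's MD5
        verify_ssec_headers({**wrong, KEY_MD5_HDR: put_headers[KEY_MD5_HDR]})
    except ValueError:
        return True
    return False
```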
Data Encryption: Data-in-Flight
The HyperStore system supports the TLS 1.2 and 1.3 protocols, standards established by the Internet Engineering Task Force, which provide encrypted communications between HyperStore and S3 clients. HyperStore serves HTTPS connections with either a third-party CA-issued certificate or a self-signed certificate.
Active Directory / LDAP Authentication
HyperStore supports integration with one or more external Active Directory (AD) or Lightweight Directory Access Protocol (LDAP) systems to remotely authenticate users and grant access to the Cloudian Management Console. Support is enabled on a per-group basis: different groups can authenticate against different AD or LDAP servers, or all LDAP-enabled groups can share the same LDAP server.
Identity Access Management (IAM)
HyperStore provides selective support for the Amazon Identity and Access Management (IAM) API. This support enables each HyperStore user to create IAM groups and IAM users within their own account. The user can then grant IAM users permissions for specific actions (e.g. reading or writing objects in one or more buckets). All S3 object data created by IAM users belongs to the parent HyperStore (root) user account, so the parent user can delete IAM users without deleting any S3 object data.
Data Spill Protection
Cloudian HyperStore Secure Delete handles data spills with a procedure that exceeds the requirements of NIST Special Publication 800-88-r1. Secure Delete can be set to “always on” or “always off.” When a delete occurs, Secure Delete overwrites all blocks on all nodes that contain the object, using a method that exceeds the NIST 800-88 mandate of zeros written three times, and then the file is deleted from disk. The Secure Delete process can be audited and verified by examining delete transactions in cloudian-hyperstore-request-info.log.
Try Cloudian free in your data center for 45 days, and see how easy it is to build your own private cloud.
Download the full-featured free trial of Cloudian® software and install it on any commodity hardware to build and test a public, private, or hybrid cloud solution.
Free Trial includes:
- HyperStore – Enterprise Object Storage
- HyperIQ – Observability and Analytics
Put the power of S3-compatible storage technology to work in your data center, and experience the simplicity of next-generation observability and analytics.