On-prem storage users are used to the highest degree of security for the data they store, especially on NetApp AFF and FAS systems. These highly performant storage systems rely on trusted features including NetApp Volume Encryption (NVE) and NetApp Aggregate Encryption (NAE) to make sure data stored in the data center is safe, whether at rest or in transit. But there’s one thing that they may not be so sure about: can the cloud offer that same level of security?
This question is especially relevant for NetApp AFF and SSD-backed FAS users since both of those storage systems can now tier infrequently used data to inexpensive object storage in the cloud using NetApp Cloud Tiering service.
This post will take a deep dive into the kind of security measures that Cloud Tiering uses to make sure that data that originates in secure NetApp AFF and SSD-backed FAS systems remains secure when it is stored in Azure, AWS, or Google Cloud object storage.
To keep storage safe, your system needs to feature the latest version of encryption. NetApp AFF and SSD-backed FAS systems that use Cloud Tiering accomplish that with AES-256-GCM, the most secure encryption available.
The details of AES-256-GCM would take several articles to explain in depth, but one of its relevant features is that it makes it possible to encrypt blocks of data in parallel. What does parallel encryption mean? Usually, data encryption is performed serially block-by-block, making encryption only as fast as a single CPU core. With parallel encryption, on the other hand, it is possible to encrypt several blocks simultaneously, providing more throughput.
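To make the parallelism claim concrete, here is an added Go example (not code from this post or from NetApp): it seals a buffer with the standard library's AES-256-GCM, then rebuilds the ciphertext body by encrypting every 16-byte block in its own goroutine, which works only because GCM's counter-mode core makes each block independent of the others. The key and nonce used in the test are constructed demo values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"sync"
)

// mustAES returns the AES block cipher and its GCM wrapper; a 32-byte key selects AES-256.
func mustAES(key []byte) (cipher.Block, cipher.AEAD) {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // key must be 16, 24 or 32 bytes
	}
	aead, _ := cipher.NewGCM(block) // cannot fail: AES always has 16-byte blocks
	return block, aead
}

// SealGCM returns ciphertext||16-byte tag for plaintext under AES-256-GCM with a
// 96-bit nonce. Decrypting with aead.Open checks the tag first, so any altered byte
// is rejected rather than silently producing garbage.
func SealGCM(key, nonce, plaintext []byte) []byte {
	_, aead := mustAES(key)
	return aead.Seal(nil, nonce, plaintext, nil)
}

// ParallelCTR reproduces the GCM ciphertext body with one goroutine per 16-byte
// block: block i = plaintext_i XOR AES_K(nonce || big-endian(i+2)); with a 96-bit
// nonce GCM's first data counter is 2 (counter 1 is reserved for the tag).
func ParallelCTR(key, nonce, plaintext []byte) []byte {
	block, _ := mustAES(key)
	out := make([]byte, len(plaintext))
	var wg sync.WaitGroup
	for i := 0; i*16 < len(plaintext); i++ {
		wg.Add(1)
		go func(i int) {
			defer wg.Done()
			var ctr, ks [16]byte
			copy(ctr[:], nonce)
			binary.BigEndian.PutUint32(ctr[12:], uint32(i+2))
			block.Encrypt(ks[:], ctr[:])
			for j := i * 16; j < len(plaintext) && j < (i+1)*16; j++ {
				out[j] = plaintext[j] ^ ks[j-i*16]
			}
		}(i)
	}
	wg.Wait()
	return out
}
```

The per-block output of ParallelCTR is byte-for-byte the ciphertext portion of SealGCM's result; only the trailing authentication tag, which depends on every block, is inherently sequential.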
Behind Cloud Tiering is the ONTAP technology called FabricPool, which enables cold data to be tiered between the cloud and the data center, without application or infrastructure changes. It is ONTAP and FabricPool that provide data encryption for data-at-rest and data in-flight.
Data at rest means your data is not moving. Whether it is saved to disk, written to cloud object storage, or copied to USB or DVD media, once it has been stored it is considered at rest, even while it is being accessed or edited.
FabricPool supports three methods of encryption for at-rest data on the local storage tier: NetApp Storage Encryption (NSE), NetApp Volume Encryption (NVE), and NetApp Aggregate Encryption (NAE). Each is detailed below.
NSE uses self-encrypting drive (SED) technology to encrypt the entire disk, which is called full disk encryption (FDE). The key used for encryption and decryption is stored in the firmware of the drive, where the host system cannot access it, and ONTAP must authenticate itself to the disk before it can read any data. SED encryption levels are manufacturer dependent, but NetApp only uses AES-256 capable disks. NSE doesn't use any of ONTAP's CPU or memory resources for encryption or decryption, and NVE volumes can be placed on NSE drives, providing double encryption, an industry first.
NVE is software-based encryption that leverages an "offload" feature of Intel processors called Advanced Encryption Standard New Instructions (AES-NI). These new instructions accelerate encryption and decryption operations and prevent encryption from affecting non-encrypted volumes.
Each NVE volume has a unique XTS-AES-256 encryption key, stored in the internal ONTAP key manager or in an external key manager supporting the Key Management Interoperability Protocol (KMIP). An aggregate can contain a mix of NVE and non-NVE volumes. NVE has been FIPS 140-2 compliant since ONTAP 9.2.
NAE is an expansion of NVE, and uses AES-256 bit encryption as well, with the following differences:
Data in flight, also called data in transit, is data that is moving from one storage system to another over a network. As data is migrated to the cloud it is in flight; files uploaded to or downloaded from cloud storage, web services, email in transit, or even FTP transfers are all in flight while the data is being transmitted. Even when you attach a file to a message in a web-based email service, that data is in flight as it is uploaded to the service.
FabricPool manages the movement of data to the cloud and back, and ensures that TLS 1.2 with AES-256-GCM encryption is used, whether or not tiered volumes are encrypted. It is possible to disable in-flight encryption, but NetApp does not recommend this. Because TLS 1.2 is software-based, there may be some latency due to the object store encrypting and decrypting the data traveling over the wire.
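For anyone building their own client or proxy in front of the object store and wanting the same in-flight floor the post describes (TLS 1.2 with AES-256-GCM), here is an added Go example, not code from this post or from ONTAP: a client tls.Config that refuses anything weaker, plus a check you can run on a negotiated connection's state. It assumes Go's standard crypto/tls; note that Go does not let callers restrict TLS 1.3 suites, so the check covers that version explicitly.

```go
package main

import (
	"crypto/tls"
	"fmt"
)

// aes256GCMSuites lists the TLS 1.2 suites whose record protection is AES-256-GCM.
// TLS 1.3 names its suites differently (TLS_AES_256_GCM_SHA384) and Go picks
// those automatically, so they are handled in InFlightPolicyOK rather than here.
var aes256GCMSuites = []uint16{
	tls.TLS_ECDHE_ECDSA_WITH_AES_256_GCM_SHA384,
	tls.TLS_ECDHE_RSA_WITH_AES_256_GCM_SHA384,
}

// ObjectStoreTLSConfig is a client config that refuses anything below TLS 1.2 and,
// for TLS 1.2, any suite that is not AES-256-GCM. Pass it to an http.Transport or
// tls.Dial when talking to the object store endpoint.
func ObjectStoreTLSConfig() *tls.Config {
	return &tls.Config{
		MinVersion:   tls.VersionTLS12,
		CipherSuites: aes256GCMSuites,
	}
}

// InFlightPolicyOK returns nil when a negotiated connection meets the policy:
// TLS 1.2 with an AES-256-GCM suite, or TLS 1.3 with TLS_AES_256_GCM_SHA384.
// Use it on conn.ConnectionState() after the handshake as a belt-and-braces check.
func InFlightPolicyOK(cs tls.ConnectionState) error {
	switch cs.Version {
	case tls.VersionTLS13:
		if cs.CipherSuite == tls.TLS_AES_256_GCM_SHA384 {
			return nil
		}
	case tls.VersionTLS12:
		for _, s := range aes256GCMSuites {
			if cs.CipherSuite == s {
				return nil
			}
		}
	default:
		return fmt.Errorf("TLS version %#x is below 1.2", cs.Version)
	}
	return fmt.Errorf("cipher suite %s is not AES-256-GCM", tls.CipherSuiteName(cs.CipherSuite))
}
```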
Now that your cold data has been moved into cloud object storage, FabricPool ensures data at rest in the cloud tier is stored securely. If the volumes tiered to the cloud are not encrypted, or if only NSE encryption is used, then the cloud provider’s encryption is used. For example, Amazon S3 uses AES-256 encryption to encrypt data at rest. Also, when using the cloud provider’s encryption, the encryption keys are owned by the respective object store and stored in the provider's key manager.
When NVE/NAE volumes are tiered to cloud storage, cold data blocks are migrated to the cloud tier already encrypted. The object storage can be encrypted if that level of protection is required, but generally, ONTAP’s AES-256-GCM is appropriate for most use cases.
Any ONTAP storage efficiencies enabled on NAE and NVE volumes are applied to the data before it is encrypted and tiered, and because cold blocks are tiered as-is, those efficiencies are preserved in the cloud. This reduces both the object storage capacity required and the amount of data moved into and out of the cloud tier, lowering storage costs and cloud tier egress charges.
Data that is tiered from AFF and SSD-backed FAS systems to the cloud can be protected by ONTAP’s encryption, the cloud provider’s encryption, or both. The three leading cloud providers each support encrypted object storage, but their configurations vary. Below, we briefly describe each vendor's object storage encryption and summarise the differences in a table.
Azure storage encrypts data at rest for all storage types by default with AES 256-bit encryption, and this encryption cannot be disabled. Keys are managed and stored by Azure, but there are options for user-managed keys and even user-supplied keys.
Like Azure, GCP Object Storage encrypts data at rest by default with AES 256-bit encryption, but there is an option for encryption to be disabled if it is not required. By default, encryption keys are stored and managed by GCP, and users can administer or even supply keys for encryption of objects.
By default, Amazon S3 does not encrypt objects. Object encryption can be enabled using AES 256-bit encryption with the keys managed by AWS, though options are available for users to maintain the encryption keys or supply their own.
| | Azure Blob | AWS S3 | GCP Object |
|---|---|---|---|
| Encrypt by default | Yes | No | Yes |
| Can disable encryption | No | Yes | Yes |
| Encryption level | AES 256 | AES 256 | AES 256 |
Making the decision to move your data from where you have full control and feel that it’s the safest—inside your data center—to a completely different repository owned and maintained by another company can be a big leap of faith. Using best-practice security measures and AES-256-GCM, the most secure encryption available, plus the built-in encryption options on Azure Blob, AWS S3, and Google Cloud Storage can help allay those fears by providing a high level of protection for your data.
NetApp works hard to keep your data safe, from end to end, whether it’s in your data center, in the cloud object storage of your cloud-tiered volumes, or while it’s migrating to and from the cloud. Cloud Tiering offers a secure way to lower your overall data storage operating costs, avoid running out of on-prem storage space, and plan capacity for future data growth, all while ensuring your data remains safe.
Read more about the use cases for tiering data to the cloud from your data center here and try Cloud Tiering out now.