PowerScale provides multiple security features to protect data while it's stored in a cluster and when it's in transit from one cluster to another. If a drive is removed from a cluster, self-encrypting drives in PowerScale protect the data. SyncIQ encryption protects data in transit against security vulnerabilities.
For more information on PowerScale Administration WebUI, see Dell Technologies Cloud PowerScale for Google Cloud: Overview and Solution Design Considerations.
Encryption of data at rest using self-encrypting drives
PowerScale clusters provide encryption of data at rest through self-encrypting drives (SEDs) and a key-management system. The data on SEDs is encrypted and can't be accessed if drives are stolen or removed from the cluster. The algorithm and key strength meet the National Institute of Standards and Technology (NIST) standard and are FIPS compliant.
SEDs are a type of hard drive that provides full disk encryption through onboard drive hardware. Additional hardware external to the drive isn't required to encrypt drive data. As data is written to the drive, it's automatically encrypted. As data is read from the drive, it's automatically decrypted. A chipset within the drive controls encryption and decryption. An onboard chipset allows for a transparent encryption process that doesn't affect system performance, provides enhanced security, and eliminates dependencies on system software. At initial setup, the SED creates a unique and random key for encrypting data during writes and decrypting data during reads. This data encryption key (DEK) ensures that data on the drive is always encrypted. Each time data is written or read, the DEK is required to encrypt and decrypt the data. If the DEK isn't available, data on the SED isn't accessible, making all data on the drive useless.
PowerScale also improves standard SED encryption. The DEK for each SED is wrapped in an authentication key (AK). The AKs for each drive are placed in a key manager and stored securely in an encrypted key manager database (KMDB). The KMDB is encrypted with a 256-bit primary key (MK). The KMDB is stored in the node's NVRAM, and a copy is placed in the buddy node's NVRAM. PowerScale release 9.2 also supports an external key manager by storing the 256-bit MK in a Key Management Interoperability Protocol-compliant key manager server.
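The key hierarchy described above (the MK encrypts the KMDB, the KMDB holds the AKs, each AK wraps one drive's DEK), modelled as an added example that is not Dell or OneFS code. The page does not name the wrapping algorithm, so the HMAC-SHA256 encrypt-then-MAC wrap here is a standard-library stand-in; the function names, the drive ID, and the assumption that the wrapped DEK stays on the drive are illustrative.

```python
import hashlib, hmac, json, secrets

def _prf(key, label, data):
    return hmac.new(key, label + data, hashlib.sha256).digest()

def _xor_stream(key, nonce, data):
    # Keystream from HMAC-SHA256 in counter mode (stand-in cipher, an assumption).
    ks = b"".join(_prf(key, b"enc", nonce + i.to_bytes(4, "big"))
                  for i in range(len(data) // 32 + 1))
    return bytes(a ^ b for a, b in zip(data, ks))

def wrap(kek, secret):
    """Encrypt-then-MAC `secret` under the key-encryption key `kek`."""
    nonce = secrets.token_bytes(16)
    body = _xor_stream(kek, nonce, secret)
    return nonce + body + _prf(kek, b"mac", nonce + body)

def unwrap(kek, blob):
    """Verify the tag first; a wrong key or altered blob raises ValueError."""
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, _prf(kek, b"mac", nonce + body)):
        raise ValueError("wrong key or tampered blob")
    return _xor_stream(kek, nonce, body)

def provision_drive(kmdb, drive_id):
    """Create a DEK and an AK; the AK goes to the KMDB, the wrapped DEK to the drive."""
    dek, ak = secrets.token_bytes(32), secrets.token_bytes(32)
    kmdb[drive_id] = ak
    return dek, wrap(ak, dek)  # plaintext DEK returned only so the demo can compare

def seal_kmdb(mk, kmdb):
    """Encrypt the whole AK table under the 256-bit MK."""
    return wrap(mk, json.dumps({d: ak.hex() for d, ak in kmdb.items()}).encode())

def unlock_drive(mk, kmdb_blob, drive_id, wrapped_dek):
    """The MK opens the KMDB; the AK found there unwraps the drive's DEK."""
    kmdb = json.loads(unwrap(mk, kmdb_blob))
    return unwrap(bytes.fromhex(kmdb[drive_id]), wrapped_dek)

if __name__ == "__main__":
    kmdb = {}
    dek, wrapped = provision_drive(kmdb, "drive-0")  # constructed drive ID
    mk = secrets.token_bytes(32)
    blob = seal_kmdb(mk, kmdb)
    print("unlocked in cluster:", unlock_drive(mk, blob, "drive-0", wrapped) == dek)
    try:
        unlock_drive(secrets.token_bytes(32), blob, "drive-0", wrapped)
    except ValueError as err:
        print("without the MK:", err)
```

A drive taken out of the cluster carries only the wrapped DEK, and a copied KMDB is only ciphertext without the MK, which is why the MK's storage location (node NVRAM or an external key manager) is the control that matters most.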
For more information about PowerScale self-encrypting drives and key management, see Dell EMC PowerScale OneFS Data-at-Rest Encryption.
The security certificates that are applicable for PowerScale for Google Cloud are as follows:
- System and Organization Controls 2 (SOC 2) Type 2
- Health Insurance Portability and Accountability Act (HIPAA)
SOC 2 Type 2
Dell provides the essential infrastructure for organizations to build their digital future and protect their most important information by using the following security standards:
- Physical security
- Logical access
- Computer operations – Backups
- Computer operations – Availability
- Change control
- Data communications
Dell Technologies Managed Services has developed a health information security management program that incorporates the following safeguards to secure personal health information:
- Administrative safeguards
- Physical safeguards
- Technical safeguards
- Organizational safeguards
- Breach notifications
Certificates and key-based authentication
For information about certificates and key-based authentication, see the PowerScale OneFS Security Configuration Guide.
For information about client and server authentication using TLS certificates, see the "Certificates" section in the General cluster administration chapter of the PowerScale OneFS Security Configuration Guide.
For information about the supported key-based authentication methods, see the Authentication chapter of the PowerScale OneFS Security Configuration Guide.
Data access policies
To prevent unauthorized client access for those protocols that you do support, limit access to only the clients who require it.
Data-access protocols best practices:
- Use a trusted network to protect files and authentication credentials that are sent in cleartext.
- Use compensating controls to protect authentication credentials that are sent in cleartext.
- Use compensating controls to protect files that are sent in cleartext.
- Use initial sequence numbers through TCP connections.
For information about data access protocols, see the "Data-access protocols best practices" section of the PowerScale OneFS Security Configuration Guide.