White Paper SimpliVity OmniStack With Vormetric .


White Paper
SimpliVity OmniStack with Vormetric Transparent Encryption
www.SimpliVity.com

Table of Contents

Executive Summary
Audience
Solution Overview
SimpliVity Introduction
Why SimpliVity for Virtualized Environments?
Vormetric Technology
Vormetric Transparent Encryption
Solution Overview
Customer Benefits
Solution Architecture
Topology
Testing Infrastructure
Technical Details
Testing Methodology
Vdbench Performance Test
SimpliVity Operations and Feature Test
Vormetric Operation Test
Test Results
Vdbench
SimpliVity Operation Results
Vormetric Operation Test Setup & Execution
Best Practices
Conclusion

Executive Summary

This solution guide introduces SimpliVity OmniStack technology and Vormetric Transparent Encryption, as a combined solution that reduces security risks and helps to ensure compliance with regulatory requirements, while still delivering superior application performance. It discusses the interoperability of both technologies through testing conducted by SimpliVity, in collaboration with Vormetric, and provides best practices and recommendations for implementing the solution.

Audience

This document is intended for IT administrators who want to implement a VM encryption solution running on SimpliVity OmniStack systems within their IT datacenter.

Solution Overview

SimpliVity Introduction

SimpliVity's hyperconverged infrastructure solution transforms the data center by virtualizing data and incorporating all IT infrastructure and services below the hypervisor into standard x86 building blocks. With 3X total cost of ownership (TCO) reduction, SimpliVity OmniStack software-defined hyperconverged infrastructure delivers the best of both worlds: the enterprise-class performance, protection and resiliency that today's organizations require, with the cloud economics businesses demand.

Designed to work with any hypervisor or industry-standard x86 server platform, the SimpliVity solution provides a single, shared resource pool across the entire IT stack, eliminating point products and inefficient siloed IT architectures. The solution is distinguished from other converged infrastructure solutions by three unique attributes: accelerated data efficiency, built-in data protection functionality and global unified management capabilities.

- Accelerated Data Efficiency: OmniStack performs inline data deduplication, compression and optimization on all data at inception across all phases of the data lifecycle, all handled with fine data granularity of just 4KB-8KB. On average, SimpliVity customers achieve 40:1 data efficiency while simultaneously increasing application performance.
- Built-In Data Protection: OmniStack includes native data protection functionality, enabling business continuity and disaster recovery for critical applications and data, while eliminating the need for special-purpose backup and recovery hardware or software. OmniStack's inherent data efficiencies minimize I/O and WAN traffic, reducing backup and restore times from hours to minutes.
- Global Unified Management: OmniStack's VM-centric approach to management eliminates manually intensive, error-prone administrative tasks. System administrators are no longer required to manage LUNs and volumes; instead, they can manage all resources and workloads centrally, using familiar interfaces such as VMware vCenter and VMware vRealize Automation.

SimpliVity packages OmniStack on popular x86 platforms, either on 2U servers marketed as OmniCube, or with partner systems such as Cisco and Lenovo, marketed as OmniStack Integrated with Cisco UCS and OmniStack Solution with Lenovo System x, respectively.

An individual OmniStack node includes:

- A compact hardware platform - a 2U industry-standard virtualized x86 platform containing compute, memory, performance-optimized SSDs and capacity-optimized HDDs protected in hardware RAID configurations, and 10GbE network interfaces
- A hypervisor such as VMware vSphere/ESXi
- OmniStack virtual controller software running on the hypervisor
- An OmniStack Accelerator Card – a special-purpose PCIe card with an FPGA, flash, and DRAM, protected with supercapacitors; the accelerator card offloads CPU-intensive functions such as data compression, deduplication and optimization from the x86 processors.

Figure 1 – Legacy Comparison

Why SimpliVity for Virtualized Environments?

OmniStack was specifically designed to meet the stringent price-performance, scalability, agility and resiliency demands of today's data-intensive, highly virtualized IT environments. Key benefits and advantages include:

- Simplicity and superior economics: OmniStack eliminates infrastructure cost and complexity by consolidating a variety of IT functions (compute, storage, network switching, replication, backup, etc.) onto commodity virtualized x86 hardware, with global unified management. The solution contains CAPEX by eliminating IT silos, converging technology stacks, and optimizing storage capacity; and it reduces OPEX by containing power, cooling, rack space and system administration expenses.
- Linear scalability: The SimpliVity solution features a scale-out architecture that minimizes upfront investments and provides a high degree of flexibility and extensibility. OmniStack nodes are installed in an incremental fashion to accommodate growth, enable new applications or extend system availability. Two or more OmniStack nodes can be federated to create a massively scalable pool of shared resources that is administered as a cohesive system, with a single administrative interface.
- VM-centric design: OmniStack was designed from the ground up with virtualization in mind. The solution abstracts data from the underlying hardware; virtual machine files are mapped directly to blocks on storage. All data storage, management, and protection functions are inherently optimized for virtualization. And all administrative tasks including managing data protection policies, analyzing performance and troubleshooting problems are all performed at the VM level. From an administrative perspective, a datastore is simply a logical construct, decoupled from the underlying physical infrastructure. Concepts like LUNs, volumes, shares, and disk groups simply don't apply with SimpliVity.
- Accelerated IT service agility: OmniStack's inherent data efficiencies and VM-centric management capabilities dramatically simplify operations and boost IT service agility. With OmniStack, system administrators can spin up IT services and clone VMs in just seconds with two or three mouse clicks.
- High resiliency: The SimpliVity solution is designed to be highly resilient, with no single point of failure. The solution supports both RAID (redundant array of independent disks) for disk-level resiliency and RAIN (redundant array of independent nodes) for node-level resiliency. In a high availability RAIN implementation, the complete set of data associated with a VM is simultaneously written to two distinct nodes, protecting data in the event of disk or node failures.

Figure 2 – An OmniStack Federation

Vormetric Technology

The Vormetric Data Security Platform makes it efficient to manage data-at-rest security across an entire organization. Built on an extensible architecture, Vormetric Data Security Platform products can be deployed individually, while sharing efficient, centralized key management. With the platform's comprehensive, unified capabilities, an organization can efficiently scale to address expanding security and compliance requirements, while significantly reducing total cost of ownership.

The Vormetric Data Security Platform delivers capabilities for transparent file-level encryption, application-layer encryption, tokenization, dynamic data masking, cloud encryption gateway, integrated key management, privileged user access control and security intelligence.

With the solution, organizations can address security policies and compliance mandates across databases, files and big data nodes, whether assets are located in cloud, virtualized or traditional environments.

Vormetric Transparent Encryption

The Transparent Encryption solution involves the Vormetric Data Security Manager and transparent encryption agents. The Data Security Manager represents the central component of the Vormetric Data Security Platform, enabling the management of multiple Vormetric products. The software appliance offers centralized capabilities for storing and managing host encryption keys, data access policies, administrative domains and administrator profiles.

Vormetric Transparent Encryption features an agent that runs in the file system to provide high-performance encryption and least-privileged access controls for files, directories and volumes. This enables encryption of both structured databases and unstructured files. Unlike other encryption solutions, protection does not end after the encryption key is applied. Vormetric continues to enforce least-privileged user policies to protect against unauthorized access by users and processes, and it continues to log access. With these capabilities, you can ensure continuous protection and control of your data.

The product enforces granular, least-privileged user access policies that protect data from misuse by privileged users and advanced persistent threat (APT) attacks. Granular policies can be applied by user (including for administrators with root privileges), process, file type, time of day, and other parameters. Enforcement options are very granular; they can be used to control not only permission to access clear-text data, but which file-system commands are available to a user.

The platform logs all permitted, denied and restricted access attempts from users, applications and processes. These logs are all captured in the Data Security Manager, enabling administrators to get detailed insights and to efficiently track security status. This also enables easy integration with security information and event management (SIEM) systems.

The following diagram shows Vormetric Transparent Encryption architecture in a normal production environment.

Solution Overview

Customer Benefits

SimpliVity is simplifying IT by providing a virtual computing infrastructure solution that seamlessly combines all data center infrastructure and services below the hypervisor. It is delivered on x86 building blocks to create one shared resource pool for compute, primary storage and backup storage that expands by adding nodes within or across data centers.

The combined SimpliVity/Vormetric solution provides enterprise performance, supporting business critical applications while ensuring security across the data life cycle. Benefits of the combined solution include:

- Scales and grows with your requirements: SimpliVity OmniStack enables you to scale your environment easily by adding nodes to the SimpliVity Federation. With Vormetric transparent encryption, organizations can easily expand protection of files and data as new business requirements arise across physical, virtual, cloud or big data environments.
- Transparent deployment: No downtime or changes are required to existing infrastructure or applications when deploying Vormetric transparent encryption on SimpliVity OmniStack systems.
- Supports compliance and contractual mandates: Vormetric software satisfies mandates around data encryption, file encryption, least privileged access, monitoring, and encryption key management.
- The broadest heterogeneous operating system and application support: Vormetric Transparent Encryption agents support Windows, Linux and Unix platforms running as VMs on SimpliVity OmniStack systems as well as most databases and all unstructured file types.
- Privileged user access controls: In addition to encryption and key management, the agent can enforce very granular, privileged user access policies, enabling protection of data from misuse by privileged users and APT attacks. Granular policies can be applied by user (including for administrators with root privileges), process, file type, time of day, and other parameters. Enforcement options are also very detailed; they can be used to control not only whether users can access clear-text data, but which file system commands are available.

Solution Architecture

Topology

The following diagram shows the topology of the environment that was tested for this solution guide.

[Topology diagram; recoverable labels: Production, Infrastructure, Test & Dev, VM-22 Clone, VM-43 Restored, 1GbE, 10GbE]

Testing Infrastructure

Hardware Model                 OmniStack CN-2200
OmniStack Version              OmniStack 3.0.8
Hypervisor                     vSphere 6.0
Vdbench                        5.04.03
Guest Operating System         Windows Server 2012 R2
HyTrust DataControl Version    5.2.3.1530

Technical Details

The test environment included three distinct "pods," as shown in the diagram above.

Infrastructure: All resources needed to support operations within the test bed, including Data Control components, were hosted here. These components are:

- DC/Active Directory/DNS: Windows components used to manage servers running Windows operating systems, assign IPs, etc.
- DSM: Data Security Manager software appliance that performs encryption and management
- SQL Server: Database for the vCenter Server
- vCenter Server: Management interface for virtual machines

Production: This pod hosted all the virtual machines that were tested in this solution. The test consisted of running a sustained load on the virtual machines and validation of SimpliVity operations as well as Vormetric features.

Test & Dev: This pod was used to validate that VMs remained encrypted when HA functionality of SimpliVity OmniStack systems is used.

Testing Methodology

Vdbench Performance Test

Vdbench is a command-line utility that is used to measure application and storage performance. A sustained load was run on 50 virtual machines and the baseline performance was measured. Afterward, 20% of the VMs were encrypted, the same sustained load was run, and performance was measured.

The following profiles were used for Vdbench testing:

- VM Profile
  - 2 vCPU
  - 2GB RAM
  - 100GB Storage (50GB data drive)
- Load Profile
  - 70:30 Read/Write
  - 8K Random IO
  - 40 IOPS per VM

Significance

This test was run to measure the impact of encryption on the performance of the virtual machines under a sustained load that closely resembled a production environment.

SimpliVity Operations and Feature Test

The following SimpliVity operations were tested and observed:

- VM Clone
- VM Backups
- VM Restore
- VM Move
- Deduplication
- Compression

Significance

These tests are intended to validate that SimpliVity OmniStack VM-centric data protection operations work normally when encrypted using Vormetric.

Vormetric Operation Test

Vormetric transparent encryption was installed and configured to test both the encryption of data and the capabilities of access control. Data was first encrypted, and then guard points and policies were configured to enable the access control of who could encrypt/decrypt data in the guard point.

Significance

The capabilities of Vormetric transparent encryption were put to the test to verify that encryption takes place and that the access control policies worked as intended. Organizations worldwide have several compliance requirements as well as the need to protect their data. Vormetric offers the ability to meet both objectives, and in a way that does not affect performance negatively.

Test Results

Vdbench

The following graph shows the IOPS and latency for the Vdbench testing. Latency is shown for the baseline test and the encrypted test.

In the graph, looking at the baseline latency of 50 VMs and latency when 20% (10 VMs) are encrypted, applying a constant load of 2000 IOPS on average across both tests, we can infer that encryption adds some overhead to
