Introduction
Transparent Cloud Tiering (TCT) is available as an add-on feature in IBM Spectrum Scale (Advanced Edition). It provides a native cloud storage tier as an external storage pool. TCT leverages the existing Information Lifecycle Management (ILM) policy infrastructure available in Scale today, which lets Scale administrators define ILM policies that tier data to cloud storage. The cloud storage tier should be used to store cooler data from the Scale file system, that is, infrequently accessed data.
For performance reasons, it is recommended not to tier any active/hot data to the cloud storage pool, as it can cause access delays that lead to problems like application timeouts.
Use case
Tiering of file data from Scale file system to Cloud Object Storage (storage efficiency and cost reduction - free up primary storage and move it to low-cost object tier). A storage administrator can place data on IBM Cloud Object Storage, SoftLayer object storage, or Amazon S3 with the same ease with which they choose a local disk array.
Securing data in flight as well as at rest
Security is one of the main components of TCT. TCT supports encryption of data on the client side, which means the data is encrypted before it is pushed to Cloud Object Storage (on-prem or off-prem). Data is protected in motion, using TLS, as well as at rest on the object storage layer.
TCT uses symmetric-key encryption with the AES algorithm and a 256-bit key length, which is a NIST-approved encryption mechanism.
Data moved to the cloud is encrypted using the secret key stored in ISKLM together with a TCT-specific secret key, using the JVM's encryption methods.
Encryption of TCT objects is hierarchical: a master key encrypts a number of object keys, and each object key encrypts one object. Object keys are chosen independently for each object.
TCT Daemon Secure Incoming Communications
The TCT daemon process runs as root and listens on a TCP port. Incoming requests are authenticated using HMACs. The HMAC is computed with a key that is derived in a secure way from the cluster's private key.
Security of TCT Commands
Only root users are allowed to invoke TCT commands. This prevents a user from restoring another user's file under their own permissions, which would use TCT to bypass the file system's ACLs.
Data Integrity Protection
TCT enforces integrity protection of the outsourced data using the 'etag' received from the cloud provider, which is computed with a hash function specified by the cloud provider. This integrity protection therefore relies on trusting the cloud storage provider.
Securing the keys that are used to protect the data
TCT supports two types of encryption key management provider for storing the keys used for data encryption: IBM Security Key Lifecycle Manager (ISKLM) and a Java KeyStore.
IBM Security Key Lifecycle Manager is an external key management provider. IBM Security Key Lifecycle Manager helps customers meet regulations and standards such as the Payment Card Industry Data Security Standard (PCI DSS), Sarbanes-Oxley and the Health Insurance Portability and Accountability Act (HIPAA) by providing centralized control and management of encryption keys.
TCT configured with IBM Security Key Lifecycle Manager is preferred for production environments and is consistent with how Spectrum Scale uses ISKLM for file-system-level encryption.
By default, TCT supports local key management using a Java Cryptography Extension KeyStore. This is suitable for test and non-production use cases.
Security consideration during configuration of a cloud object storage
During configuration of a cloud object storage account using Transparent Cloud Tiering, the following security checks are performed.
- Account credentials, such as the access key (in the case of Amazon S3 and IBM Cloud Object Storage) or the password (in the case of SoftLayer Object Storage), are validated.
- TCT validates whether the account user has the permission needed to create a storage container at the object storage provider.
Configuring TCT with External Key Manager: ISKLM
Pre-requisites
- ISKLM server is installed. For more information on ISKLM, see Preparation for encryption.
- A cloud storage account is created. For more information, see Creating a cloud storage tier.
To configure Transparent Cloud Tiering with IBM® Security Key Lifecycle Manager (ISKLM), do the following steps:
- Perform SKLM configuration by issuing a command according to this syntax:
mmcloudgateway config set --cloud-nodeclass
where:
- PasswordFile is the file containing the password. It points to a temporary file location that holds the administrator password.
- The above command generates a new device group (for example: M_
- The above command also generates a new encryption key under the device group.
- Restart the Transparent Cloud Tiering service by issuing a command according to this syntax:
mmcloudgateway service start -N NodeClass
- The encryption key generated in step 3 is used to encrypt the data during migration and to decrypt it during a recall operation.
Rotate key with ISKLM
TCT also supports rotation of encryption keys. The key rotation process creates a new encryption key. All new data that is subsequently stored in Cloud Object Storage is encrypted with the new encryption key. Note that the old key is never deleted from the key store by the rotate key operation, so that migrated data can still be recalled from the cloud. If the old key needs to be permanently removed from the key store for any reason, the administrator needs to take extra care by manually recalling all migrated data first, so as not to lose it permanently.
To perform a rotate key operation with ISKLM, follow these steps:
- Perform the rotate key operation with ISKLM by issuing a command according to this syntax:
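The hierarchical key scheme described earlier (a master key wraps per-object keys, and each per-object key encrypts one object) and the rotation behaviour described above can be seen end to end in the following added example, which is not TCT's own code. It models the key store as an in-memory map, assumes AES-256-GCM as the AES mode (the page names AES-256 but no mode), and shows that rotation only adds a master key, while deleting an old master key leaves every object wrapped under it unrecoverable.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Keyring stands in for the key store: master keys by id. Rotate adds a fresh key; old keys stay.
type Keyring map[string][]byte
// Object as stored in the cloud tier: per-object key wrapped under one master key, body encrypted under it.
type Object struct{ MasterID string; WrappedKey, Ciphertext []byte }
func must[T any](v T, err error) T {
	if err != nil { panic(err) } // only a bad key length or a failed RNG can get here
	return v
}
func randBytes(n int) []byte { b := make([]byte, n); must(rand.Read(b)); return b }
func gcm(key []byte) cipher.AEAD { return must(cipher.NewGCM(must(aes.NewCipher(key)))) }
// seal prepends a fresh random nonce; open reverses it and fails on a wrong key or tampering.
func seal(key, pt []byte) []byte {
	g := gcm(key)
	nonce := randBytes(g.NonceSize())
	return g.Seal(nonce, nonce, pt, nil)
}
func open(key, ct []byte) ([]byte, error) {
	g := gcm(key)
	if len(ct) < g.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return g.Open(nil, ct[:g.NonceSize()], ct[g.NonceSize():], nil)
}
func (k Keyring) Rotate(id string) { k[id] = randBytes(32) }
// Migrate encrypts under a fresh per-object key, wrapped by the named master key.
func (k Keyring) Migrate(masterID string, pt []byte) *Object {
	objKey := randBytes(32)
	return &Object{masterID, seal(k[masterID], objKey), seal(objKey, pt)}
}
// Recall needs the master key named on the object; once it is deleted, the data is unrecoverable.
func (k Keyring) Recall(o *Object) ([]byte, error) {
	mk, ok := k[o.MasterID]
	if !ok {
		return nil, errors.New("master key " + o.MasterID + " missing: object unrecoverable")
	}
	objKey, err := open(mk, o.WrappedKey)
	if err != nil {
		return nil, err
	}
	return open(objKey, o.Ciphertext)
}
```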
mmcloudgateway config set --cloud-nodeclass
- The above command will automatically create a new encryption key under the configured device group in ISKLM.
- Restart the Transparent Cloud Tiering service by issuing a command according to this syntax:
mmcloudgateway service start -N NodeClass