Security

Every component in Wise Cluster is designed with security implications in mind. That includes the best practices for all of the services as well as the data itself.

As the amount of data we collect and use increased, so did the number and variety of cyberthreats. Since a lot of those threats are about the data, measures against them are especially important for a system like distributed object storage. Security just cannot be an after-thought. Any solution, from the start, should design how to protect the data in transit as well as at rest. And it should go beyond the usual encryption practices in the world where ransomware is a reality.

On the other hand, a distributed data storage system contains lots of different services for data access, administration, monitoring, and maintenance so securing only the data is not enough. You might have secured the data but it doesn’t add up to much when the services that provide access to the system are compromised. They should always be aware of external threats like DoS and necessary precautions should always be taken even in closed networks.

Access Control

lock

Wise Cluster O3 uses S3 API which already has a strong user account access control mechanism. All stored objects are private by-default, meaning only the owner can access them. And they will stay that way until the owner explicitly shares them or makes them public.

HTTPS everywhere

Protection for the data in transit is provided with widely known best practices like restricting access to HTTPS only. That way any API call along with enclosed data is encrypted at client side and only decrypted on the server. But it doesn’t end there for a distributed data storage system. Second part of the journey is when the service contacts the storage cluster and relays the data to the devices. This part is also fully encrypted and integrity checked using AES-GCM stream cipher.

Encryption

encryption

Data at rest protection is achieved through encrypting the drives using the well-known LUKS (linux unified key setup) specification. Data related partitions in the drives are configured to be encrypted during initialization and all the data going from the storage services to the physical drives are encrypted directly in the linux kernel.

If all that is not enough, each bucket or object can be individually encrypted with different keys using the built-in server side encryption services. The system is largely compatible with SSE-KMS except parts relating to AWS KMS.

All Built-in

All that is designed and placed for you to create a secure data storage environment without relying on probably very expensive additional hardware. But securing your storage with known methods is only the first step. They can only do so much when your access credentials are compromised using other methods like phishing or social engineering. For those scenarios, object locking in Wise Cluster O3 will help you design your write-once-read-many scenario, protecting you against the destructive attacks.

Last but not the least, when you need to know the exact records of activities leading to a specific operation or event, service access logs will have the necessary information to provide an audit trail. But that doesn’t mean you’ll need to read and sort through them on your own. Wise Cluster contains an easy-to-use UI for you to search and filter the necessary event or user within your time-frame.

Another security issue you're worrying about?

Contact now to get them resolved!