Assureon File System Watcher FAQ

					NEXSAN TECHNOLOGIES                                         CONFIDENTIAL

                   Assureon Technical FAQ version 6.0

Q: What does Assureon do?
A: Assureon is an easily managed, scalable storage appliance which
provides numerous services associated with data redundancy, security,
authenticity, immutability, and disposition.

Q: What do you mean by “appliance”?
A: We mean that the product is sold as an integrated unit, with all the
processors, storage, switches, and software installed and configured into a
system. The customer merely attaches the appliance to his network and
hooks up AC power, and is ready to go. Internally, the appliance may be as
simple as a single 1U server node attached to a 1U RAID box, or as
complex as many dozens of servers attached to redundant SAN switches
and numerous RAID boxes, with maintenance gear such as a KVM and rack
mounted monitor/keyboard.

Q: What are the management features?
A: Assureon has a web-based GUI which allows the administrator to
remotely configure the agents that Assureon uses to gather files from
remote systems. On each system, there may be multiple watched
directories, which can have individual retention policies and metadata.
Also from the GUI, files may be searched, transaction logs examined,
disposition behavior configured, and files or groups of files may be copied
to remote systems. No user configuration of storage space or cluster
behavior is required as that is all automatic. Comprehensive and
extensible reporting tools are provided.

Q: What are the data security features?
A: Some of the key data security features include:
   • Authentication - Assureon integrates to your existing Active
     Directory if you have it, to assure that only authorized users store
     and retrieve data. If you do not have AD, it can be configured to
     recognize various other authentication techniques such as digital
     certificates or passwords.
   • Encryption - AES 256 bit encryption is available for data records.
   • IPSec-3DES is available for network security.
   • Each file has an individual AES 256 key, which is managed
     automatically by a multiply-redundant, remote, Key Server as well as
     a local Key Manager which caches unused keys and manages a local
     repository of keys which are being used to protect files.
   • Cleartext keys are never transmitted nor stored on internal or
     external media.
   • Smartcard tokens can be used to secure administrator access to the


   •   Administrator-level access is not required for routine configuration
       and maintenance tasks, and in certain regulatory regimes the end
       customer will not have possession of the administrator tokens.
   •   All accesses to the assets are logged, providing an audit trail.
   •   Optionally, Assureon may be configured to perform a 7-pass
       overwrite of deleted data files (including temporary queuing and
       buffer files), based on the requirements of DoD 5220.22-M.
   •   The built-in RAID sub-systems have special firmware which prevent
       the deletion of volumes or RAID sets, and can be locked such that
       they will only respond to authenticated I/O from the Assureon cluster.
   •   FIPS PUB 140-2 certified cryptography is used internally.
   •   The underlying operating system, Windows 2003 Server, is certified
       to Common Criteria security level EAL4, and all unnecessary
       services have been removed or disabled.
   •   Only the necessary networking protocols are enabled; the remainder
       are firewalled.
   •   Clusters with four or more nodes are separated into front-end and
       back-end nodes. Front-end nodes handle all I/O into the customer’s
       network, while back-end nodes will only communicate with
       authenticated processes on front-end nodes. There is a separate,
       private network which connects the front-end and back-end nodes.
       Front-end nodes are not connected directly to the RAID storage.
   •   Numerous confidential internal checks are performed to detect
       attempts to tamper with the software or data.
   •   Encryption is supported for customers who copy their assets to
       removable media such as optical or tape.

Q: What are the fault-tolerance and high-availability features?
A: The amount of fault-tolerance and HA depends upon the configuration.
Entry level units have only a single processor and RAID shelf, while bigger
installations have a variety of fault-tolerance features:
   • All configurations have at a minimum, RAID 5 protection of the data.
       RAID 6 is the default level, which prevents data loss even if two
       drives in a RAID set fail.
   • All configurations have at a minimum, two complete replicated
       copies of each asset. (In some applications this is overkill and can
       be disabled during installation.)
   • All configurations have redundant power supplies and cooling.
   • All configurations have a very secure cryptographic hash on each
       asset which is checked on every read or write operation, as well as
       during periodic audits. Any discrepancy is logged, and
       defective/tampered files are automatically replaced with the
       redundant copy.
   • Configurations of 4 nodes or larger can withstand the failure of at
       least one node.


   •   Configurations of 4 nodes or larger have at least two separate
       external RAID shelves, with the duplicate copies of assets split
       between the boxes.
   •   At least six redundant copies of the administrator smartcard token
       are produced, and stored in separate secure locations.
   •   At least six redundant, geographically remote, copies of the key
       database are stored (they are encrypted by the monthly master key,
       which is also stored in multiple geographic locations).
   •   The remote Key Servers are themselves redundant, and located at
       two widely-separated secure collocation facilities. [ed note: only one
       site is running now, but a second is planned] Larger customers may
       elect to host their own Key Servers at remote sites.
   •   Assureon will continue to accept new data for a number of days
       without access to the remote Key Server, and can retrieve stored
       assets even if access to the Key Server is lost permanently (because
       the repository of “in-use” keys is stored in an encrypted format on
       the local storage).
   •   A standard feature of Assureon is support for automatic replication
       of assets to duplicate Assureon systems at one or more remote
   •   An optional feature for Assureon is support for external tape or
       optical devices, and/or support for common enterprise backup
       packages. Since Assureon is based on the Windows 2003 Server
       platform, there is a built-in level of support for many tape
       technologies and it has an adequate backup package which can be
       used to copy the repository to tape for DR purposes. Optical
       support, such as using optical disks instead of RAID disks for
       storing digital assets, can be supported at an extra cost (we integrate
       a 3rd party software package called Pegasus that handles the low-
       level management).

Q: What are the authenticity and immutability features?
A: Key to the value of Assureon is the confidence it will give you in the
privacy and integrity of your information, and in the confidence that 3rd
parties such as courts and regulatory agencies will have that information
you provide them is genuine and complete. Assureon is designed such
that even with administrator-level access to the system and detailed
understanding of its inner workings, it is not feasible to add, delete, or
modify data without at least being detected and in all likelihood being
completely thwarted in this attempt. Some of the ways this is
accomplished include:
   • When an asset is placed into management, a secure digital
       fingerprint (called a uFID) consisting of an MD5 hash, a SHA-1 hash,
       and the file length is created. It is highly unlikely that a different file
       will ever be found that has the same uFID, and implausible that a


      criminal could deliberately modify a document in such a way that the
      uFID remained unchanged.
  •   Each new asset is given a globally-unique sequential serial number.
  •   The uFID is used to calculate a storage address for the asset (this
      methodology is commonly called Content Addressed Storage).
  •   The uFID and various other data about a file such as its name, date
      of creation, retention policy, asset serial number, encryption key
      serial number, and source path, are combined into a metadata record
      which is digitally signed and bound to the asset.
  •   During every retrieval of a file, and periodically as a background task,
      the contents of the metadata are checked for internal consistency and
      then the stored uFID is compared to the actual uFID re-calculated on
      the asset. Discrepancies are logged and the defective asset is
      replaced with one of the redundant copies.
  •   Every five minutes, a “manifest” is created which contains a list of the
      uFID of all new files placed in management, their serial numbers, and
      the serial number of the encryption key used for the file, if applicable.
      This manifest is digitally signed and sent to the remote Key Servers
      for storage, establishing a third party which can attest to the time
      and date of creation of files and by virtue of having the serial
      numbers and uFID’s, has the ability to confirm that a purported set of
      files from that timeframe are not only complete, but also unmodified.
      The manifest file is itself stored back into the cluster, becoming the
      first file listed in the next manifest sent five minutes later. This
      establishes a cryptographic chain – manifests cannot undetectably
      be inserted or modified without modifying all subsequent manifests
      on every replicated site and all backups (in other words, impossible).
      Note that the assets themselves are not sent to the remote Key
      Servers – just the uFID’s and serial numbers so there is no privacy
  •   Overall, the Assureon provides a WORM emulation in that assets
      may not be modified ever, and may not be deleted until the document
      expiry date has been reached and then only if no deletion inhibit
      flags have been set (e.g. in response to a discovery motion).
  •   File deletion at the end of the retention period requires confirmation
      by a human operator.
  •   Since each file has a unique encryption key, and since at the end of
      the retention period we destroy all copies of this key, all copies of
      the file including copies held on removable media are effectively
      deleted. This is often called “crypto shredding” but in contrast to
      some competitors who claim this feature, Assureon can do it to
      individual files rather than whole tapes or directories.
  •   Assureon produces frequent audit reports to provide confidence that
      the security and integrity features are working properly for all assets.


Q: Can the system administrator reduce the retention period of an asset?
A: First of all, normally the customer will not truly have “administrator”
level access to Assureon. The customer will have what we call an
“AssureonAdmin” account which allows the on-site admin to do routine
tasks such as add or delete users or change which directories are being
watched. When logged in as AssureonAdmin, new retention policies may
be created which apply to new files, and existing retention policies may be
lengthened, but no mechanism is provided to reduce the retention time as
this would be contrary to most regulations. Even an engineer with root
access on the box itself cannot “hack” the retention time without triggering
all the safeguards described above.

Q: What if I want to have some administrator flexibility as to when a file is
A: Many environments do not have the inflexible retention requirements of,
for example, SEC 17a-4. For these, a retention rule may be configured to
have a minimum retention period and an “initial” retention period. Files
cannot be deleted before the minimum retention period, but unless the
retention time is adjusted they will be deleted in the routine course of
operation once the “initial” retention period expires. It is possible to set
the minimum to zero, meaning that the administrator can always delete a
file or group of files when desired. Additionally, a rule may be specified
such that only a certain number of the most recent versions of a given file
are retained. Note that actual deletion of any file under any rule only takes
place once the administrator has reviewed and approved the list of
disposition candidates, and has not elected to inhibit disposition.

Q: How do I set the retention date or policy?
A: Several modes are supported. The most common is to configure the
desired policy when setting up a FSW watch on a particular folder. For
convenience, corporate-wide retention policies are defined on a special
GUI screen and given convenient names (such as SarbanesOxley7year) so
that they can be quickly applied to a given FSW watch. A special retention
rule allows the document expiry date to be specified by the application, by
the simple expedient of setting the “last accessed date” to some time in the
future. Lastly, the user’s application software or a simple script may
construct an XML fragment specifying the location of a file to be archived,
its retention rules, and any other desired metadata, and then calling the
FSW service which takes over from that point.
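The two preceding answers describe retention rules with a minimum and an "initial" period, a most-recent-versions rule, a deletion-inhibit flag, expiry encoded by the application in the file's last-accessed date, and operator approval before anything is actually deleted. The following is an added example, not FSW or Assureon code, that models those rules as a disposition-candidate calculation; the rule names, asset records and dates are constructed, and the last-accessed round trip is done with `os.utime` on a temporary file.

```python
import os
import tempfile
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional


@dataclass
class RetentionRule:
    name: str
    minimum_days: int                    # nothing is deleted before this period
    initial_days: Optional[int] = None   # routine deletion once this expires
    keep_versions: Optional[int] = None  # keep only this many most recent versions


@dataclass
class Asset:
    path: str
    version: int
    created: datetime
    expiry_override: Optional[datetime] = None  # application-set expiry date
    inhibit: bool = False                       # deletion inhibit, e.g. discovery hold


def write_expiry_to_last_access(path: str, expiry: datetime) -> None:
    """Encode an expiry date the way the FAQ describes: set the last-accessed
    time of the file to that future date (mtime is left unchanged)."""
    st = os.stat(path)
    os.utime(path, (expiry.timestamp(), st.st_mtime))


def read_expiry_from_last_access(path: str, now: datetime) -> Optional[datetime]:
    """A last-accessed time in the future is an expiry date; otherwise none is set."""
    atime = datetime.fromtimestamp(os.stat(path).st_atime, tz=timezone.utc)
    return atime if atime > now else None


def disposition_candidates(assets: List[Asset], rule: RetentionRule, now: datetime) -> List[Asset]:
    """Apply the rule: minimum period and inhibit flag always win; after that an
    asset is a candidate if its expiry has passed or it exceeds the version count."""
    by_path: Dict[str, List[Asset]] = {}
    for a in assets:
        by_path.setdefault(a.path, []).append(a)
    candidates = []
    for versions in by_path.values():
        versions.sort(key=lambda a: a.version, reverse=True)  # newest first
        for rank, a in enumerate(versions):
            if a.inhibit or now < a.created + timedelta(days=rule.minimum_days):
                continue
            expiry = a.expiry_override
            if expiry is None and rule.initial_days is not None:
                expiry = a.created + timedelta(days=rule.initial_days)
            expired = expiry is not None and now >= expiry
            superseded = rule.keep_versions is not None and rank >= rule.keep_versions
            if expired or superseded:
                candidates.append(a)
    return candidates


def run_disposition(candidates: List[Asset], operator_approved: bool) -> List[Asset]:
    """Nothing is deleted until a human has reviewed and approved the list."""
    return list(candidates) if operator_approved else []


def demo() -> dict:
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    flexible = RetentionRule("Flexible30", minimum_days=7, initial_days=30)
    docs = [
        Asset("contracts/a.pdf", 1, now - timedelta(days=40)),                 # past initial: candidate
        Asset("contracts/b.pdf", 1, now - timedelta(days=10)),                 # within initial
        Asset("contracts/c.pdf", 1, now - timedelta(days=40), inhibit=True),   # held
        Asset("contracts/d.pdf", 1, now - timedelta(days=40),
              expiry_override=now + timedelta(days=365)),                      # app extended expiry
        Asset("contracts/e.pdf", 1, now - timedelta(days=3),
              expiry_override=now - timedelta(days=1)),                        # minimum not yet reached
    ]
    snapshots = RetentionRule("Snapshots2", minimum_days=0, keep_versions=2)
    snaps = [Asset("db/snap.bak", v, now - timedelta(days=8 - v)) for v in (1, 2, 3, 4)]
    with tempfile.TemporaryDirectory() as d:
        path = os.path.join(d, "report.pdf")
        with open(path, "wb") as f:
            f.write(b"constructed report\n")
        expiry = datetime(2030, 1, 1, tzinfo=timezone.utc)
        write_expiry_to_last_access(path, expiry)
        read_back = read_expiry_from_last_access(path, now)
    time_candidates = disposition_candidates(docs, flexible, now)
    return {
        "time_candidates": time_candidates,
        "version_candidates": disposition_candidates(snaps, snapshots, now),
        "last_access_roundtrip": read_back is not None and abs((read_back - expiry).total_seconds()) < 1,
        "disposed_without_approval": run_disposition(time_candidates, operator_approved=False),
    }


if __name__ == "__main__":
    print(demo())
```

Note that the minimum period is checked before the application-supplied expiry, which is why `e.pdf` survives even though its expiry date has passed; that ordering is the property the FAQ relies on when it says files cannot be deleted before the minimum retention period.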

Q: What does an Assureon look like? What’s inside the cabinet?
A: In a 4 node Assureon, for example, you will see four 1U servers with
mirrored local drives, a pair of Ethernet switches, a KVM and monitor for
maintenance, and two hardened SATABoy RAID units. In larger
configurations there will be more servers, larger storage units such as
hardened SATABeasts, possibly a pair of Fibre Channel switches, and


specialized security hardware which is not disclosed in public documents.
In general, it’s helpful to think of Assureon as a cluster of front-end servers
networked to a cluster of back-end servers which are in turn connected to
an internal SAN which interconnects the RAID units.

Q: So can I attach any RAID system I want to the Assureon?
A: Normally Nexsan does not permit this. The Assureon cluster is licensed
only for the capacity sold. Exceptionally, Nexsan will negotiate a fee for
Professional Services to install Assureon in front of legacy storage. There
are a few pitfalls to this which should be understood:
   • Nexsan will not support the back-end storage
   • Maintenance resulting from failure of the storage is not covered
       under the Assureon maintenance contract and is subject to a PS fee.
   • Nexsan will have to install, test, and burn-in Assureon at the
       customer site, which will take several billable days at a minimum
   • Nexsan storage is very inexpensive and it is unlikely that using
       legacy storage is going to save money on a TCO basis
   • Nexsan storage supports a special lock-down mode which prevents
       the deletion or modification of RAID Sets, LUNs, and other critical
       controller settings once the Assureon installation is put into
       production. Conventional RAID systems do not have this capability,
       and thus the entire archive is at risk if the RAID admin accidentally or
       deliberately changes the RAID or virtualization configuration, or if
       the RAID GUI is hacked.
   • Many legacy storage products do not support RAID 6, which means
       data stored for a period of years is at a significantly higher risk of
       data loss as compared to Nexsan storage.
   • Assureon’s event capturing system is only programmed to monitor
       Nexsan-brand storage and thus the user would be on his own to
       ensure that problems with the storage subsystems receive prompt

Q: Whose clustering technology do you use? Is it active/active?
A: We developed our own clustering technology. Every module of the
software was developed with an abstracted inter-process communication
technology which understands there being any number of instances of any
module spread across multiple servers. It is more than “active/active” in
that every node contributes to a fraction of the overall workload, and
performance degrades only by that fraction when a node fails.

Q: Do you have load balancing?
A: Yes. Every module distributes its output in a round-robin fashion to the
next available recipient. The net result is an overall load balancing, plus
the use of CAS storage technology spreads files evenly over the available


Q: What is the maximum capacity of an Assureon?
A: The system is architected to have no pre-determined limit to the
theoretical capacity. Installations of many petabytes are possible with the
standard architecture.

Q: Can storage be added to Assureon non-disruptively?
A: Within reason, yes. The exception is when extremely large additions to
the storage will probably necessitate a brief period of downtime while the
SAN infrastructure is tweaked. The storage installation will be performed
by a specially trained technician from Nexsan or select VAR’s.

Q: How fast is Assureon?
A: Since this is an archive of a finite size, and since assets tend to have
retention periods measured in years, for most applications an extremely
fast write performance is not useful as the unit would simply be filled up in
hours or days. Having said that, the performance is faster than the leading
competitors. A four node Assureon can sustain writes at about 20 MB/s.
Reads are faster than writes. If faster write performance is required, one
can add more processing nodes.

Q: What’s the maximum number of nodes in an Assureon cluster?
A: The architecture supports hundreds of nodes. However, to ensure a
quality product, only certain combinations of nodes and storage capacities
are going to be offered in the short term so that we can limit the number of
combinations that require qualification testing.

Q: Can maintenance be done while Assureon is operating?
A: We have designed it to support replacement of FRU’s without disruption.
Replaced components are brought back on-line automatically and
synchronized as necessary. If one of the redundant SQL databases goes
down, a straightforward manual procedure must be performed by a trained
technician to re-synchronize the databases. In the event that both
databases and all their backups somehow get destroyed, the database can
be re-constructed by extracting the necessary metadata information from
the repository of assets or from the periodic database snapshots which are
automatically created.

Q: Is there some kind of API integration required to use applications with
A: Usually not. If the application stores files in a disk directory, Assureon
can archive them. If the application stores its data in a live database, there
must either be a mechanism for storing the individual assets as files in a
directory, or the author of the software can work with Nexsan to integrate
the application with our proprietary API. It is our goal, however, to support
as many applications as possible using the features of FSW rather than
relying on an API.


Q: What is a Key Server?
A: The Key Server is a remote and highly redundant system which
generates and archives encryption keys used by the local Assureon. It
also receives and archives periodic file “manifests” from the local
Assureon, which contain a listing of file serial numbers and their digital
fingerprint. It has other responsibilities associated with authenticating the
time of day and preventing unauthorized deletion of files by tampering with
the local clocks. Normally the Key Server is hosted by Nexsan at a secure
co-location facility.

Q: Can I host my own Key Server?
A: This is not practical for most customers. In the future we may offer Key
Servers for customer integration at remote sites, primarily as a means to
satisfy the extreme security requirements of national security installations.

Q: What if it’s impossible for me to permit access to a remote Key Server?
A: You have the option of not using the encryption feature for files at rest
(files in transit are always encrypted but this does not involve the remote
Key Server), or we can pre-generate a large number of keys and store them
on your system (with a backup copy on DVD-R or Blu-Ray media to be
stored in a safe). Note that these approaches do not provide the
advantages of cryptographic revocation of individual files as there is no
way to “surgically” delete a single key from the DVD-R or Blu-Ray media.

Q: What is FSW?
A: FSW is an agent which runs on any Windows 2000, 2003, XP, Linux, or
Solaris server, desktop computer, or laptop. It monitors directories
according to policies established by the system administrator, and when
files are added or changed in these directories, FSW sends them to the
Assureon cluster for long term archiving. FSW also has a mode where it
synchronizes the data held in the cluster with the client machine on a
defined schedule.

Q: Do you have FSW for Linux, Solaris, AIX, HP-UX, MacOS, or other
operating systems?
A: We have ported FSW to Linux and Solaris, and over time will be porting
it to other unix-like operating systems.

Q: So if I can’t or won’t use an FSW agent on my system, how do I use
A: We can expose CIFS mount points on the Assureon cluster which your
application can write files to. In this case, the FSW agent is actually
running inside the Assureon cluster. Retention and encryption policy is
either set implicitly according to which directory the files are stored into, or
encoded explicitly into the Last Access time/date field in the file being
stored. Alternately, a server somewhere on the network may have an FSW
instance loaded on it, such that it monitors one or more folders on the
target system (obviously it needs the right permissions to see the folders).
It is important to note that transferring files via CIFS is slower than using
FSW, and may not be acceptable in many cases. Your requirements should
be discussed in detail with a Nexsan engineer.

Q: Do I have to order a special part number to get the CIFS access
capability and does it cost extra?
A: Your Nexsan representative will discuss your capacity and performance
requirements with you to see if our standard hardware configuration will be
sufficient. In the unlikely event that it is not, we will happily modify the
system configuration as needed to add extra processing power and/or
storage to fit your requirements. Any such additional cost is likely to be
very modest.

Q: What if I have both Windows boxes and Solaris boxes?
A: We can simultaneously support CIFS as well as any number of instances
of FSW running on Windows boxes and other supported operating systems.

Q: Why don’t I just use the same CIFS approach on my Windows boxes?
What advantages does FSW have over CIFS?
A: The primary advantage of FSW is it allows you to refer to the managed
files simply by accessing your local hard drive, which is likely to be faster
than retrieving the file using CIFS across a network. This is only important
if the files are frequently accessed and FSW is configured to leave them in
place (as opposed to migrating them to the Assureon cluster). Secondarily,
FSW incorporates fault-tolerance and load-balancing features which allow
it to communicate with any operational Assureon node. Such load
balancing and fault-tolerance features are more complex to achieve with a
CIFS mount point. Lastly, FSW consolidates network activity into efficient
bundles which may improve overall network efficiency.

Q: What is Sync-FSW?
A: This is a module which is loaded on user systems like FSW, but instead
of grabbing files immediately, it synchronizes on a defined schedule. This
is similar to D2D software such as rsync, in the sense that the O/S journal
is examined to see what files have changed since the last sync and only
changed files are transmitted to the Assureon cluster. At present, Sync-
FSW is only offered for Windows clients; a version for Linux/Unix clients is

Q: So, if I’m running Exchange on one Windows box, and running a huge
SQL database on another Windows box, then I just load FSW onto these
systems and by magic all my records get transferred to the Assureon
A: FSW does not automatically grab open files such as active SQL
databases or Exchange databases. For these types of applications you
would normally perform a “snapshot” and then archive the snapshot using
FSW or the CIFS mount. FSW will be extended in the future to make this
kind of operation easier. Note that in most cases, customers should be
archiving individual objects rather than whole databases, as individual
objects typically have unique retention dates. For database snapshots,
Sync-FSW can be used to periodically move these copies to the Assureon
cluster, and in most cases the versions feature will be invoked such that
only a certain number of snapshots are kept.

Q: What email or other applications specific archiving software for
Exchange is compatible with FSW?
A: We have been tested and shown to be compatible with ZipLip and
Messaging Architect, and are willing to test other configurations based
upon customer demand.

Q: What file sizes are supported by FSW?
A: FSW and Assureon work together to efficiently store files of any size.
There is about 800 bytes of overhead with each file stored, so storing large
numbers of very small files is somewhat wasteful of disk space. There is
no upper limit on file size except that the entire file must not consume more
than half of the available disk space on the front end Assureon node, which
in the standard configuration means that the largest supported file would
be on the order of 100 GB. By special order, we can easily architect a
system with an upper limit in the hundreds of terabytes.

Q: We are not running Active Directory, so how do we establish security
A: During the initial consulting period, a Nexsan engineer will work with
your security administrator to set up the appropriate protocols. The
Assureon cluster can be configured to support any of the popular user
authentication techniques. However, there may be a considerable
consulting fee associated with non-AD environments.

Q: I don’t want unauthorized people reading encrypted files that have been
stored in the Assureon. How can you handle this?
A: When a user attempts to read a file, Assureon checks to see if the user
is a member of an Active Directory group which has been given permission
to read files belonging to the applicable asset classification and
subclassification. If this check is successful, the file is transparently
decrypted on-the-fly before it is returned to the user. Assureon also allows


the administrator to inhibit reads on a file or collection of files, even to
authorized users. Routine changes to file access rights are handled via the
Active Directory Users and Groups interface which most administrators are
very familiar with.

Q: Where is the AES256 encryption performed?
A: Inside the Assureon cluster.

Q: Does that mean you are sending my files in the clear over the network
from the FSW clients to the Assureon?
A: We support and encourage the use of IPSec-3DES to protect the network
traffic between the Assureon and the rest of the user network including
CIFS/NFS clients and instances of FSW. This is the highest level of
network encryption that is commonly available today. We will support
IPSec-AES once support for it becomes more common. It is useful to point
out that the AES256 encryption is provided mainly to protect the repository
and any backup tapes or discs from disclosure, and to help enforce
deletion of records after expiry. In general, Assureon’s encryption does
not attempt to safeguard information while it is being used in workstations
and other clients, nor does it claim to be an enterprise-wide security
solution. However, using Assureon as the principal repository for sensitive
information in the enterprise is certainly going to improve its overall
security posture as many traditional vulnerabilities either disappear or
become minimized.
