Computational Storage and Data Security for Private Clouds

The RSA Conference was held earlier this month at the Moscone Center in San Francisco. One focus area in the presentations and keynotes was “zero trust”, a very hot topic in cloud computing. The idea behind zero trust is that no user or workload is trusted by virtue of its network location (even inside the network perimeter); every request for a data set or compute resource is authenticated and authorized under strict access control. Zero trust is complementary to micro-segmentation, where hundreds or thousands of secure zones are created in a network and access to each zone is strictly controlled. In both cases, the overall goal is to limit the ability of attackers who gain access to one segment of the network or compute resources to reach others through lateral movement.

Zero trust is a great concept for keeping the bad guys out, or for keeping malicious cloud users in their own sandbox. However, how do you keep bad actors inside the organization from accessing the data of “cloud users”? This is a particularly nasty problem for private clouds, where “inside jobs” by administrators or IT contractors account for a significant share of breaches. Encryption of data at rest (a continuous theme of past RSA Conferences) keeps the data safe on storage devices, and encryption of data in flight does the same for data on the network, but what about when the data is in server memory for analysis? At that point it is plaintext, readable by anyone with administrative access to the server or a copy of its memory, and it can be extremely valuable to cybercriminals. Think of real-time analytics for an e-retail operation: the data on the server likely contains user names, zip codes, addresses, phone numbers, and possibly more. How do you secure this data?

The best way is to avoid moving the entire data set to the server in the first place. In most cases, the desired result of an analytics workload is either metadata about usage patterns or data on a small subset of customers. Computational storage offers an ideal means of avoiding unencrypted data on the server. The data stays encrypted everywhere it is accessible from outside the device, while the analysis runs on the unencrypted data inside the storage device; the device performs the bulk of the real-time analysis and returns only the metadata or the much smaller result set. In either case, the amount of data put at risk is significantly reduced, as is the number of hosts that ever hold plaintext. Note that this moves the trust boundary rather than removing it: the device firmware, its key handling and the query interface it exposes become the components to harden, and that interface should not let an insider simply request the full record set. By reducing the amount of data transferred from storage devices to server memory, computational storage also delivers significant performance improvements for petabyte-scale real-time analytics. If you would like to find out more about our Newport real-time computational storage devices, visit our website or contact me. Thanks!
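The following Python simulation is an added example and is not code from the original post or from NGD Systems; the Newport device interface is not described here, so the `ComputationalDrive` class, its methods, the constructed customer records and the toy SHA-256 counter-mode cipher (a stand-in for the AES a real drive would use) are all assumptions. It contrasts the conventional path, where the drive decrypts on read and full records land in host memory, with a pushdown query that filters and aggregates inside the device and returns only a per-zip-code count, and it measures how many bytes of plaintext cross the device boundary in each case.

```python
import hashlib
import json
from collections import Counter

# Constructed sample records: the kind of PII an e-retail analytics job touches.
RECORDS = [
    {"name": "Ana Ruiz",   "zip": "94103", "phone": "415-555-0101", "order_total": 180.0},
    {"name": "Ben Ito",    "zip": "94103", "phone": "415-555-0102", "order_total": 42.5},
    {"name": "Cara Nolan", "zip": "10001", "phone": "212-555-0103", "order_total": 310.0},
    {"name": "Dev Patel",  "zip": "10001", "phone": "212-555-0104", "order_total": 120.0},
    {"name": "Eli Strand", "zip": "60601", "phone": "312-555-0105", "order_total": 99.0},
]


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy counter-mode keystream built from SHA-256 (assumption: stands in for
    the AES a real self-encrypting drive uses; not for production use)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])


def _xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Encrypt or decrypt (the stream cipher is its own inverse)."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class ComputationalDrive:
    """Hypothetical model of a self-encrypting drive with an in-device compute
    engine. The key never leaves the instance; the host sees only what the
    public methods return."""

    def __init__(self, key: bytes, records):
        self._key = key
        self._blobs = []
        for i, rec in enumerate(records):
            nonce = i.to_bytes(8, "big")  # per-record nonce: never reuse with the same key
            self._blobs.append((nonce, _xor(key, nonce, json.dumps(rec).encode())))

    def raw_at_rest(self):
        """What someone who pulls the drive (or dumps the flash) can read."""
        return [ciphertext for _, ciphertext in self._blobs]

    def _decrypt_all(self):
        return [json.loads(_xor(self._key, nonce, ct)) for nonce, ct in self._blobs]

    def read_plaintext(self):
        """Conventional path: the drive decrypts on read and every record,
        PII included, lands in host memory for the server to analyse."""
        return self._decrypt_all()

    def pushdown_query(self, min_total: float, group_by: str):
        """Computational-storage path: filter and aggregate inside the device;
        only the aggregate crosses the device boundary."""
        plain = self._decrypt_all()
        counts = Counter(r[group_by] for r in plain if r["order_total"] >= min_total)
        return dict(counts)


def bytes_exposed(obj) -> int:
    """Size of what reaches host memory, serialised as JSON."""
    return len(json.dumps(obj, sort_keys=True).encode())


def compare(drive: ComputationalDrive, min_total: float = 100.0):
    """Run the same question both ways and report what each path exposes."""
    full = drive.read_plaintext()
    agg = drive.pushdown_query(min_total, "zip")
    return {
        "host_side_bytes": bytes_exposed(full),
        "pushdown_bytes": bytes_exposed(agg),
        "result": agg,
    }


if __name__ == "__main__":
    drive = ComputationalDrive(key=b"\x11" * 32, records=RECORDS)
    print(compare(drive))
```

The query here is deliberately coarse (customers per zip code with an order above a threshold); the point is that the names and phone numbers needed to compute it never leave the device, whereas the conventional path copies all of them into server memory.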

2019-03-26T05:45:48+00:00