
Customer Success - A Government Organization



CUSTOMER SPOTLIGHT

A Government Security Control Organization

Bloombase® Spitfire StoreSafe™ Storage Security Server
Bloombase® Spitfire StoreSafe™ Lite Storage Security API
Bloombase® Spitfire KeyCastle™ Key Management Server

Sensitive departmental information interchange and storage data of government security organization are encrypted using Bloombase® Spitfire StoreSafe™ storage encryption solution achieving end-to-end data in-flight and data at-rest security

AT A GLANCE

ABOUT THE CUSTOMER
  • Government security control organization
  • Employees: More than 10,000

SUMMARY
To protect privacy of sensitive data interchange information submitted from various trusted data providers and secure contents in storage sub-systems and backup tapes from secret data exposure to unauthorized parties caused by physical or electronic theft

KEY CHALLENGES
  • Support heterogeneous host operating systems including Microsoft Windows, IBM AIX, etc
  • No change to end user, administrator and operator workflow
  • No coding or second development required
  • Sensitive information are physically stored encrypted at all times and no physical plain originals and copies are allowed
  • Interoperable with IBM WebSphere application server and IBM DB2 Universal Database (UDB) server
  • Encrypted archives on backup tapes
  • High performance encryption and decryption

PROJECT OBJECTIVES
  • Protects in-flight data submitted from third parties by HTTP form posts
  • Protects filesystem objects, relational databases and backup media
  • Encrypts dynamic database data stored in storage area network (SAN)

SOLUTIONS AND SERVICES
  • Spitfire KeyCastle™ key management server
  • Spitfire StoreSafe™ Lite storage security API
  • Spitfire StoreSafe™ enterprise storage security server

Overview

A municipal security control organization dynamically allocates their task forces and automatically reacts to potential incidents based on a self-developed intelligence information system. Hundreds or even thousands of information feeds including weather forecast and reports, local news, foreign news, traffic reports, border and coastal data, calendar events, etc are collected from hundreds of data sources every minute. These real time information, structured and/or unstructured, in form of flat files, are parsed, extracted and aggregated before they are loaded into a central data warehouse.

Based on various pre-defined data mining rules, real time security data are analyzed to generate reports, milestones and alerts to proactively monitor potential hazards and risks. With response to these possible outcomes closely monitored and tracked by the 24x7 operation unit, the bureau dynamically reacts and allocates resources and task forces to combat such potential incidents, better control the worsening situation, if any, or even suppress outbreak of the incidents.

Among these incoming information feeds, data warehouse and reports repository are extremely sensitive and are under airtight political and security privacy regulatory. In application’s perspective, security measures limit access to the system to authorized personnel only, protecting ... tion from unauthorized access. Network communications of these controlled information are secured by secure socket layer (SSL) powered by AES 256-bit strong encryption with industry proven secure key exchange, thus, sensitive data exposure due to eavesdropping is eliminated. Physical access to the computing hardware, whether at primary data center or disaster recovery (DR) site, are securely isolated and under strict physical access control, blocking possible physical tampering and data/hardware theft.

With all these security measures in place which are generally considered border or perimeter protection, the data system is vulnerable to core attacks, unknown attacks and outbound threats such as operator/insider attacks, spyware attacks and viral outbreaks, etc.

The Mission Critical Encryption

To cope with these challenges and meet national data privacy requirements, end customer needs to implement effective data encryption to secure information exchange with various data providers, protect data repository storage, data warehouse and backup archives at both primary and disaster recovery systems.

Implementing encryption on this mission critical system is full of constraints, baseline requirements being data in-flight and at-rest are securely encrypted by AES 256-bit cryptographic cipher, high availability ready and fault-tolerant, tamper proof and tamper resistant key protection and management. On the other hand, the encryption solution has to fit perfectly into end customer’s three-tier architecture at zero change, no application change, no database object change and last but not least, to be fully transparent to applications, administrators, operators and users.

After a three-months evaluation process, end customer selected Bloombase® Spitfire™ enterprise security solution over rivals taking kernel-based, database column-based, and hardware appliance-based encryption approaches.

Deployment of Bloombase® Spitfire™ KeyCastle key management servers and Spitfire™ StoreSafe storage security servers completed within 3 days whereas initial data migration of incoming information feed repository, IBM DB2 UDB data files and report storage area took merely another surprisingly 2 days.

An active self executing component is deployed at every data providers’ internal network to poll for latest news and information. These sensitive information feeds are encrypted automatically as they are uploaded to the intelligence system by Spitfire™ StoreSafe Lite storage security API with channel further protected by SSL. The ciphered information feed is temporarily stored at a staging area physically located at IBM TotalStorage DS4100 SAN in form of flat file. A job is scheduled to run every other minute at an IBM WebSphere application server to scan for latest information feeds, access of ciphered incoming files via Spitfire™ StoreSafe security server provides a virtual plain view of sensitive contents to be extracted and bulk imported into a data warehouse powered by IBM DB2 UDB. Read/write access of DB2 UDB is made via a highly available Spitfire™ StoreSafe server cluster. Thus, during bulk import of information, sensitive information are first encrypted on-the-fly by Spitfire™ StoreSafe before they are persisted onto SAN, vice versa, on execution of data-mining procedures, ciphered data warehouse data are deciphered at real time on demand prior to actual query reads. Analysis results in form of data records and large binary objects are stored in another DB2 UDB instance which is also protected by Spitfire™ StoreSafe storage encryption servers. Again, only when these sensitive milestones are accessed and presented to authorized personnel will the private information be deciphered at wire-speed by Spitfire™ StoreSafe.

Ciphered block based SAN storage updates are automatically synchronized from primary site to DR site via a virtual private lease line to be further reconstructed and applied to the DR SAN sub-system. Further, backup archives are created directly from ciphered physical storage system and stored on magnetic tape cartridges for backup and sent offsite for safe storage.

The entire life-cycle of sensitive incident information is secured by Spitfire™ StoreSafe at complete application transparency. Highly regulated digital data in form of files, disk data blocks, database entries and tape are privately locked down onto generic enterprise storage infrastructure by strong encryption at all times, effectively forbidding possible core attacks that might lead to serious private data exposure at the minimal costs and risks of implementation.

WHY BLOOMBASE SOLUTIONS
  • All in one solution to achieve data in-flight and at-rest security
  • Platform independence
  • NIST FIPS-140-2 level-3 tamper proof and tamper resistant key protection
  • Full lifecycle key management

IMPLEMENTATION HIGHLIGHTS
First customer to practice both data-in-flight and data-at-rest protection for end-to-end security of highly available sensitive business data interchange and persistence

KEY BENEFITS
  • No client user training required for third party data providers
  • Application transparency
  • High encryption performance
  • Highly available and fault-tolerant
  • Tamper proof and tamper resistant key protection

HARDWARE
  • IBM x-Series servers
  • IBM p-Series servers
  • IBM TotalStorage DS4100 SAN storage
  • IBM tape library
  • Sun Microsystems Sun Fire X2100 servers

OPERATING SYSTEM
  • Microsoft Windows Server 2003
  • IBM AIX 5.3
  • Novell SUSE Linux Enterprise 9

SOFTWARE
  • IBM WebSphere application server
  • IBM DB2 Universal Database
  • IBM Lotus Domino messaging server
  • IBM Tivoli Storage Manager (TSM)
  • Symantec Storage Foundation

© 2006 Bloombase Technologies. All rights reserved. Bloombase, Spitfire, Keyparc, StoreSafe, and other Bloombase products and services mentioned herein as well as their respective logos are trademarks or registered trademarks of Bloombase Technologies Ltd in United States, Hong Kong, China and in several other countries all over the world. All other product and service names mentioned are the trademarks of their respective companies. The information contained herein is subject to change without notice. The only warranties for Bloombase products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Bloombase shall not be liable for technical or editorial errors or omissions contained herein. 4AA0-0696AAC 09/2006