1. A Government
Bloombase® Spitfire StoreSafe™
CUSTOMER SPOTLIGHT
Security Control Storage Security Server
Bloombase® Spitfire StoreSafe™
Organization Lite Storage Security API
Bloombase® Spitfire KeyCastle™
Key Management Server
Sensitive departmental information interchange and storage data of govern-
ment security organization are encrypted using Bloombase® Spitfire Store-
Safe™ storage encryption solution achieving end-to-end data in-flight and
AT A GLANCE data at-rest security
ABOUT THE CUSTOMER physical plain originals and copies are Overview
allowed
• Government security control organiza- • Interoperable with IBM WebSphere
A municipal security control organization dynamically allocates
tion application server and IBM DB2 Univer-
sal Database (UDB) server their task forces and automatically reacts to potential incidents
• Employees: More than 10,000
• Encrypted archives on backup tapes based on a self-developed intelligence information system. Hun-
SUMMARY • High performance encryption and dreds or even thousands of information feeds including weather
decryption forecast and reports, local news, foreign news, traffic reports,
To protect privacy of sensitive data border and coastal data, calendar events, etc are collected from
interchange information submitted from PROJECT OBJECTIVES hundreds of data sources every minute. These real time informa-
various trusted data providers and tion, structured and/or unstructured, in form of flat files, are
secure contents in storage sub-systems • Protects in-flight data submitted from
third parties by HTTP form posts parsed, extracted and aggregated before they are loaded into a
and backup tapes from secret data
exposure to unauthorized parties caused • Protects filesystem objects, relational central data warehouse.
by physical or electronic theft databases and backup media
• Encrypts dynamic database data stored Based on various pre-defined data mining rules, real time secu-
in storage area network (SAN) rity data are analyzed to generate reports, milestones and alerts
KEY CHALLENGES
to proactively monitor potential hazards and risks. With response
• Support heterogeneous host operating
SOLUTIONS AND SERVICES
to these possible outcomes closely monitored and tracked by the
systems including Microsoft Windows, 24x7 operation unit, the bureau dynamically reacts and allocates
IBM AIX, etc • Spitfire KeyCastle™ key management
server resources and task forces to combat such potential incidents,
• No change to end user, administrator
and operator workflow • Spitfire StoreSafe™ Lite storage secu- better control the worsening situation, if any, or even suppress
• No coding or second development rity API outbreak of the incidents.
required • Spitfire StoreSafe™ enterprise storage
• Sensitive information are physically security server
Among these incoming information feeds, data warehouse and
stored encrypted at all times and no reports repository are extremely sensitive and are under airtight
political and security privacy regulatory. In application’s perspec-

2. tive, security measures limit access to the sys-
tem to authorized personnel only, protecting WHY BLOOMBASE SOLUTIONS tion
from unauthorized access. Network communica-
• All in one solution to achieve data in-flight and HARDWARE
tions of these controlled information are secured at-rest security
by secure socket layer (SSL) powered by AES 256 • Platform independence • IBM x-Series servers
-bit strong encryption with industry proven • NIST FIPS-140-2 level-3 tamper proof and • IBM p-Series servers
secure key exchange, thus, sensitive data expo- tamper resistant key protection • IBM TotalStorage DS4100 SAN storage
sure due to eavesdropping is eliminated. Physi- • Full lifecycle key management • IBM tape library
• Sun Microsystems Sun Fire X2100 servers
cal access to the computing hardware, whether
at primary data center or disaster recovery (DR)
IMPLEMENTATION HIGHLIGHTS
OPERATING SYSTEM
site, are securely isolated and under strict physi- First customer to practice both data-in-flight
cal access control, blocking possible physical and data-at-rest protection for end-to-end • Microsoft Windows Server 2003
tampering and data/hardware theft. security of highly available sensitive business • IBM AIX 5.3
data interchange and persistence • Novell SUSE Linux Enterprise 9
With all these security measures in place which
are generally considered border or perimeter KEY BENEFITS SOFTWARE
protection, the data system is vulnerable to core
• No client user
training required for third party • IBM WebSphere application server
attacks, unknown attacks and outbound threats data providers • IBM DB2 Universal Database
such as operator/insider attacks, spyware at- • Application transparency • IBM Lotus Domino messaging server
tacks and viral outbreaks, etc. • High encryption performance • IBM Tivoli Storage Manager (TSM)
• Highly available and fault-tolerant • Symantec Storage Foundation
• Tamper proof and tamper resistant key protec-
The Mission Critical Encryp-
tion After a three-months evaluation process, end DS4100 SAN in form of flat file. A job is sched-
customer selected Bloombase® Spitfire™ enter- uled to run every other minute at an IBM Web-
To cope with these challenges and meet national
prise security solution over rivals taking kernel- Sphere application server to scan for latest
data privacy requirements, end customer needs
based, database column-based, and hardware information feeds, access of ciphered incoming
to implement effective data encryption to secure
appliance-based encryption approaches. files via Spitfire™ StoreSafe security server
information exchange with various data provid-
provides a virtual plain view of sensitive con-
ers, protect data repository storage, data ware-
Deployment of Bloombase® Spitfire™ KeyCastle tents to be extracted and bulk imported into a
house and backup archives at both primary and
key management servers and Spitfire™ Store- data warehouse powered by IBM DB2 UDB.
disaster recovery systems.
Safe storage security servers completed within 3 Read/write access of DB2 UDB is made via a
days whereas initial data migration of incoming highly available Spitfire™ StoreSafe server
Implementing encryption on this mission critical
information feed repository, IBM DB2 UDB data cluster. Thus, during bulk import of information,
system is full of constraints, baseline require-
files and report storage area took merely another sensitive information are first encrypted on-the-
ments being data in-flight and at-rest are se-
surprisingly 2 days. fly by Spitfire™ StoreSafe before they are per-
curely encrypted by AES 256-bit cryptographic
sisted onto SAN, vice versa, on execution of data
cipher, high availability ready and fault-tolerant,
An active self executing component is deployed -mining procedures, ciphered data warehouse
tamper proof and tamper resistant key protec-
at every data providers’ internal network to poll data are deciphered at real time on demand prior
tion and management. On the other hand, the
for latest news and information. These sensitive to actual query reads. Analysis results in form of
encryption solution has to fit perfectly into end
information feeds are encrypted automatically as data records and large binary objects are stored
customer’s three-tier architecture at zero
they are uploaded to the intelligence system by in another DB2 UDB instance which is also pro-
change, no application change, no database
Spitfire™ StoreSafe Lite storage security API with tected by Spitfire™ StoreSafe storage encryption
object change and last but not least, to be fully
channel further protected by SSL. The ciphered servers. Again, only when these sensitive mile-
transparent to applications, administrators,
information feed is temporarily stored at a stag- stones are accessed and presented to author-
operators and users.
ing area physically located at IBM TotalStorage ized personnel will the private information be
deciphered at wire-speed by Spit-
fire™ StoreSafe. Ciphered block
based SAN storage updates are
automatically synchronized from
primary site to DR site via a virtual
private lease line to be further
reconstructed and applied to the
DR SAN sub-system. Further,
backup archives are created di-
rectly from ciphered physical stor-
age system and stored on magnetic
tape cartridges for backup and sent
offsite for safe storage.
The entire life-cycle of sensitive
incident information is secured by
Spitfire™ StoreSafe at complete
application transparency. Highly
regulated digital data in form of
files, disk data blocks, database
entries and tape are privately
locked down onto generic enter-
prise storage infrastructure by
strong encryption at all times,
effectively forbidding possible core
attacks that might lead to serious
private data exposure at the mini-
mal costs and risks of implementa-
tion.
© 2006 Bloombase Technologies. All rights reserved. Bloombase, Spitfire, Keyparc, StoreSafe, and other Bloombase products and services mentioned herein as well as their
respective logos are trademarks or registered trademarks of Bloombase Technologies Ltd in United States, Hong Kong, China and in several other countries all over the world. All
other product and service names mentioned are the trademarks of their respective companies.
The information contained herein is subject to change without notice. The only warranties for Bloombase products and services are set forth in the express warranty statements
accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. Bloombase shall not be liable for technical or editorial errors
or omissions contained herein.
4AA0-0696AAC 09/2006