More Related Content
Similar to cloud Raid (20)
cloud Raid
- 1. www.neridio.com Copyright © 2022, Neridio Systems
August 2022
Zero Trust, Cloud Storage Architecture
– Towards No Single Point of Breach or Cyber Attacks
Overview
Public clouds have now become a part of every
organization’s IT infrastructure outsourcing strategy, even
Individuals cannot do without cloud-based storage services
for getting on with their daily lives. Public storage services
such as Amazon S3, Microsoft Azure or Google Cloud
enable organizations to manage data with zero capital
expenses.
These benefits also come with new challenges such as
security, lack of control, visibility, availability outages and
reliability. While cloud computing is a utility, cloud storage is
not. This white paper draws sharp lines between the two and
explains business case of avoiding single point of cyber-
attack, data breaches or lack of control.
Businesses using cloud services should find a way of
outsourcing storage without outsourcing control on their data.
If an organization is to depend solely on a single cloud
storage provider, it will find limitations and risks.
Secure Cloud Integration technology from Neridio Systems
makes use of the power of virtualization at cloud level, a
method of the landmark invention of Distributed Virtual
Cloud bringing the idea of RAID across clouds – also referred
as cloud-RAID in this white paper.
Powered by path-
breaking invention
on Distributed
Virtual Storage
Cloud
Towards Attack
and Breach proof
Cloud Storage
Experience
US Patent
Patent #9128626
(Granted in 2015)
Peter Chacko
Founding Inventor
peter@neridio.com
White
Paper
- 2. www.neridio.com Copyright © 2022, Neridio Systems
Business Case
for Multi-Cloud Storage Model – Virtual Cloud for Security in-Cloud
Major barriers to cloud adoption are the security and operational risks associated with
any cloud infrastructures, these risks include hardware failure, malicious attacks, software
bugs, power outages, malware, server configuration, cyber-threats and insider threats.
Such failure and attack vectors are not new, but their risk is amplified by the large-scale
nature of the cloud. They can even be disastrous when data loss and corruption, breaches
of data confidentiality and malicious tampering with data occur.
Strong protections beyond encryption are therefore a necessity for data outsourced to
the cloud. Other key concerns hindering migration into a public cloud is lack of
availability and reliability guarantees. Well-known cloud providers have experienced a
temporary lack of availability lasting at least several hours and striking loss of personal
customer data.
Sample Deployment Architecture
Referring to the architecture below, we have connected five cloud storage services with
the system implementing cloud-RAID; denoted as cloud1, cloud2, cloud3, cloud4 and
cloud5 and “cloud-RAID system” respectively. The three primary data systems shown as
Data source A, Data source B and Data source C are indicative data sources which can
be co-located or can come from different edge locations connected to the system running
the implementation of multi-cloud storage virtualization technology in the cloud-RAID
system. This is a case of 3 data devices and 2 coding devices with a total of 5 devices
with any two devices can be erased or unavailable without data loss.
- 3. www.neridio.com Copyright © 2022, Neridio Systems
With cloud-Raid, data is de-centralized with optional encryption or de-sensitization and
each erasure coded fragment is unintelligible and hack proof, information theoretically.
This means a Quantum computer cannot break the system because only partial, un-
intelligible data exists at any location; as it would otherwise happen when full data,
protected by encryption is available.
This intermediary layer of software, implementing cloud-RAID, can range from a simple
library receiving data from or rendering data to a single data source, to a multi-site,
multi-cloud storage gateway as a virtual appliance connecting multiple data sources;
abstracting all backend cloud storage services as a single, “virtual” cloud.
Optionally cloud-RAID module can be protected by High Availability service in case
cloud-RAID module is an appliance with metadata protection and related information
which is shown as RationalVault foundation in the diagram. This can also provide security
telemetry.
Business Benefits
1. Cyber-attack Immunity through NO-SINGLE-POINT-OF-ATTACK
With only an information-theoretic fragment of any data is stored in any location,
erasure or corruption of one piece of data infrastructure through a cyber-attack is
tolerated with zero data loss, by the very nature of erasure coded information
dispersal.
2. Hack-proof Cloud Storage with Information Theoretical Security –
Zero Trust, Cloud Storage Architecture for NO-SINGLE-POINT-OF-BREACH
As we encrypt the storage with erasure coding with flexible key management with
random keys which can be deduced from the original content or customer-supplied keys,
any data at a single cloud reveals no information and is unintelligible. An adversary has
to hack a minimum of 3 service providers (out of 5 cloud services as in the example) which
is much more difficult than hacking into any single cloud service. This makes the security
Information-Theoretical than Computational. This is a big deal for customers having
sensitive data.
- 4. www.neridio.com Copyright © 2022, Neridio Systems
3. True Freedom from Vendor Lock-in
Vendor Lock-in is a barrier to businesses adopting cloud services. Also, businesses who use
cloud storage service face the following challenges;
➢ What if the service vendor increases the service costs or reduces the service features
that were earlier offered free of cost?
➢ What if a vendor goes out of business? - remember the sudden demise of Nirvanix, a
popular cloud storage service giving little time to cloud storage customers to take back
their data.
➢ What if an established company stops a service? - remember, discontinuity of EMC
Atmos service.
All these above business events require any organization to build a layer of vendor
service availability insulation. Our Multi-cloud Storage Virtualization stack provides this
insulation layer and delivers this true freedom. This a big deal when it comes to relying
on a cloud storage service provider.
4. Finest Privacy Control on Storage Data with no Vendor Lock-in
As cloud-RAID is not dependent on any single cloud for data availability or security
guarantee, cloud-RAID completely eliminates vendor lock-in with full control on data
privacy. As no complete data is stored with any provider and also the stored data is just
a mathematical fragment with optional encryption. Data breach at a cloud service
provider data center or an insider attack event to the cloud provider will reveal no
information of the customer data. This provides true information-theoretical security, as
opposed to computational security.
5. Transparent Cloud Storage Migration - made easier
With a true virtualization layer available in the form of a software layer in between,
migrating data across cloud providers is now better automated. Every IT admin will face
a daunting day of executing a storage migration project when they decide to move the
infrequently accessed storage to the cloud or due to a data center consolidation or in
case of a new data center would want to migrate storage from the cloud provider back
to their own data center. IT needs a layer of data mobility automation, in between
various storage mediums. With Distributed Virtual Cloud Architecture, cloud storage
migration workflows are simply made easier.
- 5. www.neridio.com Copyright © 2022, Neridio Systems
6. Outsourcing Storage - but without outsourcing control
Cloud computing is popularly considered akin to electric utility and the industry also
equates cloud storage as a utility which is a fundamental misinterpretation. Cloud
storage is not a utility – it is the strategic asset of any digital business and is
distributed. The Virtual Cloud Storage Architecture provides the foundation of retaining
the full ownership, control, and privacy of customer-owned cloud storage assets to be
outsourced to various cloud storage provider, without the actual “control” being
outsourced, as there is a layer of insulation, abstraction at the cloud storage integration
layer. This is a huge imperative for any enterprise having important and private data in
the cloud for their competitive business. Multi-cloud Storage Virtualization layer provides
that control by software. Anything in software, once all bugs are removed, always works,
unlike hardware.
7. Most Secure Backup Target Experience and Safest Long Term Archiving
Target Experience
Cloud storage backup and archiving are now becoming popular. But when the underlying
cloud storage is not insulated from failures physically bound to cloud storage interface, or
service outages not protected from insider-attacks at the cloud provider infrastructure, or
data breaches at the cloud provider level, cloud backups are not safe. Long-term cloud
archiving is not possible when a cloud provider survival rate is not guaranteed for
decades. Like any service, any provider mortality has to be taken into account.
Distributed, Virtual Cloud Architecture provides the software abstraction that the customer
controls, and can now store data in the cloud long term for decades, as there are no
provider dependencies or cloud data leaks.
8. Truly available cloud service or business continuity at cloud level
Any leading cloud vendor distributes the storage resources across various data centers in
various geographies, built for failures. Subscribers can choose various regions level
redundancy at the API level. But there is always a slim possibility of a zero-day attack
that could affect a single system that in-turn affects the provider at a global scale (For
example, say DNS service or service routing components or the similar service that
distributes the subscriber requests). When service is virtualized at the cloud provider level
from the customer–controlled software layer, such failures are easily tolerated without
bringing any business outage to a subscriber as service failure is abstracted out, like a
single failed disk in a RAID allows the failure of any disk or multiple disks.
- 6. www.neridio.com Copyright © 2022, Neridio Systems
9. Availability
To calculate the Availability, we should introduce three new terms - MTBF, MTTR and
MTTF
Availability is calculated as ‘MTBF / (MTTF +MTTR)’
Availability is enhanced by parallel coupling with a hot standby. Say we have two
components having 90% availability. If it is serially coupled for load sharing of a service
then total availability is reduced (also, failure of one component can bring down the
service). As availability is yielded by the equation:
Any cloud service offers the availability of 99.9 at a minimum. As we couple all in
parallel, and allow 2 failures, we consider it as 3 components allowing the other two to
fail, yielding the equation,
1 – [ (1 – 99.9/100) * (1 – 99.9/100) ]
Which is more than 99.999, that is a market exclusive SLA metric !
MTTR - is the mean time
to recover, the average
amount of time for the
recovery process to
repair the outage.
MTTF - is the mean time
to fail, the average
amount of time to fail
after the previous repair.
Serially Coupled
Availability (total) = Avail (component 1) * Avail (component 2)
= 90/100 * 90/100
= 81/100
= 81%
Parallelly Coupled
Availability (total) = 1 - [ (1 – Avail component 1) * (1 – Avail component2)]
= 1 – [(1 – 90/100) * (1 – 90/100)]
= 99/100
= 99%
MTBF - is the mean time
between failures which is
the average amount of
unit time elapsed for the
successive failures.
- 7. www.neridio.com Copyright © 2022, Neridio Systems
10. Efficient Storage Replication
With cloud-RAID, storage overhead for redundancy is much less. For example, if total
devices are 3 instead of 5, we can tolerate 1 device failure offering a redundancy of
N+1. In this deployment, say we store a file of 1GB. Then 500MB each will go to two
data devices and 500MB will go to coding device allowing the failure of any device. In
this model, we have overhead of 500MB extra for the total 1000MB (1GB). Storage
overhead here is (1coding device/2 data devices) 50% as opposed to 100% in a
replication scenario.
Similarly, when we have 5 devices as shown in the model architecture, we can now
tolerate the failures of two cloud services out of 5, we get the equivalent of n+2
redundancy. As we allow two devices to fail for 3 data devices, storage overhead is only
2 coding devices/3 data device = 66%. We thus avoid triplication (making three copies
as in open stack) for n+2 redundancy. To put this into a perspective, think of storing 100
TB data in a cloud storage with n+2 redundancy. One typically will store this 100 TB
redundantly to two more cloud services, allowing the failures of two cloud services. So
total storage now maintained is 300TB. When using cloud-RAID, it only becomes 166.66
TB as 166.66 TB data is divided across 5 cloud services and still allowing two services to
fail.
Conclusion
Traditional reliability models for hardware make certain assumptions about failure
patterns (such as independence of failures among hard drives) that are not accurate in the
world of cloud computing. Zero Trust, Cloud Storage Architecture from Neridio makes use
of the power of virtualization at cloud level, a method of the landmark invention of
Distributed Virtual cloud, bringing the idea of RAID across clouds or cloud-of-clouds
paradigm to the world of storage clouds. This feature, which is referred to as cloud-RAID
in this white Paper, is quintessentially an extension of RAID. Cloud-RAID improves
availability, confidentiality, assures hack-proof storage experience, efficient replication
and reliability of data stored in the cloud storage service.
To achieve this objective, Neridio’s solution architecture compresses the data, encrypts, de-
sensitizes, de-duplicates, and then makes use of erasure codes to stripe data across
multiple cloud storage providers. Neridio’s suite of products uses cloud-RAID interface as
the storage foundation to public storage clouds or for internal, privately managed clouds.