BLOOMBASE TURNKEY DATA-AT-REST
SECURITY COMPLIANCE SOLUTION
FOR EMC CELERRA

EMC CELERRA WITH BLOOMBASE SPITFIRE STORESAFE
Electronic business data represents an invaluable core asset of today’s enterprises and organizations. Enterprise customers are concerned about being able to manage and use sensitive information to optimize day-to-day business operations, while protecting it and satisfying information privacy compliance needs—without the expense of drastic system change and performance degradation.

The Bloombase Spitfire data-at-rest solution offers advanced security capabilities for a reliable, application-transparent, cipher-text information storage infrastructure. Its tamper-proof hardware encryption key security module ensures confidentiality and integrity throughout its whole lifecycle. Bloombase Spitfire Cryptographic Module is NIST FIPS 140-2 certified providing FIPS-approved RSA and AES cryptographic algorithms, together with non-FIPS ciphers including Camellia, SEED, 3DES, Twofish, Blowfish, etc.

Sensitive persistent data is stored securely as cipher-text in EMC® Celerra®. The encryption and decryption processes are automated by re-routing storage paths via the Bloombase Spitfire StoreSafe Security Server cluster, which provides virtual plain contents to authorized hosts and applications.

EMC Celerra storage targets are accessed by iSCSI, CIFS, and/or NFS storage protocols via Bloombase Spitfire StoreSafe Security Servers. Ciphered sensitive information is stored in the EMC Celerra storage system for centralized management. Only authorized access of virtual-plain information, by trusted applications and systems, per access rules and security profiles governed by Bloombase Spitfire StoreSafe encryptors is permitted. Application data files, directories, and storage volumes are protected by strong encryption offered by Bloombase Spitfire StoreSafe virtual storages, enabling application servers to achieve various information privacy compliance standards immediately and effectively.

ESSENTIALS
• Bloombase Spitfire StoreSafe is an industry-proven solution for immediate security compliance of various standards including HIPAA, PCI DSS, SB 1386, SOX, and more
• Bundled Spitfire KeyCastle enables automated initial migration of EMC Celerra contents, rekey, and full lifecycle management of cryptographic keys
• A web-based management console, command line interface console, and SNMP offer total, simplified management
• Unlike proprietary dedicated hardware with a high entry price, Bloombase Spitfire assumes a pay-as-you-go licensing model to help reduce your initial investment
• To maximize ROI, a single Bloombase Spitfire StoreSafe product:
  – Enables multiple storage hosts and applications to produce and consume secured at-rest data
  – Supports multiple EMC Celerra LUNs, file servers, and shares
  – Supports both file- and block-based protection for CIFS, NFS, and/or iSCSI EMC Celerra storage resources

SOLUTION ARCHITECTURE
The Bloombase Spitfire data-at-rest encryption solution offers wire-speed, on-the-fly encryption and decryption of storage data in an EMC Celerra network-attached storage (NAS) system. It requires minimum change in the application tier by dropping in Spitfire StoreSafe security servers in the storage paths.

The Bloombase Spitfire High Availability Suite brings together dual Spitfire security servers as a cluster so that when the active node fails, the backup node picks up and maintains non-stop, mission-critical service at complete storage and host transparency, requiring minimal operator attention. Extending to the disaster recovery infrastructure, storage cipher-texts at the primary site are replicated in their natural encrypted form over a private network to a backup storage system at a secondary site, and secured by a replica of Bloombase Spitfire StoreSafe and KeyCastle servers. As storage contents reside on EMC Celerra in their native ciphered form, data backup done over the physical storage resources is inherently encrypted, immediately satisfying secure archival needs.

The easy-to-manage Bloombase Spitfire storage security solution helps organizational customers enforce data confidentiality for storage, which improves overall system security, enables fast key rotation, reduces user workflows, segregates data ownership from administration and operation, and enhances efficiency and internal controls.




Figure 1.


RESULTS
• A TPC-C-based database benchmarking test is carried out on a sample database stored in
  an EMC Celerra secured by a Bloombase Spitfire StoreSafe storage security solution.

• TPC-C-like queries (with EMC Celerra read, Bloombase Spitfire decryption) and updates
  (with Celerra write, Bloombase Spitfire encryption) are generated and applied to simulate
  workload on the EMC Celerra/Bloombase Spitfire setup.




Figure 2. TPC-C queries

• For TPC-C queries, the Bloombase Spitfire StoreSafe encrypted database stored in EMC
  Celerra recorded a nine percent drop in throughput, compared to 31 percent for host-based
  and 64 percent for column-based.

Figure 3. TPC-C inserts and updates

• For TPC-C inserts and updates, the Bloombase Spitfire StoreSafe encrypted database stored in
  EMC Celerra recorded a 12 percent drop in throughput, compared to 53 percent for host-based
  and 59 percent for column-based.


CONCLUSIONS
• Wire-speed encryption performance with least degradation in storage I/O and throughput

• Turnkey and proven solution for immediate compliance to stringent information confidentiality regulatory requirements, no application change or second development needed

• Fast deployment and automated migration versus alternatives’ manual script-based migration approach

• iSCSI block-based and CIFS file-based encryption in a single solution

• Highly secure NIST FIPS 140-2 level 3 total key management

• Highly available and fault-tolerant

• Low total cost of ownership


ABOUT BLOOMBASE
Bloombase develops and markets Spitfire and Keyparc information security compliance solutions for enterprises and organizations to address data-at-rest and in-flight threats. Focused on solving the problem of securing enterprise transit and storage data, Bloombase has pioneered the use of encryption and authentication technologies that fit transparently into any enterprise IT environment. For more information, please refer to http://www.bloombase.com.


ABOUT EMC
EMC Corporation is the world’s leading developer and provider of information infrastructure technology and solutions that enable organizations of all sizes to transform the way they compete and create value from their information. Information about EMC’s products and services can be found at www.EMC.com.

CONTACT US
To learn how EMC products, services, and solutions can help solve your business and IT challenges, contact your local representative or authorized reseller—or visit us at www.EMC.com.




EMC², EMC, Celerra, the EMC logo, and where information lives are registered trademarks or trademarks of EMC Corporation in the United States and other countries. All other trademarks used herein are the property of their respective owners. © Copyright 2011 EMC Corporation. All rights reserved. Published in the USA. 01/11 Solution Overview H8568



EMC Corporation
Hopkinton, Massachusetts 01748-9103
1-508-435-1000 In North America 1-866-464-7381
www.EMC.com
