Internet Vaulting Security Overview
In the Data Storage Internet Vaulting solution architecture,
the DS Client application is responsible for initiating
backups; the storage vaults located in the Data Centers are
responsible for managing the data and keeping this data
secure. The following sections illustrate how Internet
Vaulting creates a secure environment for data transfer,
storage and manageability. The Internet Vaulting security
design was created around the following main components:
1. Customer Location
§ Usernames and passwords
The software is configured upon install with a username and
password. This username and password must be entered each
time to gain access. The software can also be configured to
take advantage of a pre-defined user group located on the
Local Machine / Active Directory / NT 4.0. This feature
allows multiple user accounts to access the software with
multiple levels of permissions. This is a very useful
feature in medium to large corporations, where various
people are responsible for backing up their department's data
on a regular basis.
§ Unique machine ID
Upon installation of the DS Client software on a client’s
network, a unique machine ID security cookie is
automatically created, registered with our Data Vaults
and tagged to the client’s account. This cookie contains a
hardware (MAC address, processors, memory, etc.) and software
(OS) snapshot of the machine on which the software was
installed. The cookie is regenerated on the fly each
and every time a client tries to connect to one of our Data
Vaults. If the cookies do not match 100%, the connection is
denied. This process prohibits a rogue employee from
downloading or otherwise acquiring the software and using
their company’s account registration information to gain
unauthorized access to our Data Vaults.
2. Data Transmission
§ Proprietary software format
All client data is transmitted in the Internet Vaulting
software format, as well as being compressed and encrypted.
Without a properly authorized DS Client installation, the
data is unreadable.
§ Encryption
To ensure the security of our client’s data, the software
automatically encrypts every file it sends over the internet
with an encryption key provided by the client during the
installation process. Internet Vaulting utilizes
government-approved AES encryption algorithms to generate its
public and private key pairs and supports an industry-leading
key size of up to 256 bits.
All clients’ files are stored and remain encrypted on our
secure Data Vaults at all times. The decryption
process occurs automatically during the restore operation by
our software. This ensures that all backup data
transferred and stored outside the client’s location is
always protected.
Note: For compliance and regulatory reasons, Data Storage cannot reset
encryption keys, nor does Data Storage retain encryption
keys unless specifically instructed to do so by the client.
A lost encryption key will mean that the stored data will
be inaccessible and that the backup set will need to be
re-seeded.
§ Block level changes
After the initial seed backup, Data Storage creates a
customer-specified number of generations based upon block
level changes. Block level changes refers to a review
process, completed during each backup set, that
recognizes and captures 4k block level changes to files
since the last backup. Only the changed blocks are
processed offsite for retention. In the event of a
restore, Internet Vaulting instantly recompiles the block
level changes with the seed backup and restores a
point-in-time copy of the customer’s data.
Block level changes enhance security by only sending bits
and pieces of data to complete a daily full backup.
Complete files are not sent, only fragments of files which
would be unusable without the seed data.
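The seed-plus-generations scheme described above, as an added sketch that is not Data Storage's own code: it records only the 4k blocks that changed and rebuilds a point-in-time copy by overlaying them on the seed. The function names, the dictionary layout and the sample data are assumptions, it also handles files that grow or shrink, and the compression and encryption applied by the real product are left out.

```python
import hashlib

BLOCK = 4096  # the 4k block size stated above

def split(data: bytes) -> list:
    """Cut a file image into fixed-size blocks (the last one may be short)."""
    return [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]

def generation(previous: bytes, current: bytes) -> dict:
    """Record only the blocks of `current` that differ from `previous`."""
    old = [hashlib.sha256(b).digest() for b in split(previous)]
    changed = {}
    for i, blk in enumerate(split(current)):
        if i >= len(old) or hashlib.sha256(blk).digest() != old[i]:
            changed[i] = blk
    # The length is kept so a restore can also reproduce a file that shrank.
    return {"length": len(current), "blocks": changed}

def restore(seed: bytes, generations: list) -> bytes:
    """Overlay each generation on the seed, oldest first."""
    out, length = split(seed), len(seed)
    for gen in generations:
        for i, blk in sorted(gen["blocks"].items()):
            if i < len(out):
                out[i] = blk
            else:
                out.append(blk)  # file grew: new blocks arrive in index order
        length = gen["length"]
        out = out[:(length + BLOCK - 1) // BLOCK]  # drop blocks past the new end
    return b"".join(out)[:length]

# Constructed sample data: a 3.5-block seed, a 5-byte edit, then a truncation.
SEED = bytes(range(256)) * 56
DAY1 = SEED[:5000] + b"EDIT!" + SEED[5005:]
DAY2 = DAY1[:6000]
GEN1 = generation(SEED, DAY1)
GEN2 = generation(DAY1, DAY2)
```

Here `GEN1` carries a single 4096-byte block out of a 14336-byte file, and restoring `DAY2` requires the seed plus both generations applied in order.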
3. Internet Vaulting Data Centers
§ Physical security
All client data resides in its encrypted form behind the
Internet Vaulting firewall. In addition, the Data
Vaults reside in a secure state-of-the-art co-location
facility with redundant internet bandwidth, power, and
backup generators. Physical access to the Data Vaults is
guarded by three separate pass key entrances and each Data
Vault is located within a locked cabinet.
§ Facility redundancy
Complete redundancy for bandwidth and power is a mandatory
requirement for all facilities in which the Data Vaults are
located. For example, the primary Data Vault maintains
12 separate bandwidth providers for constant internet
availability and capacity. In addition, dual conduits
into the building for both power and bandwidth are
utilized. Power is supported by UPS, battery backup
and diesel generators and utilizes an automatic transfer
switch to transfer power in the event of an emergency.
§ IP security
Upon request, Data Storage can lock a client account to a
certain public IP range or even a single IP address. This
feature adds an additional level of security for Data
Storage clients and prevents someone from stealing the
machine with the DS Client software and trying to gain
access to the protected data from outside the company
network.
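The unique machine ID check and the IP lock described in this overview, combined into one connection-admission check, as an added sketch that is not Data Storage's code. The snapshot fields, the SHA-256 fingerprint, the account record layout and the reason strings are all assumptions; the addresses come from documentation ranges.

```python
import hashlib
import hmac
import ipaddress
import json

def fingerprint(snapshot: dict) -> str:
    """Hash a canonical encoding of the hardware/OS snapshot (assumed format)."""
    canonical = json.dumps(snapshot, sort_keys=True, separators=(",", ":"))
    return hashlib.sha256(canonical.encode("utf-8")).hexdigest()

def admit(account: dict, presented: dict, source_ip: str):
    """Return (allowed, reason) for one connection attempt."""
    # Machine ID: recomputed from the presented snapshot on every connection
    # and compared in constant time; any differing attribute is a denial.
    if not hmac.compare_digest(fingerprint(presented), account["machine_id"]):
        return False, "machine-id-mismatch"
    # The IP lock is applied on request only; no entry means no restriction.
    allowed = account.get("allowed_networks")
    if allowed is not None:
        try:
            addr = ipaddress.ip_address(source_ip)
        except ValueError:
            return False, "bad-source-address"
        if not any(addr in ipaddress.ip_network(net) for net in allowed):
            return False, "source-ip-not-allowed"
    return True, "ok"

# Constructed sample data: the snapshot taken at install time and the
# account record the vault would hold for it.
REGISTERED = {
    "mac": "00:00:5e:00:53:01",
    "cpus": 4,
    "memory_mb": 8192,
    "os": "example-os 1.0",
}
ACCOUNT = {
    "machine_id": fingerprint(REGISTERED),
    "allowed_networks": ["203.0.113.0/24"],
}
```

With the IP lock enabled, a connection from the registered machine at an address outside `203.0.113.0/24` is still refused, which is the stolen-machine case the section describes.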