8/21/2019 VDS Quick StartVormV0.4
VDS Quick-start Guide
Release 5
Version 5.2.1
May 28, 2014
Vormetric Data Security Platform
50-1000000-01
Vormetric Data Security
VDS Quick-start Guide
Release 5, Version 5.2.1
May 28, 2014, Document Draft Version 0.4
50-1000010-01
Produced in the United States of America
Copyright (C) 2009 - 2014 Vormetric, Inc. All rights reserved.
NOTICES, LICENSES, AND USE RESTRICTIONS
Vormetric is a registered trademark of Vormetric, Inc. in the United States (U.S.) and certain other countries.
Microsoft, Windows, Windows XP, Windows NT, SQL Server and the Windows logo are trademarks of Microsoft
Corporation in the U.S., other countries, or both.
UNIX is a registered trademark of The Open Group in the U.S. and other countries.
Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.
Java and all Java-based trademarks (including Java, JavaServer Pages, Javadoc, JavaMail, and JavaBeans) are logos and
trademarks or registered trademarks of Oracle, Inc., in the U.S. and other countries, and are used under license.
Oracle, Oracle ASM, Solaris, SPARC, Oracle Enterprise Linux and Java are registered trademarks of Oracle Corporation
and/or its affiliates.
IBM, IBM logo, ibm.com, AIX, DB2, PowerPC, DB2 Universal Database and Informix are trademarks of International
Business Machines Corporation in the U.S., other countries, or both.
Intel, Intel logo, Intel Xeon, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its
subsidiaries in the U.S. and other countries.
HP-UX is a registered trademark of Hewlett-Packard Company in the U.S., other countries, or both.
Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe
Systems Incorporated in the U.S., other countries, or both.
X Window System is a trademark of the Massachusetts Institute of Technology.
Red Hat and Red Hat Enterprise Linux, are trademarks of Red Hat, Inc., registered in the United States and other
countries.
SUSE and SLES are registered trademarks of Novell, Inc.
All other products described in this document are trademarks of their respective holders.
The Software and documentation contain confidential and proprietary information that is the property of Vormetric, Inc.
The Software and documentation are furnished under Vormetric's Standard Master License Software Agreement
(Agreement) and may be used only in accordance with the terms of the Agreement. No part of the Software and
documentation may be reproduced, transmitted, translated, or reversed engineered, in any form or by any means,
electronic, mechanical, manual, optical, or otherwise.
Licensee shall comply with all applicable laws and regulations (including local laws of the country where the Software is
being used) pertaining to the Software including, without limitation, restrictions on use of products containing
encryption, import or export laws and regulations, and domestic and international laws and regulations pertaining to
privacy and the protection of financial, medical, or personally identifiable information. Without limiting the generality
of the foregoing, Licensee shall not export or re-export the Software, or allow access to the Software to any third party
including, without limitation, any customer of Licensee, in violation of U.S. laws and regulations, including, without
limitation, the Export Administration Act of 1979, as amended, and successor legislation, and the Export
Administration Regulations issued by the Department of Commerce.
Any provision of any Software to the U.S. Government is with "Restricted Rights" as follows: Use, duplication, or
disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical
Data and Computer Software clause at DFARS 252.277.7013, and in subparagraphs (a) through (d) of the Commercial
Computer-Restricted Rights clause at FAR 52.227-19, and in similar clauses in the NASA FAR Supplement, when
applicable. The Software is a "commercial item" as that term is defined at 48 CFR 2.101, consisting of "commercial
computer software" and "commercial computer software documentation", as such terms are used in 48 CFR 12.212
and is provided to the U.S. Government and all of its agencies only as a commercial end item. Consistent with 48 CFR
12.212 and DFARS 227.7202-1 through 227.7202-4, all U.S. Government end users acquire the Software with only
those rights set forth herein. Any provision of Software to the U.S. Government is with Limited Rights. Vormetric is
Vormetric, Inc. at 2545 N 1st St., San Jose, CA, 95131-1003, (408) 433-6000.
VORMETRIC, INC., PROVIDES THIS SOFTWARE AND DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND,
EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR
FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT OF THIRD PARTY RIGHTS, AND ANY WARRANTIES
ARISING OUT OF CONDUCT OR INDUSTRY PRACTICE. ACCORDINGLY, VORMETRIC DISCLAIMS ANY LIABILITY, AND SHALL
HAVE NO RESPONSIBILITY, ARISING OUT OF ANY FAILURE OF THE SOFTWARE TO OPERATE IN ANY ENVIRONMENT OR IN
CONNECTION WITH ANY HARDWARE OR TECHNOLOGY, INCLUDING, WITHOUT LIMITATION, ANY FAILURE OF DATA TO
BE PROPERLY PROCESSED OR TRANSFERRED TO, IN OR THROUGH LICENSEE'S COMPUTER ENVIRONMENT OR ANY
FAILURE OF ANY TRANSMISSION HARDWARE, TECHNOLOGY, OR SYSTEM USED BY LICENSEE OR ANY LICENSEE
CUSTOMER. VORMETRIC SHALL HAVE NO LIABILITY FOR, AND LICENSEE SHALL DEFEND, INDEMNIFY, AND HOLD
VORMETRIC HARMLESS FROM AND AGAINST, ANY SHORTFALL IN PERFORMANCE OF THE SOFTWARE, OTHER
HARDWARE OR TECHNOLOGY, OR FOR ANY INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS, AS A
RESULT OF THE USE OF THE SOFTWARE IN ANY ENVIRONMENT. LICENSEE SHALL DEFEND, INDEMNIFY, AND HOLD
VORMETRIC HARMLESS FROM AND AGAINST ANY COSTS, CLAIMS, OR LIABILITIES ARISING OUT OF ANY AGREEMENT
BETWEEN LICENSEE AND ANY THIRD PARTY. NO PROVISION OF ANY AGREEMENT BETWEEN LICENSEE AND ANY THIRD
PARTY SHALL BE BINDING ON VORMETRIC.
Protected by U.S. patents:
6,678,828
6,931,530
7,143,288
7,283,538
7,334,124
Vormetric Data Security includes a restricted license to the embedded IBM DB2 database. That license stipulates that
the database may only be used in conjunction with the Vormetric Security Server. The license for the embedded DB2
database may not be transferred and does not authorize the use of IBM or 3rd party tools to access the database
directly.
Contents
1 VDS Platform Overview 1
  Product Overview 1
    What the VDS Platform does 1
    What the VDS Platform is 1
  VDS Installation and Configuration Road Map 2
    Prerequisites 2
    VDS Installation, Configuration and Operations Roadmap 3
  Management Console Overview 3
    Access the Management Console 4
    Install licenses 5
    Allocate licenses and hours to a domain 5
    Set system log preferences 6
2 VDS Administrators and Domains 7
  VDS Administrator and Domain Overview 7
    VDS administrators 8
  To create VDS Platform administrators 11
    Create a VDS administrator 11
  Create a VDS Domain 13
    How to create a domain 13
3 Host Protection 15
  Protected Host Overview 15
  Add the protected host names to the DSM database 15
    Switch to the domain where you want to create the access policy 16
    Adding host names to DSM database 17
  Install the Agent on the Host 19
4 VDS Policies 21
  Policy Overview 21
    Policy creation 23
  Creating encryption keys 23
    Encryption key management 24
  Creating the Basic Encryption Policy 26
    Create policy 27
    Add an encryption key to the policy 29
  Creating the initial operational policy 31
    Name Policy 31
    Create Rule 1 33
    Create Rule 2 for the initial operational policy 36
    Add an encryption key to the policy 38
  Creating GuardPoints: Applying policies to directories 39
    Apply a policy to folders 39
5 Data Encryption and Protection 43
  Data Protection Overview 43
    Steps for protecting data 43
  Determine encryption method 44
    Restore encryption method 44
    Copy encryption method 45
    dataxform encryption method 46
    How to decide what method to use 46
  Using the Copy or Restore encryption method on file systems 46
    Prerequisites 47
    Apply the Initial Operational Policy to folders 47
  Using the Copy or Restore encryption method on block devices 48
    Prerequisites 48
    Other information for block devices 48
    Apply Initial Operational Policy to block device 49
  Using dataxform to encrypt your data 52
    dataxform encryption method prerequisites 52
    Create dataxform policy 53
    Apply the dataxform policy to the GuardPoints 56
    Execute dataxform to start data encryption in the GuardPoint 59
    Remove the dataxform policy and apply Initial Operational Policy 60
  Viewing the audit logs 62
    View and Analyze Audit Logs 62
    Search audit records by keyword 64
  Tune the Policies 64
    Policy tuning process 64
    Creating the policy 65
    Create Rule 1 66
    Add Rule 2 70
    Add Rule 3 71
    Add Rule 4 72
    Add an encryption key to the policy 73
6 DSM Backup and Restore 75
  DSM Backup and Restore Overview 75
  Create a Backup Encryption Wrapper Key 76
    To create the wrapper key 76
  Backup the DSM 79
    To backup the DSM 79
  Restore the DSM from a Backup Image 79
    To restore the DSM from a backup configuration 80
  Automatic Backups 80
    Setting Automatic DSM Backups 81
A Clustering the DSM for High Availability 83
  HA Overview 83
  Configuring a DSM for Failover 83
    Configure the DSM to resolve hostnames 84
    Add Failover DSM to Primary DSM cluster 84
    Convert Failover DSM 85
    Configure Replication from Primary DSM 86
PREFACE
This guide describes:
1 How to set up and configure the Vormetric Data Security Platform (VDS Installation and
Configuration Road Map on page 4).
2 The essential features, concepts and high-level architecture of the VDS Platform.
3 Instructions for how to protect your data on a cloud or on-site host machine. (Data Encryption
and Protection on page 28).
4 How to set up automatic DSM backup (DSM Backup and Restore on page 52).
5 How to set up an HA cluster for DSM (Clustering the DSM for High Availability on page 60).
This book is intended to teach you how to quickly use the Vormetric Data Security Platform
(VDS Platform) to secure sensitive data. More detailed information is available in the Vormetric
Data Security User Guide.
SCOPE
This document describes the basic steps to get your VDS Platform up and running.
INTENDED AUDIENCE
The VDS Quick-start Guide is intended for security teams who are setting up the VDS Platform
for the first time.
Assumptions
This document assumes that you have the following:
Vormetric Data Security Manager (DSM)
Linux, UNIX or Windows hosts on which you wish install the Vormetric Transparent Encryption
Agent to protect your data
VDS documentation (see Related documents on page vi)
This documentation assumes knowledge of network configuration.
RELATED DOCUMENTS
Vormetric Data Security Platform User Guide
Vormetric Data Security Manager Installation Guide
Vormetric Transparent Encryption Agent Installation and Configuration Guide
Vormetric Data Security Release Notes
TYPOGRAPHICAL CONVENTIONS
This section lists the common typographical conventions for Vormetric technical publications.
Typographical Conventions
Convention: bold, Times New Roman font
Usage: GUI labels and options
Example: Click the System tab and select General Preferences.
Convention: bold, fixed width (Courier New)
Usage: commands, arguments, switches, options, variables, elements, properties, objects, parameters, events
Example: session set appname=
Convention: regular fixed width (Courier New)
Usage: command and code examples; XML examples
Example: session start iptarget=192.168.253.102
Convention: italic regular font
Usage: GUI dialog box titles. Example: The General Preferences window opens.
Usage: Non-literal symbols. Example: myport, Failover.Port
Usage: File names, paths, and directories. Example: /usr/bin/
Usage: URLs and names of protocols. Example: http://server.domain.com:90/
Usage: Text to be replaced
Usage: Emphasis. Example: Do not resize the page.
Usage: New terminology. Example: CDF (Carousel Definition Format)
Convention: quotes
Usage: File extensions. Example: .js, .ext
Usage: Attribute values. Example: true, false, 0
Usage: Terms used in special senses. Example: 1+1 hot standby failover
SERVICE UPDATES AND SUPPORT INFORMATION
Vormetric's Master Software License and Hardware Purchase Agreement (MSLA) defines
software updates and upgrades, support and services, and governs the terms under which they
are provided. Any statements made in this guide or collateral documents that conflict with the
definitions or terms in Vormetric's MSLA, shall be superseded by the definitions and terms of
the MSLA. Any references made to upgrades in this guide or collateral documentation can
apply either to a software update or upgrade.
SALES AND SUPPORT
For support and troubleshooting issues:
help.vormetric.com
Email questions to [email protected] or call 877-267-3247
For Vormetric Sales:
http://enterprise-encryption.vormetric.com/contact-sales.html
(888) 267-3732
1 VDS PLATFORM OVERVIEW
This chapter describes the features, components and high-level architecture of the Vormetric
Data Security Platform (VDS Platform). It also describes how to log on to the VDS Management
Console. This chapter consists of the following sections:
VDS Installation and Configuration Road Map on page 2
Product Overview on page 1
Management Console Overview on page 3
PRODUCT OVERVIEW
What the VDS Platform does
The VDS Platform combines encryption, context-aware access control, and fine-grained audit
trails to create a data protection and encryption solution which is transparent to end users and
applications. With no changes to the existing infrastructure, the VDS Platform supports
separation of duties between data owners, server administrators and security administrators.
The VDS Platform protects data at rest. The VDS Platform can protect data residing on locally
attached storage (DAS), network-attached storage (NAS) or storage area networks (SAN). This can
be a mapped drive or mounted disk, or a location reached through a UNC path.
The VDS Platform supports FIPS 140-2.
What the VDS Platform is
VDS consists of a Data Security Manager (DSM) and one or more Vormetric Transparent
Encryption (VTE) agents residing on your protected hosts. Protected hosts contain your
sensitive data, or, if connected to a NAS or SAN, have access to your sensitive data. Protected
hosts can be on-site, in the cloud, or a hybrid of both.
The DSM is the central component of VDS, storing and managing data encryption keys, data
access policies, administrative domains, and administrator profiles. The DSM can be either a
security-hardened hardware appliance or a virtual appliance. The agents communicate with the
DSM and implement the security policies on their protected host systems.
The architecture of VDS is shown below.
Figure 1: Vormetric Data Security Architecture
The circled Vs represent the Vormetric Transparent Encryption agents on protected hosts. VM
stands for virtual machine. Communication between agents and the DSM is encrypted and secure. The
VDS Administrators establish access and encryption policies through the Management Console,
a browser-based interface to the DSM.
The VDS Platform achieves security with complete transparency to end users and no sacrifice of
application performance. It requires no changes to your existing infrastructure and supports
separation of duties between data owners, system administrators and security administrators.
VDS INSTALLATION AND CONFIGURATION ROAD MAP
Use the following road map to install and configure your VDS system.
Prerequisites:
You have received from Vormetric:
DSM device(s)
Agent licenses. A default number of licenses are installed on the DSM devices. If you run out or
the licenses expire, contact Vormetric Customer Support to get more.
VDS documentation (DSM Installation Guide, VDS Users Guide, this VDS Quick-start Guide and
the Windows, UNIX and Linux Release Notes).
You have installed:
UNIX, Linux, or Windows hosts on which you would like to protect data. These hosts conform to
the support matrices in the VDS UNIX, Linux or Windows Release Notes, and they have network
connectivity to the DSM.
VDS Installation, Configuration and Operations Roadmap
To set up the VDS Platform to protect your hosts, the following steps are required:
1 Install and configure your DSM. See the DSM Installation Guide.
2 Configure log preferences (see Management Console Overview on page 3).
3 Create VDS administrators and domains in the DSM. See VDS Administrators and Domains on page 5.
4 Add your protected host names or IP addresses to the DSM database. See Add the protected
host names to the DSM database on page 11.
5 Install VTE agents on your protected hosts and register them to the DSM. See Vormetric
Transparent Encryption Agent Installation and Configuration Guide. If you have obtained your
host from a third party, they will install the VTE agents and provide you with the host names.
6 If you are setting up a high availability configuration, add additional DSMs as necessary. See
Clustering the DSM for High Availability on page 60.
7 Back up your DSM (DSM Backup and Restore on page 52).
8 Optional: Set up your DSM for HA (Clustering the DSM for High Availability on page 60).
9 Set up GuardPoints (VDS protected directories) on your protected hosts and encrypt your
data. See VDS Policies on page 15 and Data Encryption and Protection on page 28.
MANAGEMENT CONSOLE OVERVIEW
The VDS Management Console is the primary interface to the security features of the VDS
Platform. VDS administrators perform almost all security work through the Management
Console. You can access the Management Console as soon as the DSM has been installed and
configured (see the Data Security Manager Installation Guide). In this section you will do the
following:
Access the Management Console
Logging into the Management Console is the most common operation you will perform as a
VDS Platform administrator. Here's how to do it:
1 Open a browser and enter the DSM URL over HTTPS. (This is either the DSM hostname, if
configured in DNS, or its IP address.) Example URL: https://dsm.vormetric.com
The Login window displays.
2 Enter the default login and password. The default login is admin. The default password is
admin123.
Note: You will be asked to change the default password upon first log in. Remember this new
password or you will not be able to log in again!
The Dashboard window displays.
Install licenses
Upload a license file
1 Get the license file from Vormetric.
2 Log on to the Management Console on the primary server as an administrator of type System
Administrator or All.
3 Select System > License in the menu bar. The License window opens.
4 Click Upload License File. The Upload License File window opens.
Note: If you are in a domain, the Upload License File button is disabled. Click Domain > Exit
Domain.
5 In the License File box, enter the full path of the license file or click Browse to locate and select
the license file.
6 Click Ok.
Allocate licenses and hours to a domain
Use these procedures to control how many licenses (Term) or license hours (Hourly) can be
used in a domain under the License tab in the Edit Domain window.
1 Click Domains > Manage Domains. The Domains window lists all the domains available to the
current administrator.
2 Click the domain link in the Name column. The Edit Domain window opens to the General tab.
3 Click the License tab. The fields under the License tab operate as follows:
Leave a field blank: agents can be registered in the domain according to the number of
licenses available on the system.
Enter a zero: no agents can be registered in this domain.
Enter a number in an Agent (Term) or Agent (Perpetual) field: the domain is restricted to that
number of hosts registered with that type of license.
Enter a date in the Expiration Date (Term) field: new hosts cannot register after the expiration
date. Active hosts continue to function until they are unregistered or rebooted.
Enter a number in the Core Hours (Hourly) field: the domain is restricted to that number of
core CPU hours with that agent. Active hosts continue to function until they are unregistered or
rebooted.
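The blank-versus-zero distinction above is the one most often misread, so here is an added Python model (not Vormetric's code and not the DSM's data model) of how those License tab fields gate a new host registration; the DomainLicense, DomainUsage and SystemPool types, their field names and the reason strings are assumptions made for this illustration.

```python
from dataclasses import dataclass
from datetime import date
from typing import Optional, Tuple

# Added example: a model of the per-domain license limits on the License tab.
# Type and field names are assumptions for illustration, not DSM identifiers.


@dataclass
class DomainLicense:
    # None models a field left blank (fall back to the system-wide pool);
    # 0 models an explicit zero (no agents may register in this domain).
    agent_term: Optional[int] = None
    agent_perpetual: Optional[int] = None
    expiration_term: Optional[str] = None      # ISO date "YYYY-MM-DD"
    core_hours_hourly: Optional[int] = None


@dataclass
class DomainUsage:
    term_hosts: int = 0
    perpetual_hosts: int = 0
    core_hours_used: int = 0


@dataclass
class SystemPool:
    # Licenses still available on the DSM as a whole (assumed counters).
    term_available: int = 0
    perpetual_available: int = 0
    core_hours_available: int = 0


def _check_count(limit: Optional[int], used: int, pool_available: int,
                 label: str) -> Tuple[bool, str]:
    """Shared blank / zero / number logic for one count-style field."""
    if limit is None:                       # field left blank
        if pool_available > 0:
            return True, f"{label}: field blank, {pool_available} system license(s) left"
        return False, f"{label}: field blank and system pool exhausted"
    if limit == 0:                          # explicit zero closes the domain
        return False, f"{label}: field is zero, domain closed to new agents"
    if used >= limit:                       # domain-level cap reached
        return False, f"{label}: domain cap of {limit} reached ({used} in use)"
    if pool_available <= 0:                 # cap not reached, but nothing left system-wide
        return False, f"{label}: domain cap not reached but system pool exhausted"
    return True, f"{label}: {used + 1}/{limit} after this registration"


def can_register(license_type: str, dom: DomainLicense, usage: DomainUsage,
                 pool: SystemPool, today: str) -> Tuple[bool, str]:
    """Decide whether a NEW host with the given license type may register.

    This is a registration-time check only: hosts that are already active keep
    running until they are unregistered or rebooted, as the guide states.
    For the hourly type the core-hour budget is treated as a simple counter.
    """
    if license_type == "term":
        if dom.expiration_term is not None and \
                date.fromisoformat(today) > date.fromisoformat(dom.expiration_term):
            return False, f"term: expiration date {dom.expiration_term} has passed"
        return _check_count(dom.agent_term, usage.term_hosts,
                            pool.term_available, "term")
    if license_type == "perpetual":
        return _check_count(dom.agent_perpetual, usage.perpetual_hosts,
                            pool.perpetual_available, "perpetual")
    if license_type == "hourly":
        return _check_count(dom.core_hours_hourly, usage.core_hours_used,
                            pool.core_hours_available, "hourly")
    return False, f"unknown license type {license_type!r}"


if __name__ == "__main__":
    pool = SystemPool(term_available=5, perpetual_available=5, core_hours_available=1000)
    for name, dom, usage in [
        ("blank field", DomainLicense(), DomainUsage()),
        ("explicit zero", DomainLicense(agent_term=0), DomainUsage()),
        ("cap reached", DomainLicense(agent_term=2), DomainUsage(term_hosts=2)),
        ("expired", DomainLicense(expiration_term="2014-01-01"), DomainUsage()),
    ]:
        print(name, can_register("term", dom, usage, pool, "2014-05-28"))
```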
Set system log preferences
1 Click System > Log Preferences > FS Agent Log. The File System Log Preferences window opens.
2 If not already done, make the following log preference changes:
Change Policy Evaluation/Level to INFO, and check the Policy Evaluation/Log to File/Level
checkbox.
Click Apply and Ok. This is a more useful log preference setting.
2 VDS ADMINISTRATORS AND DOMAINS
Once your DSM is installed and configured, you must 1) create VDS administrator accounts for the administrators who will be responsible for data security, and 2) create VDS domains containing the hosts that VDS administrators will protect. Once hosts are added to the domains, VDS administrators can create encryption keys and policies, assign them to sensitive data, and perform other data security operations through the Management Console.
This chapter describes Vormetric Data Security (VDS) administrators and domains: what they are and how to create them. It contains the following sections:
VDS Administrator and Domain Overview on page 7
To create VDS Platform administrators on page 11
Create a VDS Domain on page 13
VDS ADMINISTRATOR AND DOMAIN OVERVIEW
VDS Platform administrators (or simply VDS administrators) manage the VDS infrastructure and perform various security operations to protect sensitive data on hosts. Vormetric recommends not assigning this role to the system administrators of protected hosts. System administrators generally have access to all the data on all the machines that they administer. To enforce separation of duties, a VDS administrator should have no access to data or user accounts on any protected host. The VDS administrator's sole responsibility is to provide data access to those who need it and block data access to those who don't need it, including system administrators.
The VDS platform allows you to group one or more protected hosts and their associated encryption keys and policies in a container called a VDS domain. VDS domains allow horizontal separation of the DSM, where different business units, application teams or geographical locations can share a DSM without having access to each other's security configuration. The domain is a logical entity that separates administrators and the data they access from other administrators. Administrative tasks are performed in each domain based upon each administrator's assigned type. The benefits of administrative domains are:
Segregation of data for increased security
Separation of responsibilities
No one administrator has complete control over Vormetric Data Security and the data it protects
Figure 2: Vormetric Data Security Domains
VDS administrators
VDS administrators protect data by establishing data access policies, encrypting data, and auditing data access attempts. VDS administrators are assigned to domains, which are groups of one or more VDS-protected hosts sharing the same administrators and data security policies.
After initial DSM configuration, you can log in with the default VDS System Administrator account, admin. It is highly recommended that you use this account to log in to the DSM web console and create other Administrator accounts. After this operation, you should not use the admin account; use the newly created accounts for any further configuration.
Five types of administrators are provided, each of which is allowed to perform specific administrative tasks. The administrator types are:
By default, an administrator is assigned one administrative type and is allowed to perform the tasks for that one administrative type only. This approach requires at least three administrators, each assigned to a different type.
Role                              Permissions
System Administrator              Add and delete all administrators
                                  Reset passwords for all administrators
                                  Add and delete all domains
                                  Assign one Domain Administrator to each domain
                                  Configure HA
                                  Configure syslog server for system-level messages
                                  Upgrade DSM software
                                  Backup and restore DSM database
                                  Install license file
                                  Import 3.x configuration
                                  Configure preferences
                                  View logs
Domain Administrator              Add and remove administrators (Domain, Security, All) to and from domains
                                  Configure Security Administrator roles (Audit, Key, Policy, Host, Challenge & Response)
                                  Configure syslog server for application-level messages
                                  View preferences
                                  View logs
Security Administrator            Configure signature sets
                                  Configure keys and key groups
                                  Configure online and offline policies
                                  Configure hosts and host groups
                                  Assign host passwords (manually or generated)
                                  Apply GuardPoints
                                  Share a host with another domain
                                  Export the DSM public key
                                  Import symmetric keys
                                  View preferences
                                  View logs
Domain and Security Administrator Domain Administrator and Security Administrator combined. Administrators of this type are deleted from the DSM database upon switching from relaxed to strict domain mode.
All                               System, Domain, and Security Administrators combined. Administrators of type All are deleted from the DSM database upon switching from relaxed to strict domain mode.
Administrator type assignment can also be configured so that one administrator can perform the tasks of all three administrative types: System, Domain, and Security administrators. This approach provides less control because one administrator can administer the entire DSM. Also, a single administrator can be configured to perform the tasks of a Domain Administrator and Security Administrator combined. The Domain and Security Administrator can perform every task that is allowed to a user from inside a domain. For example, the Domain and Security Administrator can add users to the domains of which it is a member, but it cannot create new users.
System Administrator type
The System Administrator type operates outside of domains. It creates domains and assigns administrators of type Domain Administrator to the domains. Administrators of types Domain Administrator and Security Administrator operate within those domains. Administrators of type All can operate both inside and outside of domains. When an administrator of type All enters a domain, the administrator can perform Domain Administrator and Security Administrator tasks. When an administrator of type All exits the domain, the administrator can perform System Administrator tasks.
The default DSM administrator, admin, has a System Administrator type. In this type, the admin administrator creates additional administrators and domains, and then it assigns one administrator of type Domain Administrator to each domain.
Domain Administrator type
The Domain Administrator adds additional Domain Administrators to each domain. One Domain Administrator can be a member of multiple domains. If a Domain Administrator is a member of multiple domains, it can easily switch between the domains. The Domain Administrator also adds Security Administrators to a domain and assigns them roles (for example, Audit, Key, Policy, Host, and/or Challenge & Response) that are applied only within that domain.
The System Administrator creates domains but does not operate within them; however, all
tasks performed by the Domain Administrator and Security Administrator occur within
domains. The Domain Administrator and Security Administrator must always know what
domain they are in before performing any task. If you log in as a Domain Administrator or a
Security Administrator, and you notice that the administrator, host, or log data is wrong, you
are most likely in the wrong domain.
Security Administrator type
One Security Administrator can be assigned to multiple domains; however, the Security Administrator has only the roles that were assigned when it was made a member of that domain. That is, the same administrator can have different roles in different domains.
Roles are assigned by Domain Administrators when they assign a Security Administrator to a domain. A brief description of each role follows. For detailed information see the VDS Users Guide.
Audit. Allows the Security Administrator to view log data.
Key. Allows the Security Administrator to create, edit, and delete local key-pairs, public keys only, and key groups. Can also view log data.
Policy. Allows the Security Administrator to create, edit, and delete policies. (A policy is a set of rules that specify who can access which files with what executable during what times. Policies are described in more detail later.) Can also view log data.
Host. Allows the Security Administrator to configure, modify, and delete hosts and host groups. Can also view log data. The Challenge & Response role is automatically selected when the Host role is selected.
Challenge & Response. Allows a VDS Security Administrator to generate a temporary password to give to a system user to decrypt encryption keys cached on the host when there is no connection to the DSM.
TO CREATE VDS PLATFORM ADMINISTRATORS
This section describes how to create VDS administrators. A default VDS Administrator called admin is already created. Additional administrators are required to perform duties that admin cannot.
Create a VDS administrator
1 Log in to the Management Console as the DSM System Administrator admin.
2 Click Administrators. The Administrators window opens listing all the administrators for this DSM. admin is created by default and cannot be deleted.
3 Click Add. The Add Administrator window appears.
4 Enter your information into the corresponding text fields. Example:
Login:
Description: Admin of type All
Password: Temp123!
Confirm Password: Temp123!
User Type: All
Note: The first time you log in to the Management Console on a newly created VDS
Administrator account, you will be prompted to change its password. You will not be allowed to
use the same password that you enter here. If you have a specific password you want to use, do
not enter it here as you will have to change it at first login.
5 Click Ok. A new Vormetric Administrator is created.
CREATE A VDS DOMAIN
A VDS domain is a group of one or more VDS-protected hosts under the control of an assigned VDS administrator. Before a protected host can be administered, it must be placed in a domain.
How to create a domain
1 If you are already logged in to the Management Console, log out and log in again as the DSM System Administrator admin. Otherwise, just log in as admin.
2 On the menu bar click Domains > Manage Domains to bring up the Manage Domains window.
3 Click Add to bring up the Add Domain window.
4 Under the General tab, fill in a Domain Name. For example, Marketing_Domain. The next two fields are optional. Description identifies the domain. Help Desk Information is the phone number to call to get the response string for challenge-response authentication. If you leave this box empty, the default message is "Please contact a Security Server administrator for a response."
5 Click Ok to create the new domain.
6 Click the Assign Admin tab to assign a VDS administrator. You can assign an administrator anytime after the domain is created. Note that you will not be able to switch to, or access, the domain until you assign an administrator.
7 After the domain is created and has an administrator, you can add hosts to it. See Add the protected host names to the DSM database on page 11 and Install the Agent on the Host on page 14.
3 HOST PROTECTION
A host is a machine that stores your sensitive data. A protected host contains a VTE agent that downloads the data protection policies and encryption keys from the DSM. The agent enforces those policies and encrypts data as specified.
This chapter describes how to create protected hosts. It consists of the following sections:
Protected Host Overview on page 15
Add the protected host names to the DSM database on page 15
Install the Agent on the Host on page 19
PROTECTED HOST OVERVIEW
Before you can create protected hosts, you must have a working DSM and your hosts must have network connectivity to the DSM. The steps for creating protected hosts are:
Add the protected host names to the DSM database (Add the protected host names to the DSM database on page 15).
Install the VTE Agent on each host and register it with the DSM. See the Vormetric Transparent Encryption Agent Installation and Configuration Guide.
Add encryption and access policies to specific directories on the host (VDS Policies on page 15).
ADD THE PROTECTED HOST NAMES TO THE DSM DATABASE
Your host names must be added to the DSM database before the VTE agent can be installed and data is protected on them. This section describes how to do this. To add a host to the DSM database, you will need the host's name, Fully Qualified Domain Name (FQDN, 54 characters max) or IP address.
Switch to the domain where you want to create the access policy
1 Log on to the Management Console as a Security Administrator with Key and Policy roles or as an administrator of type All.
2 Switch to the domain containing the host you wish to protect. Click Domains > Switch Domains. The Switch Domains window opens.
3 Select the domain that will contain the protected host and click Switch to domain. The domain in which you are working is displayed in the upper right corner of the Management Console. A domain was created in Create a VDS Domain on page 13.
Adding host names to the DSM database
1 Select Hosts > Hosts in the menu bar. An empty Hosts window opens.
2 Click Add. The Add Host window opens.
3 Enter the following information:
Host Name: Enter the IP address, host name or FQDN. Host names cannot contain an underscore.
Select a Password Creation Method. This is the password that a host user can use to unlock a GuardPoint when the connection to the DSM is broken. For example, if a host user cannot access a GuardPoint because the connection to the DSM is down, the user can execute a VDS password command on the host. The command will provide the phone number of the Security Administrator, who will provide the user with a password to access the GuardPoint. If the method selected is Manual, then this password is static. If the method selected is Generate, then the user will be given a challenge string to provide to the Security Administrator, who will use the string to generate a dynamic password. Select Generate.
Description: Optional. Enter text to identify the host or its function. Limited to 256 characters.
Registration Allowed Agents: Select the agents that will run on the host system. Depending on your license, your choices are FS (file system), Key (for Oracle database or Microsoft SQL TDE) and DB2 (backup). You must select the agents here before you can register that agent with the DSM.
License Type: Choose the type of license that will run on this host. Options are Perpetual, Term, and Hourly, depending on the system license.
4 Click Ok. You are returned to the Hosts window.
5 Click the hostname link that you just added to the DSM database. This brings up the General tab of the Edit Host window. Make sure the Communication Enabled checkbox is checked for all agent types registered.
6 Your host is added to the DSM database.
7 Repeat for all your protected hosts.
INSTALL THE AGENT ON THE HOST
Once your hostnames are added to the DSM database, you can install the VTE agent on the host and register it with the DSM. See the Agent Installation and Configuration Guide. After installing and registering your VTE agent on your host, you can create policies to protect its data. See VDS Policies on page 15.
The Hosts window with protected hosts is shown below.
4 VDS POLICIES
This chapter describes data security policies and how to create them. You will create a policy
that will be used in subsequent chapters. This chapter contains the following sections:
Policy Overview on page 21
Creating encryption keys on page 23
Creating the Basic Encryption Policy on page 26
Creating the initial operational policy on page 31
Creating GuardPoints: Applying policies to directories on page 39
POLICY OVERVIEW
The VDS Security Administrator creates policies to protect data. Policies employ two mechanisms to do this:
Data encryption. Policies can specify that data written to a particular directory (called a GuardPoint) is encrypted. That data can only be decrypted by specified users. Anyone else who tries to access it will only get useless encrypted data.
Access control. Policies can specify which users can access which files and directories in a GuardPoint. Policies can furthermore specify which executables and actions can be used, and at what times.
Thus, policies govern access to, and encryption of, the files in Vormetric-protected directories called GuardPoints. Furthermore, policies can enable auditing such that each time a user accesses a GuardPoint, a log message is created with all the details.
A VDS policy itself consists of a set of rules that control how GuardPoint data can be accessed by users and processes. Each rule consists of five criteria and an effect:
Criterion   Description
Resource    Specifies which files and/or directories in a GuardPoint are to be protected. Example: /secure_dir/financials. Default is All.
User        Specifies which user(s) or groups can access protected data. Default is All.
Process     Specifies which executables can access protected data. Default is All.
When        Specifies the time range when protected data can be accessed. Default is All.
Action      Specifies the allowed action(s) on the protected data. Example: read, write, remove, rename, make directory. Default is All.
Every time a user or application attempts to access a GuardPoint file, the access attempt passes through each rule of the policy until it finds a rule where all the criteria are met. When a rule matches, the Effect associated with that rule is enforced. Effect can have the following values:
Permit or Deny - Specifies whether access to protected data is permitted or denied.
Apply Key - Specifies that data going in or coming out of a GuardPoint be encrypted.
Audit - Specifies that data access attempts be recorded and logged.
A criteria field that is left blank specifies a value of All. Thus, if User is blank, the rule applies to all users; if When is blank, the rule applies to all times; if Process is blank, the rule applies to all executables, and so on. Effect can never be blank. It must have at least a permit (allow access) or deny (deny access).
Rules are evaluated much like firewall rules; they are evaluated in order, from first to last, and
evaluation stops when a match is made on a given rule. Therefore, it is important to carefully
order a policy's rules to achieve the desired result.
Note: We recommend creating policies that follow the model of PERMIT ALL EXCEPT, as it is generally easy to create and understand, and it accommodates most circumstances.
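The first-match rule evaluation described above, as an added example that is not Vormetric's code: a toy evaluator over the five criteria and the Effect, a PERMIT ALL EXCEPT policy beside the same rules in the wrong order, and a check that flags rules an earlier catch-all makes unreachable. The user name, path, hours and the deny-when-nothing-matches default are assumptions.

```python
"""Toy first-match evaluator for the VDS policy model described above.

Constructed example, not Vormetric code. A rule has five criteria
(Resource, User, Process, When, Action) and an Effect; a blank criterion
means All, rules are tried in order and the first full match decides.
"""
from __future__ import annotations

from dataclasses import dataclass

CRITERIA = ("resource", "user", "process", "when", "action")


@dataclass
class Rule:
    effect: str                 # "permit" or "deny"; never blank
    resource: str = ""          # path prefix inside the GuardPoint; "" = All
    user: str = ""              # comma-separated users or groups; "" = All
    process: str = ""           # comma-separated executables; "" = All
    when: tuple = ()            # (start_hour, end_hour), 24h clock; () = All
    action: str = ""            # comma-separated actions; "" = All
    apply_key: bool = False     # Apply Key effect: encrypt/decrypt via this rule
    audit: bool = False         # Audit effect: log the attempt


@dataclass
class Access:
    """One access attempt as the agent would see it (constructed)."""
    resource: str
    user: str
    process: str
    hour: int
    action: str


def _in_list(criterion: str, value: str) -> bool:
    """A blank criterion matches everything; otherwise value must be listed."""
    return criterion == "" or value in {v.strip() for v in criterion.split(",")}


def rule_matches(rule: Rule, access: Access) -> bool:
    """All five criteria must match for the rule to apply."""
    if rule.resource and not access.resource.startswith(rule.resource):
        return False
    if rule.when and not (rule.when[0] <= access.hour < rule.when[1]):
        return False
    return (_in_list(rule.user, access.user)
            and _in_list(rule.process, access.process)
            and _in_list(rule.action, access.action))


def evaluate(policy: list[Rule], access: Access) -> dict:
    """Walk the rules in order, firewall-style, and stop at the first match.

    Returns the 1-based index of the deciding rule and the effect applied.
    If no rule matches, this toy denies (an assumption; the guide does not
    say what the agent does when nothing matches).
    """
    for index, rule in enumerate(policy, start=1):
        if rule_matches(rule, access):
            return {"rule": index, "effect": rule.effect,
                    "apply_key": rule.apply_key, "audit": rule.audit}
    return {"rule": None, "effect": "deny", "apply_key": False, "audit": False}


def shadowed_rules(policy: list[Rule]) -> list[int]:
    """1-based indices of rules that can never fire because an earlier rule
    is at least as broad in every criterion (blank, or identical)."""
    shadowed = []
    for j, later in enumerate(policy):
        for earlier in policy[:j]:
            if all(getattr(earlier, c) in ("", (), getattr(later, c))
                   for c in CRITERIA):
                shadowed.append(j + 1)
                break
    return shadowed


# Constructed policy following the PERMIT ALL EXCEPT model: the exceptions
# (deny rules) come first and the catch-all permit with Apply Key and
# Audit comes last. The user name, path and hours are made up.
PERMIT_ALL_EXCEPT = [
    Rule(effect="deny", user="backup", action="remove,rename"),
    Rule(effect="deny", resource="/secure_dir/financials", when=(0, 8),
         action="write"),
    Rule(effect="permit", apply_key=True, audit=True),
]

# The same rules in the wrong order: the catch-all now matches every
# attempt first, so both deny rules are unreachable.
MISORDERED = list(reversed(PERMIT_ALL_EXCEPT))


if __name__ == "__main__":
    attempt = Access("/secure_dir/financials/q1.xls", "backup", "rm", 10, "remove")
    print("ordered   :", evaluate(PERMIT_ALL_EXCEPT, attempt))
    print("misordered:", evaluate(MISORDERED, attempt))
    print("shadowed rules in misordered policy:", shadowed_rules(MISORDERED))
```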
Policy creation
The rest of this chapter describes how to create policies. Two specific policies are described: the Basic Encryption Policy and the Initial Operational Policy.
The Basic Encryption Policy simply encrypts data written to a GuardPoint, and decrypts it when it is accessed from the GuardPoint directory by an authorized user (a user with directory-read permissions). Anyone else who obtains the GuardPoint data will only get encrypted, unusable data. This is described in Creating the Basic Encryption Policy on page 26.
The initial operational policy is designed to encrypt the data and also control user access. The initial operational policy audits all GuardPoint activity and provides a detailed log of access and usage. By studying the audit log, the Security Administrator can tune the policies to limit which users have access to the decrypted data, as well as what executables and actions they can use. See Creating the initial operational policy on page 31.
Before either of these policies is created, you must create encryption keys. See Creating encryption keys on page 23.
CREATING ENCRYPTION KEYS
Encryption keys encrypt and decrypt data. Once encryption is applied, you must keep track of the encryption keys that you are using. Encrypted data is unusable without the proper keys.
A key's attributes and the policies you apply to a host determine whether a constant connection is required between the DSM and the File System Agent. Hosts with their keys Stored on DSM Server require a constant connection to the DSM. As long as the DSM and host are connected, the policies stay in effect. When the network connection is interrupted, users cannot access encrypted data. Users can resume access after the network connection is re-established.
Hosts with keys Cached on Host are a different matter. The policies stay in effect as long as the DSM and host are connected. When the network connection is interrupted, data access is interrupted; however, users can still access encrypted data by requesting a temporary password from a security administrator.
See the VDS Users Guide for more details.
Encryption key management
Establishing an encryption key strategy
You can create a single data encryption key for each GuardPoint, for each server, for all the servers in your company, or anything in between. Additionally, there can be one key for each of the major environments, for example, your production and non-production environments.
You want to choose an approach that strikes a balance between maximizing security and minimizing the administrative overhead of periodic key rotations. Basically, more keys can create more security at the cost of more complexity and overhead.
Encryption key naming convention
Define a naming convention for creating data encryption keys. This allows administrators to know where the key will be applied to encrypt/decrypt data. The following is an example of a simple self-documenting key naming convention:
[BU]_[Environment]_KEY_[Strength]_[date]_[n]
Where:
BU is the name of the business unit.
Environment indicates the environment for this key. For example: production or non-production.
Key is a literal labeling this file as a key file.
Strength is the algorithm used to create the key and the key length.
date indicates the date (year and month) this key was created.
n indicates this is the nth copy of the key.
Below is an example of a key name using this convention:
SALES_PROD_KEY_AES256_2014-04_2
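A parser and checker for the naming convention above, added here as an example that is not part of the guide or of Vormetric's software. The accepted environment names (PROD, NONPROD) and strengths (AES128, AES256) are assumptions for the check; the 64-character limit is the key Name field limit stated later in this chapter.

```python
"""Parser and checker for the self-documenting key naming convention
[BU]_[Environment]_KEY_[Strength]_[date]_[n] described above.

Constructed example, not Vormetric code. ENVIRONMENTS and STRENGTHS are
assumed values for the check; the DSM itself only enforces the name length.
"""
import re
from datetime import date

KEY_NAME_RE = re.compile(
    r"^(?P<bu>[A-Z][A-Z0-9]*)_(?P<env>[A-Z][A-Z0-9]*)_KEY_"
    r"(?P<algorithm>[A-Z]+)(?P<bits>\d+)_(?P<year>\d{4})-(?P<month>\d{2})_(?P<n>\d+)$"
)
ENVIRONMENTS = {"PROD", "NONPROD"}         # assumed short forms of production / non-production
STRENGTHS = {("AES", 128), ("AES", 256)}   # assumed; AES256 is the strength the guide uses
MAX_NAME_LEN = 64                          # key Name field limit given in the guide


def parse_key_name(name: str) -> dict:
    """Split a key name into its fields; raise ValueError with the reason
    if it does not follow the convention."""
    if len(name) > MAX_NAME_LEN:
        raise ValueError(f"name longer than {MAX_NAME_LEN} characters")
    match = KEY_NAME_RE.match(name)
    if match is None:
        raise ValueError("name does not match [BU]_[Environment]_KEY_[Strength]_[date]_[n]")
    f = match.groupdict()
    if f["env"] not in ENVIRONMENTS:
        raise ValueError(f"unknown environment {f['env']}")
    strength = (f["algorithm"], int(f["bits"]))
    if strength not in STRENGTHS:
        raise ValueError(f"unsupported strength {f['algorithm']}{f['bits']}")
    try:
        created = date(int(f["year"]), int(f["month"]), 1)   # month must be 01..12
    except ValueError as exc:
        raise ValueError(f"bad creation date {f['year']}-{f['month']}") from exc
    copy = int(f["n"])
    if copy < 1:
        raise ValueError("copy number n must be 1 or greater")
    return {"bu": f["bu"], "environment": f["env"], "algorithm": f["algorithm"],
            "bits": int(f["bits"]), "created": created, "n": copy}


def build_key_name(bu: str, env: str, algorithm: str, bits: int,
                   created: date, n: int) -> str:
    """Compose a name from its fields and check it round-trips through the parser."""
    name = f"{bu}_{env}_KEY_{algorithm}{bits}_{created:%Y-%m}_{n}"
    parse_key_name(name)   # raises if the pieces do not form a valid name
    return name


def next_copy_name(name: str) -> str:
    """Name for the next copy (n + 1) of an existing key."""
    f = parse_key_name(name)
    return build_key_name(f["bu"], f["environment"], f["algorithm"],
                          f["bits"], f["created"], f["n"] + 1)
```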
Creating a data encryption key
1 Go to Keys > Agent Keys > Keys in the Management Console to bring up the Agent Keys window.
2 Click Add to bring up the Add Agent Key window.
3 Enter a key name, description and security algorithm.
Name: Name of key. 64 character limit.
Description: Optional key description. 265 character limit.
Template: A key template with a set of pre-defined attributes. To create a Microsoft SQL Server TDE agent asymmetric key, choose Default_SQL_Asymmetric_Key_Template and do not change any of the custom attribute values.
Algorithm: Algorithm used to create the key.
Key Type: Location for the encryption key. Stored on Server keys are downloaded to non-persistent memory on the host. Each time the key is needed, the host retrieves the key from the DSM. Cached on Host downloads and stores (in an encrypted form) the key in persistent memory on the host. The cached keys are used when there is no network connection between the host and DSM. All hosts using the same encryption key can access encrypted data on other hosts that use the same key. The Unique to Host checkbox is displayed when Cached on Host is selected.
Unique to Host: When enabled with Cached on Host, makes the encryption key unique. The key is downloaded to the host, encrypted using the host password, and stored. These keys are used for locally attached devices, as files encrypted by them can only be read by one machine. Do not enable this checkbox for cloned systems, RAID configurations, clustered environments, or any environment that utilizes host mirroring. Requires that Key Creation Method is set to Generate.
Key Creation Method: Select to generate a key using a random seed (Generate) or by Manual Input.
Expiry Date: Date the key expires.
Key Refreshing Period (minutes): Used only with the Oracle Database TDE and Microsoft SQL Server TDE Key Agent. Minutes you want the key in the local key cache before it is refreshed.
Example:
Name: SALES_PROD_KEY_AES256_2014-04_2
Description: Key for Sales Dept.
Algorithm: AES256
All other values are the default.
4 Click OK. Your new key is created and displayed in the Agent Keys window.
5 Create as many keys as desired.
CREATING THE BASIC ENCRYPTION POLICY
The Basic Encryption Policy encrypts data written to a GuardPoint and decrypts it when it is accessed from the GuardPoint directory by an authorized user (a user with directory-read permissions). Anyone else who obtains the GuardPoint data will only get encrypted, unusable data. This is described in Creating the Basic Encryption Policy on page 26.
The Basic Encryption Policy consists of a single rule:
Rule 1 specifies that data written to a GuardPoint is encrypted, and that any user with access to the GuardPoint directory can access the decrypted data.
The rest of this section describes how to create the initial operational policy.
Create policy
1 Log on to the Management Console as an administrator of type All, or as a Security Administrator with Key and Policy roles. Switch to the domain containing the host you wish to protect (see Switch to the domain where you want to create the access policy on page 17).
2 Create a data encryption key for the Basic Encryption Policy. See Creating encryption keys on page 23.
3 Click Policies > Manage Policies to list the policies available to this domain. In this example, there are two policies.
4 Click Add Online Policy to create a new policy. The Add Online Policy window opens. Enter a name and optional description for your policy. In our example we use the name basic-encryption-policy.
5 Click Add in the Security Rules panel. The Add Security Rule window opens.
6 Click Effect. The Select Effect window opens. Select Permit (permit user access) and Apply Key (encrypt data written into the GuardPoint).
7 Click Select Effect. The Edit Security Rule window opens with Effect defined. Click Ok. The Edit Online Policy window opens with Rule 1 added.
Add an encryption key to the policy
Whenever you specify Apply Key in an effect, you must add an encryption key to the policy.
1 Click Add in the Key Selection Rules panel.
2 The Add Key Rule window opens.
3 Select Key. The Agent Keys window opens. Select the key you created earlier (our example: SALES_PROD_KEY_AES256_2014-04_2) and click Select Key. The Add Key Rule window returns. The Resource field is optional. It opens the Resource Set List window from which you can select or create the resource set whose members are to be encrypted. See the VDS Users Guide for details.
4 Click Ok. The Edit Online Policy window opens with the new key added to the Key Selection Rules panel.
5 Click Ok. The basic-encryption-policy is created. When you apply this policy to a directory, that directory becomes a GuardPoint, and any data written to that directory is encrypted. The policy encrypts data copied in and decrypts data accessed from the GuardPoint.
CREATING THE INITIAL OPERATIONAL POLICY
An initial operational policy is often the first data security policy applied to a GuardPoint. The initial operational policy described here:
Encrypts all data written into the GuardPoint.
Decrypts the GuardPoint data for any user who attempts access.
Audits and creates log messages for every GuardPoint access.
Reduces log message noise so you can analyze the messages that are important to you for tuning this policy.
In a common VDS deployment you apply the initial operational policy to a GuardPoint, write
your sensitive information into the GuardPoint directory so that it is encrypted, and direct data
users to this new directory. Over time you analyze the audit messages to assess who accesses
protected data and how. You then tune the initial operational policy to limit access and
decryption to only those who need it, using only appropriate executables, exercising only the
appropriate actions (read, write, modify and so on) and at the appropriate times.
The initial operational policy described here consists of two rules:
Rule 1 specifies that all users can read the attributes and properties of any file and directory in
a GuardPoint. The purpose of this rule is to reduce excessive log messages so you can analyze
log files without excess noise.
Rule 2 specifies that files written in the GuardPoint are encrypted, that all users have unlimited
access to the decrypted files, and that every operation is audited.
The rest of this section describes how to create the initial operational policy.
Name Policy
1 Log on to the Management Console as an administrator of type All, or as a Security
Administrator with Key and Policy roles. Switch to the domain containing the host you wish to
protect (see Switch to the domain where you want to create the access policy on page 17).
2 Create a data encryption key for the initial operational policy. See Creating encryption keys on
page 23.
3 Click Policies > Manage Policies to list the policies available to this domain. In this example,
there are two policies.
4 Click Add Online Policy. The Add Online Policy window opens.
5 Enter a name and optional description for your policy. In our example we use the name basic-access-policy. Select Learn Mode.
Learn Mode permits a policy to be tested without actually denying access to resources. In Learn
Mode, all actions that would have been denied are instead permitted. These actions are logged
to assist in tuning and troubleshooting policies. Learn Mode is highly recommended for
policies that restrict by application (process), as many applications use multiple binaries that
may not be known to the creator of the policy at the time of creation. See the Vormetric Data Security Platform Users Guide for details.
Enabling Learn Mode will disable the policy, but track each attempt that matches any
security rule in the policy. A deny statement in Effect must include apply_key when Learn Mode
is enabled. This option generates a warning each time an access attempt is made that matches
any security rule in the policy. This warning is sent as a log message and it can be viewed in the
Management Console (if it is configured to accept Warnings).
6 Click Add in the Security Rules panel.
Create Rule 1
The purpose of this rule is to reduce excessive log messages so you can analyze log files without
excess noise.
1 Select Action in the Add Security Rule window.
2 The Select Action window opens. Select f_rd_att, f_rd_sec, d_rd_att and d_rd_sec.
The selected actions have the following meanings:
d_rd_att - Can read the attributes of a directory (example: ls -la).
d_rd_sec - Can view the security properties of a Windows folder, such as on the Security tab of
the Properties window.
f_rd_att - Can read the attributes of a file (example: ls -l).
f_rd_sec - Can view the security properties of a Windows file, such as on the Security tab of the
Properties window.
See the VDS Users Guide for a full description of the Actions.
3 Click Select Action. The Add Security Rule window opens with Action defined.
4 Click Effect. The Select Effect window opens.
5 Select Permit (permit GuardPoint access) and then Select Effect. The Edit Security Rule window
opens with Effect defined. Click Ok. The Edit Online Policy window opens with Rule 1 added.
Create Rule 2 for the initial operational policy
This rule specifies that files written in the GuardPoint are encrypted, that all users have unlimited access to the decrypted files, and that every operation is audited.
1 Click Add in the Security Rules panel. The Add Security Rule window opens.
2 Select Action. The Select Action window opens.
3 Select all_ops. all_ops allows any operation to be performed in the GuardPoint. Click Select
Action. The Add Security Rule window opens with Action defined.
4 Click Effect. The Select Effect window opens.
5 Select Deny (deny access to GuardPoint), Apply Key (see below) and Audit (create a log entry for
access attempts). Then click Select Effect. The Add Security Rule window opens with Effect
defined.
Apply Key - Applies an encryption key to data in a GuardPoint. Data copied into the GuardPoint
is encrypted with the key specified in the Key Selection Rules tab. Data accessed from the
GuardPoint is decrypted using the same key.
6 Click Ok. The Edit Online Policy window opens with Rule 2 added.
Add an encryption key to the policy
Whenever you specify Apply Key in an effect, you must add an encryption key to the policy.
1 Click Add in the Key Selection Rules panel.
2 The Add Key Rule window opens.
3 Select Key. The Agent Keys window opens. Select the key you created earlier (our example:
SALES_PROD_KEY_AES256_2014-04_2) and click Select Key. The Add Key Rule window returns.
4 Click Ok. The Edit Online Policy window opens with the new key added to the Key Selection Rules
panel.
5 Click Ok. basic-access-policy encrypts data copied in and decrypts data accessed from the
GuardPoint.
CREATING GUARDPOINTS: APPLYING POLICIES TO DIRECTORIES
When a policy is applied to a directory, that directory is called a GuardPoint. This section describes how to create GuardPoints.
Apply a policy to folders
1 Log on to the Management Console as an administrator of type All, or as a Security
Administrator with Key and Policy roles. Switch to the domain containing the host you wish to
protect (see Switch to the domain where you want to create the access policy on page 17).
2 Click Hosts > Hosts in the Management Console. The Hosts window opens.
3 Click on the protected host name in blue where you will create the GuardPoints. The Edit Host
screen opens.
4 Click the Guard FS (File System) tab. The host's GuardPoints, if any, are displayed. Click Guard to
create a new GuardPoint.
5 The Guard File System panel opens.
For Policy, choose the policy name you want to apply to the directory. For example, basic-encryption-policy or basic-access-policy.
For Type, use Directory (Auto Guard) for directories.
For Path, enter the GuardPoint directory. For example, /vipdata for Linux and UNIX hosts or c:\Users\Marketing1\vipdata for Windows hosts.
Optionally, click Browse to browse and highlight the GuardPoint directory. Note that Browse
will not work if the host was registered with One-way Communication.
6 Click Ok to apply the policy to the GuardPoint. The Edit Host panel opens with the new
GuardPoint.
Repeat this process for each folder you wish to protect.
A red status indicator means that the policy hasn't taken effect. Click Refresh until the Status
turns green. This may take up to 30 seconds. The policy is now activated and the GuardPoint is
protected.
DATA ENCRYPTION AND PROTECTION 5
By now, you have set up your DSM, created VDS administrators, installed agents on your
protected hosts, and created an initial operational policy. This chapter describes how to encrypt
your sensitive data and tune your data protection policy to prevent unwanted access. This
chapter contains these sections:
Data Protection Overview on page 43
Determine encryption method on page 44
Using the Copy or Restore encryption method on file systems on page 46
Using the Copy or Restore encryption method on block devices on page 48
Using dataxform to encrypt your data on page 52
Viewing the audit logs on page 62
Tune the Policies on page 64
DATA PROTECTION OVERVIEW
Steps for protecting data
The basic steps for protecting your data are:
1 Determine the optimal data encryption method for your environment: Copy, Restore or dataxform.
2 Verify that your data is backed up.
3 Stop all services and access to the directories or block devices that will be encrypted.
4 Create a GuardPoint with the initial operational policy on the protected directories or block devices. For
the dataxform encryption method, create a dataxform policy. For the Copy or Restore method,
use the initial operational policy described in Creating the initial operational policy on page 31.
5 For the dataxform method, run dataxform on each GuardPoint. For the Copy and Restore methods,
copy files into the GuardPoint.
6 After verifying that encryption was successful, start services and restore access to the data now
encrypted.
7 Test and monitor access to the encrypted data.
8 Tune the policies to increase and refine security.
DETERMINE ENCRYPTION METHOD
VDS provides three encryption methods: the Copy, Restore, and dataxform methods. The
optimal method depends on three things: 1) whether you are encrypting data on a block
device or directory; 2) the amount of disk space you have; 3) the speed of your backup devices.
Note: Whichever method you select, it is essential that you have a good backup of the data
before you encrypt it.
Restore encryption method
In this method, your sensitive data is backed up on some device, for example, a tape drive or
disk drive. To encrypt the data, you will:
1 Block access to all directories and block devices that are to be encrypted.
2 Create a GuardPoint on these directories and block devices.
3 Restore the data from the backup device into the GuardPoint. As data is written into the
GuardPoint, it is encrypted.
An example is shown below.
In this example, users access a number of databases on the protected host. To protect
\database-3, first block user access to it, create a GuardPoint on \database-3 and then
restore the backup data from the backup media into \database-3. This method requires no
extra disk space, and the speed of encryption depends on the speed of the restore. Slower
backup media, like tape drives, will result in a slower encryption speed.
Copy encryption method
In this method, you copy sensitive data into a GuardPoint with an encryption policy. This
method is generally faster than the Restore encryption method. If the data you copy to the
GuardPoint is on the same drive and volume as the GuardPoint, this method is comparable in
speed to dataxform, approximately 2-4 Gigabytes per minute. If the data to be encrypted is
accessed from a slow disk or a different volume, the encryption will be slightly slower.
Here's an example of how the Copy encryption method works:
1 Block all access to the directory containing the sensitive source data. Rename that directory
(example: from \mssql\data\3 to \mssql\data\3-OLD).
2 Create a new directory for your sensitive data with the original directory path. Block access to it.
3 Create a GuardPoint on that directory.
4 Copy the sensitive data into the GuardPoint. Data in the GuardPoint is encrypted.
5 Open access to the new directory.
An example is shown in the graphic below.
In this example, users access a number of SQL databases on the protected host. To protect \mssql\data\3 you block access to the directory, rename it to \mssql\data\3-OLD, create
a new \mssql\data\3 directory, block access to it, create a GuardPoint on it, copy the data in
\mssql\data\3-OLD to \mssql\data\3, and open access to \mssql\data\3. This method
requires additional disk space at least as large as \mssql\data\5. The speed of the backup
depends on the speed of the copy.
[Graphic: Copy encryption method (panel label: Block access)]
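As an added example (not from the Vormetric guide), the five Copy-method steps above as a shell rehearsal for one directory on a Linux host, including the verification that the overview's step 6 asks for before access is restored. It assumes it runs as the owner of the data after services are stopped, that "blocking access" means revoking group/other permissions, and that the GuardPoint is created in the Management Console at the point where the placeholder hook command runs.

```shell
#!/bin/sh
# Added example, not from the Vormetric guide: rehearses the Copy encryption
# method for one directory on a Linux host. Assumptions: the script runs as
# the owner of the data, services using the data have been stopped, "block
# access" means revoking group/other permissions, and the GuardPoint is
# created in the Management Console where the placeholder hook runs.
set -eu

# block_access DIR: revoke access for every account except the owner.
block_access() { chmod go-rwx "$1"; }

# open_access DIR MODE: restore the directory's normal permissions (e.g. 755).
open_access() { chmod "$2" "$1"; }

# checksum_tree DIR: sorted "hash  ./relative/path" lines for every regular
# file, so two trees can be compared regardless of listing order.
checksum_tree() {
    ( cd "$1" && find . -type f -print0 | LC_ALL=C sort -z | xargs -0 sha256sum )
}

# copy_method ORIG MODE GUARD_HOOK: runs steps 1 to 5 of the Copy method.
#   ORIG       directory holding the sensitive data, e.g. /mssql/data/3
#   MODE       permissions to restore when access is reopened
#   GUARD_HOOK placeholder command run once the new ORIG exists; point it at
#              whatever confirms the GuardPoint status is green
copy_method() {
    orig=$1; mode=$2; hook=$3
    old="${orig}-OLD"
    [ -d "$orig" ] || { echo "no such directory: $orig" >&2; return 1; }
    [ ! -e "$old" ] || { echo "$old already exists, refusing to overwrite" >&2; return 1; }

    block_access "$orig"          # step 1: block access to the source ...
    mv "$orig" "$old"             #         ... and rename it to ORIG-OLD
    mkdir -m 700 "$orig"          # step 2: recreate the original path, still blocked
    "$hook" "$orig"               # step 3: GuardPoint applied to ORIG here
    cp -a "$old"/. "$orig"/       # step 4: writes through the GuardPoint are encrypted
    # Verify before reopening access: plaintext read back through the
    # GuardPoint must match the source byte for byte.
    if [ "$(checksum_tree "$old")" != "$(checksum_tree "$orig")" ]; then
        echo "verification failed, leaving $orig blocked" >&2
        return 1
    fi
    open_access "$orig" "$mode"   # step 5: open access to the new directory
}
```

The script refuses to run if ORIG-OLD already exists, so a second pass cannot silently overwrite the only unencrypted copy.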
dataxform encryption method