Recently, a customer approached us about an application with some seemingly impossible security requirements. They needed to protect sensitive data on ingest systems from tampering, disclosure and loss. The threat actors included the customer’s infrastructure provider, hackers, and a population of users with legitimate administrative privileges.
None of the existing solutions on the market were able to satisfy all of the customer's constraints. The customer required a solution that was compatible with their existing workflow, without modifying applications. They needed protection against malicious destruction of data. And the product had to be software only.
Our programmable storage solution enables unique protection capabilities that reside in storage. However, to deliver the security protections that this team was looking for, we could not rely on storage-level enforcement alone. We had to bridge the gap between the ingest world, which is file based, and the block world, where our security capabilities are. So, we created DropSafe.
DropSafe is a FUSE filesystem designed to secure data stored by content ingest systems. Unlike conventional filesystems, it can be used to securely store data via insecure hosts. DropSafe integrates with low level security capabilities implemented by our Elastic Programmable Storage (EPS) product. Together, DropSafe and EPS provide a very high degree of protection against disclosure, tampering, and loss. Protections are achieved using a combination of strong authentication, authenticated encryption, policy based access controls, key management technologies and write-once media semantics.
DropSafe allows an application to securely save files to storage and permits controlled access to secured data at a future point in time. Because data protections are implemented by the storage, they apply to all users and applications, regardless of privilege (i.e., including root).
The DropSafe filesystem supports two modes of operation. In write mode, DropSafe is a zero-knowledge, write-only, write-once file system. Each file in the file system represents a journaled sequence of modifications that are transactionally committed to disk. While a file is open, it is visible only to the process that created it. On close, the file is rendered inaccessible to all users and applications. In write mode, stored data cannot be read, overwritten, modified or deleted, even with direct access to the raw device.
The only way to gain access to stored content is to remount the file system in read mode, which requires strong authentication and temporary knowledge of a secret passphrase. In read mode, DropSafe operates as a read-only random access file system.
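The write-mode and read-mode behaviour described above, modelled in Python as an added illustration for this page; it is not DropSafe or EPS code. The storage-side class plays the EPS role (holds the sealing key, seals journal records, enforces write-once, gates the switch to read mode) and the filesystem-side class plays the DropSafe role. The record layout, the PBKDF2 passphrase check, the HMAC-based toy cipher standing in for a real authenticated-encryption cipher, and the pid-based visibility rule are all assumptions of the example, not a description of the product:

```python
import hashlib
import hmac
import os


def _crypt(key, label, data):
    # Toy cipher (XOR with an HMAC-SHA256 counter-mode keystream) standing in for a real AEAD.
    ks = b"".join(hmac.new(key, label + i.to_bytes(4, "big"), "sha256").digest()
                  for i in range((len(data) + 31) // 32))
    return bytes(a ^ b for a, b in zip(data, ks))


class SealedStore:      # storage side (the EPS role): holds the key, enforces write-once
    def __init__(self, passphrase):
        self._salt = os.urandom(16)
        self._key = self._derive(passphrase)
        self.journal = {}       # name -> [(seq, ciphertext, tag), ...]
        self.read_mode = False

    def _derive(self, passphrase):
        return hashlib.pbkdf2_hmac("sha256", passphrase.encode(), self._salt, 100_000)

    def seal(self, name, chunks):
        """Commit one file's journaled modifications as a single transaction."""
        if name in self.journal:
            raise PermissionError(f"write-once: {name!r} is already sealed")
        records = []
        for seq, chunk in enumerate(chunks):
            label = name.encode() + seq.to_bytes(4, "big")   # unique under write-once
            ct = _crypt(self._key, label, chunk)
            records.append((seq, ct, hmac.new(self._key, label + ct, "sha256").digest()))
        self.journal[name] = records    # one assignment: all records or none

    def remount_read(self, passphrase):
        """Switch to read mode only on a correct passphrase; returns the resulting mode."""
        self.read_mode = hmac.compare_digest(self._derive(passphrase), self._key)
        return self.read_mode

    def content(self, name):
        """Verify every record's tag, then decrypt and replay the journal in order."""
        if not self.read_mode:
            raise PermissionError("stored data is unreadable in write mode")
        plain = b""
        for seq, ct, tag in self.journal[name]:
            label = name.encode() + seq.to_bytes(4, "big")
            if not hmac.compare_digest(hmac.new(self._key, label + ct, "sha256").digest(), tag):
                raise ValueError(f"tampered record {name}:{seq}")
            plain += _crypt(self._key, label, ct)
        return plain


class DropSafeModel:    # filesystem side: write-only/write-once, then read-only random access
    def __init__(self, store):
        self.store = store
        self._open = {}         # name -> (owner pid, pending chunks)

    def create(self, name, pid):
        if self.store.read_mode or name in self._open or name in self.store.journal:
            raise PermissionError("read mode is read-only and existing files are never overwritten")
        self._open[name] = (pid, [])

    def write(self, name, data, pid):
        self._visible(name, pid)[1].append(data)   # each write is one journal entry

    def close(self, name, pid):
        self.store.seal(name, self._visible(name, pid)[1])
        del self._open[name]    # now hidden from every user and process, root included

    def listdir(self, pid):
        if self.store.read_mode:
            return sorted(self.store.journal)
        return sorted(n for n, (owner, _) in self._open.items() if owner == pid)

    def read(self, name, offset, length):
        return self.store.content(name)[offset:offset + length]

    def _visible(self, name, pid):
        entry = self._open.get(name)
        if entry is None or entry[0] != pid:
            raise FileNotFoundError(name)   # other processes cannot even see an open file
        return entry


def demo(passphrase="constructed-example-passphrase"):
    store = SealedStore(passphrase)
    fs = DropSafeModel(store)
    fs.create("ingest-0001.bin", pid=100)
    for rec in (b"record one\n", b"record two\n"):    # constructed sample data
        fs.write("ingest-0001.bin", rec, pid=100)
    seen = {"other_pid_lists": fs.listdir(pid=200)}
    fs.close("ingest-0001.bin", pid=100)
    try:
        seen["read_in_write_mode"] = fs.read("ingest-0001.bin", 0, 4)
    except PermissionError:
        seen["read_in_write_mode"] = "refused"
    store.remount_read(passphrase)
    seen["random_read"] = fs.read("ingest-0001.bin", 7, 8)
    return seen
```

Two things the model makes concrete that the prose only states. First, the sealing key lives on the storage side, so the filesystem host never holds anything that would let it read data back; in a real deployment the two classes would be separate trust domains, whereas here they share one process and only the interface between them is modelled. Second, every journal record carries a tag over its name, sequence number and ciphertext, so a tamper with the stored bytes (the "direct access to the raw device" case) is caught on replay in read mode rather than silently returned.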
DropSafe is currently in Technology Preview. Check out the video for a demonstration. If you have questions, comments or suggestions, or want to try to hack it yourself, send us mail. EPS and DropSafe are free to try.