VDS Quick StartVormV0.4

8/21/2019 VDS Quick StartVormV0.4

    VDS Quick-start Guide

    Release 5

    Version 5.2.1

    May 28, 2014

    Vormetric Data Security Platform

    50-1000000-01


    Vormetric Data Security

    VDS Quick-start Guide

    Release 5, Version 5.2.1

    May 28, 2014, Document Draft Version 0.4

    50-1000010-01

    Produced in the United States of America

    Copyright (C) 2009 - 2014 Vormetric, Inc. All rights reserved.

    NOTICES, LICENSES, AND USE RESTRICTIONS

    Vormetric is a registered trademark of Vormetric, Inc. in the United States (U.S.) and certain other countries.

    Microsoft, Windows, Windows XP, Windows NT, SQL Server and the Windows logo are trademarks of Microsoft

    Corporation in the U.S., other countries, or both.

    UNIX is a registered trademark of The Open Group in the U.S. and other countries.

    Linux is a trademark of Linus Torvalds in the U.S., other countries, or both.

    Java and all Java-based trademarks (including Java, JavaServer Pages, Javadoc, JavaMail, and JavaBeans) are logos and

    trademarks or registered trademarks of Oracle, Inc., in the U.S. and other countries, and are used under license.

    Oracle, Oracle ASM, Solaris, SPARC, Oracle Enterprise Linux and Java are registered trademarks of Oracle Corporation

    and/or its affiliates.

    IBM, IBM logo, ibm.com, AIX, DB2, PowerPC, DB2 Universal Database and Informix are trademarks of International

    Business Machines Corporation in the U.S., other countries, or both.

    Intel, Intel logo, Intel Xeon, Itanium, and Pentium are trademarks or registered trademarks of Intel Corporation or its

    subsidiaries in the U.S. and other countries.

    HP-UX is a registered trademark of Hewlett-Packard Company in the U.S., other countries, or both.

    Adobe, Acrobat, PostScript and all Adobe-based trademarks are either registered trademarks or trademarks of Adobe

    Systems Incorporated in the U.S., other countries, or both.

    X Window System is a trademark of the Massachusetts Institute of Technology.

    Red Hat and Red Hat Enterprise Linux, are trademarks of Red Hat, Inc., registered in the United States and other

    countries.

    SUSE and SLES are registered trademarks of Novell, Inc.

    All other products described in this document are trademarks of their respective holders.

    The Software and documentation contain confidential and proprietary information that is the property of Vormetric, Inc. The Software and documentation are furnished under Vormetric's Standard Master License Software Agreement (Agreement) and may be used only in accordance with the terms of the Agreement. No part of the Software and documentation may be reproduced, transmitted, translated, or reverse engineered, in any form or by any means, electronic, mechanical, manual, optical, or otherwise.

    Licensee shall comply with all applicable laws and regulations (including local laws of the country where the Software is

    being used) pertaining to the Software including, without limitation, restrictions on use of products containing

    encryption, import or export laws and regulations, and domestic and international laws and regulations pertaining to

    privacy and the protection of financial, medical, or personally identifiable information. Without limiting the generality

    of the foregoing, Licensee shall not export or re-export the Software, or allow access to the Software to any third party

    including, without limitation, any customer of Licensee, in violation of U.S. laws and regulations, including, without limitation, the Export Administration Act of 1979, as amended, and successor legislation, and the Export Administration Regulations issued by the Department of Commerce.

    Any provision of any Software to the U.S. Government is with "Restricted Rights" as follows: Use, duplication, or

    disclosure by the government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical

    Data and Computer Software clause at DFARS 252.227-7013, and in subparagraphs (a) through (d) of the Commercial

    Computer-Restricted Rights clause at FAR 52.227-19, and in similar clauses in the NASA FAR Supplement, when

    applicable. The Software is a "commercial item" as that term is defined at 48 CFR 2.101, consisting of "commercial

    computer software" and "commercial computer software documentation", as such terms are used in 48 CFR 12.212

    and is provided to the U.S. Government and all of its agencies only as a commercial end item. Consistent with 48 CFR

    12.212 and DFARS 227.7202-1 through 227.7202-4, all U.S. Government end users acquire the Software with only

    those rights set forth herein. Any provision of Software to the U.S. Government is with Limited Rights. Vormetric is

    Vormetric, Inc. at 2545 N 1st St., San Jose, CA, 95131-1003, (408) 433-6000.

    VORMETRIC, INC., PROVIDES THIS SOFTWARE AND DOCUMENTATION "AS IS" WITHOUT WARRANTY OF ANY KIND,

    EITHER EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY OR

    FITNESS FOR A PARTICULAR PURPOSE, TITLE, NON-INFRINGEMENT OF THIRD PARTY RIGHTS, AND ANY WARRANTIES


    ARISING OUT OF CONDUCT OR INDUSTRY PRACTICE. ACCORDINGLY, VORMETRIC DISCLAIMS ANY LIABILITY, AND SHALL

    HAVE NO RESPONSIBILITY, ARISING OUT OF ANY FAILURE OF THE SOFTWARE TO OPERATE IN ANY ENVIRONMENT OR IN

    CONNECTION WITH ANY HARDWARE OR TECHNOLOGY, INCLUDING, WITHOUT LIMITATION, ANY FAILURE OF DATA TO

    BE PROPERLY PROCESSED OR TRANSFERRED TO, IN OR THROUGH LICENSEE'S COMPUTER ENVIRONMENT OR ANY FAILURE OF ANY TRANSMISSION HARDWARE, TECHNOLOGY, OR SYSTEM USED BY LICENSEE OR ANY LICENSEE

    CUSTOMER. VORMETRIC SHALL HAVE NO LIABILITY FOR, AND LICENSEE SHALL DEFEND, INDEMNIFY, AND HOLD

    VORMETRIC HARMLESS FROM AND AGAINST, ANY SHORTFALL IN PERFORMANCE OF THE SOFTWARE, OTHER

    HARDWARE OR TECHNOLOGY, OR FOR ANY INFRINGEMENT OF THIRD PARTY INTELLECTUAL PROPERTY RIGHTS, AS A

    RESULT OF THE USE OF THE SOFTWARE IN ANY ENVIRONMENT. LICENSEE SHALL DEFEND, INDEMNIFY, AND HOLD

    VORMETRIC HARMLESS FROM AND AGAINST ANY COSTS, CLAIMS, OR LIABILITIES ARISING OUT OF ANY AGREEMENT

    BETWEEN LICENSEE AND ANY THIRD PARTY. NO PROVISION OF ANY AGREEMENT BETWEEN LICENSEE AND ANY THIRD

    PARTY SHALL BE BINDING ON VORMETRIC.

    Protected by U.S. patents: 6,678,828; 6,931,530; 7,143,288; 7,283,538; 7,334,124.

    Vormetric Data Security includes a restricted license to the embedded IBM DB2 database. That license stipulates that

    the database may only be used in conjunction with the Vormetric Security Server. The license for the embedded DB2

    database may not be transferred and does not authorize the use of IBM or 3rd party tools to access the database

    directly.

    Contents

    1 VDS Platform Overview 1
      Product Overview 1
        What the VDS Platform does 1
        What the VDS Platform is 1
      VDS Installation and Configuration Road Map 2
        Prerequisites 2
        VDS Installation, Configuration and Operations Roadmap 3
      Management Console Overview 3
        Access the Management Console 4
        Install licenses 5
        Allocate licenses and hours to a domain 5
        Set system log preferences 6

    2 VDS Administrators and Domains 7
      VDS Administrator and Domain Overview 7
        VDS administrators 8
      To create VDS Platform administrators 11
      Create a VDS administrator 11
      Create a VDS Domain 13
        How to create a domain 13

    3 Host Protection 15
      Protected Host Overview 15
      Add the protected host names to the DSM database 15
        Switch to the domain where you want to create the access policy 16
        Adding host names to DSM database 17
      Install the Agent on the Host 19

    4 VDS Policies 21
      Policy Overview 21
        Policy creation 23
      Creating encryption keys 23
        Encryption key management 24
      Creating the Basic Encryption Policy 26
        Create policy 27
        Add an encryption key to the policy 29
      Creating the initial operational policy 31
        Name Policy 31
        Create Rule 1 33
        Create Rule 2 for the initial operational policy 36
        Add an encryption key to the policy 38
      Creating GuardPoints: Applying policies to directories 39
        Apply a policy to folders 39

    5 Data Encryption and Protection 43
      Data Protection Overview 43
        Steps for protecting data 43
      Determine encryption method 44
        Restore encryption method 44
        Copy encryption method 45
        dataxform encryption method 46
        How to decide what method to use 46
      Using the Copy or Restore encryption method on file systems 46
        Prerequisites 47
        Apply the Initial Operational Policy to folders 47
      Using the Copy or Restore encryption method on block devices 48
        Prerequisites 48
        Other information for block devices 48
        Apply Initial Operational Policy to block device 49
      Using dataxform to encrypt your data 52
        dataxform encryption method prerequisites 52
        Create dataxform policy 53
        Apply the dataxform policy to the GuardPoints 56
        Execute dataxform to start data encryption in the GuardPoint 59
        Remove the dataxform policy and apply Initial Operational Policy 60
      Viewing the audit logs 62
        View and Analyze Audit Logs 62
        Search audit records by keyword 64
      Tune the Policies 64
        Policy tuning process 64
        Creating the policy 65
        Create Rule 1 66
        Add Rule 2 70
        Add Rule 3 71
        Add Rule 4 72
        Add an encryption key to the policy 73

    6 DSM Backup and Restore 75
      DSM Backup and Restore Overview 75
      Create a Backup Encryption Wrapper Key 76
        To create the wrapper key 76
      Backup the DSM 79
        To backup the DSM 79
      Restore the DSM from a Backup Image 79
        To restore the DSM from a backup configuration 80
      Automatic Backups 80
        Setting Automatic DSM Backups 81

    A Clustering the DSM for High Availability 83
      HA Overview 83
      Configuring a DSM for Failover 83
        Configure the DSM to resolve hostnames 84
        Add Failover DSM to Primary DSM cluster 84
        Convert Failover DSM 85
        Configure Replication from Primary DSM 86

    PREFACE

    This guide describes:

    1 How to set up and configure the Vormetric Data Security Platform (VDS Installation and Configuration Road Map on page 2).

    2 The essential features, concepts and high-level architecture of the VDS Platform.

    3 How to protect your data on a cloud or on-site host machine (Data Encryption and Protection on page 43).

    4 How to set up automatic DSM backup (DSM Backup and Restore on page 75).

    5 How to set up an HA cluster for the DSM (Clustering the DSM for High Availability on page 83).

    This book is intended to teach you how to quickly use the Vormetric Data Security Platform (VDS Platform) to secure sensitive data. More detailed information is available in the Vormetric Data Security User Guide.

    SCOPE

    This document describes the basic steps to get your VDS Platform up and running.

    INTENDED AUDIENCE

    The VDS Quick-start Guide is intended for security teams who are setting up the VDS Platform for the first time.

    Assumptions

    This document assumes that you have the following:

    A Vormetric Data Security Manager (DSM)

    Linux, UNIX or Windows hosts on which you wish to install the Vormetric Transparent Encryption Agent to protect your data

    The VDS documentation (see Related documents on page vi)

    This documentation also assumes knowledge of network configuration.
    RELATED DOCUMENTS

    Vormetric Data Security Platform User Guide

    Vormetric Data Security Manager Installation Guide

    Vormetric Transparent Encryption Agent Installation and Configuration Guide

    Vormetric Data Security Release Notes

    TYPOGRAPHICAL CONVENTIONS

    This section lists the common typographical conventions for Vormetric technical publications.

    Typographical Conventions

    Convention | Usage | Example
    bold, Times New Roman font | GUI labels and options | Click the System tab and select General Preferences.
    bold, fixed width (Courier New) | commands, arguments, switches, options, variables, elements, properties, objects, parameters, events | session set appname=
    regular fixed width (Courier New) | command and code examples, XML examples | session start iptarget=192.168.253.102
    italic regular font | GUI dialog box titles | The General Preferences window opens.
    italic regular font | non-literal symbols | myport, Failover.Port
    italic regular font | file names, paths, and directories | /usr/bin/
    italic regular font | URLs and names of protocols | http://server.domain.com:90/
    italic regular font | text to be replaced |
    italic regular font | emphasis | Do not resize the page.
    italic regular font | new terminology | CDF (Carousel Definition Format)
    quotes | file extensions | .js, .ext
    quotes | attribute values | true, false, 0
    quotes | terms used in special senses | 1+1 hot standby failover

    SERVICE UPDATES AND SUPPORT INFORMATION

    Vormetric's Master Software License and Hardware Purchase Agreement (MSLA) defines software updates and upgrades, support and services, and governs the terms under which they are provided. Any statements made in this guide or collateral documents that conflict with the definitions or terms in Vormetric's MSLA shall be superseded by the definitions and terms of the MSLA. Any references made to upgrades in this guide or collateral documentation can apply either to a software update or upgrade.

    SALES AND SUPPORT

    For support and troubleshooting issues:

    help.vormetric.com

    Email questions to [email protected] or call 877-267-3247

    For Vormetric Sales:

    http://enterprise-encryption.vormetric.com/contact-sales.html

    (888) 267-3732

    [email protected]

    1 VDS PLATFORM OVERVIEW

    This chapter describes the features, components and high-level architecture of the Vormetric Data Security Platform (VDS Platform). It also describes how to log on to the VDS Management Console. This chapter consists of the following sections:

    Product Overview on page 1

    VDS Installation and Configuration Road Map on page 2

    Management Console Overview on page 3

    PRODUCT OVERVIEW

    What the VDS Platform does

    The VDS Platform combines encryption, context-aware access control, and fine-grained audit trails to create a data protection and encryption solution that is transparent to end users and applications. With no changes to the existing infrastructure, the VDS Platform supports separation of duties between data owners, server administrators and security administrators.

    The VDS Platform protects data at rest. It can protect data residing on direct-attached storage (DAS), network-attached storage (NAS) or a storage area network (SAN), whether that storage is presented as a mapped drive, a mounted disk or a UNC path.

    The VDS Platform supports FIPS 140-2.

    What the VDS Platform is

    VDS consists of a Data Security Manager (DSM) and one or more Vormetric Transparent

    Encryption (VTE) agents residing on your protected hosts. Protected hosts contain your

    sensitive data, or, if connected to a NAS or SAN, have access to your sensitive data. Protected

    hosts can be on-site, in the cloud, or a hybrid of both.

    The DSM is the central component of VDS, storing and managing data encryption keys, data

    access policies, administrative domains, and administrator profiles. The DSM can be either a

    security-hardened hardware appliance or a virtual appliance. The agents communicate with the

    DSM and implement the security policies on their protected host systems.

    The architecture of VDS is shown below.

    Figure 1: Vormetric Data Security Architecture

    The circled Vs represent the Vormetric Transparent Encryption agents on protected hosts; VM denotes virtual machines. Communication between agents and the DSM is encrypted. VDS administrators establish access and encryption policies through the Management Console, a browser-based interface to the DSM.

    The VDS Platform achieves security with complete transparency to end users and no sacrifice of

    application performance. It requires no changes to your existing infrastructure and supports

    separation of duties between data owners, system administrators and security administrators.

    VDS INSTALLATION AND CONFIGURATION ROAD MAP

    Use the following road map to install and configure your VDS system.

    Prerequisites

    You have received from Vormetric:

    DSM device(s).

    Agent licenses. A default number of licenses is installed on the DSM devices. If you run out or the licenses expire, contact Vormetric Customer Support to get more.

    VDS documentation (DSM Installation Guide, VDS User Guide, this VDS Quick-start Guide and the Windows, UNIX and Linux Release Notes).

    You have installed:

    UNIX, Linux, or Windows hosts on which you would like to protect data. These hosts conform to the support matrices in the VDS UNIX, Linux or Windows Release Notes, and they have network connectivity to the DSM.

    VDS Installation, Configuration and Operations Roadmap

    To set up the VDS Platform to protect your hosts, the following steps are required:

    1 Install and configure your DSM. See the DSM Installation Guide.

    2 Configure log preferences (see Management Console Overview on page 3).

    3 Create VDS administrators and domains in the DSM. See VDS Administrators and Domains on page 7.

    4 Add your protected host names or IP addresses to the DSM database. See Add the protected host names to the DSM database on page 15.

    5 Install VTE agents on your protected hosts and register them to the DSM. See the Vormetric Transparent Encryption Agent Installation and Configuration Guide. If you have obtained your host from a third party, they will install the VTE agents and provide you with the host names.

    6 Optional: if you are setting up a high-availability configuration, add failover DSMs as necessary. See Clustering the DSM for High Availability on page 83.

    7 Back up your DSM (DSM Backup and Restore on page 75).

    8 Set up GuardPoints (VDS protected directories) on your protected hosts and encrypt your data. See VDS Policies on page 21 and Data Encryption and Protection on page 43.

    MANAGEMENT CONSOLE OVERVIEW

    The VDS Management Console is the primary interface to the security features of the VDS Platform. VDS administrators perform almost all security work through the Management Console. You can access the Management Console as soon as the DSM has been installed and configured (see the Data Security Manager Installation Guide). In this section you will do the following:

    Access the Management Console

    Install licenses

    Allocate licenses and hours to a domain

    Set system log preferences

    Access the Management Console

    Logging in to the Management Console is the most common operation you will perform as a VDS Platform administrator. Here is how to do it:

    1 Open a browser and enter the DSM URL over HTTPS: either the DSM's hostname, if it is configured in DNS, or its IP address. Example URL: https://dsm.vormetric.com

    The Login window displays.

    2 Enter the default login and password. The default login is admin. The default password is admin123.

    Note: You will be asked to change the default password upon first login. Remember this new password or you will not be able to log in again. Because these default credentials are published in this guide, do not leave the DSM reachable from untrusted networks until the password has been changed.

    The Dashboard window displays.


    Install licenses

    Upload a license file

    1 Get the license file from Vormetric.

    2 Log on to the Management Console on the primary server as an administrator of type System Administrator or All.

    3 Select System > License in the menu bar. The License window opens.

    4 Click Upload License File. The Upload License File window opens.

    Note: If you are in a domain, the Upload License File button is disabled. Click Domain > Exit Domain.

    5 In the License File box, enter the full path of the license file or click Browse to locate and select the license file.

    6 Click Ok.

    Allocate licenses and hours to a domain

    Use these procedures to control how many licenses (Term) or license hours (Hourly) can be

    used in a domain under the Licensetab in the Edit Domainwindow.

    1 Click Domains >Manage Domains. The Domainswindow lists all the domains available to the

    current administrator.

    2 Click the domain link in the Namecolumn. The Edit Domainwindow opens to the Generaltab.

    3 Click the Licensetab. The fields under the License tab operate as follows:

    Leave a field blank agents can be registered in the domain according to the number of

    licenses available on the system.

    Enter a zero no agents can be registered in this domain.

    Enter a number in an Agent (Term) or Agent (Perpetual) field the domain is restricted to that

    number of hosts registered with that type of license.

    Enter a date in the Expiration Date (Term) field new hosts cannot register after the expiration

    date. Active hosts continue to function until they are unregistered or rebooted.

    Enter a number in the Core Hours (Hourly) field the domain is restricted to that number of

    core CPU hours with that agent. Active hosts continue to function until they are unregistered or

    rebooted.
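The field semantics above can be checked against a small model. The following Python is an added example, not part of this guide or of Vormetric's software: the data structures, the pool counters and the function names are assumptions. It treats a blank field as "bounded only by the system pool", a zero as "no agents", a number as a per-type cap, a passed Term expiration date as blocking only new registrations, and a reboot as a fresh registration (which is why an already-running host survives the expiry date until it reboots).

```python
from dataclasses import dataclass, field
from datetime import date
from typing import Dict, Optional, Tuple

# Added example, not Vormetric code: the structures and counters are assumptions.


@dataclass
class DomainLicense:
    """The four License-tab fields; None models a field left blank."""
    term_agents: Optional[int] = None
    perpetual_agents: Optional[int] = None
    term_expiry: Optional[date] = None
    core_hours: Optional[int] = None


@dataclass
class SystemPool:
    """Licenses not yet consumed on the DSM as a whole (assumed counters)."""
    term_available: int = 0
    perpetual_available: int = 0


@dataclass
class Domain:
    name: str
    license: DomainLicense
    hosts: Dict[str, str] = field(default_factory=dict)   # hostname -> license type
    core_hours_used: int = 0


def can_register(domain: Domain, pool: SystemPool, license_type: str,
                 today: date) -> Tuple[bool, str]:
    """May a NEW host register in this domain under license_type?"""
    lic = domain.license
    if license_type == "Hourly":
        if lic.core_hours is not None and domain.core_hours_used >= lic.core_hours:
            return False, "domain core-hour allocation used up"
        return True, "ok"
    if license_type == "Term":
        if lic.term_expiry is not None and today > lic.term_expiry:
            return False, "Term expiration date has passed"
        cap, available = lic.term_agents, pool.term_available
    elif license_type == "Perpetual":
        cap, available = lic.perpetual_agents, pool.perpetual_available
    else:
        return False, "unknown license type"
    in_use = sum(1 for t in domain.hosts.values() if t == license_type)
    if cap is not None and in_use >= cap:        # a zero cap means no agents at all
        return False, "domain allocation for this license type used up"
    if available <= 0:                           # blank field: bounded only by the pool
        return False, "no licenses of this type left on the system"
    return True, "ok"


def register(domain: Domain, pool: SystemPool, hostname: str,
             license_type: str, today: date) -> Tuple[bool, str]:
    ok, why = can_register(domain, pool, license_type, today)
    if ok:
        domain.hosts[hostname] = license_type
        if license_type == "Term":
            pool.term_available -= 1
        elif license_type == "Perpetual":
            pool.perpetual_available -= 1
    return ok, why


def is_active(domain: Domain, hostname: str) -> bool:
    """A host already registered keeps working after the Term expiry date passes."""
    return hostname in domain.hosts


def reboot(domain: Domain, pool: SystemPool, hostname: str,
           today: date) -> Tuple[bool, str]:
    """On reboot the agent registers again, so an expired Term now blocks it."""
    license_type = domain.hosts.pop(hostname)
    if license_type == "Term":
        pool.term_available += 1
    elif license_type == "Perpetual":
        pool.perpetual_available += 1
    return register(domain, pool, hostname, license_type, today)
```

The practical consequence: a domain whose Term expiry has passed can look healthy on the dashboard right up to the next maintenance reboot, so check the License tab before a reboot window rather than after it.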


Set system log preferences

1 Click System > Log Preferences > FS Agent Log. The File System Log Preferences window opens.

2 If not already done, make the following log preference changes:

Change Policy Evaluation/Level to INFO, and check the Policy Evaluation/Log to File/Level checkbox.

Click Apply and Ok. With this setting each policy evaluation is written to the agent's log file, which is the record you will rely on when auditing access and tuning policies.


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

2 VDS ADMINISTRATORS AND DOMAINS

Once your DSM is installed and configured, you must 1) create VDS administrator accounts for the administrators who will be responsible for data security, and 2) create VDS domains containing the hosts that VDS administrators will protect. Once hosts are added to the domains, VDS administrators can create encryption keys and policies, assign them to sensitive data, and perform other data security operations through the Management Console.

This chapter describes Vormetric Data Security (VDS) administrators and domains: what they are and how to create them. It contains the following sections:

VDS Administrator and Domain Overview on page 7

To create VDS Platform administrators on page 11

Create a VDS Domain on page 13

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

VDS ADMINISTRATOR AND DOMAIN OVERVIEW

VDS Platform administrators (or simply VDS administrators) manage the VDS infrastructure and perform various security operations to protect sensitive data on hosts. Vormetric recommends not assigning this role to the system administrators of protected hosts. System administrators generally have access to all the data on all the machines that they administer. To enforce separation of duties, a VDS administrator should have no access to data or user accounts on any protected host. The VDS administrator's sole responsibility is to provide data access to those who need it and block data access to those who don't, including system administrators.

The VDS platform allows you to group one or more protected hosts and their associated encryption keys and policies in a container called a VDS domain. VDS domains allow horizontal separation of a DSM, so that different business units, application teams or geographic locations can share one DSM without having access to each other's security configuration. The domain is a logical entity that separates administrators, and the data they access, from other administrators. Administrative tasks are performed in each domain based upon each administrator's assigned type. The benefits of administrative domains are:

Segregation of data for increased security

Separation of responsibilities

No one administrator has complete control over Vormetric Data Security and the data it protects

    Figure 2: Vormetric Data Security Domains

VDS administrators

VDS administrators protect data by establishing data access policies, encrypting data, and auditing data access attempts. VDS administrators are assigned to domains, which are groups of one or more VDS-protected hosts sharing the same administrators and data security policies.

After initial DSM configuration, you can log in with the default VDS System Administrator account admin. It is highly recommended that you use this account only to log into the DSM web console and create the other administrator accounts. After that, do not use the admin account; use the newly created accounts for all further configuration.

Five types of administrators are provided; each is allowed to perform specific administrative tasks. The administrator types are:


By default, an administrator is assigned one administrative type and is allowed to perform the tasks for that one administrative type only. This approach requires at least three administrators, each assigned to a different type. Administrator type assignment can also be configured so that one administrator can perform the tasks of all three administrative types (System, Domain, and Security). This approach provides less control because one administrator can administer the entire DSM. Also, a single administrator can be configured to perform the tasks of a Domain Administrator and Security Administrator combined. The Domain and Security Administrator can perform every task that is allowed a user from inside a domain. For example, the Domain and Security Administrator can add users to the domains of which it is a member, but it cannot create new users.

Role                               Permissions

System Administrator               Add and delete all administrators
                                   Reset passwords for all administrators
                                   Add and delete all domains
                                   Assign one Domain Administrator to each domain
                                   Configure HA
                                   Configure syslog server for system-level messages
                                   Upgrade DSM software
                                   Backup and restore DSM database
                                   Install license file
                                   Import 3.x configuration
                                   Configure preferences
                                   View logs

Domain Administrator               Add and remove administrators (Domain, Security, All) to and from domains
                                   Configure Security Administrator roles (Audit, Key, Policy, Host, Challenge & Response)
                                   Configure syslog server for application-level messages
                                   View preferences
                                   View logs

Security Administrator             Configure signature sets
                                   Configure keys and key groups
                                   Configure online and offline policies
                                   Configure hosts and host groups
                                   Assign host passwords (manually or generated)
                                   Apply GuardPoints
                                   Share a host with another domain
                                   Export the DSM public key
                                   Import symmetric keys
                                   View preferences
                                   View logs

Domain and Security Administrator  Domain Administrator and Security Administrator combined. Administrators of this type are deleted from the DSM database upon switching from relaxed to strict domain mode.

All                                System, Domain, and Security Administrators combined. Administrators of type All are deleted from the DSM database upon switching from relaxed to strict domain mode.

System Administrator type

The System Administrator type operates outside of domains. It creates domains and assigns administrators of type Domain Administrator to the domains. Administrators of types Domain Administrator and Security Administrator operate within those domains. Administrators of type All can operate both inside and outside of domains. When an administrator of type All enters a domain, the administrator can perform Domain Administrator and Security Administrator tasks. When an administrator of type All exits the domain, the administrator can perform System Administrator tasks.

The default DSM administrator, admin, has the System Administrator type. In this type, the admin administrator creates additional administrators and domains, and then assigns one administrator of type Domain Administrator to each domain.

Domain Administrator type

The Domain Administrator adds additional Domain Administrators to each domain. One Domain Administrator can be a member of multiple domains. If a Domain Administrator is a member of multiple domains, it can easily switch between the domains. The Domain Administrator also adds Security Administrators to a domain and assigns them roles (for example, Audit, Key, Policy, Host, and/or Challenge & Response) that apply only within that domain.

The System Administrator creates domains but does not operate within them; all tasks performed by the Domain Administrator and Security Administrator occur within domains. The Domain Administrator and Security Administrator must always know what domain they are in before performing any task. If you log in as a Domain Administrator or a Security Administrator and you notice that the administrator, host, or log data is wrong, you are most likely in the wrong domain.


Security Administrator type

One Security Administrator can be assigned to multiple domains; however, the Security Administrator has only the roles that were assigned when it was made a member of that domain. That is, the same administrator can have different roles in different domains.

Roles are assigned by Domain Administrators when they assign a Security Administrator to a domain. The roles are described briefly below. For detailed information see the VDS User's Guide.

Audit. Allows the Security Administrator to view log data.

Key. Allows the Security Administrator to create, edit, and delete local key-pairs, public keys only, and key groups. Can also view log data.

Policy. Allows the Security Administrator to create, edit, and delete policies. (A policy is a set of rules that specify who can access which files with what executable during what times. Policies are described in more detail later.) Can also view log data.

Host. Allows the Security Administrator to configure, modify, and delete hosts and host groups. Can also view log data. The Challenge & Response role is automatically selected when the Host role is selected.

Challenge & Response. Allows a VDS Security Administrator to generate a temporary password to give to a system user to decrypt encryption keys cached on the host when there is no connection to the DSM.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

TO CREATE VDS PLATFORM ADMINISTRATORS

This section describes how to create VDS administrators. A default VDS Administrator called admin is already created. Additional administrators are required to perform duties that admin cannot.

Create a VDS administrator

1 Login to the Management Console as the DSM System Administrator admin.


2 Click Administrators.

The Administrators window opens listing all the administrators for this DSM. admin is created by default and cannot be deleted.

3 Click Add. The Add Administrator window appears.

4 Enter your information into the corresponding text fields. Example:

Login:

Description: Admin of type All

Password: Temp123!

Confirm Password: Temp123!

User Type: All


Note: The first time you log in to the Management Console on a newly created VDS Administrator account, you will be prompted to change its password. You will not be allowed to reuse the password entered here. If you have a specific password you want to use, do not enter it here, because you will have to change it at first login.

5 Click Ok. A new Vormetric Administrator is created.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

CREATE A VDS DOMAIN

A VDS domain is a group of one or more VDS-protected hosts under the control of an assigned VDS administrator. Before a protected host can be administered, it must be placed in a domain.

How to create a domain

1 If you are already logged into the Management Console, log out and log in again as the DSM System Administrator admin. Otherwise, just log in as admin.


2 On the menu bar click Domains > Manage Domains to bring up the Manage Domains window.

3 Click Add to bring up the Add Domain window.

4 Under the General tab, fill in a Domain Name. For example, Marketing_Domain. The next two fields are optional. Description identifies the domain. Help Desk Information is the phone number to call to get the response string for challenge-response authentication. If you leave this box empty, the default message is "Please contact a Security Server administrator for a response."

5 Click Ok to create the new domain.

6 Click the Assign Admin tab to assign a VDS administrator. You can assign an administrator any time after the domain is created. Note that you will not be able to switch to, or access, the domain until you assign an administrator.

7 After the domain is created and has an administrator, you can add hosts to it. See Add the protected host names to the DSM database on page 15 and Install the Agent on the Host on page 19.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

3 HOST PROTECTION

A host is a machine that stores your sensitive data. A protected host contains a VTE agent that downloads the data protection policies and encryption keys from the DSM. The agent enforces those policies and encrypts data as specified.

This chapter describes how to create protected hosts. It consists of the following sections:

Protected Host Overview on page 15

Add the protected host names to the DSM database on page 15

Install the Agent on the Host on page 19

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

PROTECTED HOST OVERVIEW

Before you can create protected hosts, you must have a working DSM and your hosts must have network connectivity to the DSM. The steps for creating protected hosts are:

Add the protected host names to the DSM database (Add the protected host names to the DSM database on page 15).

Install the VTE Agent on each host and register it with the DSM. See the Vormetric Transparent Encryption Agent Installation and Configuration Guide.

Add encryption and access policies to specific directories on the host (VDS Policies on page 15).

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

ADD THE PROTECTED HOST NAMES TO THE DSM DATABASE

Your host names must be added to the DSM database before the VTE agent can be installed and data on them protected. This section describes how to do this. To add a host to the DSM database, you will need the host's name, Fully Qualified Domain Name (FQDN, 54 characters max) or IP address.


Switch to the domain where you want to create the access policy

1 Log on to the Management Console as a Security Administrator with the Key and Policy roles or as an administrator of type All. To add hosts in the next procedure, the account also needs the Host role (see the role table above).

2 Switch to the domain containing the host you wish to protect. Click Domains > Switch Domains. The Switch Domains window opens.

3 Select the domain that will contain the protected host and click Switch to domain. The domain in which you are working is displayed in the upper right corner of the Management Console. A domain was created in Create a VDS Domain on page 13.


Adding host names to the DSM database

1 Select Hosts > Hosts in the menu bar. An empty Hosts window opens.

2 Click Add. The Add Host window opens.

3 Enter the following information:

Host Name: Enter the IP address, host name or FQDN. Host names cannot contain an underscore.

Password Creation Method: This is the password that a host user can use to unlock a GuardPoint when the connection to the DSM is broken. For example, if a host user cannot access a GuardPoint because the connection to the DSM is down, the user can execute a VDS password command on the host. The command provides the phone number of the Security Administrator, who gives the user a password to access the GuardPoint. If the method selected is Manual, this password is static: the same value is used for every outage. If the method selected is Generate, the user is given a challenge string to read to the Security Administrator, who uses the string to generate a dynamic password tied to that challenge. Select Generate.

Description: Optional. Enter text to identify the host or its function. Limited to 256 characters.

Registration Allowed Agents: Select the agents that will run on the host system. Depending on your license, your choices are FS (file system), Key (for Oracle database or Microsoft SQL TDE) and DB2 (backup). You must select the agents here before you can register that agent with the DSM.

License Type: Choose the type of license that will run on this host. Options are Perpetual, Term, and Hourly, depending on the system license.

4 Click Ok. You are returned to the Hosts window.

5 Click the hostname link that you just added to the DSM database. This brings up the General tab of the Edit Host window. Make sure the Communication Enabled checkbox is checked for all agent types registered.

6 Your host is added to the DSM database.

7 Repeat for all your protected hosts.
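To see why Generate is preferred over Manual, here is an added Python illustration, not Vormetric code, that models the two host-password methods side by side. The DSM's actual response algorithm is not described on this page; the HMAC-SHA256 derivation, the shared host_secret and the record fields are assumed stand-ins chosen only to show the property that matters: a generated response is bound to one challenge, whereas a manual password is reusable by anyone who has seen it once.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from typing import Optional

# Added example, not Vormetric code. The HMAC derivation and the host_secret
# are assumptions standing in for the DSM's undocumented response algorithm.


@dataclass
class HostRecord:
    """What the DSM keeps for one protected host (assumed fields)."""
    name: str
    method: str                           # "Manual" or "Generate"
    manual_password: Optional[str] = None # static password for the Manual method
    host_secret: Optional[bytes] = None   # assumed shared secret for the Generate method


def host_challenge(rec: HostRecord) -> Optional[str]:
    """Run on the host when a user needs a GuardPoint while the DSM is unreachable.
    Manual: no challenge, the static password is expected.
    Generate: a fresh random challenge the user reads to the Security Administrator."""
    if rec.method == "Manual":
        return None
    return secrets.token_hex(8)           # 16 hex chars, different every time


def admin_response(rec: HostRecord, challenge: str) -> str:
    """Run by a Security Administrator holding the Challenge & Response role."""
    if rec.method != "Generate":
        raise ValueError("challenge/response only applies to the Generate method")
    mac = hmac.new(rec.host_secret, challenge.encode(), hashlib.sha256).digest()
    return mac.hex()[:16]                 # short enough to dictate over the phone


def host_accepts(rec: HostRecord, challenge: Optional[str], supplied: str) -> bool:
    """Verification on the host side, with a constant-time comparison."""
    if rec.method == "Manual":
        expected = rec.manual_password or ""
    else:
        expected = admin_response(rec, challenge)   # host derives the same value
    return hmac.compare_digest(expected, supplied)


def replay_works(rec: HostRecord) -> bool:
    """Would a password captured during one outage still unlock the host at the next one?"""
    c1 = host_challenge(rec)
    p1 = rec.manual_password if rec.method == "Manual" else admin_response(rec, c1)
    if not host_accepts(rec, c1, p1):
        raise RuntimeError("the legitimate exchange itself failed")
    c2 = host_challenge(rec)              # next outage: a fresh challenge (Generate only)
    return host_accepts(rec, c2, p1)      # True for Manual, False for Generate
```

Whatever the real derivation is, the operational lesson is the same: with Manual, every person who was ever read the password can unlock the GuardPoint during any later outage, so treat a Manual host password as a shared secret that needs rotation after each use.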


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

INSTALL THE AGENT ON THE HOST

Once your host names are added to the DSM database, you can install the VTE agent on the host and register it with the DSM. See the Agent Installation and Configuration Guide. After installing and registering your VTE agent on your host, you can create policies to protect its data. See VDS Policies on page 15.

The Hosts window with protected hosts is shown below.


. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

4 VDS POLICIES

This chapter describes data security policies and how to create them. You will create a policy that will be used in subsequent chapters. This chapter contains the following sections:

Policy Overview on page 21

Creating encryption keys on page 23

Creating the Basic Encryption Policy on page 26

Creating the initial operational policy on page 31

Creating GuardPoints: Applying policies to directories on page 39

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

POLICY OVERVIEW

The VDS Security Administrator creates policies to protect data. Policies employ two mechanisms to do this:

Data encryption. Policies can specify that data written to a particular directory (called a GuardPoint) is encrypted. That data can only be decrypted by specified users. Anyone else who reads it gets only ciphertext, which is useless without the key.

Access control. Policies can specify which users can access which files and directories in a GuardPoint. Policies can furthermore specify which executables and actions can be used and at what times.

Thus, policies govern access to, and encryption of, the files in Vormetric-protected directories called GuardPoints. Furthermore, policies can enable auditing so that each time a user accesses a GuardPoint, a log message is created with all the details.


A VDS policy itself consists of a set of rules that control how GuardPoint data can be accessed by users and processes. Each rule consists of five criteria and an effect:

Criterion   Description

Resource    Specifies which files and/or directories in a GuardPoint are to be protected. Example: /secure_dir/financials. Default is All.

User        Specifies which user(s) or groups can access protected data. Default is All.

Process     Specifies which executables can access protected data. Default is All.

When        Specifies the time range when protected data can be accessed. Default is All.

Action      Specifies the allowed action(s) on the protected data. Example: read, write, remove, rename, make directory. Default is All.

Every time a user or application attempts to access a GuardPoint file, the access attempt passes through each rule of the policy until it finds a rule where all the criteria are met. When a rule matches, the Effect associated with that rule is enforced. Effect can have the following values:

Permit or Deny. Specifies whether access to protected data is permitted or denied.

Apply Key. Specifies that data going into or coming out of a GuardPoint be encrypted or decrypted with the policy's key. A rule that permits access without Apply Key hands back the stored ciphertext as-is.

Audit. Specifies that data access attempts be recorded and logged.

A criteria field that is left blank specifies a value of All. Thus, if User is blank, the rule applies to all users; if When is blank, the rule applies to all times; if Process is blank, the rule applies to all executables, and so on. Effect can never be blank. It must have at least a permit (allow access) or deny (deny access).

Rules are evaluated much like firewall rules: in order, from first to last, and evaluation stops at the first rule that matches. Therefore it is important to order a policy's rules carefully to achieve the desired result; a catch-all rule placed first makes every rule after it unreachable.

Note: We recommend creating policies that follow the model of PERMIT ALL EXCEPT, as it is generally easy to create and understand, and accommodates most circumstances.
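An added Python model of this evaluation order, not Vormetric code: the rule fields, the dataclass names and the treatment of "no rule matched" (denied here) are assumptions, and the sample policy is shaped as PERMIT ALL EXCEPT. It shows first-match semantics, a Permit without Apply Key returning ciphertext, a When window that wraps past midnight, and how a catch-all rule placed first shadows everything after it.

```python
from dataclasses import dataclass
from datetime import time
from typing import List, Optional, Set, Tuple

# Added example, not Vormetric code. Field names and the no-match behaviour are assumptions.


@dataclass
class Rule:
    effect: str                                  # "permit" or "deny"; never blank
    resource: Optional[str] = None               # path prefix inside the GuardPoint; None = All
    users: Optional[Set[str]] = None             # None = All
    processes: Optional[Set[str]] = None         # executables; None = All
    when: Optional[Tuple[time, time]] = None     # (start, end) window, may wrap midnight; None = All
    actions: Optional[Set[str]] = None           # read, write, remove, ...; None = All
    apply_key: bool = False                      # encrypt/decrypt with the policy key
    audit: bool = False                          # log the access attempt


@dataclass
class Access:
    path: str
    user: str
    process: str
    action: str
    at: time


@dataclass
class Decision:
    permitted: bool
    apply_key: bool             # False on a permit means the caller gets raw ciphertext
    audit: bool
    rule_index: Optional[int]   # which rule decided; None = fell off the end


def _in_window(window: Tuple[time, time], t: time) -> bool:
    start, end = window
    if start <= end:
        return start <= t <= end
    return t >= start or t <= end          # window wraps past midnight


def _matches(rule: Rule, acc: Access) -> bool:
    """All five criteria must hold; a blank (None) criterion matches anything."""
    if rule.resource is not None and not acc.path.startswith(rule.resource):
        return False
    if rule.users is not None and acc.user not in rule.users:
        return False
    if rule.processes is not None and acc.process not in rule.processes:
        return False
    if rule.when is not None and not _in_window(rule.when, acc.at):
        return False
    if rule.actions is not None and acc.action not in rule.actions:
        return False
    return True


def evaluate(policy: List[Rule], acc: Access) -> Decision:
    """First matching rule wins, as with firewall rules. Assumption: no match = deny."""
    for i, rule in enumerate(policy):
        if _matches(rule, acc):
            return Decision(rule.effect == "permit", rule.apply_key, rule.audit, i)
    return Decision(False, False, False, None)


def unreachable_rules(policy: List[Rule]) -> List[int]:
    """Indices of rules shadowed by an earlier rule whose criteria are all blank."""
    for i, r in enumerate(policy):
        if all(c is None for c in (r.resource, r.users, r.processes, r.when, r.actions)):
            return list(range(i + 1, len(policy)))
    return []


def permit_all_except_policy() -> List[Rule]:
    """PERMIT ALL EXCEPT: specific denies first, restricted permits next, catch-all last."""
    return [
        Rule("deny", processes={"/bin/cp", "/usr/bin/scp"}, audit=True),   # no bulk copy tools
        Rule("deny", when=(time(19, 0), time(7, 0)), audit=True),           # no access overnight
        Rule("permit", users={"root"}, audit=True),                         # root gets ciphertext only
        Rule("permit", apply_key=True, audit=True),                         # everyone else: clear text
    ]
```

Run unreachable_rules over a policy before saving it: if the list is not empty, the exceptions you wrote are dead rules, and the policy is really PERMIT ALL.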

Policy creation

The rest of this chapter describes how to create policies. Two specific policies are described: the Basic Encryption Policy and the Initial Operational Policy.

The Basic Encryption Policy simply encrypts data written to a GuardPoint and decrypts it when it is accessed from the GuardPoint directory by an authorized user (a user with directory-read permissions). Anyone else who obtains the GuardPoint data gets only encrypted, unusable data. This is described in Creating the Basic Encryption Policy on page 26.

The initial operational policy is designed to encrypt the data and also control user access. The initial operational policy audits all GuardPoint activity and provides a detailed log of access and usage. By studying the audit log, the Security Administrator can tune the policies to limit which users have access to the decrypted data, as well as what executables and actions they can use. See Creating the initial operational policy on page 31.

Before either of these policies is created, you must create encryption keys. See Creating encryption keys on page 23.

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

CREATING ENCRYPTION KEYS

Encryption keys encrypt and decrypt data. Once encryption is applied, you must keep track of the encryption keys that you are using. Encrypted data is unusable without the proper keys.

A key's attributes and the policies you apply to a host determine whether a constant connection is required between the DSM and the File System Agent. Hosts whose keys are Stored on DSM Server require a constant connection to the DSM. As long as the DSM and host are connected, the policies stay in effect. When the network connection is interrupted, users cannot access encrypted data. Users can resume access after the network connection is re-established.

Hosts with keys Cached on Host are a different matter. The policies stay in effect as long as the DSM and host are connected. When the network connection is interrupted, data access is interrupted; however, users can still access encrypted data by requesting a temporary password from a Security Administrator (see Challenge & Response above).

See the VDS User's Guide for more details.

Encryption key management

Establishing an encryption key strategy

You can create a single data encryption key for each GuardPoint, for each server, for all the servers in your company, or anything in between. Additionally, there can be one key for each of the major environments, for example your production and non-production environments.

Choose an approach that strikes a balance between maximizing security and minimizing the administrative overhead of periodic key rotations. Basically, more keys give finer compartmentalization (a compromised key exposes less data) at the cost of more complexity and overhead.

Encryption key naming convention

Define a naming convention for data encryption keys. This lets administrators know where a key is applied to encrypt/decrypt data. The following is an example of a simple self-documenting key naming convention:

[BU]_[Environment]_KEY_[Strength]_[date]_[n]

Where:

BU is the name of the business unit.

Environment indicates the environment for this key, for example production or non-production.

KEY is a literal labeling this name as a key.

Strength is the algorithm used to create the key and the key length.

date indicates the date (year and month) this key was created.

n indicates this is the nth key created with the same prefix.

Below is an example of a key name using this convention:

SALES_PROD_KEY_AES256_2014-04_2
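The host-name rules from the previous chapter (an IP address, host name or FQDN; no underscore; FQDN at most 54 characters) and this naming convention are both worth checking before values are typed into the console, where a typo becomes a permanent object name. The following Python is an added example, not Vormetric code: the 54- and 64-character limits come from this guide, while the accepted Environment and Strength vocabularies and the host-label syntax are assumptions.

```python
import ipaddress
import re
from datetime import datetime
from typing import Dict, Iterable, Optional

# Added example, not Vormetric code. Length limits are from the guide; the
# Environment/Strength vocabularies and the label syntax are assumptions.

FQDN_MAX_LEN = 54          # "FQDN, 54 characters max"
KEY_NAME_MAX_LEN = 64      # "Name: Name of key. 64 character limit"

ENVIRONMENTS = {"PROD", "NONPROD"}       # assumed vocabulary
STRENGTHS = {"AES128", "AES256"}         # assumed vocabulary

_LABEL = re.compile(r"^[A-Za-z0-9](?:[A-Za-z0-9-]{0,61}[A-Za-z0-9])?$")
_KEY_NAME = re.compile(
    r"^(?P<bu>[A-Z0-9]+(?:_[A-Z0-9]+)*)"                      # BU may itself contain '_'
    r"_(?P<env>" + "|".join(sorted(ENVIRONMENTS)) + r")"
    r"_KEY_(?P<strength>" + "|".join(sorted(STRENGTHS)) + r")"
    r"_(?P<date>\d{4}-\d{2})_(?P<n>\d+)$"
)


def valid_host_entry(value: str) -> bool:
    """Host Name field: an IP address, a host name or an FQDN; no underscore; <= 54 chars."""
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        pass
    if not value or "_" in value or len(value) > FQDN_MAX_LEN:
        return False
    return all(_LABEL.match(label) for label in value.rstrip(".").split("."))


def parse_key_name(name: str) -> Optional[Dict[str, str]]:
    """Split a key name into the convention's fields, or None if it does not conform."""
    if len(name) > KEY_NAME_MAX_LEN:
        return None
    m = _KEY_NAME.match(name)
    if m is None:
        return None
    try:
        datetime.strptime(m.group("date"), "%Y-%m")   # rejects month 13 and the like
    except ValueError:
        return None
    return m.groupdict()


def next_key_name(bu: str, env: str, strength: str, created: datetime,
                  existing: Iterable[str]) -> str:
    """Pick the next free n for a prefix, given the key names already on the DSM."""
    prefix = f"{bu}_{env}_KEY_{strength}_{created:%Y-%m}_"
    used = set()
    for parsed in map(parse_key_name, existing):
        if parsed and f"{parsed['bu']}_{parsed['env']}_KEY_{parsed['strength']}_{parsed['date']}_" == prefix:
            used.add(int(parsed["n"]))
    return prefix + str(max(used, default=0) + 1)
```

The parser rejects lower-case or otherwise malformed names outright, so that a name that does not parse is caught before it is created; the same function drives next_key_name, which keeps the sequence number consistent across rotations.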


    Creating a data encryption key

    1 Go to Keys > Agent Keys > Keys in the Management Console to bring up the Agent Keys window.

    2 Click Add to bring up the Add Agent Key window.

    3 Enter a key name, description and security algorithm.

    Name: Name of key. 64 character limit.

    Description: Optional key description. 265 character limit.

    Template: A key template with a set of pre-defined attributes. To create a Microsoft SQL Server
    TDE agent asymmetric key, choose Default_SQL_Asymmetric_Key_Template and do not change
    any of the custom attribute values.

    Algorithm: Algorithm used to create the key.

    Key Type: Location for the encryption key. Stored on Server keys are downloaded to
    non-persistent memory on the host. Each time the key is needed, the host retrieves the key from
    the DSM. Cached on Host downloads and stores (in an encrypted form) the key in persistent
    memory on the host. The cached keys are used when there is no network connection between
    the host and DSM. All hosts using the same encryption key can access encrypted data on other
    hosts that use the same key. The Unique to Host checkbox is displayed when Cached on Host is
    selected.

    Unique to Host: When enabled with Cached on Host, makes the encryption key unique. The
    key is downloaded to the host, encrypted using the host password, and stored. These keys are
    used for locally attached devices, as files encrypted by them can only be read by one machine.
    Do not enable this checkbox for cloned systems, RAID configurations, clustered environments,
    or any environment that utilizes host mirroring. Requires that Key Creation Method is set to
    Generate.

    Key Creation Method: Select to generate a key using a random seed (Generate) or by Manual
    Input.

    Expiry Date: Date the key expires.

    Key Refreshing Period (minutes): Used only with the Oracle Database TDE and Microsoft SQL
    Server TDE Key Agent. Minutes you want the key in the local key cache before it is refreshed.

    Example:

    Name: SALES_PROD_KEY_AES256_2014-04_2
    Description: Key for Sales Dept.
    Algorithm: AES256
    All other values are the default.

    4 Click OK. Your new key is created and displayed in the Agent Keys window.

    5 Create as many keys as desired.

    CREATING THE BASIC ENCRYPTION POLICY

    The Basic Encryption Policy encrypts data written to a GuardPoint and decrypts it when it is
    accessed from the GuardPoint directory by an authorized user (a user with directory-read
    permissions). Anyone else who obtains the GuardPoint data will only get encrypted, unusable
    data. This is described in Creating the Basic Encryption Policy on page 26.

    The Basic Encryption Policy consists of a single rule:

    Rule 1 specifies that data written to a GuardPoint is encrypted, and that any user with access to
    the GuardPoint directory can access the decrypted data.


    The rest of this section describes how to create the initial operational policy.

    Create policy

    1 Log on to the Management Console as an administrator of type All, or as a Security
    Administrator with Key and Policy roles. Switch to the domain containing the host you wish to
    protect (see Switch to the domain where you want to create the access policy on page 17).

    2 Create a data encryption key for the Basic Encryption Policy. See Creating encryption keys on
    page 23.

    3 Click Policies > Manage Policies to list the policies available to this domain. In this example,
    there are two policies.


    4 Click Add Online Policy to create a new policy. The Add Online Policy window opens. Enter a
    name and optional description for your policy. In our example we use the name
    basic-encryption-policy.

    5 Click Add in the Security Rules panel. The Add Security Rule window opens.


    6 Click Effect. The Select Effect window opens. Select Permit (permit user access) and Apply Key
    (encrypt data written into the GuardPoint).

    7 Click Select Effect. The Edit Security Rule window opens with Effect defined. Click Ok. The Edit
    Online Policy window opens with Rule 1 added.

    Add an encryption key to the policy

    Whenever you specify Apply Key in an effect, you must add an encryption key to the policy.


    1 Click Add in the Key Selection Rules panel.

    2 The Add Key Rule window opens.

    3 Select Key. The Agent Keys window opens. Select the key you created earlier (our example:
    SALES_PROD_KEY_AES256_2014-04_2) and click Select Key. The Add Key Rule window returns.
    The Resource field is optional. It opens the Resource Set List window from which you can select or
    create the resource set whose members are to be encrypted. See the VDS Users Guide for details.

    4 Click Ok. The Edit Online Policy window opens with the new key added to the Key Selection Rules
    panel.

    5 Click Ok. The basic-encryption-policy is created. When you apply this policy to a
    directory, that directory becomes a GuardPoint, and any data written to that directory is
    encrypted. The policy encrypts data copied in and decrypts data accessed from the GuardPoint.

    CREATING THE INITIAL OPERATIONAL POLICY

    An initial operational policy is often the first data security policy applied to a GuardPoint. The
    initial operational policy described here:

    Encrypts all data written into the GuardPoint.
    Decrypts the GuardPoint data for any user who attempts access.
    Audits and creates log messages for every GuardPoint access.
    Reduces log message noise so you can analyze the messages that are important to you for
    tuning this policy.

    In a common VDS deployment you apply the initial operational policy to a GuardPoint, write
    your sensitive information into the GuardPoint directory so that it is encrypted, and direct data
    users to this new directory. Over time you analyze the audit messages to assess who accesses
    protected data and how. You then tune the initial operational policy to limit access and
    decryption to only those who need it, using only appropriate executables, exercising only the
    appropriate actions (read, write, modify and so on) and at the appropriate times.

    The initial operational policy described here consists of two rules:

    Rule 1 specifies that all users can read the attributes and properties of any file and directory in
    a GuardPoint. The purpose of this rule is to reduce excessive log messages so you can analyze
    log files without excess noise.

    Rule 2 specifies that files written in the GuardPoint are encrypted, that all users have unlimited
    access to the decrypted files, and that every operation is audited.

    The rest of this section describes how to create the initial operational policy.

    Name Policy

    1 Log on to the Management Console as an administrator of type All, or as a Security
    Administrator with Key and Policy roles. Switch to the domain containing the host you wish to
    protect (see Switch to the domain where you want to create the access policy on page 17).

    2 Create a data encryption key for the initial operational policy. See Creating encryption keys on
    page 23.


    3 Click Policies > Manage Policies to list the policies available to this domain. In this example,
    there are two policies.

    4 Click Add Online Policy. The Add Online Policy window opens.

    5 Enter a name and optional description for your policy. In our example we use the name
    basic-access-policy. Select Learn Mode.

    Learn Mode permits a policy to be tested without actually denying access to resources. In Learn
    Mode, all actions that would have been denied are instead permitted. These actions are logged
    to assist in tuning and troubleshooting policies. Learn Mode is highly recommended for
    policies that restrict by application (process), as many applications use multiple binaries that
    may not be known to the creator of the policy at time of creation. See the Vormetric Data
    Security Platform Users Guide for details.


    Enabling Learn Mode will disable the policy, but track each attempt that matches any
    security rule in the policy. A deny statement in Effect must include apply_key when Learn Mode
    is enabled. This option generates a warning each time an access attempt is made that matches
    any security rule in the policy. This warning is sent as a log message and it can be viewed in the
    Management Console (if it is configured to accept Warnings).

    6 Click Add in the Security Rules panel.

    Create Rule 1

    The purpose of this rule is to reduce excessive log messages so you can analyze log files without
    excess noise.

    1 Select Action in the Add Security Rule window.


    2 The Select Action window opens. Select f_rd_att, f_rd_sec, d_rd_att and d_rd_sec.

    The selected actions have the following meanings:

    d_rd_att - Can read the attributes of a directory (example: ls -la).
    d_rd_sec - Can view the security properties of a Windows folder, such as on the Security tab of
    the Properties window.
    f_rd_att - Can read the attributes of a file (example: ls -l).
    f_rd_sec - Can view the security properties of a Windows file, such as on the Security tab of the
    Properties window.

    See the VDS Users Guide for a full description of the Actions.


    3 Click Select Action. The Add Security Rule window opens with Action defined.

    4 Click Effect. The Select Effect window opens.


    5 Select Permit (permit GuardPoint access) and then Select Effect. The Edit Security Rule window
    opens with Effect defined. Click Ok. The Edit Online Policy window opens with Rule 1 added.

    Create Rule 2 for the initial operational policy

    This rule specifies that files written in the GuardPoint are encrypted, that all users have
    unlimited access to the decrypted files, and that every operation is audited.

    1 Click Add in the Security Rules panel. The Add Security Rule window opens.

    2 Select Action. The Select Action window opens.

    3 Select all_ops. all_ops allows any operation to be performed in the GuardPoint. Click Select
    Action. The Add Security Rule window opens with Action defined.


    4 Click Effect. The Select Effect window opens.


    5 Select Deny (deny access to GuardPoint), Apply Key (see below) and Audit (create a log entry for
    access attempts). Then click Select Effect. The Add Security Rule window opens with Effect
    defined.

    Apply Key - Applies an encryption key to data in a GuardPoint. Data copied into the GuardPoint
    is encrypted with the key specified in the Key Selection Rules tab. Data accessed from the
    GuardPoint is decrypted using the same key.

    6 Click Ok. The Edit Online Policy window opens with Rule 2 added.


    Add an encryption key to the policy


    Whenever you specify Apply Key in an effect, you must add an encryption key to the policy.

    1 Click Add in the Key Selection Rules panel.

    2 The Add Key Rule window opens.

    3 Select Key. The Agent Keys window opens. Select the key you created earlier (our example:
    SALES_PROD_KEY_AES256_2014-04_2) and click Select Key. The Add Key Rule window returns.

    4 Click Ok. The Edit Online Policy window opens with the new key added to the Key Selection Rules
    panel.

    5 Click Ok. basic-access-policy encrypts data copied in and decrypts data accessed from the
    GuardPoint.
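    The two policies built in this chapter, the Basic Encryption Policy and the initial operational policy with its two rules, together with the Learn Mode behaviour described under Name Policy, modelled as a small rule evaluator. This is an added example, not VDS agent or DSM code: the evaluation order (first rule whose Action matches wins), the log line format and the action name f_wr used for a file write are assumptions made for illustration. It shows why Rule 2 of the initial operational policy, which is a Deny effect, only grants access while Learn Mode is on, and what happens to the same policy once Learn Mode is cleared.

```python
"""Toy model of how the two policies built in this guide decide a GuardPoint
access, including Learn Mode. Added example, not VDS agent or DSM code: the
first-match evaluation order, the log line format and the action name f_wr
(assumed to mean a file write) are assumptions."""
from dataclasses import dataclass, field, replace
from typing import List, Optional, Set

ALL_OPS = "all_ops"  # wildcard action named in the guide


@dataclass
class Rule:
    actions: Set[str]  # e.g. {"f_rd_att", "d_rd_att"} or {ALL_OPS}
    effects: Set[str]  # subset of {"permit", "deny", "apply_key", "audit"}

    def matches(self, action: str) -> bool:
        return ALL_OPS in self.actions or action in self.actions


@dataclass
class Policy:
    name: str
    rules: List[Rule]
    key: Optional[str] = None  # the Key Selection Rule
    learn_mode: bool = False

    def __post_init__(self) -> None:
        # Two constraints stated in the guide: an Apply Key effect needs a key
        # selection rule, and a deny effect must include apply_key in Learn Mode.
        for i, r in enumerate(self.rules, start=1):
            if "apply_key" in r.effects and self.key is None:
                raise ValueError(f"{self.name} rule {i}: apply_key without a key selection rule")
            if self.learn_mode and "deny" in r.effects and "apply_key" not in r.effects:
                raise ValueError(f"{self.name} rule {i}: deny must include apply_key in Learn Mode")


@dataclass
class Decision:
    allowed: bool
    rule_index: Optional[int]  # None when no rule matched
    key: Optional[str]  # key applied to the data, if any
    logs: List[str] = field(default_factory=list)


def evaluate(policy: Policy, user: str, action: str, path: str) -> Decision:
    """Decide one access attempt: the first rule whose Action matches wins."""
    who = f"policy={policy.name} user={user} action={action} path={path}"
    for i, rule in enumerate(policy.rules, start=1):
        if not rule.matches(action):
            continue
        key = policy.key if "apply_key" in rule.effects else None
        logs: List[str] = []
        if "deny" in rule.effects and policy.learn_mode:
            # Learn Mode: the access goes through, and a warning records what
            # the rule would have denied so the policy can be tuned later.
            allowed = True
            logs.append(f"WARN rule={i} learn_mode=would_deny {who}")
        elif "deny" in rule.effects:
            allowed = False
            logs.append(f"DENY rule={i} {who}")
        else:
            allowed = True
        if "audit" in rule.effects:
            logs.append(f"AUDIT rule={i} result={'permit' if allowed else 'deny'} {who}")
        return Decision(allowed, i, key, logs)
    # Nothing matched: treat as denied and always log it (assumed default).
    return Decision(False, None, None, [f"DENY rule=none {who}"])


KEY = "SALES_PROD_KEY_AES256_2014-04_2"  # key created earlier in the guide

# Basic Encryption Policy: one rule, Permit + Apply Key for every operation.
basic_encryption_policy = Policy(
    name="basic-encryption-policy",
    rules=[Rule({ALL_OPS}, {"permit", "apply_key"})],
    key=KEY,
)

# Initial operational policy: Rule 1 keeps metadata reads out of the logs,
# Rule 2 (Deny + Apply Key + Audit) only grants access because Learn Mode is on.
basic_access_policy = Policy(
    name="basic-access-policy",
    rules=[
        Rule({"f_rd_att", "f_rd_sec", "d_rd_att", "d_rd_sec"}, {"permit"}),
        Rule({ALL_OPS}, {"deny", "apply_key", "audit"}),
    ],
    key=KEY,
    learn_mode=True,
)

# The same policy with Learn Mode switched off: Rule 2 now really denies,
# which is why the rules must be tuned before Learn Mode is cleared.
tuned_access_policy = replace(basic_access_policy, learn_mode=False)


if __name__ == "__main__":
    for pol in (basic_encryption_policy, basic_access_policy, tuned_access_policy):
        for act in ("f_rd_att", "f_wr"):
            d = evaluate(pol, "alice", act, "/vipdata/report.txt")
            print(pol.name, act, "allowed" if d.allowed else "denied", d.logs)
```

    Running the block shows the noise-reduction effect of Rule 1 (a metadata read produces no log line at all) and the tuning loop the text describes: every other operation lands in Rule 2 and is recorded as a warning plus an audit entry while Learn Mode is on, and the warnings are exactly the accesses that would be blocked the moment Learn Mode is turned off.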

    CREATING GUARDPOINTS: APPLYING POLICIES TO DIRECTORIES

    When a policy is applied to a directory, that directory is called a GuardPoint. This section
    describes how to create GuardPoints.

    Apply a policy to folders

    1 Log on to the Management Console as an administrator of type All, or as a Security
    Administrator with Key and Policy roles. Switch to the domain containing the host you wish to
    protect (see Switch to the domain where you want to create the access policy on page 17).

    2 Click Hosts > Hosts in the Management Console. The Hosts window opens.


    3 Click on the protected host name in blue where you will create the GuardPoints. The Edit Host
    screen opens.

    4 Click the Guard FS (File System) tab. The host's GuardPoints, if any, are displayed. Click Guard to
    create a new GuardPoint.


    5 The Guard File System panel opens.


    For Policy, choose the policy name you want to apply to the directory. For example,
    basic-encryption-policy or basic-access-policy.

    For Type, use Directory (Auto Guard) for directories.

    For Path, enter the GuardPoint directory. For example, /vipdata for Linux and UNIX hosts or
    c:\Users\Marketing1\vipdata for Windows hosts.

    Optionally, click Browse to browse and highlight the GuardPoint directory. Note that Browse
    will not work if the host was registered with One-way Communication.

    6 Click Ok to apply the policy to the GuardPoint. The Edit Host panel opens with the new
    GuardPoint.


    Repeat this process for each folder you wish to protect.


    A red status indicator means that the policy hasn't taken effect. Click Refresh until the Status
    turns green. This may take up to 30 seconds. The policy is now activated and the GuardPoint is
    protected.

    DATA ENCRYPTION AND PROTECTION 5


    By now, you have set up your DSM, created VDS administrators, installed agents on your

    protected hosts, and created an initial operational policy. This chapter describes how to encrypt

    your sensitive data and tune your data protection policy to prevent unwanted access. This

    chapter contains these sections:

    Data Protection Overview on page 43

    Determine encryption method on page 44

    Using the Copy or Restore encryption method on file systems on page 46

    Using the Copy or Restore encryption method on block devices on page 48

    Using dataxform to encrypt your data on page 52

    Viewing the audit logs on page 62

    Tune the Policies on page 64

    DATA PROTECTION OVERVIEW

    Steps for protecting data

    The basic steps for protecting your data are:

    1 Determine the optimal data encryption method for your environment: Copy, Restore or dataxform.

    2 Verify that your data is backed up.

    3 Stop all services and access to the directories or block devices that will be encrypted.

    4 Create a GuardPoint with the initial operational policy on the protected directories or block devices.
    For the dataxform encryption method, create a dataxform policy. For the Copy or Restore method,
    use the initial operational policy described in Creating the initial operational policy on page 31.

    5 For the dataxform method, run dataxform on each GuardPoint. For the Copy and Restore methods,
    copy files into the GuardPoint.

    6 After verifying that encryption was successful, start services and restore access to the data now
    encrypted.


    7 Test and monitor access to the encrypted data.


    8 Tune the policies to increase and refine security.

    DETERMINE ENCRYPTION METHOD

    VDS provides three encryption methods: the Copy, Restore, and dataxform methods. The
    optimal method depends on three things: 1) whether you are encrypting data on a block
    device or a directory; 2) the amount of disk space you have; 3) the speed of your backup devices.

    Note: Whichever method you select, it is essential that you have a good backup of the data
    before you encrypt it.

    Restore encryption method

    In this method, your sensitive data is backed up on some device, for example, a tape drive or
    disk drive. To encrypt the data, you will:

    1 Block access to all directories and block devices that are to be encrypted.

    2 Create a GuardPoint on these directories and block devices.

    3 Restore the data from the backup device into the GuardPoint. As data is written into the
    GuardPoint, it is encrypted.

    An example is shown below.

    In this example, users access a number of databases on the protected host. To protect
    \database-3, first block user access to it, create a GuardPoint on \database-3 and then
    restore the backup data from the backup media into \database-3. This method requires no
    extra disk space, and the speed of encryption depends on the speed of the restore. Slower
    backup media, like tape drives, will result in a slower encryption speed.


    Copy encryption method

    In this method, you copy sensitive data into a GuardPoint with an encryption policy. This
    method is generally faster than the Restore encryption method. If the data you copy to the
    GuardPoint is on the same drive and volume as the GuardPoint, this method is comparable in
    speed to dataxform, approximately 2-4 Gigabytes per minute. If the data to be encrypted is
    accessed from a slow disk or a different volume, the encryption will be slightly slower.

    Here's an example of how the Copy encryption method works:

    1 Block all access to the directory containing the sensitive source data. Rename that directory
    (example: from \mssql\data\3 to \mssql\data\3-OLD).

    2 Create a new directory for your sensitive data with the original directory path. Block access to it.

    3 Create a GuardPoint on that directory.

    4 Copy the sensitive data into the GuardPoint. Data in the GuardPoint is encrypted.

    5 Open access to the new directory.

    An example is shown in the graphic below.

    In this example, users access a number of SQL databases on the protected host. To protect
    \mssql\data\3 you block access to the directory, rename it to \mssql\data\3-OLD, create
    a new \mssql\data\3 directory, block access to it, create a GuardPoint on it, copy the data in
    \mssql\data\3-OLD to \mssql\data\3, and open access to \mssql\data\3. This method
    requires additional disk space at least as large as \mssql\data\5. The speed of the backup
    depends on the speed of the copy.
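    The five Copy-method steps above, carried out on a Linux/UNIX host with the "verify that encryption was successful" check from the Steps for protecting data list done before access is reopened. This is an added example and not a Vormetric tool: the GuardPoint is created in the Management Console, so that step is a callback here; "block access" is modelled as owner-only directory permissions; and the sample tree standing in for \mssql\data\3 is constructed inline.

```python
"""Walk through the Copy encryption method on a Linux/UNIX host, with an
integrity check before access is reopened. Added example, not a Vormetric
tool: the GuardPoint step is a callback (it is done in the Management
Console) and "block access" is modelled as owner-only directory permissions."""
import hashlib
import os
import shutil
import stat
import tempfile
from pathlib import Path
from typing import Callable, Dict, List

OWNER_ONLY = stat.S_IRWXU  # 0700: nobody but the administrator doing the copy gets in
OPEN_MODE = stat.S_IRWXU | stat.S_IRGRP | stat.S_IXGRP | stat.S_IROTH | stat.S_IXOTH  # 0755


def sha256_tree(root: Path) -> Dict[str, str]:
    """Relative path -> SHA-256 of contents for every file below root."""
    return {
        str(p.relative_to(root)): hashlib.sha256(p.read_bytes()).hexdigest()
        for p in sorted(root.rglob("*")) if p.is_file()
    }


def copy_method(data_dir: Path, create_guardpoint: Callable[[Path], None]) -> Dict[str, str]:
    """Run the five Copy-method steps on data_dir and return the verified digests.

    create_guardpoint stands in for Hosts > Guard FS > Guard in the console and
    is invoked once the new, still-blocked directory exists (step 3)."""
    old_dir = data_dir.with_name(data_dir.name + "-OLD")
    expected = sha256_tree(data_dir)      # fingerprint the source before touching it

    os.chmod(data_dir, OWNER_ONLY)        # 1. block access to the source ...
    data_dir.rename(old_dir)              #    ... and rename it to <name>-OLD

    data_dir.mkdir(mode=OWNER_ONLY)       # 2. recreate the original path, blocked
    os.chmod(data_dir, OWNER_ONLY)        #    (mkdir's mode is subject to umask)

    create_guardpoint(data_dir)           # 3. apply the encryption policy

    shutil.copytree(old_dir, data_dir, dirs_exist_ok=True)  # 4. copy data into the GuardPoint

    actual = sha256_tree(data_dir)        # verify before anyone is let back in
    if actual != expected:
        raise RuntimeError(f"copy of {old_dir} to {data_dir} did not verify; access stays blocked")

    os.chmod(data_dir, OPEN_MODE)         # 5. open access to the new directory
    return actual


def make_sample_tree() -> Path:
    """Constructed sample data standing in for \\mssql\\data\\3 in the text."""
    base = Path(tempfile.mkdtemp(prefix="vds-copy-"))
    data = base / "data3"
    (data / "sub").mkdir(parents=True)
    (data / "db.mdf").write_bytes(b"constructed database contents\n" * 100)
    (data / "sub" / "db.ldf").write_bytes(b"constructed log contents\n" * 50)
    return data


def run_demo() -> dict:
    """Exercise copy_method on the sample tree and report what happened."""
    data = make_sample_tree()
    guarded: List[str] = []
    digests = copy_method(data, lambda p: guarded.append(str(p)))
    return {
        "guarded": guarded,
        "files": sorted(digests),
        "matches_old": digests == sha256_tree(data.with_name("data3-OLD")),
        "new_mode": stat.S_IMODE(data.stat().st_mode),
        "old_mode": stat.S_IMODE(data.with_name("data3-OLD").stat().st_mode),
    }


if __name__ == "__main__":
    print(run_demo())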


    dataxform encryption method
