In-Flight Encryption in the Cloud for NFS and SMB Workloads

[Cloud Volumes ONTAP, File Services, Data Protection, Customer Case Study, Master, 6 minute read]

Encryption in the cloud is a key part of protecting your data, but is that protection more essential for some workloads than others? By nature, file storage is meant to be shared. But how can you make sure that the data in your file storage is protected as it transfers between different repositories, where it’s moving between clouds or within hybrid architectures? If you’re using Cloud Volumes ONTAP for cloud file sharing services, your in-flight data is protected.

While Cloud Volumes ONTAP supports both encryption for data at rest (with key services like AWS KMS) and in-flight, this blog post focuses on in-flight data encryption. We’ll take a high-level look at the process, considerations, and resources needed to enable you to protect your file-based protocols in Cloud Volumes ONTAP with in-flight data encryption.

How Granular Do You Want Your SMB Data Encryption?

Whether you’re looking for encryption in the cloud or in a hybrid environment, if you want to encrypt SMB/CIFS traffic in Cloud Volumes ONTAP, SMB 3 is supported. SMB encryption is easily configured using System Manager or the CLI. You can enable SMB either on the Storage Virtual Machine (SVM) or laptop individually on each share. For greater security, you can configure SMB sealing and signing on the SVM. However, this configuration is not necessary to enable encryption for SMB/CIFS shares. Additionally, if you are using an operating system that supports older SMB versions, you may need to disable them so that only SMB 3 is used.

How to Set Up SMB Encryption for Cloud Volumes ONTAP

Based on security requirements, determine if SMB encryption is required for all shares. If this is the case, enable SMB encryption at the SVM level in System Manager or CLI.

vserver cifs security modify -vserver vserver_name -is-smb-encryption-required true

If more granular encryption is preferred, disable SMB encryption on the SVM and enable encryption on a share-by-share basis.

vserver cifs security modify -vserver vserver_name -is-smb-encryption-required false
vserver cifs share properties add –vserver -share-name -share-property encrypt-data

Confirm that there are no unencrypted or partially encrypted sessions: 

vserver cifs session show -vserver vserver_name unencrypted | partially-encrypted

Learn more about configuring SMB servers and shares here.

Next up is NFS.

NFS Encryption with Kerberos

Cloud Volumes ONTAP supports NFSv4.1 and requires Kerberos for in-flight data encryption. Here are some prerequisites for encrypting the in-flight traffic for NFS exports:

  • A Kerberos Key Distribution Center (KDC) running Kerberos V5.
  • A DNS server or local host files on both the NFS client and ONTAP SVM to resolve SPN entries.

If you run a Windows Active Directory server adjacent to Cloud Volumes ONTAP, you should meet the requirements for both DNS and a Kerberos KDC. Other KDCs like MIT Kerberos and FreeIPA are also supported.

Follow these steps in System Manager or the CLI:

  • Configure the Kerberos realm for your NFS-serving SVM. You will need your Kerberos KDC server name, IP address, and credentials.
  • Enable Kerberos on the Data LIFs that will serve NFS v4.1 clients. This step will create a machine account and SPN on your KDC.
  • Modify export policy rules to allow Kerberos.

While the process of configuring in-flight encryption is more complex than the process for SMB, there are great resources that you can turn to, such as TR-4616: NFS Kerberos in ONTAP with Microsoft Active Directory ONTAP 9.7 and later and this post by NetApp’s Justin Parisi on the NFS-Kerberos workflow.

Note that ONTAP 9.8 includes IPSec support and configuring this will remove any Kerberos requirement and simplify configuration of in-flight data encryption.

Customer Case Studies with Cloud Volumes ONTAP

Let’s take a look at how Cloud Volumes ONTAP encryption has helped some companies with strict data security requirements.

One NetApp Cloud Volumes ONTAP customer is a genomics and biotechnology company known for its commercially available genetic testing services. Customers provide saliva samples, and the extracted DNA is then analyzed at the company’s lab to report on ancestry or other genetic details, such as susceptibility to illness. With the sensitive nature of DNA, security is paramount for this business.

In NetApp Cloud Volumes, this company found a way to replicate data with full encryption and also securely move data to AWS by leveraging SnapMirror. Full encryption offered more security than transferring data over their VPN connection.

Another case study of Cloud Volumes ONTAP is with the Environment and Natural Resources Division of the Department of Justice (ENRD/DOJ). When ENRD decided to move their workloads to the cloud, they reviewed many cloud storage solutions. Only one offering met their stringent security requirements while offering fast access and management simplicity.

With a critical legal mission, the security features that ENRD looked for included data encryption, both at-rest and in-flight. ENRD/DOJ's data solutions department needed its cloud storage solution to be secure enough to protect valuable evidence and powerful enough to handle significant data demands. NetApp Cloud Volumes ONTAP fit that bill. Read more about ENRD/DOJ's seamless migration to Cloud Volumes ONTAP and how Cloud Volumes ONTAP's inherent security enables them to manage the data they need to drive prosecutions.

Get More Than Cloud Encryption

Zero Trust, where organizations verify each and every request and never trust, is the world the cloud helped create. No longer can you rely solely on this idea of trusted internal traffic and perimeter firewalls to keep your data safe and thwart would-be attackers. The best approach isn't a single preventative measure but a multi-pronged or layered approach to minimize risks and keep data secure. Only when organizations adopt a layered security approach can they act as good stewards for their data.

Encryption in the cloud or hybrid environments is a necessity. Many regulatory and compliance frameworks including the Health Insurance Portability and Accountability Act of 1996 (HIPAA) require encryption for data-at-rest and data in-flight. This kind of encryption can deter and prevent man-in-the-middle attacks that aim to get in-between client-server communication to eavesdrop or alter or corrupt messages, and compromise the confidentiality and integrity of your data. Not all data is created equal, and because any kind of encryption typically comes with a performance penalty, it should be carefully considered where and when to implement in-flight encryption. 

Encryption for cloud storage is a vital part of a layered approach to security and imperative to any storage solution. In-flight data encryption may be the solution for protecting your SMB3 and NFSv4.1 workloads on Cloud Volumes ONTAP. In-flight encryption is just one of the powerful security features that Cloud Volumes ONTAP uses to keep your data safe. For any number of workloads, from file services, database, and cloud automation, to cloud migration, application data, and cloud backup with encryption, Cloud Volumes ONTAP keeps your data safe.

Learn more about Enterprise Data Security with Cloud Volumes ONTAP here.

New call-to-action

-