Presentation is loading. Please wait.

Presentation is loading. Please wait.

Secure Off Site Backup at CERN Katrine Aam Svendsen.

Published by Modified over 9 years ago

Similar presentations

Presentation on theme: "Secure Off Site Backup at CERN Katrine Aam Svendsen."— Presentation transcript:

1 Secure Off Site Backup at CERN Katrine Aam Svendsen

2 2 Outline Problem Related Work System at the start of the project System requirements System design Conclusions

3 3 Problem How to develop a transparent and secure off site backup solution within the current systems at CERN?  How is this best implemented?  How should key management, policies and guidelines be designed?  Develop a user interface imposing as little inconvenience as possible to the user. Is the security satisfactory with regards to the requirements to the system?

4 4 Related work Different encryption file systems: CFS – Cryptographic File System SFS – Secure File System Farsite TCFS – Transparent Cryptographic File System Other sources: Threats and vulnerabilities of storage systems Key management Policy writing Disaster recovery

5 5 System at the start of the project Off Site Backup Service Service to provide groups and services at CERN with the opportunity of storing a current copy of vital data, for disaster recovery purposes Server:  Dual Intel Xeon 2,66 GHz CPU  2 GB RAM  ~3TB storage space  Scientific Linux CERN 4 (SLC4)

6 6 System must offer the possibility of scheduled backups, but must also accept backup data from client machines at any time. The system must be portable The system must be easy to operate. The user must not need to enter a password to perform the backup The data must be transferred securely The data stored by one client must not be visible by any other client The client must be able to restore the data at any time The data must be secure if an adversary gains physical access to the server. System requirements

7 7 System must offer the possibility of scheduled backups, but must also accept backup data from client machines at any time. The system must be portable The system must be easy to operate. The user must not need to enter a password to perform the backup The data must be transferred securely The data stored by one client must not be visible by any other client The client must be able to restore the data at any time The data must be secure if an adversary gains physical access to the server. System requirements

8 8 System design – Components AFS servers: Distributed computer environment Available for several operating systems Uses Kerberos for authentication Possibility of traffic encryption Off site backup server: Installed TrueCrypt Safe in secure location: To store password for disaster recovery

9 9 System design – TrueCrypt Creates virtual encrypted disks and mount these as plain text disks Volume file – can be managed as any other file (copy, move, rename etc.) Volume partition/device – encrypts an entire partition or device (e.g. USB stick) Providing the correct password or keyfile, a user can mount the volume on a desired mount point The data stored in the volume are then accessible as any other plain text data

10 10 System design – Key management Encryption keys are created by TrueCrypt Keyfiles are used to mount a volume, these are stored in AFS. Kerberos authentication is necessary to access the keyfile. Volume is first created using a strong password, and volume header is backed up. The password is stored in a secure location, e.g. a safe, also off site. Disaster recovery: Password is retrieved, volume header is restored, and the volume can be mounted.

11 11 System design – Information flow when making a backup

12 12 System design – Scripts To lessen user inconvenience, scripts are developed: To create a volume To check if a volume is mounted To mount and unmount a volume To make a backup To change keyfile To restore the volume header

13 13 System design – Policies and procedures Policies and procedures have been designed, defining such things as: Who is allowed to create new volumes? How is the keyfile/password stored? Who is allowed to access the keyfiles and password? How is disaster recovery handled? Who is responsible for controlling the access to the safe in the secure location? What happens when a user leaves the organization? Etc…

14 14 Conclusions A software tool such as TrueCrypt can successfully be used for secure backup encryption such as the one presented here. Scripts are one way of decreasing the user inconvenience, combined with SSH using cryptographic keys and the keyfile functionality of TrueCrypt The requirements to the security of the system is satisfied:  The data is transferred securely  The data stored by one client is not visible to any other client  The data is secure if an adversary gains physical access to the server. Therefore, the security of the system is satisfactory. The system is also adaptable to other situations.

15 Questions?

Download ppt "Secure Off Site Backup at CERN Katrine Aam Svendsen."

Similar presentations

Data Encryption Data In Transit / Data At Rest. Learning Outcomes How to: – encrypt data on an USB key – encrypt a document – email a document safely.

Data Encryption Data In Transit / Data At Rest. Learning Outcomes How to: – encrypt data on an USB key – encrypt a document – a document safely.
Lesson 3: Working with Storage Systems

Lesson 3: Working with Storage Systems
Chapter 17: WEB COMPONENTS

Chapter 17: WEB COMPONENTS
E NHANCING F ILE D ATA S ECURITY IN L INUX O PERATING S YSTEM BY I NTEGRATING S ECURE F ILE S YSTEM PTD By, Ravikumar Madam Rajesh Kumar Pal, Indranil.

E NHANCING F ILE D ATA S ECURITY IN L INUX O PERATING S YSTEM BY I NTEGRATING S ECURE F ILE S YSTEM PTD By, Ravikumar Madam Rajesh Kumar Pal, Indranil.
Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.

Networks. User access and levels Most network security involves users having different levels of user access to the network. The network manager will.
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
Password?. Project CLASP: Common Login and Access rights across Services Plan

Password?. Project CLASP: Common Login and Access rights across Services Plan
HiberSnail Portable home directory with environment retrieval.

HiberSnail Portable home directory with environment retrieval.
MCITP: Microsoft Windows Vista Desktop Support - Enterprise Section 1: Prepare to Deploy.

MCITP: Microsoft Windows Vista Desktop Support - Enterprise Section 1: Prepare to Deploy.
Useful Tools for Testing

Useful Tools for Testing
 Contents 1.Introduction about operating system. 2. What is 32 bit and 64 bit operating system. 3. File systems. 4. Minimum requirement for Windows 7.

 Contents 1.Introduction about operating system. 2. What is 32 bit and 64 bit operating system. 3. File systems. 4. Minimum requirement for Windows 7.
Virtual Network Servers. What is a Server? 1. A software application that provides a specific one or more services to other computers  Example: Apache.

Virtual Network Servers. What is a Server? 1. A software application that provides a specific one or more services to other computers  Example: Apache.
CT NIKHEF June 2003 1 File server CT system support.

CT NIKHEF June File server CT system support.
70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.

70-293: MCSE Guide to Planning a Microsoft Windows Server 2003 Network, Enhanced Chapter 14: Problem Recovery.
Senior Design – Spring 2009 Richard Gory Focus: Networking & Web.

Senior Design – Spring 2009 Richard Gory Focus: Networking & Web.
TRUECRYPT.

TRUECRYPT.
Fundamentals of Networking Discovery 1, Chapter 2 Operating Systems.

Fundamentals of Networking Discovery 1, Chapter 2 Operating Systems.
Chapter 4 Operating Systems and File Management. 4 Chapter 4: Operating Systems and File Management 2 Chapter Contents  Section A: Operating System Basics.

Chapter 4 Operating Systems and File Management. 4 Chapter 4: Operating Systems and File Management 2 Chapter Contents  Section A: Operating System Basics.
Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.

Chapter-4 Windows 2000 Professional Win2K Professional provides a very usable interface and was designed for use in the desktop PC. Microsoft server system.
Report : Zhen Ming Wu 2008 IEEE 9th Grid Computing Conference.

Report : Zhen Ming Wu 2008 IEEE 9th Grid Computing Conference.

Similar presentations

Ads by Google