Planning for transparent cloud tiering
Planning for transparent cloud tiering involves purchasing a licensed function and then activating and enabling the function on the system.
Transparent cloud tiering is a licensed function that enables volume data to be copied and transferred to cloud storage. The system supports creating connections to cloud service providers to store copies of volume data in private or public cloud storage.
With transparent cloud tiering, administrators can move older data to cloud storage to free up capacity on the system. Point-in-time snapshots of data can be created on the system and then copied and stored on the cloud storage. An external cloud service provider manages the cloud storage, which reduces storage costs for the system. Before data can be copied to cloud storage, a connection to the cloud service provider must be created from the system.
A cloud account is an object on the system that represents a connection to a cloud service provider by using a particular set of credentials. These credentials differ depending on the type of cloud service provider that is being specified. Most cloud service providers require the host name of the cloud service provider and an associated password, and some cloud service providers also require certificates to authenticate users of the cloud storage. Public clouds use certificates that are signed by well-known certificate authorities. Private cloud service providers can use either a self-signed certificate or a certificate that is signed by a trusted certificate authority. These credentials are defined on the cloud service provider and passed to the system through the administrators of the cloud service provider.
After the system is authenticated, it can access cloud storage either to copy data to the cloud storage or to restore data that was copied to cloud storage back to the system. The system supports only one cloud account, to a single cloud service provider. Migration between providers is not supported.
Each cloud service provider divides cloud storage into segments for each client that uses the cloud storage. These objects store only data that is specific to that client. The names of the objects begin with a prefix that you can specify when you create the account for the system. A prefix identifies the system-specific content that the object stores, and it allows multiple independent systems to store data in a single cloud account. Each cloud service provider uses different terminology for these storage objects.
- Ensure that you have a service contract with a supported cloud service provider.
- Obtain the license for transparent cloud tiering for your system. Only SAN Volume Controller 2145-DH8 and SAN Volume Controller 2145-SV1 models support transparent cloud tiering. Verify that your hardware model supports this function before proceeding.
- Ensure that a DNS server is configured on the system. During the configuration of the cloud account, the wizard prompts you to create a DNS server if one is not already configured. Cloud service providers are addressed by host name, and the system requires a Domain Name System (DNS) server to resolve these host names to IP addresses before it can establish a cloud account or connect to cloud-based storage.
Before you create a connection to a cloud service provider or connect to cloud storage, ensure that you specify at least one DNS server to resolve host names. You can configure up to two DNS servers on the system. To configure DNS for the system, enter a valid IP address and a name for each server. Both IPv4 and IPv6 address formats are supported.
- Determine whether encryption is required for your connection to the cloud account. If you are accessing a public cloud solution, encryption protects data in transit to the external cloud service provider from attack. To encrypt data that is sent to the cloud service provider, the system requires an encryption license for each enclosure that supports the function, and encryption must be enabled on the system.
Security considerations for cloud accounts
Whenever the system accesses outside networks, the potential for unintentional or intentional exposure of sensitive data is a risk. When you are connecting the system to a cloud service provider over a public network, you can use encryption to protect data that is transferred to the cloud service provider.
The first level of encryption-based security provides secure communications between the system and the cloud service provider. The standard protocol, Transport Layer Security (TLS), protects these connections by encrypting data that is transferred between the system and the cloud service provider. Secure communications are mandatory for these connections and require that public certificates are exchanged between the cloud service provider and the system. To configure certificates for secure communications in the management GUI, go to . You can also use the chsystemcert command to create system certificates. With secure communications, data is encrypted while it is transferred to the cloud, but it might be stored in the cloud unencrypted. Each cloud service provider has its own security measures to protect data after it is located in cloud storage; however, breaches can still occur and data can be compromised. Clients that use cloud service providers can add extra encryption methods to protect their data after it is stored in the cloud.
Because the system supports encryption of at-rest data, you can optionally configure encryption key management to further protect data that is stored on the cloud storage. If key management is configured on the system, data is encrypted before it leaves the system and is stored in the cloud. The system supports key management through either a USB flash drive or an encryption key server. When encryption is configured, a master encryption key is created and is stored separately on either a USB flash drive or a key server. When you create snapshots of data to send to the configured cloud service provider, each volume and each cloud account has its own encryption key. The encryption key that is used by the cloud account protects the encryption keys for the volumes, and the master encryption key protects the encryption key that is used by the cloud account. Because the master encryption key is physically present on the USB flash drive or key server, you must ensure that security measures are implemented to protect the master encryption key from theft or loss.
When the data is transmitted between the system and the cloud service provider, it is also encrypted by the TLS connection that uses the certificates configured for secure communications. The master encryption key also protects the data in transit, and the data remains encrypted while it is stored on the cloud storage. Data also remains encrypted under the master encryption key when it is transferred back to the system from the cloud during restore operations. Finally, data can be decrypted when it arrives at the system, or it can be stored on an encrypted volume on the system.
When a connection to a cloud service provider is configured, you must decide whether to encrypt data at rest in the cloud for this account. After you decide, the encryption setting for the account cannot be changed without restoring all data from the cloud, reconfiguring the account, and re-creating cloud snapshots for the data.
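As an added illustration of the key hierarchy described above (this is not IBM code, and the cipher is a standard-library stand-in rather than the system's algorithm), the following Python models a master key that wraps the cloud account key, which in turn wraps a fresh per-volume key for each cloud snapshot, and shows that a copy in the cloud cannot be restored without the master key:

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, n: int) -> bytes:
    # HMAC(key, nonce || counter) blocks: a stand-in keystream, not a production cipher.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC under key; returns nonce || ciphertext || tag."""
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(plaintext, _keystream(key, nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()

def unseal(key: bytes, blob: bytes) -> bytes:
    """Verify the tag, then decrypt; a wrong key or a modified object is rejected."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrong key or tampered object")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))

def enable_encryption() -> tuple:
    """Master key lives only on the USB drive or key server; the system keeps the wrapped account key."""
    master_key, account_key = os.urandom(32), os.urandom(32)
    return master_key, seal(master_key, account_key)

def make_cloud_snapshot(master_key: bytes, wrapped_account_key: bytes, volume_data: bytes) -> dict:
    """Encrypt under a fresh volume key before the data leaves the system; ship that key wrapped, never in clear."""
    account_key = unseal(master_key, wrapped_account_key)
    volume_key = os.urandom(32)
    return {"wrapped_volume_key": seal(account_key, volume_key), "data": seal(volume_key, volume_data)}

def restore_cloud_snapshot(master_key: bytes, wrapped_account_key: bytes, obj: dict) -> bytes:
    """Restore unwraps the chain master key -> account key -> volume key -> data."""
    account_key = unseal(master_key, wrapped_account_key)
    volume_key = unseal(account_key, obj["wrapped_volume_key"])
    return unseal(volume_key, obj["data"])

def restorable_without_master_key(wrapped_account_key: bytes, obj: dict) -> bool:
    """Without the master key (lost, or not restored from its backup) the cloud copy is unrecoverable."""
    try:
        restore_cloud_snapshot(os.urandom(32), wrapped_account_key, obj)
        return True
    except ValueError:
        return False
```

The cloud object carries only ciphertext and a wrapped volume key, so a breach at the provider yields nothing usable, while loss of the master key makes every snapshot for the account unrecoverable.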
Update requirements for encrypted cloud accounts
chencryption -usb newkey -key prepare
chencryption -usb newkey -key commit
or
chencryption -keyserver newkey -key prepare
chencryption -keyserver newkey -key commit
The rekey operation must be run after the update to the 7.8.x code level or higher is completed and before you create the encrypted cloud account.