Object and metadata security
Explore the object and metadata security features in StorageGRID.
Feature | Function | Impact | Regulatory compliance |
---|---|---|---|
Advanced Encryption Standard (AES) Server-Side Object Encryption | StorageGRID provides AES-128 and AES-256 server-side encryption of objects. Grid administrators can enable encryption as a global default setting. StorageGRID also supports the S3 `x-amz-server-side-encryption` request header, so encryption can be enabled or disabled on a per-object basis. When enabled, objects are encrypted when stored and while in transit between grid nodes. | Helps secure storage and transmission of objects, independent of the underlying storage hardware. | SEC Rule 17a-4(f) |
Built-in Key Management | When encryption is enabled, each object is encrypted with a randomly generated, unique symmetric key that is stored inside StorageGRID and is not accessible externally. | Enables encryption of objects without requiring an external key management system. | |
Federal Information Processing Standard (FIPS) 140-2 compliant encryption disks | The SG5812, SG5860, SG6160, and SGF6024 StorageGRID appliances offer the option of FIPS 140-2 compliant encryption disks. | Enables secure storage of system data, metadata, and objects at the disk level. StorageGRID software-based object encryption can be used in addition, securing storage and transmission of objects. | SEC Rule 17a-4(f) |
Background Integrity Scan and Self-Healing | StorageGRID uses an interlocking set of hashes, checksums, and cyclic redundancy checks (CRCs) at the object and sub-object level to protect against data inconsistency, tampering, or modification, both while objects are in storage and while they are in transit. StorageGRID automatically detects corrupt or tampered objects and replaces them, quarantines the altered data, and alerts the administrator. | Enables Grid administrators to meet SLAs, regulations, and other obligations regarding data durability. Helps customers detect ransomware or viruses attempting to encrypt, tamper with, or modify data. | SEC Rule 17a-4(f) |
Policy-based object placement and retention | StorageGRID enables Grid administrators to configure ILM rules, which specify object retention, placement, protection, transition, and expiration. Grid administrators can configure StorageGRID to filter objects by their metadata and to apply rules at various levels of granularity, including grid-wide, tenant, bucket, key prefix, and user-defined metadata key-value pairs. StorageGRID helps to ensure that objects are stored according to the ILM rules throughout their lifecycles, unless they are explicitly deleted by the client. | Helps enforce data placement, protection, and retention. Helps customers achieve SLAs for durability, availability, and performance. | SEC Rule 17a-4(f) |
Background metadata scanning | StorageGRID periodically scans object metadata in the background to apply changes in object data placement or protection as specified by ILM. | Helps discover corrupted objects. | |
Tunable consistency | Tenants can select a consistency level per bucket, which determines how many sites or resources (for example, multisite connectivity) must be available for an operation to succeed. | Provides the option to commit writes to the grid only when a required number of sites or resources are available. | |
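The background integrity scan row above describes hashes at both the object and the sub-object level, with automatic replacement and quarantine of altered data. The following is an added illustration of that idea in Python, written for this page; it is not StorageGRID's own code, and the 16-byte chunk size, the two node names, and the sample payload are constructed assumptions. Per-chunk SHA-256 and CRC32 values localize corruption to a single chunk, an object-level hash computed over the chunk digests ties the two levels together, and a scan repairs a bad chunk from a replica that still verifies while keeping the altered bytes in quarantine.

```python
import hashlib
import zlib
from dataclasses import dataclass, field

CHUNK_SIZE = 16  # assumption: tiny chunks so the sample object spans several of them

# Constructed sample payload (64 bytes, so exactly four chunks).
SAMPLE = b"constructed sample object payload for the integrity scan example"


def split_chunks(data: bytes) -> list:
    return [data[i:i + CHUNK_SIZE] for i in range(0, len(data), CHUNK_SIZE)]


def chunk_digests(data: bytes) -> list:
    """Sub-object level: (SHA-256 hex, CRC32) for every chunk."""
    return [(hashlib.sha256(c).hexdigest(), zlib.crc32(c)) for c in split_chunks(data)]


def object_digest(digests: list) -> str:
    """Object level: a hash over the chunk digests, so the two levels interlock."""
    h = hashlib.sha256()
    for sha, crc in digests:
        h.update(bytes.fromhex(sha))
        h.update(crc.to_bytes(4, "big"))
    return h.hexdigest()


@dataclass
class Manifest:
    chunks: list        # expected per-chunk digests
    object_sha: str     # expected object-level digest


@dataclass
class StorageNode:
    name: str
    chunks: list = field(default_factory=list)      # this node's replica, chunked
    quarantine: dict = field(default_factory=dict)  # chunk index -> altered bytes


def store(data: bytes, nodes: list) -> Manifest:
    """Write one replica to every node and record the digests as the manifest."""
    for n in nodes:
        n.chunks = split_chunks(data)
    digests = chunk_digests(data)
    return Manifest(digests, object_digest(digests))


def verify_chunk(chunk: bytes, expected: tuple) -> bool:
    sha, crc = expected
    # cheap CRC first, then the cryptographic hash
    return zlib.crc32(chunk) == crc and hashlib.sha256(chunk).hexdigest() == sha


def scan_and_heal(manifest: Manifest, nodes: list) -> dict:
    """Background scan: quarantine chunks whose digests no longer match and
    replace them from a replica that still verifies."""
    report = {"corrupt": [], "repaired": [], "unrecoverable": [], "object_ok": {}}
    for idx, expected in enumerate(manifest.chunks):
        good, bad = [], []
        for n in nodes:
            (good if verify_chunk(n.chunks[idx], expected) else bad).append(n)
        for n in bad:
            report["corrupt"].append((n.name, idx))
            n.quarantine[idx] = n.chunks[idx]  # keep the altered data for forensics
            if good:
                n.chunks[idx] = good[0].chunks[idx]
                report["repaired"].append((n.name, idx))
            else:
                report["unrecoverable"].append((n.name, idx))
    # After repair, the object-level digest must agree with the manifest on every node.
    for n in nodes:
        recomputed = object_digest(chunk_digests(b"".join(n.chunks)))
        report["object_ok"][n.name] = recomputed == manifest.object_sha
    return report


def demo() -> tuple:
    """Store the sample on two nodes, tamper with one chunk, then scan."""
    nodes = [StorageNode("node-a"), StorageNode("node-b")]
    manifest = store(SAMPLE, nodes)
    # Constructed tampering: every byte of chunk 2 on node-a is flipped.
    nodes[0].chunks[2] = bytes(b ^ 0xFF for b in nodes[0].chunks[2])
    return scan_and_heal(manifest, nodes), nodes


if __name__ == "__main__":
    report, _ = demo()
    print(report)
```

The CRC catches accidental bit rot cheaply, but only the SHA-256 comparison resists deliberate tampering, which is why both are checked. When every replica of a chunk fails verification the scan reports it as unrecoverable rather than silently "repairing" from a bad copy.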