Complete 360 Security Benefits

• Comprehensive security features that protect your data in transit, at rest and from unauthorized access.
• End-to-end AES-XTS data encryption protects your data from the moment it is written to the storage system. Data is encrypted on the client and leaves the machine only in encrypted form. Your data is protected in flight and at rest.
• Optional TLS secures all communication between Quobyte clients and servers and also between servers. You can define which networks require secure TLS communication and which ones to communicate over plaintext for maximum performance.
• Ensure that only authorized users can access your storage: Quobyte supports traditional IP network restrictions. For higher levels of protection without trusting the network Quobyte offers support for X.509 certificates or Access Keys (for object and file system).
• Fine grained access control with unified ACLs that are enforced across all interfaces (LINK to unified storage).
• Full LDAP and Active Directory support.

How Complete 360 Security Works

At-rest and in-flight Data Encryption: End-to-end AES-XTS Encryption

When using the native Quobyte or plugins (Hadoop/HDFS, TensorFlow, MPI-IO) client the data is encrypted or decrypted by the Quobyte driver on the same machine where the data is created or consumed. No data leaves the machine in plaintext format. The advantage is clear: Anything outside the client machine, including the network, the storage servers, drives and even the admins, can be untrusted.

With protocols that require a proxy, like Object/S3 or NFS, the encryption happens on the proxy node. The access protocol can be protected by using HTTPS for object.

Transport Layer Security (TLS)

TLS ensures secure communication between all Quobyte components, including clients, plugins and servers. TLS is the same protocol that is used on the web to ensure secure communication.

In Quobyte you can enable TLS selectively, e.g. only on certain networks that might be untrusted or for communication to external clients and Quobyte clusters. You can retain cleartext (as in plain TCP) connections inside a data center or cluster for maximum performance.

Authorization with X.509 Certificates

With X.509 certificates you can secure your Quobyte clusters from unauthorized access. All clients (including plugins) and quobyte services (servers) require a valid X.509 certificate to access the cluster. These certificates can be self-signed, use your organization's PKI or a public CA.

The certificates can be managed in Quobyte. They can be invalidated, be bound to a specific tenant or can be restricted to certain users or volumes.

Authorization with Access Keys

Access Keys are the standard authentication mechanism for object storage/S3. In Quobyte, users can also use them for file system authentication. Admins can provide a single, well known authentication mechanism to their users across object and file. Quobyte's self service capabilities allow users to log into the webconsole and manage their access keys themselves.

On the file system layer access keys can be used with the native Quobyte drivers, the Hadoop/HDFS plugin TensorFlow. The Quobyte CSI plugin supports access keys natively: Users can provide their access and secret key as kubernetes secrets.

Access Control with Unified ACLs

Quobyte's unified ACLs means that you have to manage a single set of ACLs for a file or directory (or object), regardless of the interface and protocol it is accessed through. Quobyte translates bidirectionally to NFS, POSIX, Windows, Object/S3 and macOS access control. This greatly simplifies ensuring proper access control and security for your data.