Home > Storage > ObjectScale and ECS > Product Documentation > Dell ECS: Technical FAQ > Security and compliance
Question: What type of data encryption is available, and where is it applied?
Data at Rest Encryption (D@RE) is simple, low-touch server-side encryption. It supports enterprises and service providers seeking to protect sensitive data on storage media. In ECS encryption can be enabled at the namespace and bucket levels.
Question: Which EKMs are supported?
ECS supports External Key Management using external key managers that are Key Management Interoperability Protocol version 1.4 (KMIP v1.4) compliant. ECS delegates the storage and protection of top-level Key Encrypting Key (KEK), the Master Key to the external EKM. ECS 3.3 and later versions support Safenet KeySecure (Gemalto Safenet) and ECS 3.4 supports the IBM SKLM 3.0 (Security Key Lifecycle Manager). ECS 3.6 supports Safenet KeySecure 8.11 with client certificate authentication only. ECS 3.8.0.1 supports Thales CipherTrust because Gemalto SafeNet KeySecure will end of life on December 31, 2023. ECS customers who are using KeySecure can migrate to CipherTrust Manager.
Question: How does encryption affect throughput?
In general, the performance when accessing objects in an encryption-enabled namespace can be approximated as large reads are up to half as fast when encrypted. This behavior is not seen with large creates. Small reads are performed at a lower rate as well but not nearly as much as large reads. Small creates, as with large create, are nominally impacted by encryption.
Question: How does Multi-tenancy work on ECS?
ECS supports access by multiple tenants, where each tenant is defined by a namespace and the namespace has a set of configured users who can store and access objects within the namespace. Users from one namespace cannot access the objects that belong to another namespace.
Question: Which administrative activities will be logged?
ECS monitor metering provides critical information about viewing and using the monitoring pages in the ECS portal dashboard. In the Events page, all activity by users working with the portal, the ECS REST APIs, and the ECS CLI. Other audit types include upgrade activities. For more details, see the ECS monitoring guide.
Question: How does the consistency checker process work?
ECS is a strongly consistent system that uses ownership to maintain an authoritative version of each namespace, bucket, and object. Ownership is assigned to the VDC where the namespace, bucket or object is created. For example, if a namespace, NS1, is created at VDC1, VDC1 owns NS1 and is responsible for maintaining the authoritative version of buckets inside NS1. If a bucket, B1, is created at VDC2 inside NS1, VDC2 owns B1 and is responsible for maintaining the authoritative version of the bucket contents, as well as each object’s owner VDC. Similarly, if an object, O1, is created inside B1 at VDC3, VDC3 owns O1 and is responsible for maintaining the authoritative version of O1 and associated metadata.
Question: What is the difference between an IAM user, and an object user created locally?
Local users include management users which and object users. Management users are for configuring, administering, and monitoring the logical components of the ECS architecture. Object users are users of the ECS object store. They access ECS through object clients that are using the object protocols that ECS supports (S3, Atmos, OpenStack Swift, and CAS). Object users can be assigned Unix-style permissions to access buckets exported as file systems for NFS.
A traditional object user owns the buckets it creates and has full access to the bucket. IAM users have no access to any resources by default. IAM policies given to an IAM user can have any combination of S3, IAM, or STS permissions to resources in the namespace. The root IAM account owns buckets in namespace and IAM users need to be assigned a policy which grants granular permission(s) to resources in a namespace such as a bucket and its objects.
Question: How does SAML work?
SAML is an open standard for exchanging authentication and authorization data between an identity provider and a service provider. SAML provider in ECS is used to establish trust between a SAML-compatible Identity Provider (IdP) and ECS. For more information, see the ECS data access guide.
Question: What are the ECS compliance features?
The ECS Appliance meets the storage requirements for the following standards, as verified by Cohasset Associates, Inc.
Question: How does ECS implement security controls for code?
Dell product organizations use code analysis tools and activities as part of their development process to identify quality defects and security vulnerabilities and comply with Dell’s Secure Development Lifecycle. Dell’s SDLC (Secure Development Lifecycle) integrates standards from a variety of data sources. A primary consideration is data from both internally discovered and externally reported issues. This awareness allows us to focus on the issues that are most prevalent in our technology space. A second major consideration is industry practices. Dell collaborates through many industry-standard venues such as SAFECode, BSIMM, and IEEE Center for Secure Design to help ensure that we follow industry practices. Lastly, Dell’s Secure Development Lifecycle is aligned with the principles outlined in ISO/IEC 27034 ‘Information technology, Security techniques, Application security’.
Question: What is Dell Technologies process for reviewing ECS source code?
Dell Technologies confirms that review of source code (to identify and detect threats and weaknesses in its products) is conducted during various stages of its Secure Development Life Cycle (SDLC). Based on risk analysis, Dell Technologies conducts rigorous testing of specific application modules and security safeguards with a combination of source code review, system testing, exception testing and compliance review to identify errant coding practices and vulnerabilities that could lead to security problems, violations and incidents. Please visit the Dell Security & Trust Center for more information about our security practices.