Article: 100050016
Last Published: 2023-04-12
Product(s): Veritas Alta SaaS Protection
Description
Standard practice for applications writing to cloud storage involves the application holding the authentication key and password information for the target cloud storage container. Best practice is for the application to store this sensitive information encrypted. However, regardless of best practices, this puts the keys to the kingdom out in the wild. If a malicious user were to somehow acquire this information, they’d potentially have access to your entire archive.
In this article, we'll describe Veritas Alta SaaS Protection’s patent-pending secure data capture architecture. This design provides enhanced security in several ways. First, the Veritas Alta SaaS Protection Connector Service (HCS) must authenticate with Azure AD (not shown in the diagram below). Second, the Veritas Alta SaaS Protection design ensures that the ability to read any content in any of the containers (staging included) never leaves the Web App. Next, the API key and password for the target cloud storage containers are never externalized. Finally, a security check is performed on the data, with de-duplication, so that any attempts by a malicious user to gain access to content by way of hijacking an MD5 are handled. Veritas Alta SaaS Protection also monitors for Distributed Denial of Service (DDoS) attacks and prevents them from consuming your cloud archive.

- The Veritas Alta SaaS Protection Connector Service (HCS) evaluates your write policies and works with all of the locally deployed connectors to synchronize the target data sources in your environment.
- When data needs to be written to Veritas Alta SaaS Protection in the cloud, the HCS obtains a time-limited write-only token to the staging container from the Web App.
- This token is then used by the HCS to write data to the staging container.
- The HCS then notifies the Web App of the content placed in staging.
- The Web App then runs a de-duplication algorithm. This includes a full byte-by-byte comparison to ensure no MD5 collisions.
- The Web App writes the unique content to the storage container using the MD5 to verify the write operation's integrity.
- The Web App cleans up the data in the staging container.
- The Web App updates the Veritas Alta SaaS Protection database for other Web Jobs that will incrementally update storage analytics data and run policies on a near-real-time basis.
- The Web App returns item, version, and blob identifier information to the HCS, which the HCS maintains in its embedded database.
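
An added illustration of the de-duplication step described above, not Veritas code: the `DedupStore` class, its blob-id format and the in-memory dictionaries are assumptions standing in for the storage container. It shows why the byte-by-byte comparison matters: a staged item whose digest matches existing content but whose bytes differ is stored separately instead of being linked to the existing blob.

```python
import hashlib
from typing import Callable, Dict, List, Tuple


def md5_hex(data: bytes) -> str:
    return hashlib.md5(data).hexdigest()


class DedupStore:
    """Hypothetical in-memory stand-in for the Web App's storage container."""

    def __init__(self, digest: Callable[[bytes], str] = md5_hex) -> None:
        self.digest = digest
        self.blobs: Dict[str, bytes] = {}       # blob id -> stored content
        self.index: Dict[str, List[str]] = {}   # digest -> blob ids sharing it

    def ingest(self, staged: bytes) -> Tuple[str, str]:
        """Move one staged item into storage; return (blob_id, outcome)."""
        d = self.digest(staged)
        ids = self.index.setdefault(d, [])
        # A digest match is only a hint: confirm with a full byte comparison
        # before handing back a reference to content that already exists.
        for blob_id in ids:
            if self.blobs[blob_id] == staged:
                return blob_id, "deduplicated"
        blob_id = f"{d}-{len(ids)}"             # assumed id format
        self.blobs[blob_id] = staged
        # Use the digest to verify the integrity of the write.
        if self.digest(self.blobs[blob_id]) != d:
            del self.blobs[blob_id]
            raise IOError("write verification failed")
        ids.append(blob_id)
        return blob_id, "stored" if len(ids) == 1 else "collision-stored"


def demo() -> List[Tuple[str, str]]:
    # Constructed input: a constant digest forces every item to "collide",
    # standing in for two different files that share an MD5.
    store = DedupStore(digest=lambda _data: "00")
    return [store.ingest(b"quarterly report"),
            store.ingest(b"different bytes, same digest"),
            store.ingest(b"quarterly report")]


if __name__ == "__main__":
    for blob_id, outcome in demo():
        print(blob_id, outcome)
```

A production implementation would stream the comparison rather than hold whole blobs in memory; the control flow stays the same.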