1. Technical Field
This disclosure relates generally to backup and restore of sensitive data stored in a cloud deployment appliance.
2. Background of the Related Art
An emerging information technology (IT) delivery model is cloud computing, by which shared resources, software and information are provided over the Internet to computers and other devices on demand. Cloud computing can significantly reduce IT costs and complexities while improving workload optimization and service delivery. With this approach, an application instance can be hosted and made available from Internet-based resources that are accessible through a conventional Web browser over HTTP. An example application might be one that provides a common set of messaging functions, such as email, calendaring, contact management, and instant messaging. A user would then access the service directly over the Internet. Using this service, an enterprise would place its email, calendar and/or collaboration infrastructure in the cloud, and an end user would use an appropriate client to access his or her email, or perform a calendar operation.
Cloud compute resources are typically housed in large server farms that run networked applications, typically using a virtualized architecture wherein applications run inside virtual servers, or so-called “virtual machines” (VMs), that are mapped onto physical servers in a data center facility. The virtual machines typically run on top of a hypervisor, which is a control program that allocates physical resources to the virtual machines.
It is known in the art to provide an appliance-based solution to facilitate rapid adoption and deployment of cloud-based offerings. One such appliance is IBM® Workload Deployer, which is based on the IBM DataPower® 7199/9005 product family. Typically, the appliance is positioned directly between the business workloads that many organizations use and the underlying cloud infrastructure and platform components. Because of this unique position, the appliance can receive and act upon operational data, and it can monitor application workload demand conditions and adjust resource allocation or prioritization as required to achieve established service level agreements. IBM Workload Deployer also may be used to manage a shared, multi-tenant environment, where isolation and security are important.
Typically, the appliance includes hardware and firmware cryptographic support to encrypt all of the data on the hard disk. This data includes, without limitation, event log data that may be used to facilitate auditing. No user, however, including an administrative user, can access any data on the physical disk. In particular, the operating system (e.g., Linux) locks down the root account and does not provide a command shell, and the user does not have file system access. When an administrator performs a backup of the appliance, the backup image is encrypted to protect the confidentiality of the data. When restoring an encrypted image, a decryption key thus is needed to decrypt the backup image so that the data can be restored to the appliance. Currently, this decryption key is maintained and managed by an administrator so that the administrator can restore the backup image to a new appliance box should the original appliance box fail completely and need to be replaced. This approach of having the administrator maintain the decryption key used for restore, however, places the data at risk, because the administrator can use that key to decrypt the backup image outside of the appliance and thus gain access to all sensitive user data.
The subject matter herein addresses the security risk.
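The following Go program is an added illustration of the risk described above; it is not code from the disclosure or from the IBM product it names, and the envelope-encryption contrast it draws is a generic pattern assumed here, not the disclosure's own method. The first model encrypts the backup image under a single key held by the administrator, so anyone with that key can decrypt the image on any machine. The second model encrypts the image under a per-backup data key (DEK) and wraps the DEK under a key-encryption key (KEK) that is assumed to stay inside the appliance; the administrator holds the image and the wrapped DEK, and restore only succeeds where the KEK is available. All keys and data are constructed sample values.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// BackupImage is a constructed stand-in for an encrypted appliance backup:
// an AES-GCM nonce plus ciphertext (the GCM tag is appended to the ciphertext).
type BackupImage struct {
	Nonce      []byte
	Ciphertext []byte
}

// sealGCM encrypts plaintext under key with AES-256-GCM and a fresh random nonce.
func sealGCM(key, plaintext []byte) (BackupImage, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return BackupImage{}, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return BackupImage{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return BackupImage{}, err
	}
	return BackupImage{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil)}, nil
}

// openGCM decrypts and authenticates an image; a wrong key yields an error, not garbage.
func openGCM(key []byte, img BackupImage) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, img.Nonce, img.Ciphertext, nil)
}

// Model 1 (the risk in the background): the image is encrypted under one key the
// administrator keeps, so the key alone decrypts it anywhere, outside the appliance.
func AdminKeyRestoreWorksOffline(adminKey, data []byte) (bool, error) {
	img, err := sealGCM(adminKey, data)
	if err != nil {
		return false, err
	}
	out, err := openGCM(adminKey, img) // no appliance involved in this step
	if err != nil {
		return false, err
	}
	return bytes.Equal(out, data), nil
}

// Model 2 (assumed envelope-encryption contrast): the image is encrypted under a
// random DEK, and the DEK is wrapped under an appliance-held KEK. The administrator
// is handed the image and the wrapped DEK, never the KEK.
type EnvelopeBackup struct {
	Image      BackupImage
	WrappedDEK BackupImage
}

func EnvelopeEncrypt(applianceKEK, data []byte) (EnvelopeBackup, error) {
	dek := make([]byte, 32) // fresh per-backup data-encryption key
	if _, err := rand.Read(dek); err != nil {
		return EnvelopeBackup{}, err
	}
	img, err := sealGCM(dek, data)
	if err != nil {
		return EnvelopeBackup{}, err
	}
	wrapped, err := sealGCM(applianceKEK, dek)
	if err != nil {
		return EnvelopeBackup{}, err
	}
	return EnvelopeBackup{Image: img, WrappedDEK: wrapped}, nil
}

// EnvelopeRestore is the step that runs inside the appliance: unwrap the DEK with the
// KEK, then open the image. Without the KEK the DEK cannot be recovered.
func EnvelopeRestore(applianceKEK []byte, b EnvelopeBackup) ([]byte, error) {
	dek, err := openGCM(applianceKEK, b.WrappedDEK)
	if err != nil {
		return nil, errors.New("cannot unwrap data key: appliance KEK required")
	}
	return openGCM(dek, b.Image)
}

func main() {
	data := []byte("constructed sensitive appliance data")
	adminKey := bytes.Repeat([]byte{0x41}, 32) // constructed administrator-held key
	kek := bytes.Repeat([]byte{0x4b}, 32)      // constructed appliance-internal KEK
	ok, _ := AdminKeyRestoreWorksOffline(adminKey, data)
	fmt.Println("model 1: admin key decrypts offline:", ok)
	b, _ := EnvelopeEncrypt(kek, data)
	_, err := EnvelopeRestore(adminKey, b) // administrator lacks the KEK
	fmt.Println("model 2: restore without KEK fails:", err != nil)
}
```

The contrast is the point: in model 1 the backup's confidentiality rests entirely on who holds one key, while in model 2 the material the administrator handles is useless for decryption on its own, so replacing a failed box becomes a question of how the KEK reaches the replacement appliance rather than of trusting the administrator with the data.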