IBM DS8880 Series Introduction And Planning Manual page 70

|
|
|
|
|
|
|
|
|
|
|
|
|
|
58
DS8880 Introduction and Planning Guide
Modern enterprises adopted cloud storage to overcome the massive amount of
data growth. The transparent cloud tiering system supports creating connections to
cloud service providers to store data in private or public cloud storage. With
transparent cloud tiering, administrators can move older data to cloud storage to
free up capacity on the system. Point-in-time snapshots of data can be created on
the system and then copied and stored on the cloud storage.
An external cloud service provider manages the cloud storage, which helps to
reduce storage costs for the system. Before data can be copied to cloud storage, a
connection to the cloud service provider must be created from the system. A cloud
account is an object on the system that represents a connection to a cloud service
provider by using a particular set of credentials. These credentials differ depending
on the type of cloud service provider that is being specified. Most cloud service
providers require the host name of the cloud service provider and an associated
password, and some cloud service providers also require certificates to authenticate
users of the cloud storage.
Public clouds use certificates that are signed by well-known certificate authorities.
Private cloud service providers can use either self-signed certificate or a certificate
that is signed by a trusted certificate authority. These credentials are defined on the
cloud service provider and passed to the system through the administrators of the
cloud service provider. A cloud account defines whether the system can
successfully communicate and authenticate with the cloud service provider by
using the account credentials. If the system is authenticated, it can then access
cloud storage to either copy data to the cloud storage or restore data that is copied
to cloud storage back to the system. The system supports one cloud account to a
single cloud service provider. Migration between providers is not supported.
Client-side encryption for transparent cloud tiering ensures that data is encrypted
before it is transferred to cloud storage. The data remains encrypted in cloud
storage and is decrypted after it is transferred back to the storage system. You can
use client-side encryption for transparent cloud tiering to download and decrypt
data on any DS8000 storage system that uses the same set of key servers as the
system that first encrypted the data.
Notes:
v Client-side encryption for transparent cloud tiering requires IBM Security Key
Lifecycle Manager v3.0.0.2 or higher. For more information, see the IBM Security
Key Lifecycle Manager online product documentation(www.ibm.com/support/
knowledgecenter/SSWPVP/).
v Transparent cloud tiering supports the Key Management Interoperability
Protocol (KMIP) only.
Cloud object storage is inherently multi-tenant, which allows multiple users to
store data on the device, segregated from the other users. Each cloud service
provider divides cloud storage into segments for each client that uses the cloud
storage. These objects store only data specific to that client. Within the segment
that is controlled by the user's name, DFSMShsm and its inventory system controls
the creation and segregation of containers that it uses to store the client data
objects.
The storage system supports the OpenStack Swift and Amazon S3 APIs. The
storage system also supports the IBM TS7700 as an object storage target and the
following cloud service providers:
v Amazon S3