Why Druva Phoenix is the right choice for data protection
Published on 08 May 2021
Druva Phoenix is an all-in-one data security, recovery, and backup service. This whitepaper provides information on the security guidelines that Druva has put in place to protect customer data. The service takes a multifaceted approach to data security that goes beyond simple encryption.
Druva Phoenix overview
Delivered as-a-service, Druva Phoenix combines high-performance, scalable all-in-one backup, disaster recovery (DR), archival, and analytics to simplify data protection, dramatically reduce costs, and improve data visibility for today’s complex information environments. By leveraging cloud-native technologies, Druva Phoenix removes the traditional bottlenecks of computing and scale, delivering a high-performance cloud platform that enables organizations to replace on-premises solutions and still meet or exceed their RPO and RTO targets.
Druva Cloud Platform overview
The Druva Cloud Platform is a fully automated, enterprise-class data protection solution powered by Amazon Web Services (AWS) technology. It offers elastic compute and on-demand storage that can grow to accommodate any number of users and data. In addition, the Druva Cloud Platform can be instantly provisioned to a global user base with policies that lock user storage to specific AWS regions.
The Druva Cloud Platform provides secure, lightning-fast backups and restores and operates in 14+ AWS regions around the world to address the needs of global enterprises. It delivers high availability and is built on an enterprise-class infrastructure that is compliant with international standards such as ISO-27001, SOC-1, SOC-2, and SOC-3. Additionally, to ensure the utmost security confidence for enterprises, Druva itself has been SOC-2 and HIPAA audited and conducts quarterly vulnerability scans and annual third-party penetration tests.
Full administrative control of Druva Phoenix is provided via a secure, web-based administrator control panel over HTTPS, which allows corporate policies to be defined for servers. Druva Phoenix supports Role-Based Access Control (RBAC) that allows for delegated administration. This enables organizations to implement separation of duties within their specific management domain and without access or visibility into the management domains of other organizations in an enterprise.
On the client-side, a lightweight agent manages backup and source-side deduplication. Provisioning is a two-step process that is easily scripted for mass deployment scenarios.
Druva Cloud Platform security
In order to thoroughly secure customer information in the cloud, Druva implements a multi-tiered security model. The components of that security model are:
The Druva Cloud Platform provides a secure, multi-tenant environment for customer data, thereby resulting in a virtual private cloud for each customer.
This secure multi-tenancy is realized by:
- Logical segmentation of customer records
- Customer data encryption using a unique per-tenant AES-256 encryption key
Data in flight
Druva is designed from the ground up with the understanding that servers often connect over WANs and VPN-less networks for backup activities. The Druva Cloud Platform service encrypts data in transit with 256-bit TLS 1.2 encryption by default, ensuring enterprise-grade security over these networks.
Data at rest
In addition to strict authentication and access controls, Druva secures data in storage with 256-bit AES encryption. A unique AES 256-bit data encryption key is used for each customer account. Druva has implemented an envelope encryption mechanism that encrypts the stored data encryption key with a customer-held key-encryption key. The use of one unique encryption key per customer, along with customer-held key-encryption keys, creates crypto-segmentation between customers, completely avoiding data leakage.
Above and beyond the security mechanisms that Druva provides as part of the Druva Phoenix SaaS offering, the AWS network provides significant protection against network security issues, including (but not limited to):
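The envelope-encryption scheme described above, as an added example that is not Druva's implementation or code from the whitepaper. It uses Node's built-in crypto with AES-256-GCM; the function names, the blob layout and the use of the tenant ID as authenticated data are assumptions of this example, and `rewrapDek` goes one step beyond the text to show KEK rotation.

```javascript
const { randomBytes, createCipheriv, createDecipheriv } = require("node:crypto");

// seal: AES-256-GCM; returns nonce(12) || tag(16) || ciphertext.
// The tenant ID is passed as AAD (an assumption of this example) so a blob
// cannot be replayed under another tenant's ID.
function seal(key, plaintext, tenantId) {
  const nonce = randomBytes(12);
  const c = createCipheriv("aes-256-gcm", key, nonce);
  c.setAAD(Buffer.from(tenantId));
  const ct = Buffer.concat([c.update(plaintext), c.final()]);
  return Buffer.concat([nonce, c.getAuthTag(), ct]);
}

// unseal: throws on a wrong key, a wrong tenant ID or a modified blob.
function unseal(key, blob, tenantId) {
  if (blob.length < 28) throw new Error("blob too short");
  const d = createDecipheriv("aes-256-gcm", key, blob.subarray(0, 12));
  d.setAAD(Buffer.from(tenantId));
  d.setAuthTag(blob.subarray(12, 28));
  return Buffer.concat([d.update(blob.subarray(28)), d.final()]);
}

// Create the tenant's 256-bit DEK; only its wrapped form is returned for storage.
function newWrappedDek(kek, tenantId) {
  const dek = randomBytes(32);
  try { return seal(kek, dek, tenantId); } finally { dek.fill(0); }
}

// Run fn with the unwrapped DEK, then zero the plaintext key in memory.
function withDek(kek, wrappedDek, tenantId, fn) {
  const dek = unseal(kek, wrappedDek, tenantId);
  try { return fn(dek); } finally { dek.fill(0); }
}

const encryptFor = (kek, wrappedDek, tenantId, data) =>
  withDek(kek, wrappedDek, tenantId, (dek) => seal(dek, data, tenantId));

const decryptFor = (kek, wrappedDek, tenantId, blob) =>
  withDek(kek, wrappedDek, tenantId, (dek) => unseal(dek, blob, tenantId));

// KEK rotation re-wraps only the 60-byte wrapped DEK; stored data is untouched.
const rewrapDek = (oldKek, newKek, wrappedDek, tenantId) =>
  withDek(oldKek, wrappedDek, tenantId, (dek) => seal(newKek, dek, tenantId));
```

The stored wrapped DEK and ciphertext are useless without the customer-held KEK, which is the property the paragraph calls crypto-segmentation.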
- Distributed denial-of-service (DDoS) attacks
- Man-in-the-middle (MITM) attacks
- IP spoofing
- Port scanning
- Packet sniffing by other tenants