OS Level Encryption for Superior Data Protection

webinar

Author(s)/Presenter(s):

Peter Scott

Rajesh Gupta

Library Content Type

Presentation

Abstract

While protecting data at rest, or live data, with a hardware-based approach is efficient and fast, it does not allow the flexibility of per-file access control and per-file data protection. The approach we have taken at Thales allows for per-file access control and transparent data protection while providing the flexibility to rotate keys within a distributed key management system without affecting access. This solution covers a wide range of platforms, but this talk will be limited to the Windows implementation, which leverages a Layered File System to achieve transparency. Some of the features that will be discussed include:

- How to support per-file access control in a distributed system
- Managing access to files undergoing a transformation or key rotation in both local and network environments
- Allowing access to encrypted content while providing clear-text access to the same files simultaneously

Diving into each of these topics, with side bars, we will give the audience a clear picture of the complexities involved. For example, in a distributed environment, how does one ensure that during key rotation all clients are using the correct key for data encryption for the various ranges of a file, without falling back to single-use access? Integration with Windows subsystems such as the Cache Manager and Memory Manager will be covered so that the subtleties of supporting concurrent multi-data-form access are not lost, as well as where to draw the line in allowing the native file system to maintain some metadata without losing robustness and flexibility in the design. We'll answer these questions and more while covering the details of the design used to achieve live data protection. An understanding of the Windows layered driver model, particularly in the area of file systems and file system filters, will help in following the topics discussed.

Learning Objectives

- Complexities of distributed access to encrypted data
- Access control through a Layered File System
- Transparent live data transformation
- Windows file systems