170 likes | 189 Views
Securing Data with Strong Encryption and Access Controls. Blair Semple Storage Security Evangelist Network Appliance Sept 12, 2007. Agenda. Understanding the Risks to Stored Data Methodologies for Securing Data Emerging Industry Standards How Encryption and Access Controls Reduce the Risk.
E N D
Securing Data with Strong Encryption and Access Controls Blair Semple Storage Security Evangelist Network Appliance Sept 12, 2007
Agenda • Understanding the Risks to Stored Data • Methodologies for Securing Data • Emerging Industry Standards • How Encryption and Access Controls Reduce the Risk
Storage Trends - The Scale of Exposure Single backup tape = 1 Terabyte = 20 million lbs. of paper = Every credit card in world
Network Administrators Outsourcing Vendors Storage Administrators DR Storage Administrators Storage Repair/ Service Staff Tape Courier System Administrators Backup Administrators Consider Who Has Access to Sensitive Data CEO Customer Data Storage Intellectual Property CFO Salaries and Reviews Litigation Docs General Counsel
Steps To Managing Information Risk • Assess Exposure • Potential damage from data security/privacy breach • Evaluate Threats • External • Internal • Enforce using Technology • Encryption based storage security • Strong Access Controls • Audit Logging • Review People/ Processes • Classification, Role Separation, Authentication, Quorum requirements, Need to know, Auditing
Defense in Depth • Multi-faceted security approach that includes both technical and non-technical layers of security to protect resources. • Defensive countermeasures are used to reinforce each other, protecting information and resources while allowing response activities to be undertaken quickly and efficiently. • No single security technique or mechanism is solely relied upon to protect valuable resources, resulting in a higher degree of security.
Elements of Information Security Who are you? • Authentication • Authorization (aka Access Control) • Accounting (aka Auditing, Logging) • Non-Repudiation (aka Integrity) • Confidentiality (aka Privacy) What are you Allowed to do? Who did that? Who did that and has it been tampered with? Who can read it?
Storage Security with Encryption • Dramatically simplifies security planning • Ensure only authorized personnel access assets • Allow ‘maintenance’ without risking exposure • Audit and track access to valuable assets • Copies automatically protected • Loss of physical custody no longer a threat
Encryption Approaches Host / Application Storage Network • Pros: • Transparent to host, storage, and applications • Wire-speed encryption and compression • Strong logging and Access Control • HW-based encryption and key mgmt provide strong security • Cons: • May require additional device • Pros: • Granular options • Encrypted at host • Lower cost (SW) • Cons: • CPU intensive, slow • Weak Key Management • Keys exposed in OS • Complex to implement and manage • Poor coverage for heterogeneous OS/app environments • Pros: • Transparent to host • Bundled with HW • Cons: • Immature key mgmt • No support for heterogeneous, multi-vendor environments • Lock-in to storage vendor • “Forklift upgrade” • Not backwards compatible in many cases
Information Security Compromises Performance degradation Key management complexity & security High availability issues Application changes and downtime Database changes required Increased tape media usage Changes to desktops, servers, workflow A proper solution must address all of these concerns.
Emerging Standards for Storage Security • The IEEE Security in Storage workgroup (SISWG) is working on standards for encrypted storage media. • Members of the groups include: Brocade Cisco NetApp/Decru EMC Hifn Hitachi HP IBM NeoScale Optica PGP Quantum Seagate Stanford SUN • P1619 (disk) • Draft 17 in Ballot, with due date of 9 Aug • P1619.1 (tape) • Draft 21 expected to enter Ballot in mid-Aug • P1619.2 (wide block for disk) • Drafts in progress • P1619.3 (key management) • Draft 1 being worked
IEEE P1619.3 - Key Management Infrastructure for Cryptographic Protection of Stored Data • HP and NetApp/Decru have jointly submitted a draft proposal for key APIs (largely based on our OpenKey standard) to the IEEE P1619.3 committee. • This draft was accepted unanimously. • Decru will continue to work with HP, and other storage vendors, to ensure interoperability, as well as continue working toward an industry standard.
Value of Information Security • As back-end IT complexity increases (e.g. replication, networking, sharing…), this dramatically increases the “attack surface” • Data encryption reduces attack surface: everything behind the encryption is opaque • By narrowing the number of people and devices that can see data, encryption can simplify overall system security • Separates ability to manage data from ability to read it • Encryption and AAA (Authentication, Authorization, Auditing) can be combined in a single device, or can be deployed in adjacent layers (e.g. storage and application layers)
Consider who has access to sensitive data Network Administrators Outsourcing Vendors Storage Administrators CEO Customer Data Storage Intellectual Property CFO Salaries and Reviews DR Storage Administrators Storage Repair/ Service Staff Litigation Docs General Counsel Tape Courier System Administrators Backup Administrators
Delivering Customer Success • Worldwide, enterprise customers • Fastestgrowing storage company • Outpacing the industry by 3x • Data Center proven solutions portfolio • Industry-leading partners • Comprehensive professional services • Global support $3.0B FY07: $2.8 Billion $2.0B $1B • 6500+ Employees • Distributed in 138+ countries • 94,000+ installed systems • Fortune 1000 • S&P 500 • NASDAQ 100