Data Encryption, The Last Line of Defense. Jim Kaplan, Technical Sales Specialist, Sun Microsystems, james.kaplan@sun.com, 714-267-1426. SCCMG – November 2, 2007; NCCMG – November 6, 2007
Today’s Agenda • Focus on security • Market drivers • Different approaches • Device-based encryption • Key management • Future directions
The Burning Issue • New legislative requirements worldwide • Average cost per breach = $4.7M USD • Average cost per lost/stolen record = $182 USD • That doesn’t take into account damage to brand • Can easily be $5M per incident • PCI DSS requires stored cardholder data to be rendered unreadable; strong encryption is one of the accepted methods • Many IT organizations are under mandates to encrypt yesterday • Burning issue across all industries
Security Breaches • “The total number of records containing sensitive personal information involved in security breaches over the past two years now stands at over 155,000,000 according to the Privacy Rights Clearinghouse.” Original quote by Keith Regan, eCommerce Times, 9/25/06; updated number from www.privacyrights.org
Protecting Data is a Fiduciary Responsibility • Global legislation that requires self-reporting to the media and direct notification of all affected: • California Senate Bill 1386 • “DATA” Act (USA) • Data Protection Directive (EU) • Personal Information Protection Act (Japan)
Understanding Business Risks • Direct losses: digital assets, company data, employee data, customer data • Indirect losses: loss of potential sales, negative brand impact, loss of competitive advantage, loss of consumer confidence • Productivity losses: diversion of funds, continuity expenses, lost customers, recovery expenses • Legal exposure: failure to meet contracts, failure to meet privacy regulations, illegal user activity, director liability (i.e. lawsuits)
A Multi-Layered Approach to Data Security • Data security can be thought of as a series of protective layers • Physical access control: guns and gates • Logical access control: firewalls, identity management • Data encryption: the last layer is to alter the data, so that an intruder who gets past the other layers will not find it useful • Encryption protects confidentiality; it does not by itself ensure integrity. With an unauthenticated mode, ciphertext can be altered without the key, and the change is not noticed until the modified plaintext is read. Pair encryption with a MAC, or use an authenticated mode such as AES-GCM, so that any alteration is rejected at decryption time
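The integrity point deserves a concrete demonstration. The following Go program is an added example, not code from the original deck or from Sun: it encrypts a constructed sample record with AES-CTR (confidentiality only), flips one ciphertext byte without knowing the key, and shows that decryption silently yields an altered amount; the same flip against AES-GCM is rejected on decryption. The key, nonce and record are fixed demo values (assumptions, so the run is repeatable); in practice the nonce must never repeat under one key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"errors"
	"fmt"
)

// Constructed sample record (not from the original deck) standing in for a
// block of backup data whose layout an attacker can guess.
const record = "TRANSFER amount=0100.00 to=acct-7"

// Fixed demo key and nonce so the run is repeatable. In a real system the
// key comes from the key manager and a nonce must never repeat under a key.
var (
	demoKey   = []byte("0123456789abcdef0123456789abcdef") // 32 bytes: AES-256
	demoNonce = []byte("unique-nonce")                     // 12 bytes, GCM size
)

// ctrXOR runs AES-CTR over data; encrypting and decrypting are the same op,
// and nothing in the output lets the reader tell tampered from genuine.
func ctrXOR(key, nonce, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize) // CTR wants a 16-byte IV: nonce || zeros
	copy(iv, nonce)
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out, nil
}

// amountOffset finds where the first digit of the amount sits; the attacker
// is assumed to know the record layout, which is usually the case.
func amountOffset() int {
	return bytes.Index([]byte(record), []byte("amount=")) + len("amount=")
}

// flipAmount tampers with the ciphertext so that, after decryption, the first
// digit of the amount reads '9' instead of '0'. Only the layout is needed,
// not the key: in a stream mode each ciphertext byte is plaintext XOR keystream.
func flipAmount(ciphertext []byte) []byte {
	tampered := append([]byte(nil), ciphertext...)
	tampered[amountOffset()] ^= '0' ^ '9'
	return tampered
}

// TamperCTR encrypts the record with AES-CTR, applies the flip, and returns
// what a reader would decrypt. No error is raised anywhere along the way.
func TamperCTR() (string, error) {
	ct, err := ctrXOR(demoKey, demoNonce, []byte(record))
	if err != nil {
		return "", err
	}
	pt, err := ctrXOR(demoKey, demoNonce, flipAmount(ct))
	if err != nil {
		return "", err
	}
	return string(pt), nil
}

// TamperGCM repeats the experiment with AES-GCM. GCM is CTR plus an
// authentication tag, so the same flip lands on the same byte, but Open
// rejects the whole message instead of returning altered plaintext.
func TamperGCM() (detected bool, err error) {
	block, err := aes.NewCipher(demoKey)
	if err != nil {
		return false, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return false, err
	}
	ct := aead.Seal(nil, demoNonce, []byte(record), nil)
	if _, err := aead.Open(nil, demoNonce, flipAmount(ct), nil); err == nil {
		return false, errors.New("tampered ciphertext was accepted")
	}
	return true, nil
}

func main() {
	pt, _ := TamperCTR()
	fmt.Printf("AES-CTR: tampered record decrypts without error: %q\n", pt)
	detected, _ := TamperGCM()
	fmt.Printf("AES-GCM: same tampering detected: %v\n", detected)
}
```

Running it prints the CTR record with the amount changed from 0100.00 to 9100.00 and no error, while the GCM decryption fails. The lesson for tape or any other data-at-rest encryption is the same: if the mode in use is not authenticated, integrity has to come from somewhere else (a MAC over the ciphertext, or a signed manifest of block hashes).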
Security Requires a Delicate Balance • Cost vs. risk
Primary Methodologies • At creation (host/server layer) • In the network (in-band appliances) • In the storage device
Encrypting at Data Creation (Host/Server Layer) • Data is encrypted the moment it’s created, providing the highest level of data security • Platform/application dependent • No compression possible after encryption (ciphertext does not compress), so capacity, cost and performance suffer • Bottom line: good fit for small amounts of highly sensitive, dynamic data in homogeneous environments
In-Band Data Encryption (In-Band Appliances) • Encrypts data as it flows across the network • Appliance-based encryption and key management • Poor scalability, cost, network management and security issues • Bottom line: easy to implement, and good as a “stop gap” for smaller, localized encryption solutions; good fit for legacy media formats
Data Encryption In Device (In the Storage Device) • Data is encrypted on the tape drive, making it easy to validate and eliminating the performance penalty on the server and network • Most secure solution • Easiest to implement, manage and scale • Bottom line: good fit for archive data in heterogeneous environments
Business Value of Tape Encryption • Customer or regulatory-body notification is generally not required when lost media was encrypted, because the information is not accessible to unauthorized parties (breach-notification laws such as California SB 1386 apply to unencrypted personal information; the exemption only holds if the key was not lost along with the cartridge) • Provides protection from both off-site and on-premise information loss • Enables secure shipment of data • Supports time-based data expiration and secure data disposal • Destroy the key without touching the cartridge
Managing Encryption • Understanding key management and having a well-defined key management strategy is crucial • Consider an Encryption Readiness Assessment
Managing Encryption Raises Questions • Who will create and manage keys? • How many keys do we need? • How often should we change keys? • How will we share keys with entities that need to read the data? • How will disaster recovery work? • How will I integrate this into my workflow? • And more...
Key Elements Needed for Data Encryption on Tape • Device-independent appliance • Is designed to deliver a secure and reliable data environment • Has limited or no interaction with other applications, to simplify system installation • Can be run independent of any network • Can be directly attached to automated libraries (Pictured: Key Management Station and T10000 Enterprise Tape Drive)
Token and Token Bay • Key token: holds over 60,000 keys; easy to quickly secure a library; direct KMS connection supported; powered from the Token Bay • Token Bay: 1U rack unit; holds 2 tokens; Ethernet connections to the drive switch in the library
Encryption-capable tape drives • Sun StorageTek T10000: currently supported • LTO4: support planned for 2008 • IBM TS1120: multiple key management solutions available from IBM
Key Management Overview • The KMS generates keys to be placed on the token • The token is connected via private line, or hand carried, to the internal library LAN • The token downloads the required keys to the drive(s), and retains the encrypted media keys for power-cycle recovery (Diagram: Key Token, Key Management Station, Media Interface)
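The KMS-to-token-to-drive flow above, and the key-destruction and time-based expiration claims from the “Business Value of Tape Encryption” slide, modelled as an added Go example. This is not Sun's KMS code and not the T10000 protocol; Token, IssueKey, DestroyKey, KeyForDrive and the cartridge IDs are hypothetical names, and AES-GCM under a token KEK is an assumed wrapping scheme. It shows that the token retains only wrapped media keys (bound to their cartridge ID), that deleting a key makes its cartridge unreadable while others are unaffected and the tape itself is never touched, and that a per-key expiry date makes data unreadable after its retention period.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"time"
)

func mustGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // only a wrong key length reaches here
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: nothing sensible to do but stop
	}
	return b
}
// seal: AES-256-GCM with a fresh nonce prefixed; aad is authenticated, not encrypted.
func seal(key, pt, aad []byte) []byte {
	aead := mustGCM(key)
	nonce := randomBytes(aead.NonceSize())
	return aead.Seal(nonce, nonce, pt, aad)
}
// open reverses seal; it fails on a wrong key, a wrong aad or altered data.
func open(key, sealed, aad []byte) ([]byte, error) {
	aead := mustGCM(key)
	n := aead.NonceSize()
	if len(sealed) < n {
		return nil, fmt.Errorf("sealed blob too short")
	}
	return aead.Open(nil, sealed[:n], sealed[n:], aad)
}

// wrappedKey: media key encrypted under the token KEK, bound to its cartridge ID, with an expiry.
type wrappedKey struct {
	blob     []byte
	notAfter time.Time
}
// Token models the key token of this hypothetical KMS -> token -> drive flow (not Sun's code):
// it holds the KEK the KMS provisioned into it plus the wrapped media keys.
type Token struct {
	kek  []byte
	keys map[string]wrappedKey
}

// IssueKey is the KMS step: generate a media key and load it onto the token wrapped.
// Here the token entry is the only copy, so removing it is final.
func IssueKey(tok *Token, cartID string, notAfter time.Time) {
	tok.keys[cartID] = wrappedKey{seal(tok.kek, randomBytes(32), []byte(cartID)), notAfter}
}
// DestroyKey is secure disposal: the cartridge itself is never touched.
func DestroyKey(tok *Token, cartID string) { delete(tok.keys, cartID) }
// KeyForDrive serves a drive request: unwrap only if present and in date.
func (t *Token) KeyForDrive(cartID string, now time.Time) ([]byte, error) {
	w, ok := t.keys[cartID]
	if !ok {
		return nil, fmt.Errorf("%s: no key on token", cartID)
	}
	if now.After(w.notAfter) {
		return nil, fmt.Errorf("%s: key expired", cartID)
	}
	return open(t.kek, w.blob, []byte(cartID))
}

// Demo writes two cartridges, destroys one key, and reads back at two times;
// it returns (destroyed readable, intact readable, expired readable).
func Demo() (destroyedOK, intactOK, expiredOK bool) {
	tok := &Token{kek: randomBytes(32), keys: map[string]wrappedKey{}}
	t0 := time.Date(2007, 11, 2, 0, 0, 0, 0, time.UTC) // constructed clock
	cts := map[string][]byte{}
	for _, id := range []string{"CART-A", "CART-B"} { // one key per cartridge
		IssueKey(tok, id, t0.Add(24*time.Hour))
		mk, _ := tok.KeyForDrive(id, t0) // cannot fail: just issued, in date
		cts[id] = seal(mk, []byte("payroll "+id), []byte(id))
	}
	readable := func(id string, now time.Time) bool { // the drive's read path
		mk, err := tok.KeyForDrive(id, now)
		if err != nil {
			return false
		}
		pt, err := open(mk, cts[id], []byte(id))
		return err == nil && string(pt) == "payroll "+id
	}
	DestroyKey(tok, "CART-A")
	return readable("CART-A", t0.Add(time.Hour)), readable("CART-B", t0.Add(time.Hour)),
		readable("CART-B", t0.Add(48*time.Hour)) // same key, read after its expiry
}

func main() { fmt.Println(Demo()) }
```

Demo() returns false, true, false: the destroyed cartridge and the expired one are unreadable, the intact one reads back. Two design points carry over to a real deployment: the cartridge ID goes into the GCM associated data, so a wrapped key copied from one cartridge's slot to another's fails to unwrap; and because the only plaintext copy of a media key ever exists inside the drive for the duration of a job, a stolen token without its KEK exposes nothing.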
Storage Encryption Roadmap • KMS management clusters • Continuous database mirroring within KMS clusters • Control of multiple KMS sites from a single KMS • KMS management from a console or remote GUI • Additional device support • API standardization
Tape-Based Encryption Success • Retail: national grocery retailer needed to encrypt customer data and streamline backup processes while reducing cartridge count • Energy: integrated electric and natural gas utility needed to secure sensitive customer data for off-site backup and disaster recovery • Government: heavily involved in the development of encryption methodology; set our direction for ultimate security
“The value provided by securing sensitive data with encryption, access controls, and audit functionality outweighs the cost of implementation. With regulations requiring security at varying levels, and non-compliance costs adding up quickly, can you afford not to secure your data?” Avivah Litan, Gartner Security Analyst, IT Security Summit, May 2006
Questions? Jim Kaplan, Technical Sales Specialist, Sun Microsystems, james.kaplan@sun.com, 714-267-1426