Post on 31-Jan-2020
Data Encryption and Key Management Panel Discussion – Part I
Ray Lucchesi, Silverton Consulting
Brandon Hoff, Emulex
Michael Willett, Samsung
Walt Hubis, LSI Corporation
Gordon Arnold, IBM
Data Encryption and Key Management Panel Discussion © 2010 Storage Networking Industry Association. All Rights Reserved.
SNIA Legal Notice
The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies and individual members may use this material in presentations and literature under the following conditions:
Any slide or slides used must be reproduced in their entirety without modification.
The SNIA must be acknowledged as the source of any material used in the body of any document containing material from these presentations.
This presentation is a project of the SNIA Education Committee.
Neither the author nor the presenter is an attorney and nothing in this presentation is intended to be, or should be construed as legal advice or an opinion of counsel. If you need legal advice or a legal opinion please contact your attorney.
The information presented herein represents the author's personal opinion and current understanding of the relevant issues involved. The author, the presenter, and the SNIA do not assume any responsibility or liability for damages arising out of any reliance on or use of this information.
NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK.
Abstract
Data Encryption and Key Management Panel Discussion
Data security is top of mind for most businesses trying to respond to the constant barrage of news highlighting data theft and security breaches. Nevertheless, questions arise as to where to encrypt the data and how to manage the keys. Our panelists will explore diverse perspectives on both data encryption and key management. If you have questions, we've got answers.
Customers Need Encryption
End-Users are looking for a Compliance Strategy
- New & Emerging Regulations and Laws Impact Key Verticals
- Encryption is a ‘Safe Harbor’ whereby encrypted data cannot be stolen as long as the thief doesn’t have the key
Customers are struggling to avoid the cost of a security breach
- $204 per lost record, $6.7 million per breach
Customers “Getting By” with current approaches
- 31% of End-Users use DB encryption
- 25% of customers are planning to add more encryption
- Disk shredding can cost millions per year
Customers are overwhelmed with the complexity of compliance
- Up to 20% of IT staff time
Real Customers asking for help
- F100 Companies, Healthcare, Retail
- Federal, DoD, and other three letter agencies
Customers are looking for a better solution
Vertical Encryption Requirements
Public Sector: Encryption is required for FISMA, DoD, and DCID 6/3
Health Sector: HiTECH gives HIPAA teeth. Healthcare providers can be fined or prosecuted
Ecommerce or Ecommerce hosting: PCI-DSS Requirement 3 is mandatory for any company that handles credit cards
Retail: PCI-DSS mandates encryption for data at rest for credit card data
Service Providers: Need to provide service level support for HiTECH, PCI-DSS, GLBA, FFIEC
Financial Institutions: Basel II, FFIEC, and GLBA place strict requirements including encryption
Other: Massachusetts and Nevada laws are mandating encryption for any company that does business in their state. Law firms are sending out Client Alerts on the requirement to encrypt data
Over 10,000 rules and regulations for end-users to deal with
Why Encrypt Data-At-Rest?
Compliance
- 46+ states have data privacy laws with encryption safe harbors
- New data breach bills have explicit encryption safe harbors
Data center and laptop drives are mobile (HDD, SSD)
Exposure of data loss is expensive ($6.65 Million on average per incident [1])
Obsolete, Failed, Stolen, Misplaced… Nearly ALL drives leave the security of the data center
The vast majority of decommissioned drives are still readable
Threat scenario: stored data leaves the owner’s control – lost, stolen, re-purposed, repaired, end-of-life, …
[1] Ponemon Institute, Fourth Annual US Cost of Data Breach Study – Jan 2009 www.ponemon.org
Host and HBA Based Encryption
[Figure: two data-path diagrams, labelled "Host based" and "HBA based". Each shows Application, O/S, HBA, Switch/Router/Appliance and Storage Controller, with a Key Manager attached.]
Switch or Appliance Based Encryption
[Figure: two data-path diagrams, both labelled "Switch based", one with a Switch or Router and one with a Network Appliance. Each shows Application, O/S, HBA and Storage Controller, with a Key Manager attached.]
Storage Controller or Drive Based Encryption
[Figure: two data-path diagrams, labelled "Storage Controller" and "Drive". Each shows Application, O/S, HBA, Switch/Router/Appliance and Storage Controller, with a Key Manager attached.]

Brandon Hoff, Emulex
What Host based Encryption (HbE) is
HbE is the most common encryption technique
- Very simple, HbE provides encryption in the server
- Provides the best security by moving encryption to where the data is created and stored
- Best practice that companies legally should follow
- Simplifies management through integrating into host based management tools
Examples of HbE
- Oracle TDE
- MSSQL Encryption
- mySQL Encryption
- Inside-the-server SEDs
- OneSecure eHBAs
- PowerPath Encryption with RSA
[Figure: a server hosting VM 1, VM 2 and VM 3, with labels External Storage, Inside-the-Server SEDs, Oracle Transparent Encryption and PowerPath Encryption with RSA. © 2009 Emulex, all rights reserved.]
Host Based (HBA) Encryption: How it works
Host-based Storage Security: Architecture and Customer Perspective
Host-based Storage Security Architecture
- Hardware encryption in the host HBA
- Focused on disk encryption
- Integration into leading key managers
- Integration into Event Management and other datacenter tools
Host-based Storage Security Customer Perspectives
- “HBA encryption is more scalable for workloads”
- “HBA encryption is more scalable for capacity”
- “Host based encryption is always the easiest”
- “May become the most cost effective”
- “Protocol agnostic security simplifies deployment”
- “Put it into a FedEx box and ship it!”
- “Key Refresh is a critical requirement.”
[Figure: a server hosting VM 1, VM 2 and VM 3, connected to a SAN.]
Interesting Market Data Points
From IDC’s Encryption Survey, 2006
Amount of Data to be Encrypted
Over 66% of customers expect to encrypt over 50% of their data
- 44% of customers expect to encrypt 75% or more of their data
- 22% of customers expect to encrypt 50%-74%
- 17% of customers expect to encrypt 25%-49%
A weighted average of 55% of data is expected to be encrypted
Both hardware and software solutions may be deployed
Where should storage encryption occur?
Over 80% of end-users would deploy host based encryption
- 55% said between the host and the storage system
- 50% said in the storage system
End-users will deploy various types of encryption to fit their needs

Michael Willett, Samsung
Self-Encrypting Drives
“Many organizations are considering drive-level security for its simplicity in helping secure sensitive data through the hardware lifecycle from initial setup, to upgrade transitions and disposal”
Eric Ouellet, Research Vice President, Gartner
• Simplified Management
• Robust Security
• Compliance “Safe Harbor”
• Cuts Disposal Costs
• Scalable
• Interoperable
• Integrated
• Transparent
Trusted Storage Standardization
‘Hurdles’ to Implementing Encryption…
Complexity
• Data classification
• Impact on OS, applications, databases
• Interoperability
Performance
• Performance degradation; scalability
Cost
• Initial acquisition costs
• Deployment costs
Key management / data loss
• Tracking and managing encryption keys
• Tracking and managing authentication keys (passwords for unlocking drives)
Addressing the Hurdles…
Simplifies Planning and Management
- Standards-based for optimal manageability and interoperability
- Transparent to application developers and database administrators. No change to OS, applications, databases
- Data classification not needed to maintain performance
Solves Performance
- No performance degradation
- Automatically scales linearly
- Can change keys without re-encrypting data
Reduces Cost
- Standards enable competition and drive costs down
- Compression and de-duplication maintained
- Simplifies decommissioning and preserves hardware value for returns, repurposing
Simplifies key management to prevent data loss
- Encryption key does not leave the drive; it does not need to be escrowed, tracked, or managed
Hardware-Based Self-Encryption versus Software Encryption
- Transparency: SEDs come from factory with encryption key already generated
- Ease of management: No encrypting key to manage
- Life-cycle costs: The cost of an SED is pro-rated into the initial drive cost; software has continuing life cycle costs
- Disposal or re-purposing cost: With an SED, erase on-board encryption key
- Re-encryption: With SED, there is no need to ever re-encrypt the data
- Performance: No degradation in SED performance
- Standardization: Whole drive industry is building to the TCG/SED Specs
- No interference with upstream processes
ISSUE: Hardware acquisition (part of normal replacement cycle)
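The two-key hierarchy behind the SED points above (the encryption key stays on the drive, the authentication key can change without re-encrypting data, disposal means erasing the on-board key), as an added example that is not from the original slides or any drive vendor. ToySED and its methods are hypothetical names, and an HMAC-SHA256 keystream stands in for the AES hardware a real drive uses.

```python
import hashlib, hmac, secrets

def _stream(key, nonce, data):  # stand-in cipher (HMAC-SHA256 keystream); real SEDs use AES
    pad = b"".join(hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
                   for i in range(0, len(data), 32))
    return bytes(a ^ b for a, b in zip(data, pad))

def _kek(auth_key, salt):  # wrapping key and integrity key derived from the authentication key
    k = hashlib.pbkdf2_hmac("sha256", auth_key, salt, 100_000, dklen=64)
    return k[:32], k[32:]

class ToySED:
    """Constructed model of an SED key hierarchy (hypothetical, not a TCG implementation)."""
    def __init__(self, auth_key):
        self.media = {}                                 # LBA -> ciphertext as stored on media
        self._wrap(secrets.token_bytes(32), auth_key)   # DEK is generated on the drive

    def _wrap(self, dek, auth_key):
        salt = secrets.token_bytes(16)
        enc, mac = _kek(auth_key, salt)
        blob = _stream(enc, b"wrap", dek)               # only the encrypted DEK is stored
        self.wrapped = (salt, blob, hmac.new(mac, blob, hashlib.sha256).digest())
        self._dek = None                                # drive stays locked until unlock()

    def unlock(self, auth_key):
        salt, blob, tag = self.wrapped
        enc, mac = _kek(auth_key, salt)
        ok = hmac.compare_digest(tag, hmac.new(mac, blob, hashlib.sha256).digest())
        self._dek = _stream(enc, b"wrap", blob) if ok else None
        return ok

    def _io(self, lba, data):
        if self._dek is None:
            raise PermissionError("drive is locked")
        return _stream(self._dek, lba.to_bytes(8, "big"), data)

    def write(self, lba, data):
        self.media[lba] = self._io(lba, data)
    def read(self, lba):
        return self._io(lba, self.media[lba])

    def change_auth_key(self, old, new):
        if not self.unlock(old):
            return False
        self._wrap(self._dek, new)      # re-wrap 32 bytes of key; self.media is untouched
        return True

    def crypto_erase(self, auth_key):
        self._wrap(secrets.token_bytes(32), auth_key)   # old DEK discarded; old ciphertext is noise
```

Changing the authentication key rewrites only the wrapped key blob, while crypto_erase leaves every ciphertext sector in place but unreadable.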
The Future: Self-Encrypting Drives
Encryption everywhere!
- Data center/branch office to the USB drive
Standards-based
- Multiple vendors; interoperability
Unified key management
- Authentication key management handles all forms of storage
Simplified key management
- Encryption keys never leave the drive. No need to track or manage.
Transparent
- Transparent to OS, applications, application developers, databases, database administrators
Automatic performance scaling
- Granular data classification not needed
[Figure: a Key Management Service connected over the Network to Data Center Application Servers, a Storage System with Local Key Mgmt, Storage System/NAS/DAS, Tape, a Branch Office, Notebook, Desktop and USB devices. Labels: Standard Key Mgmt Protocol (OASIS KMIP); Trusted Computing Group T10/T13 Security Protocol. Legend: Authentication Key Flow, Data Flow; Authentication Key (lock key or password); Data Encryption Key (encrypted).]
Data Encryption and Key Management Panel Discussion - Part II
Ray Lucchesi, Silverton Consulting
Brandon Hoff, Emulex
Michael Willett, Samsung
Walt Hubis, LSI Corporation
Gordon Arnold, IBM

Walt Hubis, LSI
Key Management: Disparate, Proprietary Protocols
[Figure: Database, Replica, Staging, Email Server, File Server, VPN, Storage Array, Storage Media Library, Encrypting HBA and SED Disk, served by Key Server 1, Key Server 2, Key Server 3 … Key Server N.]
Standardized Key Management
[Figure: Database, Replica, Staging, Email Server, File Server, VPN, Storage Array, Storage Media Library, Encrypting HBA and SED Disk, all served by Enterprise Key Management over the Key Management Interoperability Protocol.]

Gordon Arnold, IBM
KMIP and Storage
KMIP 1.0 includes a symmetric key profile
- Bulk encryption uses symmetric keys
- Implementations may use wrapping keys, authentication keys as a way of simplifying management
- Storage array firmware hides complexity from storage managers
KMIP 1.1 is focusing on
- Client registration
- Grouping of keys and devices
- Asymmetric key usage
SSIF KMIP interoperability validation
- OASIS and SSIF alliance for documenting KMIP interoperability
Guiding Principles
Simplicity and Robustness of solution
- You should be able to reliably manage the keys so you do not lose access to the data
- Security of the keys is important but it is not a one size fits all solution
Encryption does affect the storage design
- You can introduce encryption with no performance penalty
- Encryption however does affect compression and de-duplication
Encryption and decryption for data in transit
- Data at rest encryption as the last operation
Additional Security Tutorials
Check out these SNIA Security Tutorials:
Tuesday 10:45 am: Practical Secure Enterprise Storage – Walt Hubis
Tuesday 2:10 pm: Legal Issue Relevant to Storage – Eric Hibbard
Thursday 9:25 am: Cloud Storage Security – Gordon Arnold (in the Cloud Computing track)
SNIA Security: Get Involved!
SNIA Security Technical Work Group (TWG)
Focus: Requirements, architectures, interfaces, practices, technology, educational materials, and terminology for storage networking.
http://www.snia.org/tech_activities/workgroups
Storage Security Industry Forum (SSIF)
Focus: Education, customer needs, whitepapers including the BCPs & Encryption of Data At-Rest (a Step-by-Step Checklist)
http://www.snia.org/forums/ssif
Q&A / Feedback
Please send any questions or comments on this presentation to SNIA: add your track reflector here
Many thanks to the following individuals for their contributions to this tutorial.
- SNIA Education Committee
- Ray Lucchesi
- Michael Willett
- Brandon Hoff
- Walt Hubis
- Gordon Arnold
- Gianna DaGiau
- SNIA SSIF