IBM PureApplication™ System Encryption
© 2013 IBM Corporation
IBM PureApplication™ System Encryption
Today’s CIO’s Challenges:
• Consolidate and Simplify the Infrastructure
• Cybersecurity: Access, Integrity, Control
• Privacy: Consumer Data Protection
• Confidentiality: Intellectual Property Protection, Theft Prevention
• Compliance: Supporting a multitude of differing EU & North American Consumer Privacy, Financial and Healthcare Regulations
• Private & Public Cloud Enablement
• Foreign Government and/or Corporate Espionage
• AND… Reduce Costs!!
Costs of Cybercrime
From the Ponemon Institute (conducts independent research on privacy, data protection and information security policy)
Interviews with 60 large U.S. Companies: Average annualized cost of Cybercrime rose 26% in 2013 to $11.6 million per company
• Loss or theft of information
• Disruption of Business Operations
• Revenue Loss
• Destruction of property, plant and equipment
• Detection, Investigation, Incident Response, Containment, Recovery
• Average 122 successful attacks per week, up 18% from 2012
Solutions – Bringing Costs Down
• Invest in Adequate Cybersecurity Resources
• Monitor systems for early detection
“Many attacks are subtle, stealthy and probably will beat your system”
Worldwide Regulatory Environment
No single standard for “what/how much to encrypt”
Europe
Centralized regulation for Consumer Data with many differences
• 24 different variations
• 900 EU regulatory changes this year alone
Strongest WW Enforcement & Penalties
• Enforcement Cases target largest companies and often affect WW Product(s) or Features
• Consumer Data Protection Regulations
United States
US Federal Regulation Strongest in
• Health Sector - Health Information Privacy (HIPAA)
• Financial Sector - Sarbanes Oxley
• Public Sector - Department of Defense
Examples of standards & enforcement:
• SB 1386, requires any company that stores customer data electronically to notify its California customers of a security breach to the company's computer system if the company knows or reasonably believes that unencrypted information about the customer has been stolen
• California Financial Information Privacy Act, creates new limits on the ability of financial institutions to share nonpublic personal information about their clients with affiliates and third parties
Best Practice: ENCRYPT ALL DATA!
Customer Environments
Enterprise Characteristics
• East / West or NY / Jersey (Financial Markets)
• Real Time or Delayed Take-over depending on Cost Parameters
• Multi-Nationals require Business Recovery
• Fully Operational Facilities, not stand-by “cold” environments
SMB Characteristics
• Meet HIPAA, ex: Doctor’s Office
• Solve Compliance Issue
• Provide Secure Entry Level High Availability Solution
Geographic Redundant Data Centers & Communications
• Reduce Op-Ex via Vendor Standardization
• Repeatable Configuration Deployment & Operational Guidelines
• Remote Management from a single Control Center
• High Data Availability via Data Replication (acceptable lag/transaction loss)
• Redundant Equipment Configurations
SPx (SecureParser) Encryption Pattern Differentiators
• SPx is an OEM IBM Part Number (D10N0LL), not an ISV third party solution
• Provably Secure Data at Rest Protection
• FIPS 140-2 Certified
• AES 256; HIPAA and FISMA data compliance at start up
• No External Key Management System
• No additional Cost
• No additional Personnel
• Integrated with the PureApps Management System
• Scales with the PureApps System
• Software only
• 2 clicks, 1 drag and drop to secure any directory
• Virtually NO System Overhead Tax
• <8% CPU utilization for encryption, randomization and authentication of the data (most software encryption solutions require up to 30% additional CPU utilization)
• No additional storage requirement with SPx encryption
• Enables Secure Multitenancy for Enterprise Environments
• Consolidate and optimize the Infrastructure without compromising privacy and confidentiality
Encryption Solution Decision Maker Criteria
Decision Maker’s Criteria:
• CIO: Regulatory i.e. SARBOX, HIPAA, Provably Secure
• CFO’s: Costs Cap-Ex & Op-Ex(3)
• CTO’s: Meeting Internal Customer Requirements
• Operations: Solution Time to Operation & Complexity of Support
Solutions compared:
• IBM with SFC Host Encryption
• IBM with NetApp 2240-2 & SafeNet StorageSecure
• IBM with EMC VNX5500, VNX Host Enc and RSA DPM
Customer Concern: Regulatory, Reduced Corporate Risk (Decision Maker: CIO)
• IBM with SFC: Provably Secure; Scalability
• IBM with NetApp / IBM with EMC: Scalability challenge / Corporate Risk Issues (RSA vulnerability)
Customer Concern: Cap-Ex (Decision Maker: CFO)
• IBM with SFC: Low cost; No hardware cost
• IBM with NetApp: Expensive upfront costs; Scaling is expensive
• IBM with EMC: Expensive upfront costs; Scaling is expensive
Customer Concern: On-Going Op-Ex, Cost of Maintenance (Decision Maker: CFO)
• IBM with SFC: No incremental expense; No additional maintenance expense
• IBM with NetApp: Additional expense for administration, Hardware & Software licensing, Maintenance; Scaling increases all of these costs
• IBM with EMC: Additional expense for administration, Hardware & Software licensing, Maintenance; Scaling increases all of these costs
Customer Concern: Solution Complexity (Decision Maker: Operations)
• IBM with SFC: Simple; Host only software; Performance
• IBM with NetApp: Complex; Appliance; Network configuration
• IBM with EMC: Complex; Appliance; Network configuration
Customer Concern: Installation Time & Cost (Decision Maker: Operations)
• IBM with SFC: Setup; Configure & forget; No services required; No additional FTE’s
• IBM with NetApp: Installation & configuration require additional services; Additional FTE’s
• IBM with EMC: Installation & configuration require additional services; Additional FTE’s
Encryption Feature Comparison
IBM, NetApp and EMC
Solutions compared: IBM with SFC; IBM with NetApp FAS 2240-2; IBM with EMC VNX 5500
Feature: Cost
• IBM with SFC: Low cost; Software only Host solution; No added Op-Ex costs
• IBM with NetApp FAS 2240-2: Expensive; Hardware appliance, 2 Required for HA; Increased Op-Ex costs
• IBM with EMC VNX 5500: Expensive; Hardware Keystore, min 2 for HA; Added Op-Ex costs
Feature: Ease of implementation and integration
• IBM with SFC: Easily Integrated into Flex Configuration Process; No external hardware or software; No services or training required
• IBM with NetApp FAS 2240-2: Difficult; External hardware & software; Additional administration tools from 3rd party vendor; Setup requires services and training
• IBM with EMC VNX 5500: Difficult; External hardware & software; Setup requires services and training
Feature: Scalability
• IBM with SFC: Scales with Compute node; All data handled internally on ITE, small footprint
• IBM with NetApp FAS 2240-2: Limited; Additional hardware to scale for throughput; Capacity not an issue
• IBM with EMC VNX 5500: Limited; Requires additional hardware for capacity; Throughput not an issue
Feature: Strength of encryption and access control
• IBM with SFC: AES 256 encryption, FIPS 140-2 certification, Strong authentication, Simple LDAP, Active directory file system access control; Strong control with SELinux
• IBM with NetApp FAS 2240-2: AES 256 encryption; FIPS-140-2 Level 3 certification; Layer of extra access control; Key shared among files groups, vulnerable to attacks
• IBM with EMC VNX 5500: AES 256 encryption; FIPS-140-2 Level 3 certification; Strong layer of extra access control overlaid on File System
Feature: Ease of use
• IBM with SFC: Easy to use. Configure & go! No additional administration
• IBM with NetApp FAS 2240-2: Difficult; External Administration required
• IBM with EMC VNX 5500: Difficult; External administration required
Case Study #1: Encryption Solution Pricing* for SAN (FCoE)
Component IBM/SFC NetApp EMC
Chassis w/network interfaces $50,956
Compute Nodes $80,690
Storage : NAS $62,914 $57,746 $65,935
Total : Hardware $194,560 $189,392 $197,581
Encryption TBD $144,000 $7,387
External Keystore $0 Included $139,727
5 Multi-Tenants (Medium) $0 $720,000 $698,635
Solution Total $194,560 + $909,392 $903,306
• None of these comparisons account for any additional gap with respect to scalability e.g. additional competitive equipment due to scaling not accounted for.
• Prices are MSRP
• Pricing for Hardware and Software only. Does not include additional administrative and operational requirements for the NetApp and EMC solution.
Case Study #1: Encryption Solution Components