IBM System Storage Data Protection and Security · IBM has built Storage Security into the...
© 2008 IBM Corporation
Chen Chee Khye
ATS – Storage
IBM System Storage
Data Protection and Security
IBM Security
Data Impact
Information is Exploding
Today: Up to 80% of data is unstructured content (email, video, images)
Through 2012: Storage capacity shipments are growing at 54% a year
By 2010: Example: Medical images will take up 30% of the world’s storage (1MB/2D image, 1TB/4D image)
[Charts: "Data Growth" (PB shipped by year) and "Data Types" (Structured, Unstructured)]
Impact on Data Storage
Data volumes doubling every 18 months
– Devices accessing data doubling every 2.5 years
70% of the digital universe is created by individuals…
– … but enterprises are responsible for the security, privacy, reliability and compliance of 85%
Information created, captured, or replicated exceeded available storage for the 1st time in 2007
Structured data growing at 32%
Unstructured data growing at 63%
Replicated data growing at 49%
Source: IDC worldwide enterprise disk in Exabytes from “Changing Enterprise Data Profile”, December 2007
Current economic climate will push for storage services, which raises the need for security
IBM Information Infrastructure
Data Loss is Top of Mind
The Cost of Data Loss
The impact of data loss is significant
• Totaling $66.9M in 2007±
• Average data breach costs a company $5M†
• Average annual loss per company is $350,000 ±
• Breaches cost companies an average of $185 per record
• 327 data breaches were reported in 2006*
• More than 100M data points exposed in 2006*
• Requirement for data privacy and encryption is mandatory
• Customers will not have a choice on storage security spending
±Computer Security Institute 2007
†Network World Magazine
*Source: privacyrights.org
We Need IT Infrastructure Able to Handle Data Growth
• Information Compliance: Reduce reputation risks and audit deficiencies
• Information Retention: Support information retention policies
• Information Availability: Deliver continuous, reliable access to information
• Information Security: Secure sharing of information
• 37% of data is expired or inactive.
• Average US legal discovery request can cost organizations from $150K to $250K.
• Average cost of a privacy breach is around $200 per compromised record.
• Downtime costs can amount up to 16% of revenue in some industries.
Sources: CIO Magazine survey 2007; IBM Tivoli Market needs and profiling study 2005; "The Costs of Enterprise Downtime: NA Vertical Markets 2005" Information Research; IBM Market Intelligence; SNIA Data Management Forum, 100 Year Archive Requirements Survey, © Storage Networking Industry Association (SNIA), 2007
IBM Software Group
View of IBM’s data protection technology – encryption everywhere
Encryption choices – why should encryption be built into storage
– Performance – cryptography can be computationally intensive
– Efficiency – encrypted data is not able to be compressed or de-duplicated
– Security – data in transit should use temporary keys, data at rest should have long term retention and robust management
– Scalability – best to distribute cryptography across many devices
IBM has launched encrypting tape systems, moving to encrypting storage arrays (Full Disk Encryption), with plans to extend to the rest of the infrastructure (Switch/Base/Backup components)
[Diagram: encryption at the database, file system, SAN switch, disk storage array and enterprise tape library (3592), with key management]
Why Wouldn’t You Encrypt Data at Rest?
Your Concerns:
1. Performance
• Encryption that isn’t built into the storage infrastructure could cause serious performance penalties
2. Potential to Lose data
• If you encrypt the data and lose the key then the data is lost
3. Complexity
• Some solutions add extra boxes on the wire, classification, constant configuration, application changes
4. Total cost of ownership
• Some solutions can double the cost of the storage solution
IBM’s Response:
• Our encrypting storage solutions have an impact on performance that is less than 1%
• Our key management is proven with thousands of customers today
• Our solution is simple to install, configure, with no application or server changes required
• Our Encryption and key management adds small incremental cost
Our solution is high performance, robust, safe, simple, and cost effective
IBM Vision for Encryption and Key Management
– Encryption built into the infrastructure (not on top of it)
• IBM’s 3rd generation tape drive with encryption: TS1130
• TS1120
• LTO Gen 4
• Full Disk Encryption (FDE)
• Over 3,500 security professionals worldwide
• $1.5B investment in security in 2008
Tivoli Key Lifecycle Manager
• TS1130 Tape Drive
• Disk Encryption
• Security and Privacy Services
“What separates IBM from the pack is its ability to provide a complete and extensible Storage Encryption architecture, including an enterprise key management capability.”
Jon Oltsik, Enterprise Strategy Group, August 2008
The Future of Storage
Encryption is built in – just like compression, and increasingly de-duplication
• IBM has shipped tape systems with built in encryption for 2 years
• IBM has shipped encrypting disk systems
You will need unified key management for operational simplicity, security, and compliance
• Transparent to applications – no changes or upgrades required
• Simple, easy to install and use
• Adheres to regulations
• Fits into your environment – no new appliances
• IBM Tivoli Key Lifecycle Manager is the answer!
[Diagram: Disk Storage Array; Enterprise Tape Library 3592]
IBM Tivoli Key Lifecycle Manager v.1.0
Simplified key management across distributed and mainframe
Client Value
• Reduces encryption management costs related to set up, use and expiration of keys
• Enables organizations to comply with disclosure laws and regulations
• Ensures against loss of information due to key mismanagement
• Transparently detects encryption-capable media to assign necessary authorization keys
• Runs on most existing server platforms to leverage resident server’s existing access control/high availability/disaster recovery configs
Its predecessor EKM is a proven key management system with 2000 customers worldwide!
Simple, Secure and Cost-effective Key Storage, Key Serving and Key Management
IBM Tivoli Key Lifecycle Manager v.1.0
Feature Function
Focused on device key serving
• IBM encrypting tape – TS1120, TS1130, LTO gen 4
• IBM encrypting disk
– DS4000/DS5000/DS6000/DS8000
Lifecycle functions
• Notification of certificate expiry
• Automated rotation of certificates
• Automated rotation of groups of keys
Designed to be easy to use
• Provide a Graphical User Interface
• Initial configuration wizards
• Easy backup and restore of TKLM files
– One button operation
• Installer to simplify installation experience
– Simple to use install for Windows, Linux, AIX, Solaris
– Can be silent install
Platforms for V1
– AIX 5.3 64 bit
– Red Hat AS 4.0 x86 - 32 bit
– Suse Linux 9.0 and 10 x86 - 32 bit
– Solaris 10 Sparc - 64 bit
– Windows Server 2003 - 32 bit
– z/OS 1.9
With TKLM Solution….
… IBM Solution offering includes
IBM’s Tape System Offerings
TS1040 (LTO4) Tape Drive
– Standard feature on all FC & SAS LTO4 Tape Drives
– Supports “traditional” and “encrypted” modes of operation
TS1130 / TS1120 Tape Drive
– Standard feature on all new TS1130 Tape Drives
– Supports “traditional” and “encrypted” modes of operation
TKLM – Tivoli Key Lifecycle Manager
– EKM follow-on
– AIX, Sun, Linux and Windows
– z/OS – Statement of Direction
– Serves keys
Flexible IBM Tape Encryption Methods
[Diagram label: Tivoli Key Lifecycle Manager]
Like Tape, Self-Encrypting Drives Have Virtually No Performance Degradation
The encryption engine is in the controller ASIC
Encryption engine speed matches port’s max speed
Scales linearly, automatically
All data can be encrypted, with no performance degradation
No need to classify which data to encrypt
[Diagram: Storage System]
IBM’s Disk Storage Offering with Full Disk Encryption – DS5000
Real-world performance: Sustainable, scalable with Full Disk Encryption Support
Interface adaptability: 4 Gbps FC, 8 Gbps FC, iSCSI
Continuous and reliable access to information: Online administration, active-active redundancy, advanced diagnostics
Application integration: Certifications, solutions, meet SLAs
Green efficiency: Do more with less, support of intermix with normal disk drives and FDE drives!
* 2H 2009 feature
EXP5000 Expansion Unit
16 drives in 3U enclosure
4 Gbps FC interfaces / ESMs
– High-speed, low-latency interconnect
from controllers to drives
Supports intermixing FC, FDE and SATA drives
– More efficient use of enclosures
Unique speed-matching technology
– 3 Gbps SATA II drives effectively run at 4 Gbps speeds
Switched architecture
– Drive isolation, better diagnostics
– Higher performance, lower latency
Secure DS5000 Encryption Services
Comprehensive security for data-at-rest
Full Disk Encryption (FDE)
– Encryption takes place at the drive level
Robust management tools
– Integrated local key management
DS5000 Series Drive Support
– Drives supported: 4Gbps FDE 15K FC, 146GB, 300GB, and 450GB
DS5000 Encryption Benefits
Bullet-proof security throughout the drive’s lifecycle
– Unparalleled security assurance with government-grade encryption
– Instant secure erase for a higher security level than other common methods
– Automatically protects data on drives returned for repair, retired, or repurposed
High performance
– Drive-based encryption engine maintains our exceptional performance
Robust yet easy-to-understand management
– FDE key management is transparent to day-to-day storage administration, making FDE drives as easy to manage as traditional drives
– A single DS5000 system can support all tiers and classifications of data
– No application/operating system changes or modifications required
Disposal Options Are Riddled with Shortcomings
• Format the drive or delete the data
– Doesn’t remove the data - data is still readable
• Over-writing
– Takes hours-to-days
– Error-prone; no notification from the drive of overwrite completion
• Degaussing
– Very costly, time-consuming
– Difficult to ensure degauss strength matched type of drive
• Shredding
– Very costly, time-consuming
– Environmentally hazardous
• Smash the disk drive
– Not always as secure as shredding, but more fun
• Professional offsite disposal services
– Drive is now exposed to the tape’s falling-off-the-truck issue
… With IBM Storage Systems Data protection
IBM has built Storage Security into the infrastructure
– Will fit into your existing server management
– Will leverage existing high availability and disaster recovery solutions you have thought of!
Adding IBM’s storage security option is:
– Simple
– Transparent to existing applications
– Cost effective
– Leverage existing investments
Questions?
IBM Storage Systems offerings