data encryption and key management panel discussion - snia

Data Encryption and Key Management Panel Discussion – Part I

Ray Lucchesi, Silverton ConsultingBrandon Hoff, Emulex

Michael Willett, SamsungWalt Hubis, LSI Corporation

Gordon Arnold, IBM

Data Encryption and Key Management Panel Discussion© 2010 Storage Networking Industry Association. All Rights Reserved. 22

SNIA Legal Notice

The material contained in this tutorial is copyrighted by the SNIA unless otherwise noted. Member companies and individual members may use this material in presentations and literature under the following conditions:

Any slide or slides used must be reproduced in their entirety without modificationThe SNIA must be acknowledged as the source of any material used in the body of any document containing material from these presentations.

This presentation is a project of the SNIA Education Committee.Neither the author nor the presenter is an attorney and nothing in this presentation is intended to be, or should be construed as legal advice or an opinion of counsel. If you need legal advice or a legal opinion please contact your attorney.The information presented herein represents the author's personal opinion and current understanding of the relevant issues involved. The author, the presenter, and the SNIA do not assume any responsibility or liability for damages arising out of any reliance on or use of this information.

NO WARRANTIES, EXPRESS OR IMPLIED. USE AT YOUR OWN RISK.


Abstract

Data Encryption and Key Management Panel Discussion

Data security is top of mind for most businesses trying to respond to the constant barrage of news highlighting data theft and security breaches. Nevertheless, questions arise as to where to encrypt the data and how to manage the keys.Our panelists will explore diverse perspectives on both data encryption and key management. If you have questions, we've got answers.

Data Encryption and Key Management Panel Discussion© 2010 Storage Networking Industry Association. All Rights Reserved.

Customers Need EncryptionEnd-Users are looking for a Compliance Strategy

New & Emerging Regulations and Laws Impact Key Verticals

Encryption is a ‘Safe Harbor’ whereby encrypted data cannot be stolen as long as the thief doesn’t have the key

Customers are struggling to avoid the cost of a security breach

$204 per lost record, $6.7 million per breach

Customers “Getting By” with current approaches31% of End-Users use DB encryption

25% of customers are planning to add more encryption

Disk shredding can cost millions per year

Customers are overwhelmed with the complexity of compliance

Up to 20% of IT staff time

Real Customers asking for helpF100 Companies, Healthcare, RetailFederal, DoD, and other three letter agencies

Customers are looking for a better solution

Vertical Encryption RequirementsPublic Sector Encryption is required to for FISMA, DoD,

and DCID 6/3

Health Sector HiTECH gives HIPAA teeth. Healthcare providers can be fined or prosecuted

Ecommerce or Ecommerce hosting

PCI-DSS Requirement 3 is mandatory for any company that handles credit cards

Retail PCI-DSS mandates encryption for data at rest for credit card data

Service Providers Need to provide service level support for HiTECH, PCI-DSS, GLBA, FFIEC

Financial Institutions

Basel II, FFIEC, and GLBA place strict requirements including encryption

Other Massachusetts and Nevada Laws are mandating encryption for any company that does business in their state.Law firms are sending out Client Alerts on the requirement to encrypt data

Over 10,000 rules and regulations for end-users to deal with

4


Why Encrypt Data-At-Rest?

Compliance 46+ states have data privacy laws with encryption safe harbors New data breach bills have explicit encryption safe harbors

Data center and laptop drives are mobile (HDD, SSD)

Exposure of data loss is expensive ($6.65 Million on average per incident1)

Obsolete, Failed, Stolen, Misplaced… Nearly ALL drives leave the security of the data center

The vast majority of decommissioned drives are still readable

Threat scenario: stored data leaves the owner’s control – lost, stolen, re-purposed, repaired, end-of-life, …

1. Ponemon Institute, Fourth Annual US Cost of Data Breach Study – Jan 2009 www.ponemon.org

http://www.kmktechnologies.com/Iron%20Mountain%20logo%202.gif�


Host and HBA Based Encryption

6

Switch/Router/Appliance

Storage Controller

HBA

HBA

Host basedApplication

O/S


Storage Controller

HBA

HBA basedApplication

O/S

HBAKe

y M

anag

er

Key

Man

ager


Switch or Appliance Based Encryption

7

Switch based

Switch or Router

Storage Controller

HBA

HBA

Application

O/S

Switch based

Network Appliance

Storage Controller

HBA

HBA

Application

O/S

Key

Man

ager

Key

Man

ager


Storage Controller or Drive Based Encryption

8

Storage Controller


Storage Controller

HBA

HBA

Application

O/S

Drive


Storage Controller

HBA

HBA

Application

O/S

Key

Man

agerKe

y M

anag

er

9

Brandon HoffEmulex


What Host based Encryption (HbE) isHbE is the most common encryption technique

Very simple, HbE provides encryption in the server

Provides the best security by moving encryption to where the data is created and stored

Best practice that companies legally should follow

Simplifies management through integrating into host based management tools

Examples of HbEOracle TDEMSSQL EncryptionmySQL EncryptionInside-the-server SEDsOneSecure eHBAsPowerPath Encryption with RSA

VM 1

VM 2

VM 3

© 2009 Emulex, all rights reserved.

External StorageInside-the-Server SEDs

Oracle Transparent Encryption

PowerPath Encryption with

RSA

10


Host Based (HBA) EncryptionHow it works

11


Host-based Storage SecurityArchitecture and Customer Perspective

Host-based Storage Security ArchitectureHardware encryption in the host HBAFocused on disk encryptionIntegration into leading key managersIntegration into Event Management and other datacenter tools

Host-based Storage Security Customer Perspectives

“HBA encryption is more scalable for workloads”“HBA encryption is more scalable for capacity”“Host based encryption is always the easiest”“May become the most cost effective”“Protocol agnostic security simplifies deployment”“Put it into a FedEx box and ship it!”“Key Refresh is an critical requirement.”

SAN

VM 1

VM 2

VM 3

© 2009 Emulex, all rights reserved.

12


Interesting Market Data PointsFrom IDC’s Encryption Survey, 2006

Amount of Data to be EncryptedOver 66% of customers expect to encrypt over 50% of their data

44% of customers expect to encrypt 75% or more of their data22% of customers expect to encrypt 50%-74%17% of customers expect to encrypt 25%-49%

A weighted average of 55% of data is expected to be encryptedBoth hardware and software solutions may be deployed

Where should storage encryption occur?Over 80% of end-users would deploy host based encryption

55% said between the host and the storage system50% said in the storage system

End-users will deploy various types of encryption to fit their needs

13

14

Michael WillettSamsung


Self-Encrypting Drives

“Many organizations are considering drive-level security for its simplicity in helping secure sensitive data through the hardware lifecycle from

initial setup, to upgrade transitions and disposal”Eric Ouellet

Research Vice PresidentGartner

• Simplified Management• Robust Security• Compliance “Safe Harbor” • Cuts Disposal Costs

• Scalable • Interoperable • Integrated • Transparent


Trusted Storage Standardization


Complexity• Data classification • Impact on OS, applications, databases• Interoperability

Performance • Performance degradation; scalability

Cost• Initial acquisition costs

• Deployment costs

• Tracking and managing encryption keys• Tracking and managing authentication keys

(passwords for unlocking drives)

Key management / data loss

‘Hurdles’ to Implementing Encryption…


Addressing the Hurdles…

Simplifies Planning and Management

Standards-based for optimal manageability and interoperability

Transparent to application developers and database administrators. No change to OS, applications, databases

Data classification not needed to maintain performance

Solves Performance No performance degradation

Automatically scales linearly

Can change keys without re-encrypting data

Reduces Cost

Standards enables competition and drive cost down

Compression and de-duplication maintained

Simplifies decommissioning and preserves hardware value for returns, repurposing

Encryption key does not leave the drive; it does not need to be escrowed, tracked, or managed

Simplifies key management to prevent data loss


-Transparency: SEDs come from factory with encryption key already generated

- Ease of management: No encrypting key to manage

- Life-cycle costs: The cost of an SED is pro-rated into the initial drive cost; software has continuing life cycle costs

- Disposal or re-purposing cost: With an SED, erase on-board encryption key

- Re-encryption: With SED, there is no need to ever re-encrypt the data

- Performance: No degradation in SED performance

- Standardization: Whole drive industry is building to the TCG/SED Specs

- No interference with upstream processes

Hardware-Based Self-Encryption versus Software Encryption

ISSUE: Hardware acquisition (part of normal replacement cycle)


The Future: Self-Encrypting Drives

Encryption everywhere!Data center/branch office to the USB drive

Standards-basedMultiple vendors; interoperability

Unified key managementAuthentication key management handles all forms of storage

Simplified key managementEncryption keys never leave the drive. No need to track or manage.

Transparent Transparent to OS, applications, application developers, databases, database administrators

Automatic performance scalingGranular data classification not needed

USB

Key Management Service

BranchOffice

Data Center Application Servers

Storage SystemLocal Key Mgmt

Storage System, NAS, DAS

Network

StandardKey MgmtProtocol

Trusted Computing GroupT10/T13

Security Protocol

Notebook

DesktopUSB

Authentication Key Flow Data Flow

Tape

Authentication Key (lock key or password)Data Encryption Key (encrypted)

OASIS KMIP

Data Encryption and Key Management Panel Discussion - Part II

Ray Lucchesi, Silverton ConsultingBrandon Hoff, Emulex

Michael Willett, SamsungWalt Hubis, LSI Corporation

Gordon Arnold, IBM

22

Walt HubisLSI


Database Replica Staging

Email Server File Server

VPN

Storage Array

Storage Media Library Encrypting HBA

SED Disk

Key Server 1Key Server 2 Key Server 3 Key Server N

Key Management: Disparate, Proprietary Protocols


Database Replica Staging

Email Server File Server

VPN

Storage Array

Storage Media Library Encrypting HBA

SED Disk

Enterprise Key Management

Standardized Key Management

Key Management Interoperability Protocol

25

Gordon ArnoldIBM


KMIP and Storage

KMIP 1.0 includes a symmetric key profileBulk encryption uses symmetric keys

Implementations may use wrapping keys, authentication keys as a way of simplifying management

Storage array firmware hides complexity from storage managers

KMIP 1.1 is focusing on Client registrationGrouping of keys and devicesAsymmetric key usage

SSIF KMIP interoperability validationOASIS and SSIF alliance for documenting KMIP interoperability

26


Guiding Principles

Simplicity and Robustness of solutionYou should be able to reliably manage the keys so you do not loose access to the dataSecurity of the keys is important but it is not a one size fits all solution

Encryption does effect the storage designYou can introduce encryption with no performance penaltyEncryption however does effect compression and de-duplication

Encryption and decryption for data in transitData at rest encryption as the last operation

27


Additional Security Tutorials

28

Check out these SNIA Security Tutorials:

Tuesday 10:45 am: Practical Secure Enterprise Storage – Walt Hubis

Tuesday 2:10 pm: Legal Issue Relevant to Storage – Eric Hibbard

Thursday 9:25 am: Cloud Storage Security– Gordon Arnold (in the Cloud Computing track)


SNIA Security: Get Involved!

SNIA Security Technical Work Group (TWG)Focus: Requirements, architectures, interfaces, practices, technology, educational materials, and terminology for storage networking.http://www.snia.org/tech_activities/workgroups

Storage Security Industry Forum (SSIF)Focus: Education, customer needs, whitepapers including the BCPs & Encryption of Data At-Rest (a Step-by-Step Checklist)http://www.snia.org/forums/ssif

29

http://www.snia.org/tech_activities/workgroups�

http://www.snia.org/forums/ssif�


Q&A / Feedback

Please send any questions or comments on this presentation to SNIA: add your track reflector here

Many thanks to the following individuals for their contributions to this tutorial.

- SNIA Education Committee

Ray LucchesiMichael WillettBrandon HoffWalt HubisGordon ArnoldGianna DaGiauSNIA SSIF

data encryption and key management panel discussion - snia

Documents