© Copyright 2008 EMC Corporation. All rights reserved.
Storage Media Encryption and Enterprise Key Management
Imran Arfick, Cisco Systems & Gene Lee, RSA
© 2007 Cisco Systems, Inc. All rights reserved. Cisco and EMC Confidential. © Copyright 2007 EMC Corporation.
Agenda
Information Security
– Business Challenges
– Requirements
– Encryption Challenges
Cisco Storage Media Encryption
– Platform and Solution Overview
– Integration, Scalability and HA
– Provisioning and Competitive Comparison
RSA Key Manager for the Datacenter
– Long Term Planning for Key Management
– Meeting the needs of the Enterprise
– RSA Key Manager Deployed in the Enterprise
Summary
Information Isn’t Adequately Secure
EVOLVING SECURITY THREATS
Perimeter-Centric Security
Goal: Build and protect perimeters
Tools: VPNs, firewalls, IDS/IPS, anti-malware, endpoint protection
EMC STRATEGY
Information-Centric Security
Goal: Manage and protect information
Tools: Identity and access management, data encryption, rights management, anti-fraud, security information management
IS YOUR INFORMATION PROTECTED?
“Despite massive investment in security technology and services, fewer than one in five companies feel that all their data is adequately protected.”
— Enterprise Strategy Group
No: 82%
Yes: 18%
According to IDC, security products and services spending will reach almost $50 billion in 2008.
Sources: Enterprise Strategy Group, “Protecting Confidential Data,” March 2006; and IDC, “Worldwide IT Security Software, Hardware, and Services 2007–2011 Forecast: The Big Picture,” Doc. #210018, December 2007.
EMC’s Comprehensive Product Security Policy
Spans across EMC’s entire storage product portfolio
EMC’s Product Security Policy: http://productsecurity.emc.com/comply/
80 Consistent Security Design Requirements:
– Secure Product Architecture and Design
– Secure Product Development Processes
– Security Testing and Assurance
– Secure Serviceability
Product portfolio shown:
– CLARiiON: CX3 UltraScale Series, AX4
– Invista
– EMC Centera: Gen 4 LP Node
– Symmetrix: DMX-4 and DMX-3, DMX-4 950
– Celerra: NSX, NS20, NS40, NS40G, NS80, NS80G
– Rainfinity
– Connectrix
– EMC Disk Library: DL210, DL4000 series, DL4400, DL6000 series
Data Encryption to Secure Information
Data Encryption Becoming an IT Requirement
Addresses compliance with industry regulations
– PCI, Sarbanes-Oxley (SOX), SB 1386, U.K.’s Data Protection Act (DPA), Directive 95/46/EC, internal requirements
Protects data in transit
– Electronic and physical movement of data for backup, disaster recovery, and maintenance
Limits exposure to security breaches
– Minimize risk of unauthorized access to sensitive information
Encryption protects data at rest from unauthorized access
Implementing Data Encryption
Encryption Challenges
Management complexity
– Cost and complexity associated with deploying and managing multiple encryption technologies and key managers
Scalability across the enterprise
– Many point solutions do not scale across application types or infrastructure elements
Service-level disruption
– Installing encryption technologies and appliances may require an outage
GETTING STARTED
– Classify applications and develop appropriate protection policies and enforcement strategies
– Deploy encryption technologies that can address enterprise requirements
– Develop strategies to manage the lifecycle of encryption keys across the enterprise
EMC Storage Security Integration
EMC Encryption Offerings for Data at Rest
PowerPath Encryption with RSA
– Enables data storage on disk arrays to be encrypted
– Integrates data-at-rest encryption with the industry-leading path management software
Cisco MDS Storage Media Encryption
– Enables data stored on open systems tape libraries and EMC Disk Library DL4000 series virtual tape libraries to be encrypted
– Protects information in the event of theft or loss of backup media (drives or tapes)
– Sold and serviced by EMC under the EMC Connectrix brand
RSA Key Manager for the Datacenter
– New server appliance to centrally administer policy-based encryption key management
– Simplifies the deployment and ongoing use of encryption
Cisco SME - Hardware Platform
HIGH-PERFORMANCE INTEGRATED SOLUTION WITH MULTI-GIGABIT THROUGHPUT
MDS 9000 Family Systems: MDS 9513, MDS 9509, MDS 9506, MDS 9222i (runs SME), MDS 9216A, MDS 9216i
MDS 9000 Modules: 18/4-Port Multiservices Module (MSM-18/4), runs SME
Mgmt: Cisco Fabric Manager w/Key Management Center
OS: Cisco MDS 9000 Family SAN-OS
Encrypts traffic from any port in fabric – Requires no rewiring
Cisco SME - Delivering Encryption as a SAN Service
1. Insert Cisco MSM-18/4 modules or MDS 9222i switches
2. Enable Cisco SME and set up encryption service
3. Provision encryption for specific storage devices
(Figure: MDS 9500 Series and MDS 9200 Series switches running the Storage Media Encryption Service; a cleartext record, “Name: XYZ, SSN: 1234567890, Amount: $123,456, Status: Gold”, is shown beside its encrypted, unreadable form.)
Cisco SME - Secure, Integrated Solution
Encrypts storage media (data at rest)
– Strong, standard IEEE AES-256 encryption
– Integrates as transparent fabric service
– Handles traffic from any virtual SAN (VSAN) in fabric
Supports heterogeneous, SAN attached tape devices and virtual tape libraries
Includes secure key management
– Integrates with RSA Key Manager for enterprisewide, lifecycle key management
Compresses tape data
(Figure: an application server writes cleartext records into the fabric, SME encrypts them, and the ciphertext is written to tape devices and a virtual tape library; the Key Management Center (KMC) is reached over TCP/IP.)
Cisco SME - Scalable, Highly Available
Integrates transparently in MDS fabrics
Dramatically reduces deployment time
– No SAN re-configuration or re-wiring to insert appliances
– Provisioning becomes a simple, logical process of selecting what to encrypt
Modular, clustered solution offers highly scalable and reliable performance
Load balances automatically
Redirects traffic if a failure occurs
Provisions quickly with Cisco Fabric Manager wizards
(Figure: media servers and tape drives/VTLs attached to a fabric containing two MSM-18/4 modules.)
Cisco SME - Rapid, Wizard Based Provisioning
Wizard 1 – Creating a cluster
– Selects encryption modules
– Defines key management policies
– Generates and stores master key
Wizard 2 – Adding a tape group
– Selects media servers
– Specifies devices to encrypt tape volumes on
Wizard 3 – Creating a volume group
– Defines a set of tape volumes sharing a common group key
Cisco SME is ready!
Comparison of Encryption Solutions
(Columns: Tape Devices | Cisco SME | SAN Appliance)
Investment Protection for Storage Devices: No drive investment protection | Yes | Yes
Large Scale Deployment: Medium – Install drives, upgrade backup app. | Easy – Insert modules, provision with wizards | Hard – Rewire and reconfigure SAN
Advanced Security Certifications: No | FIPS 140-2 L2, CC EAL-3 compliant | FIPS 140-2 L3
Consolidated Management: Medium – Backup app integration | High – SAN, security, key mgmt integration | None – New key and appliance mgmt apps
Overall Solution Cost: Higher – New drives & media for max utility | Lower – Reuse drives & media, adds FC ports | Medium – Encryption only, consumes ports
Long Term Planning for Key Management
Before tape encryption, a survey by the Yankee Group and Sunbelt Software found that “40% of IT managers had been unable to recover data from a tape when they needed it.”
Whether the IT organization can get at the encrypted data stored on tape is decided by the encryption key: if the key is lost, or simply unavailable, the data is inaccessible.
Planning an encryption strategy requires a plan for both the cryptographic engine and the lifetime management of the keys. The key needs to live as long as the data, and in some cases longer.
Since you entrust your tapes and disks to the highest levels of long-term protection, your keys should be treated the same way.
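As an added example, not Cisco's or RSA's code, the Go program below models the key hierarchy the provisioning wizards create (a cluster master key, volume groups whose tapes share one group key) together with the recovery point made here: a tape volume is readable only while the master key that wraps its group key survives. AES-256 is what the deck states; GCM mode, the wrapping scheme and every function name are this example's assumptions.

```go
package main
import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// Constructed model of the SME key hierarchy: a cluster master key wraps each
// volume-group key and every tape volume in a group is encrypted under that
// group key. AES-256 is from the deck; GCM mode and all names are assumptions.
func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}
// seal prefixes a random nonce; aad binds the ciphertext to a group/volume id.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return g.Seal(nonce, nonce, plaintext, aad), nil
}
// open is the restore path: a wrong key, a tampered tape or a mismatched label
// all fail authentication, so data is unreadable rather than silently wrong.
func open(key, sealed, aad []byte) ([]byte, error) {
	g, err := gcmFor(key)
	if err != nil || len(sealed) < g.NonceSize() {
		return nil, errors.New("bad key or truncated ciphertext")
	}
	return g.Open(nil, sealed[:g.NonceSize()], sealed[g.NonceSize():], aad)
}
// NewVolumeGroup returns a fresh AES-256 group key wrapped under the master key
// (open(master, wrapped, []byte(groupID)) unwraps it). Only the wrapped form is
// stored, so losing the master key loses every volume in the group.
func NewVolumeGroup(master []byte, groupID string) ([]byte, error) {
	groupKey := make([]byte, 32)
	if _, err := rand.Read(groupKey); err != nil {
		return nil, err
	}
	return seal(master, groupKey, []byte(groupID))
}
```

Writing a volume is seal(groupKey, data, volumeID) and restoring it is open(groupKey, tape, volumeID); with a wrong or missing master key the unwrap step fails and no volume in that group can be restored.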
Planning out an Encryption Deployment
1. Plan – Targeted solutions based on well-defined business, security, compliance and remediation requirements
– Define Security Requirements
– Assess Security Posture
– Evaluate Alternatives & Design Solution
– Conduct Solution Planning
2. Build – Resolve and protect against known risks, while implementing controls to protect against further risks
– Test, Implement & Document Solution & Update Procedures
– Validate Solution & Transfer Knowledge
– Update Solution Support Processes
– Implement Monitoring & Reporting Mechanisms
3. Manage – Establish processes and technology for executing an on-going security and compliance program
– Discover and Classify
– Enforce
– Report and Audit
4. Program Management and Quality Assurance
Cisco SME + RKM for the Datacenter
Cisco SME
Basic Key Management
– Local Database for Key Storage
– Store Attributes with Key
– Store Key State
Clustering
– Clustering for Disaster Recovery
– Clustering for Failover
Add RKM for the Datacenter
Enterprise Scalability
– Supports Disk, Database, and Application Encryption
– Recommended by Cisco for Large Number of Keys
– Supports multiple encryption integrations, in and out of the SAN
Key Vaulting and Protection
– Key Vaulting for Long-Term Protection
– No Single Point of Failure
– Enterprise Database for Key Store
– Database Resilience
How Data Moves in the Enterprise
(Figure: data flow across five layers, Endpoint, Apps/DB, Storage, FS/CMS and Network. Endpoint: internal employees, remote employees, partners, outsourced development. Apps/DB: enterprise applications, production database, business analytics, replica, staging. Storage: disk arrays, backup disk, backup tape, backup system. FS/CMS: file servers, collaboration & content management systems. Network: LAN, WAN, WWW.)
Summary: Leverage RKM for Enterprise Key Management Needs
Adding RKM to the Datacenter provides:
– Reduced cost of management
– Simple, scalable encryption key management across the IT stack
– Alignment of policies across data centers worldwide
– Prevention of risk due to lost or stolen media
– Savings in expense and disruption to your IT environment
Integrate RSA Key Management with SME to Provide Encryption and Lifecycle Key Management Across the Enterprise
Questions?