DECRU
Transcript of DECRU
Data At Rest Security Opportunity
Chris Gale [email protected]
Storage Insecurity
• Feb 2003 – Visa, Amex, MasterCard – Hacker breaches 8 million credit card accounts through a third-party processor
• Feb, May 2004 – Microsoft and Cisco source code stolen
• June 2004 – AOL software engineer arrested after stealing 92 million names, selling to spammers for $100,000
• Sept 2004 – Guilty plea in $50 million identity theft case – Helpdesk employee stole tens of thousands of identities from credit databases
• Feb 2005 – Bank of America – 1.2 million user accounts, including U.S. Senators and Defense Department employees, are exposed when a cleartext backup tape is lost
Compliance Drivers: Visa CISP
Cardholder Information Security Program
• CISP information security program applies to vendors, merchants, and service providers who handle confidential cardholder data
• Compliance is verified by third party auditors; fines and other sanctions for non-compliance or for data breaches caused by poor security
Sec. 3 of 12: Protect Stored Data
• Requirement to protect confidential cardholder data at rest
• Encryption highly recommended
• Need-to-know access controls
• Strong algorithms, strong key management
Perimeter Security is Insufficient
Insider Threat
• 50-80% of electronic attacks originate inside the firewall
• 67% of companies reported internal breaches
• Average loss from breach of proprietary data was $2.7 million
Source: FBI/Computer Security Institute
Storage Trends
Storage protocols have never evolved from cleartext…
Consolidation, Replication, Outsourcing = Risk Multipliers
Who has access to sensitive data?
Diagram: sensitive data sets on storage – Customer data, Earnings releases, Salaries and reviews, Litigation docs.
Roles shown with access to that storage: CEO, General Counsel, CFO, Network Administrators, System Administrators, Backup Administrators, Storage Administrators, Outsourcing Vendors, DR Storage Administrators, Tape Courier, Storage Repair/Service Staff.
Traditional Encryption Compromises
• Performance degradation
• Key management complexity & security
• High availability issues
• Application changes and downtime
• Database changes required
• Changes to desktops, servers, workflow
The Decru solution addresses all of these concerns.
About Decru
• Founded 2001 to solve emerging storage security problems
– Regulatory compliance
– Privacy
– Insider threat
• Well funded by top-tier investors (over $45m)
– NEA, Benchmark, Greylock, In-Q-Tel (CIA-funded)
– Seasoned, proven management team
• DataFort platform is shipping and deployed, with customers on three continents
Awards and recognition: “Top 10”; “12 Hot Startups”; Nominated: “Best Enterprise Security Product 2003”; “Top 10 Products of 2004”; Rating: Deploy, Top 10 lab score: 8.4/10, Security: 10/10
Partner Ecosystem
Decru DataFort™ Storage Security Appliances
DataFort provides the first unified platform for securing data at rest across the entire enterprise.
DataFort integrates transparently into NAS, DAS, SAN, iSCSI & tape environments, and protects stored data with wire-speed encryption, access controls, authentication, and tamper-proof auditing.
NAS/DAS: DataFort E-Series (1Gbit)
SAN/Tape: DataFort FC-Series (2Gbit)
Tape: DataFort S-Series (2Gbit)
Lifetime Key Management™ for automated, secure enterprise-wide key management
Decru: End-to-end storage security
Diagram: Clients/Hosts → Network → DataFort → Storage. Between clients and DataFort: authentication and a storage VPN; between DataFort and storage: AES-256 encrypted data. DataFort provides authentication, granular ACLs and secure logging.
DataFort protects the data path for applications and users, eliminating “back doors” and simplifying security.
Storage Encryption
Diagram: storage partitioned into separately keyed vaults – Cryptainer 1, Cryptainer 2, Cryptainer 3.
Decru: Tape Encryption
Diagram: two backup paths.
Unsecured Tape Backup: host → FC switch → tape library. The tape holds cleartext, shown on the slide as this sample record set (illustrative data from the slide):
CUSTOMER        SSN          AMT
John Magnus     544-89-3021  $304.31
Susan Wong      522-35-1105  $91.05
Ken Hernandez   670-32-1145  $21.88
Alicia Sparr    435-98-0498  $209.95
M.J. Satyr      594-22-9038  $76.55
Dan Spencer     543-09-3451  $413.03
Mary Jones      495-38-8971  $90.74
Jerome White    613-98-8932  $247.11
Martin Ng       339-77-9201  $20.89
Fay Dunlap      784-29-6290  $401.92
Takeshi Doi     544-09-3193  $29.01
Sarah Fisher    432-92-7105  $142.28
Ingrid Parker   595-29-7406  $102.48
Secured Tape Backup: host → FC switch → Decru DataFort → tape library. The tape holds only ciphertext, shown on the slide as the raw byte dump below (truncated as captured):
DYHY^C^@^@^@~]<F2>^?z<B2>0 ^N<E4>q<91><CD>xl<CB>^A^@^@^@^\<84>1 <92><F6>^Cq<89><90><CF><9C><D9>1#<F6><8E><C1><CF><86><DA>B<EB><F7>A.\<AD><CF><F0><D2>-<CA><C3><DA><8E><F1><B7>^C^L<EE><E5><9E><A4><9E>_^W<CE><AD><BB>2<95>`<D3>E^Tl<8D><A7>^<CD><93><A6>/<F5><AC><DF>s<88><87>,<F3>"=<F2>:P;<F3><B1><9F><82><97>^Q<BA><ED>o<AF><C5><DF>u"6,Q^D<A7><B9>ol<87>\8<D3><B6><8D>k<9D><A8>)9^^A^Q)<F0><FE>-<C0><FB>^LI<82><DB><E0><C8><D9>a<8E>W<BB><88>q<CC><C0>+^B^\L<FA><DA><DD><E3><A5>O^O<D7>T7<9
On the unsecured path the tape receives cleartext straight from the FC switch; on the secured path the Decru DataFort sits behind the FC switch and the tape receives only ciphertext.
Hardware-based security
Hardware-based encryption provides crucial advantages over software-based solutions:
– Wire-speed performance
• All encryption and key management are processed by specialized encryption hardware: Decru Storage Encryption Processor (SEP)
• Multi-gigabit throughput, sub-100 microsecond latency
– Encryption and key management are maintained in secure hardware
• Software encryption stores keys in… Windows.
• DataFort provides military-grade hardened architecture (FIPS 140-2 Level 3 certified) with storage-optimized AES-256
• Encryption keys never exposed in an open operating system (e.g. Windows, Linux…)
High Availability for Encrypted Data
1. DataFort cluster failover
2. DataFort cloning
3. Software recovery
1. Each DataFort appliance provides automated, self-contained key management.
2. Keys are automatically and securely replicated to additional cluster nodes.
3. All DataFort appliances across the enterprise replicate keys to the Decru Lifetime Key Management™ (LKM) system, providing automated, secure enterprise-wide key management. Recovery smart cards enforce quorum approval for sensitive operations.
Diagram labels: LKM; Secure; Secure KeyDB.
Decru Lifetime Key Management™
Automated, Secure, Enterprise-Wide Key Management
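The slides say recovery smart cards enforce quorum approval for sensitive operations but do not say how that quorum is built. The example below is added here and is not Decru's code; it assumes the common way such a control is implemented, a k-of-n threshold split of a recovery key with Shamir secret sharing, so that no single card holder can perform the sensitive operation and any k holders can. The field prime, the 32-byte sample key and the function names are choices made for this example.

```python
import secrets
from typing import List, Tuple

# Prime field for the sharing polynomial: 2**521 - 1 is a Mersenne prime,
# large enough to hold a 256-bit key as a single field element.
PRIME = 2**521 - 1

# A share is (threshold k, x coordinate, y coordinate); one share per recovery card.
Share = Tuple[int, int, int]


def _eval_poly(coeffs: List[int], x: int) -> int:
    """Evaluate a polynomial (constant term first) at x modulo PRIME, Horner style."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % PRIME
    return acc


def split_key(key: bytes, n: int, k: int) -> List[Share]:
    """Split a recovery key into n card shares, any k of which reconstruct it.

    The key is the constant term of a random degree k-1 polynomial; each card
    receives the polynomial evaluated at a distinct non-zero x.
    """
    if not 1 <= k <= n:
        raise ValueError("need 1 <= k <= n")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(k - 1)]
    return [(k, x, _eval_poly(coeffs, x)) for x in range(1, n + 1)]


def recover_key(shares: List[Share], key_len: int = 32) -> bytes:
    """Reconstruct the key from presented card shares via Lagrange interpolation at x=0.

    Refuses (PermissionError) unless at least k distinct cards are presented; with
    fewer than k points the polynomial, and so the key, is information-theoretically
    undetermined, which is what makes the quorum a real control rather than a policy.
    """
    if not shares:
        raise PermissionError("quorum not met: no cards presented")
    k = shares[0][0]
    distinct = {s[1]: s for s in shares}          # ignore a card presented twice
    if len(distinct) < k:
        raise PermissionError(f"quorum not met: {len(distinct)} of {k} cards presented")
    pts = list(distinct.values())[:k]
    secret = 0
    for _, xi, yi in pts:
        num, den = 1, 1
        for _, xj, _ in pts:
            if xj != xi:
                num = (num * (-xj)) % PRIME
                den = (den * (xi - xj)) % PRIME
        lagrange = (num * pow(den, PRIME - 2, PRIME)) % PRIME   # num/den via Fermat inverse
        secret = (secret + yi * lagrange) % PRIME
    return secret.to_bytes(key_len, "big")


if __name__ == "__main__":
    # Constructed sample key: in a real deployment this would be the LKM recovery key.
    sample_key = bytes(range(32))
    cards = split_key(sample_key, n=5, k=3)      # five officers hold cards, any three approve
    print("3 of 5 cards:", recover_key([cards[4], cards[0], cards[2]]) == sample_key)
    try:
        recover_key(cards[:2])
    except PermissionError as e:
        print("2 of 5 cards:", e)
```

Each card share is as sensitive as the key it protects, so in practice the shares live on the smart cards and the interpolation runs inside the appliance, never on a general-purpose host; the point of the example is the arithmetic that makes "k of n" enforceable rather than merely procedural.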
Global Investment Bank: Secure Consolidation
Diagram: DataFort E-Series placed between a UNIX development environment and shared storage. DataFort provides access controls and authentication; storage is protected with AES-256 encryption in Cryptainer™ vaults, with Developers A, B and C each shown against their own Cryptainer (A, B, C).
Fortune 5 Company: GLBA Compliance, Secure Offshoring
Diagram: DataFort FC-Series placed between transaction processing servers, FC switches and SAN storage. DataFort provides port locking and SAN host authentication; storage is protected with AES-256 encryption in Cryptainer™ vaults, with secure replication to DR.
UK National Health Service: Tape Encryption for Patient Privacy
Diagram: DataFort FC-Series placed between backup servers, FC switches and backup tape libraries. DataFort provides port locking and SAN host authentication, data compression, and AES-256 encryption in Cryptainer™ vaults.
Second diagram: at Headquarters and at the DR Site/Outsource, server → FC switch → storage over Fibre Channel. The Fibre Channel links and the stored copies are marked Encrypted; only the server side sees clear text.
Secure DR: Multiple Copies of Data
Diagram: without DataFort, every copy (primary storage, the tape system, and the replica at the DR site across the WAN) is clear and marked Data Exposed; with a DataFort at each end of the WAN, every copy is ciphertext and marked Data Secured.
Questions?