IBM System Storage Data Protection and Security · IBM has built Storage Security into the...

© 2008 IBM Corporation Chen Chee Khye ATS Storage [email protected] IBM System Storage Data Protection and Security


© 2008 IBM Corporation

Chen Chee Khye

ATS – Storage

[email protected]

IBM System Storage

Data Protection and Security


Information is Exploding

Today: up to 80% of data is unstructured content (email, video, images)

Through 2012: storage capacity shipments are growing at 54% a year

By 2010: medical images, for example, will take up 30% of the world’s storage (1MB per 2D image, 1TB per 4D image)

[Figure: PB shipped per year, 2004 to 2010, structured vs. unstructured data; panels: Data Types, Data Growth, Data Impact]


Impact on Data Storage

Data volumes doubling every 18 months

– Devices accessing data doubling every 2.5 years

70% of the digital universe is created by individuals…

– … but enterprises are responsible for the security, privacy, reliability and compliance of 85%

Information created, captured, or replicated exceeded available storage for the 1st time in 2007

Structured data growing at 32%

Unstructured data growing at 63%

Replicated data growing at 49%

Source: IDC worldwide enterprise disk in Exabytes from “Changing Enterprise Data Profile”, December 2007

Current economic climate will push for storage services, which raises the need for security


Data Loss is Top of Mind


The Cost of Data Loss

The impact of data loss is significant

• Totaling $66.9M in 2007±

• Average data breach costs a company $5M†

• Average annual loss per company is $350,000 ±

• Breaches cost companies an average of $185 per record

• 327 data breaches were reported in 2006*

• More than 100M data points exposed in 2006*

• Requirement for data privacy and encryption is mandatory

• Customers will not have a choice on storage security spending

±Computer Security Institute 2007

†Network World Magazine

*Source: privacyrights.org


Reduce reputation risks and audit deficiencies

Support information retention policies

Deliver continuous, reliable access to information

We Need IT Infrastructure Able to Handle Data Growth

Secure sharing of information

37% of data is expired or inactive.

Average US legal discovery request can cost organizations from $150K to $250K.

Average cost of a privacy breach is around $200 per compromised record.

Downtime costs can amount up to 16% of revenue in some industries.

Sources: CIO Magazine survey 2007; IBM Tivoli Market needs and profiling study 2005; "The Costs of Enterprise Downtime: NA Vertical Markets 2005" Information Research; IBM Market Intelligence; SNIA Data Management Forum, 100 Year Archive Requirements Survey, © Storage Networking Industry Association (SNIA), 2007

[Figure labels: Information Compliance, Information Availability, Information Retention, Information Security]


View of IBM’s data protection technology – encryption everywhere

Encryption choices – why should encryption be built into storage

– Performance – cryptography can be computationally intensive

– Efficiency – encrypted data is not able to be compressed or de-duplicated

– Security – data in transit should use temporary keys, data at rest should have long term retention and robust management

– Scalability – best to distribute cryptography across many devices

IBM has launched encrypting tape systems, moving to encrypting storage arrays (Full Disk Encryption), with plans to extend to the rest of the infrastructure (Switch/Base/Backup components)

[Figure: encryption points across the infrastructure: Disk Storage Array, Enterprise Tape Library 3592, SAN, Switch encryption, File system encryption, Database encryption, Key Management]


Why Wouldn’t You Encrypt Data at Rest?

Your Concerns:

1. Performance
• Encryption that isn’t built into the storage infrastructure could cause serious performance penalties

2. Potential to lose data
• If you encrypt the data and lose the key then the data is lost

3. Complexity
• Some solutions add extra boxes on the wire, classification, constant configuration, application changes

4. Total cost of ownership
• Some solutions can double the cost of the storage solution

IBM’s Response:

• Our encrypting storage solutions have an impact on performance that is less than 1%

• Our key management is proven with thousands of customers today

• Our solution is simple to install, configure, with no application or server changes required

• Our Encryption and key management adds small incremental cost

Our solution is high performance, robust, safe, simple, and cost effective


IBM Vision for Encryption and Key Management

– Encryption built into the infrastructure (not on top of it)

• IBM’s 3rd generation tape drive with encryption: TS1130

• TS1120

• LTO Gen 4

• Full Disk Encryption (FDE)

• Over 3,500 security professionals worldwide

• $1.5B investment in security in 2008

Tivoli Key Lifecycle Manager

• TS1130 Tape Drive

• Disk Encryption

• Security and Privacy Services

“What separates IBM from the pack is its ability to provide a complete and extensible Storage Encryption architecture, including an enterprise key management capability.”
Jon Oltsik, Enterprise Strategy Group, August 2008


The Future of Storage

Encryption is built in – just like compression, and increasingly de-duplication

• IBM has shipped tape systems with built in encryption for 2 years

• IBM has shipped encrypting disk systems

You will need unified key management for operational simplicity, security, and compliance

• Transparent to applications – no changes or upgrades required

• Simple, easy to install and use

• Adheres to regulations

• Fits into your environment – no new appliances

• IBM Tivoli Key Lifecycle Manager is the answer!

[Figure labels: Disk Storage Array, Enterprise Tape Library 3592]


IBM Tivoli Key Lifecycle Manager v.1.0

Simplified key management across distributed and mainframe

Client Value

• Reduces encryption management costs related to set up, use and expiration of keys

• Enables organizations to comply with disclosure laws and regulations

• Ensures against loss of information due to key mismanagement

• Transparently detects encryption-capable media to assign necessary authorization keys

• Runs on most existing server platforms to leverage resident server’s existing access control/high availability/disaster recovery configs

Its predecessor EKM is a proven key management system with 2000 customers worldwide!

Simple, Secure and Cost-effective Key Storage, Key Serving and Key Management


IBM Tivoli Key Lifecycle Manager v.1.0

Feature Function

Focused on device key serving

• IBM encrypting tape – TS1120, TS1130, LTO gen 4

• IBM encrypting disk

– DS4000/DS5000/DS6000/DS8000

Lifecycle functions

• Notification of certificate expiry

• Automated rotation of certificates

• Automated rotation of groups of keys

Designed to be Easy to use

Provide a Graphical User Interface

Initial configuration wizards

Easy backup and restore of TKLM files

– One button operation

Installer to simplify installation experience

– Simple to use install for Windows, Linux, AIX, Solaris

– Can be silent install

Platforms for V1

– AIX 5.3 64 bit

– Red Hat AS 4.0 x86 - 32 bit

– Suse Linux 9.0 and 10 x86 - 32 bit

– Solaris 10 Sparc - 64 bit

– Windows Server 2003 - 32 bit

– z/OS 1.9


With TKLM Solution….

… IBM Solution offering includes


IBM’s Tape System Offerings

TS1040 (LTO4) Tape Drive

– Standard feature on all FC & SAS LTO4 Tape Drives

– Supports “traditional” and “encrypted” modes of operation

TS1130 / TS1120 Tape Drive

– Standard feature on all new TS1130 Tape Drives

– Supports “traditional” and “encrypted” modes of operation

TKLM – Tivoli Key Lifecycle Manager

– EKM follow-on

– AIX, Sun, Linux and Windows

– z/OS – Statement of Direction

– Serves keys


Flexible IBM Tape Encryption Methods

[Figure label: Tivoli Key Lifecycle Manager]


Like Tape, Self-Encrypting Drives Have Virtually No Performance Degradation

The encryption engine is in the controller ASIC

Encryption engine speed matches port’s max speed

Scales linearly, automatically

All data can be encrypted, with no performance degradation

No need to classify which data to encrypt

[Figure label: Storage System]


IBM’s Disk Storage Offering with Full Disk Encryption – DS5000

Real-world performance: Sustainable, scalable with Full Disk Encryption Support

Interface adaptability: 4 Gbps FC, 8 Gbps FC, iSCSI

Continuous and reliable access to information: Online administration, active-active redundancy, advanced diagnostics

Application integration: Certifications, solutions, meet SLAs

Green efficiency: Do more with less, support of intermix with normal disk drives and FDE drives!

* 2H 2009 feature


EXP5000 Expansion Unit

16 drives in 3U enclosure

4 Gbps FC interfaces / ESMs

– High-speed, low-latency interconnect from controllers to drives

Supports intermixing FC, FDE and SATA drives

– More efficient use of enclosures

Unique speed-matching technology

– 3 Gbps SATA II drives effectively run at 4 Gbps speeds

Switched architecture

– Drive isolation, better diagnostics

– Higher performance, lower latency


Secure DS5000 Encryption Services

Comprehensive security for data-at-rest

Full Disk Encryption (FDE)

– Encryption takes place at the drive level

Robust management tools

– Integrated local key management

DS5000 Series Drive Support

– Drives supported: 4Gbps FDE 15K FC 146GB, 300GB, and 450GB


DS5000 Encryption Benefits

Bullet-proof security throughout the drive’s lifecycle

– Unparalleled security assurance with government-grade encryption

– Instant secure erase for a higher security level than other common methods

– Automatically protects data on drives returned for repair, retired, or repurposed

High performance

– Drive-based encryption engine maintains our exceptional performance

Robust yet easy-to-understand management

– FDE key management is transparent to day-to-day storage administration, making FDE drives as easy to manage as traditional drives

– A single DS5000 system can support all tiers and classifications of data

– No application/operating system changes or modifications required


Disposal Options Are Riddled with Shortcomings

Format the drive or delete the data
– Doesn’t remove the data; data is still readable

Over-writing
– Takes hours-to-days
– Error-prone; no notification from the drive of overwrite completion

Degaussing
– Very costly, time-consuming
– Difficult to ensure degauss strength matched type of drive

Shredding
– Very costly, time-consuming
– Environmentally hazardous

Smash the disk drive
– Not always as secure as shredding, but more fun

Professional offsite disposal services
– Drive is now exposed to the tape’s falling-off-the-truck issue


… With IBM Storage Systems Data protection

IBM has built Storage Security into the infrastructure

– Will fit into your existing server management

– Will leverage existing high availability and disaster recovery solutions you have thought of!

Adding IBM’s storage security option is:

– Simple

– Transparent to existing applications

– Cost effective

– Leverage existing investments


Questions?


IBM Storage Systems offerings