Securing Data with Strong Encryption and Access Controls
description
Transcript of Securing Data with Strong Encryption and Access Controls
Securing Data with Strong Encryption and Access Controls
Blair SempleStorage Security Evangelist
Network Appliance
Sept 12, 2007
Agenda
Understanding the Risks to Stored Data
Methodologies for Securing Data
Emerging Industry Standards
How Encryption and Access Controls Reduce the Risk
1 Terabyte
Single backup tape
20 million lbs. of paper
=
=
Every credit card in world=
Storage Trends - The Scale of Exposure
Types of Attacks
Attack DescriptionSpoofing Defeats authentication by faking or stealing credentials
Sniffing Silent interception of messages on the wire (confidentiality)
Man-in-the-middle Interception attack, where a third party actively fools a sender and receiver to enable unauthorized access (AAA, integrity)
Privilege escalation Attack that increases allowed functions for a user acct (ACLs)
Social engineering Deceiving human processes and gatekeepers (authentication)
Spear phishing Targeted social engineering + malware attack (authentication)
Root attack Taking control of “root administrator” account on server, and using this position to enable access (integrity, authentication)
Media theft/access Direct electronic or physical compromise of disk/tape (confidentiality)
Consider Who Has Access to Sensitive Data
CustomerData
CustomerData
IntellectualProperty
IntellectualProperty
Salariesand
Reviews
Salariesand
Reviews
LitigationDocs
LitigationDocs
CEO
GeneralCounsel
CFO
NetworkAdministrators
SystemAdministrators
BackupAdministrators
DR StorageAdministrators
TapeCourier
Storage
OutsourcingVendors
StorageAdministrators
Storage Repair/Service Staff
Steps To Managing Information Risk
Assess Exposure Potential damage from data
security/privacy breach
Review People/ Processes Classification, Role Separation,
Authentication, Quorum requirements, Need to know, Auditing
Enforce using Technology Encryption based storage
security Strong Access Controls Audit Logging
Evaluate Threats External Internal
Defense in Depth
Multi-faceted security approach that includes both technical and non-technical layers of security to protect resources.
Defensive countermeasures are used to reinforce each other, protecting information and resources while allowing response activities to be undertaken quickly and efficiently.
No single security technique or mechanism is solely relied upon to protect valuable resources, resulting in a higher degree of security.
Elements of Information Security
Authentication
Authorization (aka Access Control)
Accounting (aka Auditing, Logging)
Non-Repudiation (aka Integrity)
Confidentiality (aka Privacy)
Who are you?Who are you?
What are you Allowed to do?
What are you Allowed to do?
Who did that?Who did that?
Who can read it?Who can read it?
Who did that and has it been
tampered with?
Who did that and has it been
tampered with?
Storage Security with Encryption
Dramatically simplifies security planning
Ensure only authorized personnel access assets
Allow ‘maintenance’ without risking exposure
Audit and track access to valuable assets
Copies automatically protected
Loss of physical custody no longer a threat
Encryption Approaches
Host / Application Network Storage
Pros:• Granular options• Encrypted at host• Lower cost (SW)
Cons:• CPU intensive, slow• Weak Key Management• Keys exposed in OS• Complex to implement and
manage• Poor coverage for
heterogeneous OS/app environments
Pros:• Transparent to host, storage,
and applications• Wire-speed encryption and
compression • Strong logging and Access
Control• HW-based encryption and
key mgmt provide strong security
Cons:• May require additional device
Pros:• Transparent to host• Bundled with HW
Cons:• Immature key mgmt• No support for
heterogeneous, multi-vendor environments
• Lock-in to storage vendor• “Forklift upgrade”• Not backwards compatible
in many cases
Information Security Compromises
Performance degradation
Key management complexity & security
High availability issues
Application changes and downtime
Database changes required
Increased tape media usage
Changes to desktops, servers, workflow
A proper solution must address all of these concerns.
Emerging Standards for Storage Security
The IEEE Security in Storage workgroup (SISWG) is working on standards for encrypted storage media.
Members of the groups include:Brocade Cisco NetApp/DecruEMC Hifn Hitachi HP IBM NeoScale
Optica PGP Quantum Seagate Stanford SUN
P1619 (disk)– Draft 17 in Ballot, with due date of 9 Aug
P1619.1 (tape)– Draft 21 expected to enter Ballot in mid-Aug
P1619.2 (wide block for disk)– Drafts in progress
P1619.3 (key management)– Draft 1 being worked
IEEE P1619.3 - Key Management Infrastructure for Cryptographic Protection of Stored Data
HP and NetApp/Decru have jointly submitted a draft proposal for key APIs (largely based on our OpenKey standard) to the IEEE P1619.3 committee.
This draft was accepted unanimously.
Decru will continue to work with HP, and other storage vendors, to ensure interoperability, as well as continue working toward an industry standard.
Value of Information Security
As back-end IT complexity increases (e.g. replication, networking, sharing…), this dramatically increases the “attack surface”
Data encryption reduces attack surface: everything behind the encryption is opaque
By narrowing the number of people and devices that can see data, encryption can simplify overall system security
Separates ability to manage data from ability to read it
Encryption and AAA (Authentication, Authorization, Auditing) can be combined in a single device, or can be deployed in adjacent layers (e.g. storage and application layers)
Consider who has access to sensitive data
CustomerData
CustomerData
IntellectualProperty
IntellectualProperty
Salariesand
Reviews
Salariesand
Reviews
LitigationDocs
LitigationDocs
CEO
GeneralCounsel
CFO
NetworkAdministrators
SystemAdministrators
BackupAdministrators
DR StorageAdministrators
TapeCourier
Storage
OutsourcingVendors
StorageAdministrators
Storage Repair/Service Staff
About Network Appliance
Delivering Customer Success
Worldwide, enterprise customers
Fastest growing storage company– Outpacing the industry by 3x
Data Center proven solutions portfolio
Industry-leading partners
Comprehensive professional services
Global support
• 6500+ Employees
• Distributed in 138+ countries
• 94,000+ installed systems
FY07:$2.8 Billion
FY07:$2.8 Billion
• Fortune 1000
• S&P 500
• NASDAQ 100
$1B
$2.0B
$3.0B