VMAX: Security Best Practices for the Modern Data … Security Best Practices for the Modern Data...
Transcript of VMAX: Security Best Practices for the Modern Data … Security Best Practices for the Modern Data...
VMAX:Security Best Practices for the Modern Data CenterGaurav Agrawal
Richard Pace
© Copyright 2017 Dell Inc.2
Agenda
• Business Drivers and Security Challenges
• VMAX approach to Security
• VMAX All Flash built in security capabilities
• Security new features– Data at Rest Encryption with external key manager– Secure Snaps
• Questions
© Copyright 2017 Dell Inc.3
Reduce costs (# of drives, power, floor space, etc.)
Consistent and predictable performance
Lower entry costs and scale as you grow
Manage massive capacity with fewer resources
Automated provisioning and business agility
Flexible and programmable data services
Policy driven service delivery
On/off premises data and/or application mobility
Pillars of the Modern Data Center
Scale-out Software-defined Cloud-enabledFlash
Protection and trustSecurity/Governance | Encryption | Data Protection | Services/Support
© Copyright 2017 Dell Inc.4
Cyber attacks evolvingAre you staying ahead of the criminal evolution?
Theft Denial of Service Ransomware Destruction
Traditional Threats Emerging Threats
© Copyright 2017 Dell Inc.5
Top threat to sensitive data: employee mistakes
54%
30%
24%
29%
22%
19%
18%
12%
Employee mistakes
Hackers
Malicious insiders
System or process malfunction
Temporary or contract workers
Third party service providers
Government eavesdropping
Lawful data request(e.g. by police)
54%
Threat of employee mistakes is the same as the threats of hackers and malicious insiders combined!
Source: Ponemon Institute: Global Encryption Trends April, 2017
© Copyright 2017 Dell Inc.6
Why are employee mistakes increasing?Threat vectors are increasing
156 million phishing emails sent WW every day
16 million make it through filters
8 million are opened
800,000 links are clicked
All it takes is ONE
* By cartoonist John Klossner – May 2016
© Copyright 2017 Dell Inc.7
What happens when they get in?
“It erased everything stored on
3,262 of the company’s 6,797
personal computers and 837 of
its 1,555 servers. The studio was
reduced to using fax machines,
communicating through posted
messages, and paying its 7,000
employees with paper checks.”
- Fortune, July 2015
© Copyright 2017 Dell Inc.8
What happens when they get in?
Shut down company's email and application servers and deleted systems controlling the ability to take orders
Boots could not be shipped and customers were unable to place orders online
Lucchese officials estimated losses at about $100,000 in sales, plus the cost of halting production and hiring extra IT staff to rebuild the company’s system
Source:usatoday.com
© Copyright 2017 Dell Inc.9
Data breaches can cost in many ways
Brand/Reputation Damage
Lawsuit and Legal Fees
Customer Attrition
Remediation Expenses
The average TOTAL COST of a breach is $4 million…29% since 2013
Only takes 6 mins for an attacker to compromise
an organization
© Copyright 2017 Dell Inc.10
VMAX’s Approach to Security
© Copyright 2017 Dell Inc.11
VMAX approach to security
BLOCK FILE
Sensitive Data
Secure Snaps
Access Controls
User & Access Management
Remote Support
Certifications
Your Home
© Copyright 2017 Dell Inc.12
VMAX All Flash built in security capabilities
Certified Data Erasure
Full frame or failed disk service
VMAX Access Control Lists
&Unisphere and
Solutions Enabler User Authorization
Secure Remote Support
Secure remote service and
support
D@REData at Rest Encryption
VMAX Service Credentials
Service through MMCS Secured by RSA
Security for Access, Data, Service, Audit and Erasure
Common Criteria
EAL 2+ Certified
VMAX Secure Audit LogSyslog server
integration
Secure SnapsProtect against
malicious deletion
© Copyright 2017 Dell Inc.
© Copyright 2017 Dell Inc.13
Data at Rest Encryption(D@RE)
© Copyright 2017 Dell Inc.14
Powerful, Trusted and Smart(Easy to deploy & worry-free flexible key management)
Helps with compliance & regulations(FIPS 140-2, HIPAA, PCI, SOX etc.)
Protect against unauthorized access(Drive loss and theft are the primary risk factors)
Why deploy VMAX Data at Rest Encryption
© Copyright 2017 Dell Inc.15
Most important features of encryption
74%
68%
66%
65%
64%
56%
56%
55%
54%
System performance and latency
Management of Keys
System scalability
Support for emerging algorithims
Integration with other security tools (e.g. SIEM)
Formal product security certification (e.g. FIPS 140)
Tamper resistance by deciated hardware (e.g. HSM)
Support for multiple applications or enviornments
Seperation of dutuies and role-based controls
74%
68%
66%
65%
64%
56%
56%
55%
54%
System performance and latency
Management of Keys
System scalability
Support for emerging algorithims
Integration with other security tools (e.g. SIEM)
Formal product security certification (e.g. FIPS 140)
Tamper resistance by deciated hardware (e.g. HSM)
Support for multiple applications or enviornments
Seperation of dutuies and role-based controls
Source: Ponemon Institute: Global Encryption Trends April, 2017
© Copyright 2017 Dell Inc.16
World’s most trusted storage platform
No Encryption
I/Os per second
Res
pons
e tim
e (m
s)
0
0.4
0.8
1.2
0 20,000 40,000 60,000 80,000 100,000
No Encryption
With Encryption (D@RE)
No Performance Impact
700+ VMAX All Flash arrays sold with Encryption
Trusted by customers in Financial, Healthcare, Government Sectors to name a few
© Copyright 2017 Dell Inc.17
Key management to suit your needs
• Automatic Internal Key Management• Set it and forget it• Keys encapsulated in array• Highly redundant• Built-in encryption and key management
• Enterprise Key Management– Integrates with existing external key management
infrastructure– External, centralized key storage and management– Remove keys for secure transport
© Copyright 2017 Dell Inc.18
External key manager data encryption
External (KMIP)Key Manager
KMIP
• Gemalto KeySecure• IBM SKLM• Others - future
KMIP Client
Key Management
Key Trust Platform (KTP)
DirectorI/O
ModuleI/O
ModuleI/O
ModuleI/O
Module
Director
Key per physical disk
MMCS• Industry Standard
• Centralized Key Mgmt
• VMAX AF & VMAX3
• Non Disruptive Migration
internal to external
FEATURE HIGHLIGHTS
© Copyright 2017 Dell Inc.19
External key management benefits
• Centralized Key Management– Simplifies key management (e.g. key generation,
escrow, recovery) for VMAX and other KMIP compatible encryption solution like Unity
• Simplify Compliance– Centralized audit log and get FIPS 140-2 Level 3
compliance with HSM integration
• Configure in High Availability – Multiple key server appliances can be clustered even
in geographically dispersed data centers
• Separation in duties– Supports segmented key ownership and
management by individuals and group owners
VMAX 250F Unity
HSM FIPS Level 3
Audit Log
© Copyright 2017 Dell Inc.20
D@RE scalability and availabilityNEW
VMAX 250F
1M+ IOPS
VMAX 450F
1.5M+ IOPS
VMAX 850F
4M+ IOPS
6.7M IOPS
VMAX 950F
More IOPS~68%UP TO
© Copyright 2017 Dell Inc.21
D@RE use cases
• Drive Replacement– Faster than erasure; works on badly failed drives as well– Eliminates disk retention
• Drive Theft or Loss– No recoverable data
• Secure Transport– Temporary just destroy keys in the VMAX
• Permanent Key removal– Crypto-shred your data in minutes– Certificate file produced detailing all key destruction
© Copyright 2017 Dell Inc.22
Array decommission
DELL EMC Permanent Array Decommission Service
© Copyright 2017 Dell Inc.23
VMAX D@RE best encryption choice
Feature EMC VMAX Self Encrypting Drives (SED)
Encryption type Controller based Disk based
Drive Segregation Yes, one key per drive. Yes, one key per drive.
Drive types and Capacities supported
All Limited
Performance Impact None Slight Performance Impact
Impact to arrayfunctionality
None Yes
Cost factor Low (per array) High as system scales
© Copyright 2017 Dell Inc.24
Customer benefitsVMAX All Flash D@RE flexibility
All Data
All user dataAll file and block data
Entire array
All Drives
All drive capacities including
NVMe flash drives
Simple
Easy to enable & Flexible key management
options
All Services
All VMAX All Flash Data Services including
Compression
© Copyright 2017 Dell Inc.25
VMAX All Flash Software Packaging
• HYPERMAX OS• Migration Tools, VVOLs, QoS***• Non-disruptive Migration
• Embedded Management• Unisphere, DB Storage Analyzer, REST APIs
• Compression• Local Replication Suite
• TimeFinder SnapVX• AppSync Starter Pack
A la carte:• SRDF/S, SRDF/A,…• SRDF/Metro• D@RE• Unisphere 360• ViPR SRM & Controller• RecoverPoint
• PowerPath• eNAS• CloudArray• ProtectPoint• AppSync Full Suite• EMC Storage Analytics
*FX includes software license, hardware must be configured and ordered. **Factory configured, must be enabled during ordering process.***Service levels plus host IO limits.
250F/950F• Everything in F Suite• SRDF/S/A/STAR Replication Suite*• SRDF/Metro*• Data @ Rest Encryption**• Unisphere 360• ViPR Suite• PowerPath (75 licenses)• eNAS*• CloudArray Enabler*
A la carte:• ProtectPoint• AppSync Full Suite• EMC Storage Analytics• RecoverPoint
250FX/950FX
© Copyright 2017 Dell Inc.26
VMAX All Flash: Data at rest encryptionCONTROLLER-BASED ENCRYPTION FOR MAXIMUM PROTECTION
• Encrypts all user data on the array• One key per drive
• Advanced Encryption Standard (AES-256) encryption• Zero performance impact (on SAS module)
• All VMAX data services supported• Embedded RSA encryption key manager• Compliant with external KMIP server• FIPS-140-2 (validation #2479 & #2871)
Protects againstDRIVE LOSS
Federal mandate Industry compliance Eliminates drive shredding
© Copyright 2017 Dell Inc.27
Secure Snaps
© Copyright 2017 Dell Inc.28
TimeFinder SnapVX in-a-nutshell
• Targetless Snapshots– Up to 256 Snapshots per Source LUN– Conserve resources– Snapshots identified by user-defined name– Optional automatic expiration
• Target LUN only required for host access
– Up to 1024 Linked Targets per Source LUN
– Unlimited Cascading
Snapshot
Snapshot
ProductionVolume
LinkedTarget
Snapshot
© Copyright 2017 Dell Inc.29
Introducing Secure Snaps
THEEND
© Copyright 2017 Dell Inc.30
Why have a safe in your house?!? “It erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. The studio was reduced to using fax machines, communicating through posted messages, and paying its 7,000 employees with paper checks.”
- Fortune, July 2015
“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”
- Letter from CEO, Feb 17, 2016
In November of 2014, Sony was breached and lost data throughout their environment. Hackers were inside Sony’s network for as long as 6 months before the attack was initiated. The ability to recover data was targeted first – backups were destroyed. Sony was never able to recover much data.
http://fortune.com/sony-hack-part-1/
In February of 2016, Hollywood Presbyterian was breached and their EMR data was encrypted and held for ransom. 900 patients had to be moved to other care facilities, costing HPMC millions of dollars. They were forced to pay the ransom to get the encryption key.
http://hollywoodpresbyterian.com/default/assets/File/20160217%20Memo%20from%20the%20CEO%20v2.pdf
In May of 2016, Kansas hospital pays ransomware demand. Attackers asked for second ransom, Kansas Heart never gets their files back
http://www.networkworld.com/article/3073495/security/kansas-heart-hospital-hit-with-ransomware-paid-but-attackers-demanded-2nd-ransom.html
“Regular, air-gapped backups could seriously dull the power of such software. If you've got another copy of your data, there's no need to pay off ransomware. For our money, that's the solution hospitals, and every organization, should be looking at.”
- President, Dr. Greg Duick
© Copyright 2017 Dell Inc.31
Why Secure Snaps
• Protects against intentional deletion of point in time data
• Oops!! (Also protects against accidental deletion)
• Enforces data retention policy for snapshots
• Ensures snapshot availability– Test and Dev, QA, training, etc.
© Copyright 2017 Dell Inc.32
Secure Snaps with TimeFinder SnapVX
• Retention time is a required field
• Once expiration time has elapsed, snapshot will be automatically deleted
• Retention time can be extended
• Does not affect other SnapVX operations– Link / Relink / Unlink– Restore– Set mode
30 day retention
45 day retention 60 day retention
© Copyright 2017 Dell Inc.33
Secure SnapsTime to Must Live
• Retention Time defined during snapshot creation
• Standard Snapshot can be converted to Secure Snapshot– Not vice versa
• No user can reduce or remove the Retention Time– Can be extended
• Automatically terminates when the Retention Time expires– As long as the snapshot has no linked targets or restore sessions– Same rules as traditional time to live
© Copyright 2017 Dell Inc.34
Secure SnapsAs always, proper planning required for any feature!
• Preserving secure snaps is the highest priority
• User cannot terminate Secure Snaps to free-up system resources
• Users may want to consider setting Retention Time only on a subset of their snapshots
– Specific points-in-time– Specific number of snaps per day– Critical applications
© Copyright 2017 Dell Inc.35
Easy to Use!Unisphere for VMAX
© Copyright 2017 Dell Inc.36
Easy to See!Unisphere for VMAX
© Copyright 2017 Dell Inc.37
A little Deeper ViewUnisphere for VMAX
© Copyright 2017 Dell Inc.38
It Works!!!What happens when trying to terminate a secure snap?
© Copyright 2017 Dell Inc.39
• Both Open Systems and Mainframe
• Managed via− Solutions Enabler 8.4− Unisphere 8.4− Mainframe Enabler− REST API
• Included in VMAX All Flash F/FX
Availability and Management
© Copyright 2017 Dell Inc.40
Slight Recap
• Secure from intentional or non intentional deletion− Even highest level admin cannot delete
• All other SnapVX operations are available
• Retention time can be extended
• Preserving snapshot is highest priority− Protection from failure when out of resources
© Copyright 2017 Dell Inc.41
Deploy Securely • Refer to the Security Configuration Guide (SCG) for each product on how to configure the product to maximize its security posture in your environment
Stay Informed • Subscribe to Dell EMC Security Advisories through the support portal: https://support.emc.com/preferences/subscriptions
Stay Secure • Upgrade to the latest version of your Dell EMC product and/or apply the latest security patches
• NEW: Visit the Dell EMC Product Security Information page (https://support.emc.com/security) where you can search security advisories by Common Vulnerability Exposures (CVE), view all SCGs, and get the latest information on high profile vulnerability alerts
Keep your Dell EMC Products Deployments Secure
© Copyright 2017 Dell Inc.42
Want to win a Levitating Death Star Speaker?
• Follow @DellEMCStorage while at Dell EMC World
• 2 Winners will be chosen daily from Monday May 8 through Thursday May 11
• All winners will be notified through Twitter Direct Message
NO PURCHASE NECESSARY. Ends 05/11/2017. To enter and for Official Rules, visit http://thecoreblog.emc.com/dell-emc-world-follow-win-sweepstakes-2017/
© Copyright 2017 Dell Inc.43
Related Dell EMC World sessions
• Other VMAX sessions:– What's New With VMAX All Flash & What's Up With NVMe– What’s new with HYPERMAX OS– Unisphere– All Flash performance– Local and remote replication performance– Compression– NDM– VMAX and VMware– VMAX and Oracle– VMAX REST APIs– Mainframe (many)
© Copyright 2017 Dell Inc.44
Questions?