VMAX: Security Best Practices for the Modern Data Center

Gaurav Agrawal, Richard Pace

Page 2

© Copyright 2017 Dell Inc.

Agenda

• Business Drivers and Security Challenges

• VMAX approach to Security

• VMAX All Flash built in security capabilities

• Security new features
– Data at Rest Encryption with external key manager
– Secure Snaps

• Questions

Page 3

Reduce costs (# of drives, power, floor space, etc.)

Consistent and predictable performance

Lower entry costs and scale as you grow

Manage massive capacity with fewer resources

Automated provisioning and business agility

Flexible and programmable data services

Policy driven service delivery

On/off premises data and/or application mobility

Pillars of the Modern Data Center

Scale-out | Software-defined | Cloud-enabled | Flash

Protection and trust: Security/Governance | Encryption | Data Protection | Services/Support

Page 4

Cyber attacks evolving

Are you staying ahead of the criminal evolution?

Theft | Denial of Service | Ransomware | Destruction

Traditional Threats | Emerging Threats

Page 5

Top threat to sensitive data: employee mistakes

• Employee mistakes: 54%
• Hackers: 30%
• Malicious insiders: 24%
• System or process malfunction: 29%
• Temporary or contract workers: 22%
• Third party service providers: 19%
• Government eavesdropping: 18%
• Lawful data request (e.g. by police): 12%

Threat of employee mistakes is the same as the threats of hackers and malicious insiders combined!

Source: Ponemon Institute: Global Encryption Trends April, 2017

Page 6

Why are employee mistakes increasing?

Threat vectors are increasing

156 million phishing emails sent WW every day

16 million make it through filters

8 million are opened

800,000 links are clicked

All it takes is ONE

* By cartoonist John Klossner – May 2016

Page 7

What happens when they get in?

“It erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. The studio was reduced to using fax machines, communicating through posted messages, and paying its 7,000 employees with paper checks.”

- Fortune, July 2015

Page 8

What happens when they get in?

Shut down company's email and application servers and deleted systems controlling the ability to take orders

Boots could not be shipped and customers were unable to place orders online

Lucchese officials estimated losses at about $100,000 in sales, plus the cost of halting production and hiring extra IT staff to rebuild the company’s system

Source: usatoday.com

Page 9

Data breaches can cost in many ways

Brand/Reputation Damage

Lawsuit and Legal Fees

Customer Attrition

Remediation Expenses

The average TOTAL COST of a breach is $4 million…29% since 2013

Only takes 6 mins for an attacker to compromise an organization

Page 10

VMAX’s Approach to Security

Page 11

VMAX approach to security

BLOCK FILE

Sensitive Data

Secure Snaps

Access Controls

User & Access Management

Remote Support

Certifications

Your Home

Page 12

VMAX All Flash built in security capabilities

Security for Access, Data, Service, Audit and Erasure

• Certified Data Erasure: Full frame or failed disk service
• VMAX Access Control Lists & Unisphere and Solutions Enabler User Authorization
• Secure Remote Support: Secure remote service and support
• D@RE: Data at Rest Encryption
• VMAX Service Credentials: Service through MMCS Secured by RSA
• Common Criteria: EAL 2+ Certified
• VMAX Secure Audit Log: Syslog server integration
• Secure Snaps: Protect against malicious deletion

Page 13

Data at Rest Encryption (D@RE)

Page 14

Why deploy VMAX Data at Rest Encryption

• Powerful, Trusted and Smart (Easy to deploy & worry-free flexible key management)
• Helps with compliance & regulations (FIPS 140-2, HIPAA, PCI, SOX etc.)
• Protect against unauthorized access (Drive loss and theft are the primary risk factors)

Page 15

Most important features of encryption

• System performance and latency: 74%
• Management of keys: 68%
• System scalability: 66%
• Support for emerging algorithms: 65%
• Integration with other security tools (e.g. SIEM): 64%
• Formal product security certification (e.g. FIPS 140): 56%
• Tamper resistance by dedicated hardware (e.g. HSM): 56%
• Support for multiple applications or environments: 55%
• Separation of duties and role-based controls: 54%

Source: Ponemon Institute: Global Encryption Trends April, 2017

Page 16

World’s most trusted storage platform

[Chart: Response time (ms) versus I/Os per second, comparing No Encryption and With Encryption (D@RE)]

No Performance Impact

700+ VMAX All Flash arrays sold with Encryption

Trusted by customers in Financial, Healthcare, Government Sectors to name a few

Page 17

Key management to suit your needs

• Automatic Internal Key Management
– Set it and forget it
– Keys encapsulated in array
– Highly redundant
– Built-in encryption and key management

• Enterprise Key Management
– Integrates with existing external key management infrastructure
– External, centralized key storage and management
– Remove keys for secure transport

Page 18

External key manager data encryption

External (KMIP) Key Manager
• Gemalto KeySecure
• IBM SKLM
• Others - future

[Diagram labels: KMIP, KMIP Client, Key Management, Key Trust Platform (KTP), MMCS, Director, I/O Module, Key per physical disk]

FEATURE HIGHLIGHTS
• Industry Standard
• Centralized Key Mgmt
• VMAX AF & VMAX3
• Non Disruptive Migration internal to external

Page 19

External key management benefits

• Centralized Key Management
– Simplifies key management (e.g. key generation, escrow, recovery) for VMAX and other KMIP compatible encryption solutions like Unity

• Simplify Compliance
– Centralized audit log and get FIPS 140-2 Level 3 compliance with HSM integration

• Configure in High Availability
– Multiple key server appliances can be clustered even in geographically dispersed data centers

• Separation of duties
– Supports segmented key ownership and management by individuals and group owners

[Diagram labels: VMAX 250F, Unity, HSM FIPS Level 3, Audit Log]

Page 20

D@RE scalability and availability

NEW

• VMAX 250F: 1M+ IOPS
• VMAX 450F: 1.5M+ IOPS
• VMAX 850F: 4M+ IOPS
• VMAX 950F: 6.7M IOPS

UP TO ~68% More IOPS

Page 21

D@RE use cases

• Drive Replacement
– Faster than erasure; works on badly failed drives as well
– Eliminates disk retention

• Drive Theft or Loss
– No recoverable data

• Secure Transport
– Temporary: just destroy keys in the VMAX

• Permanent Key removal
– Crypto-shred your data in minutes
– Certificate file produced detailing all key destruction

Page 22

Array decommission

DELL EMC Permanent Array Decommission Service

Page 23

VMAX D@RE best encryption choice

Feature | EMC VMAX | Self Encrypting Drives (SED)
Encryption type | Controller based | Disk based
Drive Segregation | Yes, one key per drive. | Yes, one key per drive.
Drive types and Capacities supported | All | Limited
Performance Impact | None | Slight Performance Impact
Impact to array functionality | None | Yes
Cost factor | Low (per array) | High as system scales

Page 24

Customer benefits

VMAX All Flash D@RE flexibility

• All Data: All user data; All file and block data; Entire array
• All Drives: All drive capacities including NVMe flash drives
• Simple: Easy to enable & Flexible key management options
• All Services: All VMAX All Flash Data Services including Compression

Page 25

VMAX All Flash Software Packaging

250F/950F
• HYPERMAX OS
• Migration Tools, VVOLs, QoS***
• Non-disruptive Migration
• Embedded Management
• Unisphere, DB Storage Analyzer, REST APIs
• Compression
• Local Replication Suite
• TimeFinder SnapVX
• AppSync Starter Pack

A la carte:
• SRDF/S, SRDF/A,…
• SRDF/Metro
• D@RE
• Unisphere 360
• ViPR SRM & Controller
• RecoverPoint
• PowerPath
• eNAS
• CloudArray
• ProtectPoint
• AppSync Full Suite
• EMC Storage Analytics

250FX/950FX
• Everything in F Suite
• SRDF/S/A/STAR Replication Suite*
• SRDF/Metro*
• Data @ Rest Encryption**
• Unisphere 360
• ViPR Suite
• PowerPath (75 licenses)
• eNAS*
• CloudArray Enabler*

A la carte:
• ProtectPoint
• AppSync Full Suite
• EMC Storage Analytics
• RecoverPoint

*FX includes software license, hardware must be configured and ordered.
**Factory configured, must be enabled during ordering process.
***Service levels plus host IO limits.

Page 26

VMAX All Flash: Data at rest encryption

CONTROLLER-BASED ENCRYPTION FOR MAXIMUM PROTECTION

• Encrypts all user data on the array
• One key per drive
• Advanced Encryption Standard (AES-256) encryption
• Zero performance impact (on SAS module)
• All VMAX data services supported
• Embedded RSA encryption key manager
• Compliant with external KMIP server
• FIPS-140-2 (validation #2479 & #2871)

Protects against DRIVE LOSS

Federal mandate | Industry compliance | Eliminates drive shredding

Page 27

Secure Snaps

Page 28

TimeFinder SnapVX in-a-nutshell

• Targetless Snapshots
– Up to 256 Snapshots per Source LUN
– Conserve resources
– Snapshots identified by user-defined name
– Optional automatic expiration

• Target LUN only required for host access
– Up to 1024 Linked Targets per Source LUN
– Unlimited Cascading

[Diagram: Production Volume, Snapshots, Linked Target]

Page 29

Introducing Secure Snaps

THE END

Page 30

Why have a safe in your house?!?

“It erased everything stored on 3,262 of the company’s 6,797 personal computers and 837 of its 1,555 servers. The studio was reduced to using fax machines, communicating through posted messages, and paying its 7,000 employees with paper checks.”

- Fortune, July 2015

“The quickest and most efficient way to restore our systems and administrative functions was to pay the ransom and obtain the decryption key. In the best interest of restoring normal operations, we did this.”

- Letter from CEO, Feb 17, 2016

In November of 2014, Sony was breached and lost data throughout their environment. Hackers were inside Sony’s network for as long as 6 months before the attack was initiated. The ability to recover data was targeted first – backups were destroyed. Sony was never able to recover much data.

http://fortune.com/sony-hack-part-1/

In February of 2016, Hollywood Presbyterian was breached and their EMR data was encrypted and held for ransom. 900 patients had to be moved to other care facilities, costing HPMC millions of dollars. They were forced to pay the ransom to get the encryption key.

http://hollywoodpresbyterian.com/default/assets/File/20160217%20Memo%20from%20the%20CEO%20v2.pdf

In May of 2016, Kansas hospital pays ransomware demand. Attackers asked for second ransom, Kansas Heart never gets their files back

http://www.networkworld.com/article/3073495/security/kansas-heart-hospital-hit-with-ransomware-paid-but-attackers-demanded-2nd-ransom.html

“Regular, air-gapped backups could seriously dull the power of such software. If you've got another copy of your data, there's no need to pay off ransomware. For our money, that's the solution hospitals, and every organization, should be looking at.”

- President, Dr. Greg Duick

Page 31

Why Secure Snaps

• Protects against intentional deletion of point in time data

• Oops!! (Also protects against accidental deletion)

• Enforces data retention policy for snapshots

• Ensures snapshot availability
– Test and Dev, QA, training, etc.

Page 32

Secure Snaps with TimeFinder SnapVX

• Retention time is a required field

• Once expiration time has elapsed, snapshot will be automatically deleted

• Retention time can be extended

• Does not affect other SnapVX operations
– Link / Relink / Unlink
– Restore
– Set mode

30 day retention | 45 day retention | 60 day retention

Page 33

Secure Snaps

Time to Must Live

• Retention Time defined during snapshot creation

• Standard Snapshot can be converted to Secure Snapshot
– Not vice versa

• No user can reduce or remove the Retention Time
– Can be extended

• Automatically terminates when the Retention Time expires
– As long as the snapshot has no linked targets or restore sessions
– Same rules as traditional time to live

Page 34

Secure Snaps

As always, proper planning required for any feature!

• Preserving secure snaps is the highest priority

• User cannot terminate Secure Snaps to free up system resources

• Users may want to consider setting Retention Time only on a subset of their snapshots
– Specific points-in-time
– Specific number of snaps per day
– Critical applications
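The retention rules on the Secure Snaps slides, written as a small model (an added example, not Dell EMC code and not the Solutions Enabler, Unisphere or REST interface; the class and method names are hypothetical). It also counts how many of the 256 per-source snapshot slots are pinned at a given time, which is the planning concern raised above.

```python
from dataclasses import dataclass
from datetime import datetime
from typing import List, Optional

MAX_SNAPS_PER_SOURCE = 256  # per-source snapshot limit quoted on the slides

class PolicyError(Exception):
    """The operation would weaken or remove a secure snapshot."""

@dataclass
class Snapshot:  # hypothetical model, not a VMAX object
    name: str
    expires: Optional[datetime] = None  # None: standard snap, no time to live
    secure: bool = False
    linked_targets: int = 0
    restore_sessions: int = 0

    def make_secure(self, expires: datetime) -> None:
        """Standard -> secure is allowed; a retention time is mandatory."""
        if expires is None:
            raise PolicyError("retention time is a required field")
        if self.secure:
            raise PolicyError("already secure; use extend()")
        self.secure, self.expires = True, expires

    def make_standard(self) -> None:
        """Secure -> standard is never allowed."""
        if self.secure:
            raise PolicyError("secure snapshot cannot be converted back")

    def extend(self, expires: datetime) -> None:
        """Retention on a secure snap may only move later, for any user."""
        if self.secure and expires < self.expires:
            raise PolicyError("retention time cannot be reduced")
        self.expires = expires

    def locked(self, now: datetime) -> bool:
        return self.secure and now < self.expires

class Source:
    """One source LUN and its snapshots (constructed model)."""

    def __init__(self) -> None:
        self.snaps: List[Snapshot] = []

    def add(self, snap: Snapshot) -> None:
        if len(self.snaps) >= MAX_SNAPS_PER_SOURCE:
            raise PolicyError("snapshot limit reached for this source")
        self.snaps.append(snap)

    def terminate(self, name: str, now: datetime, role: str = "admin") -> None:
        """Manual delete. `role` is deliberately ignored: no role can override."""
        snap = next(s for s in self.snaps if s.name == name)
        if snap.locked(now):
            raise PolicyError(f"{name} is retained until {snap.expires}")
        self.snaps.remove(snap)

    def reap(self, now: datetime) -> List[str]:
        """Automatic expiry; skips snaps with linked targets or restore sessions."""
        gone = [s for s in self.snaps
                if s.expires is not None and now >= s.expires
                and s.linked_targets == 0 and s.restore_sessions == 0]
        for s in gone:
            self.snaps.remove(s)
        return [s.name for s in gone]

    def locked_slots(self, now: datetime) -> int:
        """Planning check: slots nobody can free before retention ends."""
        return sum(s.locked(now) for s in self.snaps)
```

Running `locked_slots` over a planned snapshot schedule shows how much of the per-source limit a retention policy would pin before it is enabled.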

Page 35

Easy to Use!

Unisphere for VMAX

Page 36

Easy to See!

Unisphere for VMAX

Page 37

A little Deeper View

Unisphere for VMAX

Page 38

It Works!!!

What happens when trying to terminate a secure snap?

Page 39

Availability and Management

• Both Open Systems and Mainframe

• Managed via
− Solutions Enabler 8.4
− Unisphere 8.4
− Mainframe Enabler
− REST API

• Included in VMAX All Flash F/FX

Page 40

Slight Recap

• Secure from intentional or non intentional deletion
− Even highest level admin cannot delete

• All other SnapVX operations are available

• Retention time can be extended

• Preserving snapshot is highest priority
− Protection from failure when out of resources

Page 41

Keep your Dell EMC Product Deployments Secure

Deploy Securely
• Refer to the Security Configuration Guide (SCG) for each product on how to configure the product to maximize its security posture in your environment

Stay Informed
• Subscribe to Dell EMC Security Advisories through the support portal: https://support.emc.com/preferences/subscriptions

Stay Secure
• Upgrade to the latest version of your Dell EMC product and/or apply the latest security patches

• NEW: Visit the Dell EMC Product Security Information page (https://support.emc.com/security) where you can search security advisories by Common Vulnerabilities and Exposures (CVE), view all SCGs, and get the latest information on high profile vulnerability alerts

Page 43

Related Dell EMC World sessions

• Other VMAX sessions:
– What's New With VMAX All Flash & What's Up With NVMe
– What’s new with HYPERMAX OS
– Unisphere
– All Flash performance
– Local and remote replication performance
– Compression
– NDM
– VMAX and VMware
– VMAX and Oracle
– VMAX REST APIs
– Mainframe (many)

Page 44

Questions?
