Trusted Storage. Putting Security and Data Together. Michael Willett Seagate Technology

Transcription

1 Trusted Storage Putting Security and Data Together Michael Willett Seagate Technology

2 Why Encrypt Data-At-Rest? Compliance 42+ states have data privacy laws with encryption safe harbors New data breach bills have explicit encryption safe harbors PCI DSS requires rendering stored cardholder data unreadable Exposure of data loss is expensive Data center disk drives are mobile Nearly ALL drives leave the security of the data center The vast majority of decommissioned drives are still readable Not all leave under the owner s control

3 Board of Directors Scott Rotondo, Sun, President and Chairman Marketing Workgroup Brian Berger, Wave Technical Committee Graeme Proudler, HP Best Practices Jeff Austin, Intel Advisory Council Invited Participants Administration VTM, Inc. Public Relations Anne Price, PR Works TPM Work Group David Grawrock, Intel TSS Work Group David Challener, Lenovo Conformance WG Manny Novoa, HP PC Client WG Monty Wiseman, Intel Events Marketing Support VTM, Inc. Mobile Phone WG Panu Markkanen, Nokia Peripherals WG (dormant) Infrastructure WG Thomas Hardjono, SignaCert PDA WG Jonathan Tourzan, Sony Server Specific WG Larry McMahan, HP User Auth WG Laszlo Elteto, Safenet BOLD: Most Relevant to Storage Work Storage WG Robert Thibadeau Seagate Key Management Services Walt Hubis LSI Storage Interface Interactions James Hatfield Seagate Optical Storage Bill McFerrin DataPlay

4 Joint Work T10 (SCSI) and T13 (ATA) TRUSTED SEND/IN (Protocol ID = xxxx..) TRUSTED RECEIVE/OUT T10/T13 defined the container commands TCG/Storage defining the TCG payload Protocol IDs assigned to TCG, T10/T13, or reserved

5 Enterprise Support ISV Application (on the Host) Implementation Overview TCG/T10/T13 Trusted Send and Receive Container Commands (Partitioned) Hidden Memory Security firmware/hardware ATA or SCSI Trusted Send/Receive Commands Assign Hidden Memory to Applications TRUSTED STORAGE Firmware/hardware enhancements for security and cryptography Firmware Hidden Storage Security Providers TRUSTED Assign Hidden Memory to Applications SP FDE Controller Storage

6 Trust System behaves as designed Trust Toolkit : Cryptographic SIGNING CREDENTIALS (eg, signed X.509 Certificates)

7 Trusted Storage with Trusted Platform Trusted Storage Secure Communications Root Of Trust Trusted Platform TPM OR Trusted Element Life Cycle: Manufacture, Own, Enroll, PowerUp, Connect, Use,

8 Why Security in STORAGE (hard drive) 3 Simple reasons Storage for secrets with strong access control Inaccessible using traditional storage access Arbitrarily large memory space Gated by access control Unobservable cryptographic processing of secrets Processing unit welded to storage unit Closed, controlled environment Custom logic for faster, more secure operations Inexpensive implementation of modern cryptographic functions Complex security operations are feasible

9 TCG Storage Use Case Examples Full Disc Encryption -Laptop Loss or Theft -Re-Purposing -End of Life -Rapid Erase DriveLocking ALL Encrypted Crypto Key Management Crypto Chip Personal Video Recorders Forensic Logging DRM Building Blocks

10 Specification Overview TCG Storage Workgroup Specification Overview and Core Architecture Specification Specification Version 1.0 Revision 19 June (DRAFT)

11 TCG Storage WG Core Specification SPs (Security Providers) Logical Groupings of Features SP = Tables + Methods + Access Controls Tables Like registers, primitive storage and control Methods Get, Set Commands kept simple with many possible functions Access Control over Methods on Tables

12 Security Subsystem Classes Storage Security Subsystem Class = SSC Storage Architecture Core Specification HDD SSC - Notebook HDD SSC - Enterprise Optical SSC (OSSC)

13 Home Banking (or Remote Medical, or ) Trusted Platform w/ Trusted Storage - Multi-factor authentication: password, biometrics, dongles - Secure/hardware storage of credentials, confidential financial/medical data -Trusted life cycle management of personal information - Integrity-checking of application software - Cryptographic functions for storage and communications security - Secure computation of high-value functions (protection from viruses/etc)

14 Self-Encrypting Drives For when a drive leaves the owner's control Simple Transparent Integrated Scalable Interoperable Learn more at: - Webcast from architects - Overview whitepaper - On-line performance demo IT policy: All future drive purchases to be selfencrypting drives when available 2008 Insert 14 Copyright Information Here. All Rights Reserved.

15 Self-Encrypting Drive Basics Write Authentication The drive and LOCKS remains Read Key data automatically LOCKED (Password) normally when while Unlocks when it drive is powered the is unlocked drive OFF back ON Authentication Key Management Service Here is the un-encrypted text Write Read Here is the P%k5t$ text #&% 100% performance encryption engine in the drive Data protected from loss, disclosure 2008 Insert 15 Copyright Information Here. All Rights Reserved. 15

16 Enterprise Management of Self-Encrypting Drives SP FDE -Enterprise Server: Key generation and distribution Key/Password archive, backup and recovery -Laptop (Application): Master/User passwords, multi-factor authentication, TPM support Secure log-in, Rapid Erase -Trusted Drive (self-encrypting): Disk or sector encryption, sensitive credential store, drive locking Self-Encrypting Drive

17 NSA-Accepted Security: Sensitive and Secret Govt Data The National Security Agency (NSA) has qualified the Momentus 5400 FDE hard drive, for protection of information in computers deployed by U.S. government agencies and contractors for national security purposes. With the NSA qualification, the Momentus 5400 FDE.2 hard drive meets one of the highest standards for securing sensitive information the National Security Telecommunications and Information Systems Security Policy (NSTISSP) #11. NSTISSP #11 defines requirements for a wide variety of products that satisfy a diversity of security requirements to include providing confidentiality for data, as well as authenticating the identities of individuals or organizations exchanging sensitive information. * The National Institute of Standards and Technology (NIST), the U.S. federal agency focused on promoting product innovation by establishing technical standards for government and business, certified the Advanced Encryption Standard (AES) encryption algorithm that powers the Momentus 5400 FDE.2 hard drive. *More information on NSTISSP #11 is available at Insert 17 Copyright Information Here. All Rights Reserved.

18 Why standards are important Customer choice Best product, best price, long term supplier viability Multiple vendor options Data at rest needs long term recoverability Media lifetime may exceed supplier lifetime Security requires Well tested and examined practices Separation of duties Consistency of policy enforcement

19 -Trusted Storage Specification - Key Management Services Application Notes

20 IEEE P (Key Management)

21 Key Lifecycle Model 21

22 What Does the Future Look Like? Encryption everywhere! Automatic performance scaling, manageability, security Standards-based Multiple vendors; interoperability Unified key management Handles all forms of storage

23 50,000 Hard Drives Leave the Data Center Every Day 90% of returned drives were still readable (IBM study) Decommission system Replace Repair Repurpose Self-Encrypting Drives Remove ALL drives It s Simple, Clean and Complete Send even dead drives through Queue in secure area Transport Offsite Queue in secure area Secure the moment the drive is unplugged Comply with data privacy laws Warranty and expired lease secure drive returns Repurpose drives securely; Cut decommissioning costs People make mistakes Because of the volume of information we handle and the fact people are involved, we have occasionally made mistakes. which lost a tape with 150,000 Social Security numbers stored at an Iron Mountain warehouse, October Overwriting takes days and there is no notification of completion from drive Hard to ensure degauss strength matched drive type Shredding is environmentally hazardous Not always as secure as shredding, but more fun 99% of Shuttle Columbia's hard drive data recovered from crash site S E S C E U C R U E R E Data recovery specialists at Kroll Ontrack Inc. retrieved 99% of the information stored on the charred Seagate hard drive's platters over a two day period. - May 7, 2008 (Computerworld) Insert 23 Copyright Information Here. All Rights Reserved.

24 Disposal Options: Riddled with Shortcomings Format the drive or delete the data Doesn t remove the data - data is still readable Over-writing Takes hours-to-days Error-prone; no notification from the drive of overwrite completion Shredding Very costly, timeconsuming Environmentally hazardous Degaussing Very costly, time-consuming Difficult to ensure degauss strength matched type of drive Smash the disk drive Not always as secure as shredding, but more fun Professional offsite disposal services Drive is now exposed to the tape s falling-off-thetruck issue

25 IBM, LSI and Seagate Lead the Industry to an Enterprise Encryption Solution Authentication Key Management Service IEEE Standard Key Mgmt Protocol Application Server Network TCG /T10/T13 Security Protocol Storage System Authentication Key Flow Data Flow 25

26 Self-Encrypting Drive: Manageability and Security Manageability Don t need to escrow the encryption key to maintain data recoverability Less re-encryption required Security No clear text secrets anywhere on the drive We assume the attacker has complete knowledge of secrets design and location No cipher text exposure The drive can self power down after x authentication attempts Protected firmware downloads No back doors in the Trusted Storage Spec

27 No Performance Degradation Encryption engine speed Matches Port s max speed The encryption engine is in the controller ASIC Scales Linearly, Automatically Storage System Storage System All data can be encrypted, with no performance degradation Less need for data classification 2008 Insert 27 Copyright Information Here. All Rights Reserved.

28 Transparent to the Storage System Key Management Service Application Server Network Storage System At Initialization: Bring in new volume Set up Authentication Key Power-up: Authenticate with the key source Pass key to the disk drive After Power-up: The storage system virtualizes the disk drives and provides: Data protection through RAID and copy services, Availability through redundancy, failover drivers, robust error handling Capacity sharing through partitioning and network connectivity Management reporting Storage systems are optimized for unencrypted data for data compression and de-duplication 2008 Insert 28 Copyright Information Here. All Rights Reserved.

29 Simplify Management Self-Encrypting Drives Encrypting outside the drive Storage Systems Storage Systems Implement Re-key Exposed Keys Recover Data Retire HDD Transparent to OS, applications, databases Automatic Scalability No re-encryption needed Encryption keys don t leave drives. No need to track or manage them. Delete encryption key May need to change OS, applications, databases Re-encrypt all data Track, manage, escrow encryption keys, maintain interoperability Key compromised; Could make data across multiple drives unreadable 2008 Insert 29 Copyright Information Here. All Rights Reserved.

30 Thank You!