Designing Secure Storage for the Cloud Jesus Molina Fujitsu Laboratories of America


Introduction
- Trusted Computing and Cloud
- Overview of Trusted Computing
- CSA guidelines and TCG standards
- Trusted Storage WG
- Practical Applications
- Other Working Groups

Trusted Computing and Cloud
So what is the root problem of cloud security? TRUST.
In the cloud you can't directly verify the Trusted Computing Base.

TCG standards and cloud
In the cloud you can VERIFY THEN TRUST, OR JUST TRUST.
Diagram labels: Standards, Certification, Technology, Lawyers

Introduction to TCG

TCG: Standards for Trusted Systems
- Virtualized Platform
- Mobile Phones
- Printers & Hardcopy
- Authentication
- Network Security
- Storage
- Security Hardware
- Applications: Software Stack, Operating Systems, Web Services, Authentication, Data Protection
- Desktops & Notebooks
- Servers
- Infrastructure

Trusted Clients
- Security Built In: Trusted Platform Module (TPM), Mobile Trusted Module (MTM)
- Features: Authentication, Encryption, Attestation

Trusted Servers
- Security Built In: Trusted Platform Module (TPM), Secure Virtualization, Secure Cloud
- Features: Authentication, Encryption, Attestation

Trusted Storage
- Security Built In: Self Encrypting Drive (SED)
- Features: Encryption, Authentication

Trusted Networks
- Security Built In & Coordinated: Trusted Network Connect (TNC)
- Features: Authenticate, Health Check, Behavior Monitor, Enforce

CSA Guidelines and TCG
CSA Domain (Number) Type: Examples
- (2) Governance/Risk Management: Decrease risk exposure
- (3) Legal and Electronic Discovery: Data Recovery and Encryption
- (4) Compliance and Audit: Server Attestation
- (5) Information Lifecycle Management: Safe Data Retirement
- (6) Portability and Interoperability: Metadata Access Policy
- (7) Traditional Security: Network Access Control
- (8) Incident Response: Coordinated Security
- (11) Encryption / Key Management: SED, Hardware Key storage
- (12) Identity / Access Management: Hardware Token Authentication
- (13) Virtualization: Trusted Multitenancy

Trusted Storage Working Group

Implementation Overview
Diagram labels:
- Enterprise Support
- ISV Application (on the Host)
- TCG/T10/T13: Trusted Send and Receive Container Commands (ATA or SCSI)
- TRUSTED STORAGE: firmware/hardware enhancements for security and cryptography
- Firmware, Controller, Storage (Partitioned)
- Hidden Storage / Hidden Memory
- Security Providers (SP)
- Security firmware/hardware
- Trusted Send/Receive Commands
- Assign Hidden Memory to Applications
- SED CHIP

Trusted Storage with Trusted Platform
- Trusted Storage: Root Of Trust
- Secure Communications
- Trusted Platform: TPM OR Trusted Element
- Life Cycle: Manufacture, Own, Enroll, PowerUp, Connect, Use,


TCG Storage WG Core Specification
- SPs (Security Providers): Logical Groupings of Features
- SP = Tables + Methods + Access Controls
- Tables: Like registers, primitive storage and control
- Methods: Get, Set. Commands kept simple with many possible functions
- Access Control over Methods on Tables


TCG Storage: Document Structure
Diagram labels, in slide order: General Documents; Specific Documents; PUBLISHED; Core Spec; Interface; PC SSC (OPAL); Optical SSC; Enterprise SSC; Auxiliary Documents; IN PROCESS; Compliance and Security Evaluation
SSC = Security Subsystem Class

Authentication in the Drive
AK = Authentication Key, DEK = Data Encryption Key
- Storage Server side: Clear Data, AK
- Drive: Hash AK, then compare (=) with the stored Hashed AK: Correct AK?
- No: Drive responds to no Read or Write requests
- Yes: Clear AK decrypts DEK, unlock HDD; DEK encrypts and decrypts User Data
- On the drive: Hashed AK, Encrypted DEK, Encrypted User Data
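The authentication flow on this slide, modeled in Python as an added example that is not part of the original deck. ToyDrive and its helpers are hypothetical names; PBKDF2 and an HMAC-SHA256 keystream stand in for the drive's hash and hardware AES, which the slides do not specify.

```python
import hashlib, hmac, os

def _kdf(ak: bytes, salt: bytes, label: bytes) -> bytes:
    # Slow hash of the AK. Distinct labels give independent values for the
    # stored verifier ("Hashed AK") and the key that wraps the DEK.
    return hashlib.pbkdf2_hmac("sha256", ak, salt + label, 100_000)

def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Stand-in cipher (assumption): HMAC-SHA256 in counter mode, XORed with data.
    # The same call encrypts and decrypts. Real SEDs use AES in hardware.
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

class ToyDrive:
    """Persistent state: hashed AK, encrypted DEK, encrypted sectors. Nothing in clear."""
    def __init__(self, ak: bytes):
        self.salt = os.urandom(16)
        dek = os.urandom(32)                    # DEK is generated inside the drive
        self.hashed_ak = _kdf(ak, self.salt, b"verify")
        self.encrypted_dek = _xor_stream(_kdf(ak, self.salt, b"wrap"), b"dek", dek)
        self.sectors = {}                       # LBA -> ciphertext on the media
        self._dek = None                        # clear DEK lives in volatile memory only

    def unlock(self, ak: bytes) -> bool:
        # "Correct AK?": hash the presented AK and compare in constant time.
        if not hmac.compare_digest(_kdf(ak, self.salt, b"verify"), self.hashed_ak):
            return False                        # wrong AK: drive stays locked
        self._dek = _xor_stream(_kdf(ak, self.salt, b"wrap"), b"dek", self.encrypted_dek)
        return True

    def power_off(self):
        self._dek = None                        # power off = locked

    def _require_unlocked(self):
        if self._dek is None:
            raise PermissionError("drive locked: no read or write served")

    def write(self, lba: int, data: bytes):
        self._require_unlocked()
        self.sectors[lba] = _xor_stream(self._dek, lba.to_bytes(8, "big"), data)

    def read(self, lba: int) -> bytes:
        self._require_unlocked()
        return _xor_stream(self._dek, lba.to_bytes(8, "big"), self.sectors[lba])
```

Because the AK is never stored and the DEK is stored only in wrapped form, a drive pulled from the rack exposes nothing but the verifier, the wrapped DEK and ciphertext.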

Practical Applications


How the Drive Retirement Process Works
Retire Drive: Replace, Repair, Repurpose
- Remove ALL drives
- Send even "dead" drives through
- Queue in secure area
- Transport offsite
- Queue in secure area
Drive Retirement is: Expensive, Time-consuming, Error-prone
People make mistakes
"Because of the volume of information we handle and the fact people are involved, we have occasionally made mistakes."
which lost a tape with 150,000 Social Security numbers stored at an Iron Mountain warehouse, October 2007 [1]
Retirement Options
- Overwriting takes days and there is no notification of completion from drive
- Hard to ensure degauss strength matched drive type
- Shredding is environmentally hazardous
- Not always as secure as shredding, but more fun
SECURE?
99% of Shuttle Columbia's hard drive data recovered from crash site
"Data recovery specialists at Kroll Ontrack Inc. retrieved 99% of the information stored on the charred Seagate hard drive's platters over a two day period." - May 7, 2008 (Computerworld)
[1] http://www.usatoday.com/tech/news/computersecurity/2008-01-18-penney-data-breach_

Drive Retirement: Self-Encrypting Drives
Retire Drive: Replace, Repair, Repurpose
- Remove ALL drives
- Send even "dead" drives through
- Queue in secure area
- Transport offsite
- Queue in secure area
Self-Encrypting Drives
Power Off = Locked and Encrypted = Secure
- Reduces IT operating expense
- Eliminates the need to overwrite or destroy drive
- Secures warranty and expired lease returns
- Enables drives to be repurposed securely
- Provides safe harbor for most data privacy laws
SECURE

Other Working Groups

Should you care?
Storing data in the cloud is more than hardware storage
- Where does the data reside?
- How do you handle information dispersal?
- Can you verify hardware? Remote integrity is also of importance
- Is your data being erased? If so, when, how and utilizing what method?
- How do you make sure your data is not corrupted?

Securing Multitenant Platforms Using TCG
Some goals
- Protection of processing and information in motion and at rest
- Ability to share physical platforms among tenant domain components (shared services)
- Visibility and auditability of actions
- Management of physical resources independently of domain resources
- Loosely coupled architecture managed using application of appropriate policy and trust
- Ability to control the flow of information between tenant domains within policy constraints
- Ability to address various security models to protect integrity and confidentiality of services and data exchanges within enterprise
Relevant Working Groups
- Virtualization work group (virtual certificates, virtual TPM, migration)
- TPM working group (Server Attestation)
- Storage workgroup (multilevel storage)
- Trusted Network Connect (Policy definitions and enforcement)

Support Slides

Diagram labels: NAC, IF-MAP; VM, VM, VM; VTPM; Virtual Machine Monitor; TPM; Multilevel Storage