IBM System Storage Data Protection and Security Chen Chee Khye ATS Storage chenck@my.ibm.com
Information is Exploding
[Figure panels: Data Types (structured, unstructured); Data Growth (PB shipped, 2005 to 2010); Data Impact (1MB/2D image, 1TB/4D image; 2004, 2007)]
- Today... Up to 80% of data is unstructured content (email, video, images)
- Through 2012... Storage capacity shipments are growing at 54% a year
- By 2010... Example: Medical images will take up 30% of the world's storage
IBM Security
Impact on Data Storage
- Data volumes doubling every 18 months
- Devices accessing data doubling every 2.5 years
- 70% of the digital universe is created by individuals, but enterprises are responsible for the security, privacy, reliability and compliance of 85%
- Information created, captured, or replicated exceeded available storage for the 1st time in 2007
- Structured data growing at 32%
- Unstructured data growing at 63%
- Replicated data growing at 49%
Source: IDC worldwide enterprise disk in Exabytes from Changing Enterprise Data Profile, December 2007
Current economic climate will push for storage services, which raises the need for security
IBM Information Infrastructure
Data Loss is Top of Mind
The Cost of Data Loss
The impact of data loss is significant
- Totaling $66.9M in 2007 ±
- Average data breach costs a company $5M
- Average annual loss per company is $350,000 ±
- Breaches cost companies an average of $185 per record
- 327 data breaches were reported in 2006*
- More than 100M data points exposed in 2006*
Requirement for data privacy and encryption is mandatory
Customers will not have a choice on storage security spending
± Computer Security Institute 2007 Network World Magazine
* Source: privacyrights.org
We Need IT Infrastructure Able to Handle Data Growth
- Reduce reputation risks and audit deficiencies: Average US legal discovery request can cost organizations from $150K to $250K.
- Deliver continuous, reliable access to information: Downtime costs can amount up to 16% of revenue in some industries.
- Support information retention policies: 37% of data is expired or inactive.
- Secure sharing of information: Average cost of a privacy breach is around $200 per compromised record
Information Compliance, Information Availability, Information Retention, Information Security
Sources: CIO Magazine survey 2007; IBM Tivoli Market needs and profiling study 2005; "The Costs of Enterprise Downtime: NA Vertical Markets 2005", Information Research; IBM Market Intelligence; SNIA Data Management Forum, 100 Year Archive Requirements Survey, Storage Networking Industry Association (SNIA), 2007
IBM Software Group
View of IBM's data protection technology: encryption everywhere
[Diagram labels: SAN Encryption Key Management, File system encryption, Database encryption, Switch encryption, Disk Storage Array Encryption, Enterprise Tape Library 3592 Encryption]
Encryption choices: why should encryption be built into storage?
- Performance: cryptography can be computationally intensive
- Efficiency: encrypted data is not able to be compressed or de-duplicated
- Security: data in transit should use temporary keys, data at rest should have long-term retention and robust management
- Scalability: best to distribute cryptography across many devices
IBM has launched encrypting tape systems, is moving to encrypting storage arrays (Full Disk Encryption), and plans to extend to the rest of the infrastructure (Switch/Base/Backup components)
Why Wouldn't You Encrypt Data at Rest?
Your Concerns:
1. Performance: Encryption that isn't built into the storage infrastructure could cause serious performance penalties
2. Potential to lose data: If you encrypt the data and lose the key then the data is lost
3. Complexity: Some solutions add extra boxes on the wire, classification, constant configuration, application changes
4. Total cost of ownership: Some solutions can double the cost of the storage solution
IBM's Response:
- Our encrypting storage solutions have an impact on performance that is less than 1%
- Our key management is proven with thousands of customers today
- Our solution is simple to install and configure, with no application or server changes required
- Our encryption and key management adds small incremental cost
Our solution is high performance, robust, safe, simple, and cost effective
IBM Vision for Encryption and Key Management
Encryption built into the infrastructure (not on top of it)
- IBM's 3rd generation tape drive with encryption: TS1130
- TS1120
- LTO Gen 4
- Full Disk Encryption (FDE)
Over 3,500 security professionals worldwide
- $1.5B investment in security in 2008
[Diagram labels: Tivoli Key Lifecycle Manager, TS1130 Tape Drive, Disk Encryption, Security and Privacy Services]
"What separates IBM from the pack is its ability to provide a complete and extensible Storage Encryption architecture, including an enterprise key management capability." Jon Oltsik, Enterprise Strategy Group, August 2008
The Future of Storage Encryption is built in, just like compression and, increasingly, de-duplication
- IBM has shipped tape systems with built-in encryption for 2 years
- IBM has shipped encrypting disk systems
You will need unified key management for operational simplicity, security, and compliance
- Transparent to applications: no changes or upgrades required
- Simple, easy to install and use
- Adheres to regulations
- Fits into your environment: no new appliances
[Diagram labels: Enterprise Tape Library 3592, Disk Storage Array]
IBM Tivoli Key Lifecycle Manager is the answer!
IBM Tivoli Key Lifecycle Manager v.1.0
Simplified key management across distributed and mainframe
Client Value
- Reduces encryption management costs related to set up, use and expiration of keys
- Enables organizations to comply with disclosure laws and regulations
- Ensures against loss of information due to key mismanagement
- Transparently detects encryption-capable media to assign necessary authorization keys
- Runs on most existing server platforms to leverage resident server's existing access control/high availability/disaster recovery configs
Its predecessor EKM is a proven key management system with 2000 customers worldwide!
Simple, Secure and Cost-effective Key Storage, Key Serving and Key Management
IBM Tivoli Key Lifecycle Manager v.1.0
Feature Function
- Focused on device key serving
  - IBM encrypting tape: TS1120, TS1130, LTO gen 4
  - IBM encrypting disk: DS4000/DS5000/DS6000/DS8000
- Lifecycle functions
  - Notification of certificate expiry
  - Automated rotation of certificates
  - Automated rotation of groups of keys
- Platforms for V1
  - AIX 5.3, 64 bit
  - Red Hat AS 4.0, x86 32 bit
  - Suse Linux 9.0 and 10, x86 32 bit
  - Solaris 10 Sparc, 64 bit
  - Windows Server 2003, 32 bit
  - z/OS 1.9
- Designed to be easy to use
  - Provide a Graphical User Interface
  - Initial configuration wizards
  - Easy backup and restore of TKLM files
  - One button operation
- Installer to simplify installation experience
  - Simple to use install for Windows, Linux, AIX, Solaris
  - Can be silent install
With TKLM Solution. IBM Solution offering includes
IBM's Tape System Offerings
TS1040 (LTO4) Tape Drive
- Standard feature on all FC & SAS LTO4 Tape Drives
- Supports traditional and encrypted modes of operation
TS1130 / TS1120 Tape Drive
- Standard feature on all new TS1130 Tape Drives
- Supports traditional and encrypted modes of operation
TKLM: Tivoli Key Lifecycle Manager
- EKM follow-on
- AIX, Sun, Linux and Windows
- z/OS Statement of Direction
- Serves keys
Flexible IBM Tape Encryption Methods
[Diagram label: Tivoli Key Lifecycle Manager]
Like Tape, Self-Encrypting Drives Have Virtually No Performance Degradation
- Encryption engine speed
  - Matches port's max speed
  - The encryption engine is in the controller ASIC
- Scales linearly, automatically
  - All data can be encrypted, with no performance degradation
  - No need to classify which data to encrypt
[Diagram labels: Storage System, Storage System]
IBM's Disk Storage Offering with Full Disk Encryption
DS5000
- Real-world performance: Sustainable, scalable with Full Disk Encryption Support
- Green efficiency: Do more with less, support of intermix with normal disk drives and FDE drives!
- Interface adaptability: 4 Gbps FC, 8 Gbps FC, iSCSI
- Continuous and reliable access to information: Online administration, active-active redundancy, advanced diagnostics
- Application integration: Certifications, solutions, meet SLAs
* 2H 2009 feature
EXP5000 Expansion Unit
- 16 drives in 3U enclosure
- 4 Gbps FC interfaces / ESMs
  - High-speed, low-latency interconnect from controllers to drives
- Supports intermixing FC, FDE and SATA drives
  - More efficient use of enclosures
- Unique speed-matching technology
  - 3 Gbps SATA II drives effectively run at 4 Gbps speeds
- Switched architecture
  - Drive isolation, better diagnostics
  - Higher performance, lower latency
Secure DS5000 Encryption Services
- Comprehensive security for data-at-rest
- Full Disk Encryption (FDE)
  - Encryption takes place at the drive level
- Robust management tools
  - Integrated local key management
DS5000 Series Drive Support
- Drives supported: 4Gbps FDE 15K FC 146GB, 300GB, and 450GB
DS5000 Encryption Benefits
- Bullet-proof security throughout the drive's lifecycle
  - Unparalleled security assurance with government-grade encryption
  - Instant secure erase for a higher security level than other common methods
  - Automatically protects data on drives returned for repair, retired, or repurposed
- High performance
  - Drive-based encryption engine maintains our exceptional performance
- Robust yet easy-to-understand management
  - FDE key management is transparent to day-to-day storage administration, making FDE drives as easy to manage as traditional drives
  - A single DS5000 system can support all tiers and classifications of data
  - No application/operating system changes or modifications required
Disposal Options Are Riddled with Shortcomings
- Format the drive or delete the data
  - Doesn't remove the data; data is still readable
- Over-writing
  - Takes hours-to-days
  - Error-prone; no notification from the drive of overwrite completion
- Shredding
  - Very costly, time-consuming
  - Environmentally hazardous
- Degaussing
  - Very costly, time-consuming
  - Difficult to ensure degauss strength matched type of drive
- Smash the disk drive
  - Not always as secure as shredding, but more fun
- Professional offsite disposal services
  - Drive is now exposed to the tape's falling-off-the-truck issue
With IBM Storage Systems Data protection
IBM has built Storage Security into the infrastructure
- Will fit into your existing server management
- Will leverage existing high availability and disaster recovery solutions you have thought of!
Adding IBM's storage security option is:
- Simple
- Transparent to existing applications
- Cost effective
- Leverage existing investments
Questions?
IBM Storage Systems offerings