NeoScale Systems, Inc. Integrating Storage Security into an Overall Security Architecture


Slide 1: NeoScale Systems, Inc. - Integrating Storage Security into an Overall Security Architecture
Robert A. (Bob) Lockhart, Chief Systems Architect, rlockhart@neoscale.com

Slide 2: Why Storage Security Now?
Storage drivers: consolidation, offsite replication, outsourcing
Real threats: insiders, information attacks, lost tapes, data breaches
Regulatory compliance: industry, national, local
Vulnerable data * real threats * liability = HIGH RISK
12/15/2005 Slide 2

Slide 3: Data / Storage Vulnerability Points
Diagram: vulnerability points across the data center and the MAN/WAN links: unauthorized data access, uncontrolled host access, media theft, host spoofing, eavesdropping.
Gartner: By year-end 2006, 85% of Fortune 1000 enterprises will encrypt most critical "data at rest" (probability 0.9).

Slide 4: Unauthorized Data Access
Problem: controlling unauthorized access to data by users and applications
Solutions:
- Centralized directory services
- Two-factor authentication
- Application-level access control
What's missing?
- Application-to-OS access controls, so that only specific applications (rather than users) have access to specific files or volumes
- User access directly to files versus user access via applications
- Best solved by adding more appliances to the mix? No. Worst case, add agents to control access to data; this really needs to be in the OS and the application itself
- New versions of database applications are adding field-level access control

Slide 5: Uncontrolled Host Access to Storage
Problem: maintaining control over data in a storage network
Solutions:
- Zoning (a fancy word for a VLAN on steroids), LUN masking and LUN mapping
- Stateful SAN firewalls: go beyond traditional zoning and LUN masking by mapping flows, similar to the traditional firewalls found in IP environments
- DH-CHAP host-to-switch authentication
New standards for SAN security:
- T11.3 FC-SP DH-CHAP supports authenticated connectivity between a host and the network
- Today, authentication happens between the host HBA and the SAN switch
- Long term, end-to-end authentication will resolve the access control and host spoofing issues

Slide 6: Host Spoofing
Problem:
- Host re-addressing was built into the Fibre Channel standard on purpose, originally for clustered high-performance computing environments
- Exploiting it usually means malicious intent that takes planning and forethought
Solutions:
- A combination of hard and soft zoning used with the LUN mapping features found in modern arrays
- DH-CHAP authentication resolves this by verifying system identity
New standards for security:
- T11.3 FC-SP DH-CHAP supports authenticated connectivity between a host and the network
- Today, authentication happens between the host HBA and the SAN switch
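The host-to-switch DH-CHAP exchange that slides 5 and 6 rely on, shown as an added example in Go (not code from the deck, from NeoScale or from any FC-SP implementation): a host HBA authenticates to a switch port, the transcript a tap on the link would capture is kept, and an offline dictionary attack is run against that transcript with and without a DH group. The response construction follows the DH-CHAP shape (the challenge is augmented with the DH shared secret, then hashed with the transaction id and the shared CHAP secret); the exact FC-SP field encodings, the SHA-1 choice, the 0x42 transaction id, the wordlist, the secret and the runtime-generated 512-bit modulus are all assumptions made for illustration, not the standard's values.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"crypto/sha1"
	"fmt"
	"math/big"
)

// Transcript is what a passive tap on the host-to-switch link sees.
type Transcript struct {
	T      byte     // transaction identifier
	C      []byte   // switch's challenge
	R      []byte   // host's response
	Gx, Gy *big.Int // DH public values (nil with the null DH group)
}

// party is the host HBA (initiator) or the switch port (responder); both hold the
// CHAP secret K, provisioned out of band.
type party struct {
	p, g, priv *big.Int
	secret     []byte
}

// dhPublic picks a fresh private exponent and returns g^priv mod p.
func (pt *party) dhPublic() *big.Int {
	pt.priv, _ = rand.Int(rand.Reader, pt.p)
	return new(big.Int).Exp(pt.g, pt.priv, pt.p)
}

// chapResponse follows the DH-CHAP shape: the challenge is augmented with the DH shared
// secret, Ca = H(C | g^xy), and the response is R = H(T | K | Ca). With the null DH group
// there is no g^xy, Ca = C, and this is plain CHAP. FC-SP negotiates the hash; SHA-1 here.
func chapResponse(t byte, secret, challenge []byte, shared *big.Int) []byte {
	ca := challenge
	if shared != nil {
		h := sha1.Sum(append(append([]byte{}, challenge...), shared.Bytes()...))
		ca = h[:]
	}
	h := sha1.Sum(append(append([]byte{t}, secret...), ca...))
	return h[:]
}

// Authenticate runs one host-to-switch authentication and reports whether the switch
// accepted the host, together with the on-the-wire transcript.
func Authenticate(p, g *big.Int, hostSecret, switchSecret []byte, useDH bool) (bool, Transcript) {
	host := &party{p: p, g: g, secret: hostSecret}
	sw := &party{p: p, g: g, secret: switchSecret}
	tr := Transcript{T: 0x42, C: make([]byte, 16)} // constructed transaction id
	rand.Read(tr.C)
	var hostView, swView *big.Int // each side's g^xy
	if useDH {
		tr.Gx = sw.dhPublic()   // DHCHAP_Challenge: switch -> host carries T, C, g^x
		tr.Gy = host.dhPublic() // DHCHAP_Reply: host -> switch carries R, g^y
		hostView = new(big.Int).Exp(tr.Gx, host.priv, p)
		swView = new(big.Int).Exp(tr.Gy, sw.priv, p)
	}
	tr.R = chapResponse(tr.T, host.secret, tr.C, hostView)
	// The switch recomputes R from its own copy of K and its own g^xy and compares.
	return bytes.Equal(tr.R, chapResponse(tr.T, sw.secret, tr.C, swView)), tr
}

// OfflineGuess is the eavesdropper's attack: recompute R for each candidate secret. The
// tap never learns x or y, so it can only use the raw challenge, which is exactly what
// plain CHAP (the null group) hashes.
func OfflineGuess(tr Transcript, wordlist [][]byte) []byte {
	for _, w := range wordlist {
		if bytes.Equal(chapResponse(tr.T, w, tr.C, nil), tr.R) {
			return w
		}
	}
	return nil
}

func main() {
	// A random 512-bit modulus with g = 2 stands in for the fixed MODP groups FC-SP
	// assigns to its DH group identifiers (constructed, for illustration only).
	p, _ := rand.Prime(rand.Reader, 512)
	g := big.NewInt(2)
	secret := []byte("hba-secret-2005") // constructed shared CHAP secret
	words := [][]byte{[]byte("password"), []byte("hba-secret-2005"), []byte("brocade")}
	ok, tr := Authenticate(p, g, secret, secret, false)
	fmt.Printf("null DH group: accepted=%v, offline guess finds %q\n", ok, OfflineGuess(tr, words))
	ok, tr = Authenticate(p, g, secret, secret, true)
	fmt.Printf("DH group:      accepted=%v, offline guess finds %q\n", ok, OfflineGuess(tr, words))
	ok, _ = Authenticate(p, g, []byte("guess"), secret, true)
	fmt.Printf("spoofed host with wrong secret: accepted=%v\n", ok)
}
```

The first run uses the null DH group, which FC-SP permits and which reduces DH-CHAP to plain CHAP: the captured challenge and response are enough for an offline dictionary attack on the secret. With a DH group the same attack fails, because the hashed value depends on g^xy, which the tap never sees. Two practical consequences: fabric policy should forbid the null group, and the CHAP secret still has to resist guessing by anyone who can legitimately run the exchange (a rogue device on the fabric gets an online guess per attempt).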

Slide 7: Media Replacement, Loss or Theft
Problem:
- Loss or theft of removable media
- Failed disks still contain data
Solutions:
- Media wiping
- Media destruction
- Encryption
Standards in development include T11.3 FC-SP, the IEEE P1619 work group, and a T10 study group for key exchange over SCSI.
There has been a lot of press attention here:
- Fully depreciated or old arrays sold on eBay with data intact
- Tapes lost in transport
Data that leaves a site should be considered data in flight. How do you protect your remote data connections today?

Slide 8: Eavesdropping
Problem:
- Data capture and analysis is a well-known technology
- Optical networks can be tapped with relatively little expense; devices that macrobend the fiber are used to tap into the signal
Solutions:
- Optical loss detectors built into devices
- Sealed conduits that are pressurized end to end
- Link encryption: IP networks have used IPsec to protect traffic for a long time
New standards in development:
- Optical loss measurement devices at all points in a link where a tap is possible
- T11.3 FC-SP is also tasked with development of the FCSec standard; FCSec is based on IPsec, including re-keying and encryption algorithms

Slide 9: Distinct Requirements for Storage
- Primary storage (DAS, SAN & NAS): SAN response time, high availability
- Secondary storage: meeting backup windows, media management
- SAN extension (MAN & WAN): MAN & WAN response time, high availability
- Enterprise security: policy & key management, security certifications

Slide 10 (section): Storage Security Encryption Options

Slide 11: Data Encryption Alternatives

Alternative                           | Performance                  | Manageability                                  | Deployment             | Security
Application / file system             | Server impact? App response  | Schema per application                         | Per app                | Strong, per app
Storage management S/W                | Server impact? App response  | Keys on clients or storage management server   | Per environment        | Varies
Fibre Channel or iSCSI switch/router  | Network device impact        | Vendor differences                             | Replace device         | Varies
Storage security appliance            | Bump in the wire             | Centralized                                    | Immediate, transparent | Strong

Slide 12: Disk Encryption Appliance Solutions
Host agent encryption (agent on server -> SAN -> disk)
  Advantages: storage agnostic
  Considerations: host agent integration, patch management, server overhead, single point of failure, latency delays
Security appliance, proxy (server -> SAN with proxy appliance -> disk)
  Advantages: encryption offload
  Considerations: storage re-mapping, limited redundancy, performance impact, integrity with caching, latency delays
Security appliance, inline (server -> SAN -> security appliance -> disk)
  Advantages: encryption offload, application invisible, native redundancy, wire-speed performance, end-to-end integrity, minimal latency

Slide 13: Primary Storage - Encryption/Decryption of Payload Only
FCP command frame, no encryption:
  FC SoF (4 bytes) | FC header (24 bytes) | SCSI command, 28+ byte FCP command (payload up to 2112 bytes) | CRC (4 bytes) | FC EoF (4 bytes)
Fibre Channel data frame, no encryption:
  FC SoF (4 bytes) | FC header (24 bytes) | 512-byte block | 512-byte block | 512-byte block | 512-byte block (payload up to 2112 bytes) | CRC (4 bytes) | FC EoF (4 bytes)
Fibre Channel data frame, encryption of payload only:
  Same layout; the 512-byte data blocks are encrypted, SoF, header and EoF stay in the clear, and the CRC is recomputed over the encrypted payload ("modified CRC").

Slide 14: Tape Security Alternatives
Server-based encryption (encrypt in the backup application): disk -> backup server -> tape
  Pros: software add-on to the backup application
  Cons: no compression, server CPU overhead, reduced throughput, insecure key management
Disk-based encryption (encrypt data at rest and back up to tape): backup server -> tape
  Pros: invisible to backup apps
  Cons: no compression, more complex recovery, requires encrypting all sensitive data on primary storage
Storage security appliance (encrypt in a network-based security appliance): backup server -> security appliance -> tape
  Pros: invisible to backup apps, native backup performance, secure key management, appliance simplifies security
  Cons: additional hardware device
(The "no compression" entries follow from ciphertext being incompressible: anything encrypted before it reaches the drive forfeits the drive's hardware compression unless the data is compressed first.)

Slide 15: NeoScale Tape Format (similar to the proposed GCM tape format)
On-tape layout:
  NeoScale tape label (1024 bytes)
  NeoScale block header (32 bytes) | tape header or data block | NeoScale block trailer (32 bytes)
  NeoScale block header (32 bytes) | data block (size varies by application and compression) | NeoScale block trailer (32 bytes)
  ... one header/trailer pair per data block ...
NeoScale labels:
- 1K-byte NeoScale tape label
- 32 bytes prepended and 32 bytes appended per block
- The label is encrypted using the pool key
Legacy tape support (NeoScale data | normal tape data | file mark): existing unencrypted tapes pass data through CryptoStor without requiring additional configuration.

Slide 16: Fibre Channel Link Security - FCSec
Deployment: looks like traditional link encryption and acts like traditional link encryption, except it uses Fibre Channel instead of IP.
Diagram: primary site <-> replication protocol over the encrypted link <-> remote site.

Slide 17: Native SAN Encryption
- Optional compression, encapsulation and encryption of the entire Fibre Channel frame
- Equivalent of IPsec tunnel mode; referred to as FCSec tunnel mode
- No conversion to IP required to provide encryption
- Lower latency for real-time applications such as synchronous mirroring and remote storage
- Recommended encryption modes are CBC or potentially GCM (CBC alone gives confidentiality only; where data manipulation on the link is a concern, the ESP needs an authenticator, which GCM supplies in one pass)
- Support for Fibre Channel layer 4 protocols
- Proprietary and interoperability modes
Tunnel mode (FC frame encapsulation):
  FC SoF | FCSec FC header | ESP | FC header | upper-level protocols (SCSI, FICON, IP, VI, HIPPI) | FC CRC | FCSec CRC | FC EoF

Slide 18 (section): Encryption Modes Being Proposed for Data at Rest

Slide 19: Modes of Operation - LRW, Proposed for Primary Storage
Tweaked narrow-block mode: each 16-byte cipher block of a sector (1, 2, ... 32) goes through its own encryption operation with its own tweak TK.
TK = tweak key, based on a second disk key and the physical block number.
(LRW was later dropped from the IEEE P1619 work; IEEE Std 1619-2007 standardized XTS-AES instead.)
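Slide 13's payload-only encryption and slide 19's LRW tweak, combined in one added example in Go (not NeoScale's code; nothing on the page gives their implementation): each 512-byte sector carried in an FC data frame is encrypted under LRW with a tweak derived from the second key and the sector's block number, SoF, header and EoF stay in the clear, and the CRC is recomputed. Assumed rather than taken from the page: the GF(2^128) bit convention, the numbering of 16-byte cipher blocks, CRC-32/IEEE as a stand-in for the Fibre Channel CRC, and the constructed keys and frame.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Frame layout from slide 13: SoF (4) | FC header (24) | payload (n x 512) | CRC (4) | EoF (4).
const sofLen, hdrLen, crcLen, eofLen, sectorSize = 4, 24, 4, 4, 512

// gfMul multiplies in GF(2^128) mod x^128+x^7+x^2+x+1; elements are 16-byte big-endian
// integers whose bit of weight 2^i is the coefficient of x^i (assumed convention, not the draft's).
func gfMul(a, b [16]byte) [16]byte {
	var z [16]byte
	for i := 0; i < 128; i++ { // z += a*x^i for every set bit i of b
		if (b[15-i/8]>>uint(i%8))&1 == 1 {
			for j := range z {
				z[j] ^= a[j]
			}
		}
		carry := a[0] >> 7 // a *= x, reducing x^128 to x^7+x^2+x+1 (0x87)
		for j := 0; j < 15; j++ {
			a[j] = a[j]<<1 | a[j+1]>>7
		}
		a[15] = a[15]<<1 ^ carry*0x87
	}
	return z
}

// LRW: C = E_K1(P xor T) xor T with T = K2 * i in GF(2^128), i being the index of the
// 16-byte cipher block on the disk (slide 19: tweak from the 2nd disk key and block number).
type LRW struct {
	k1 cipher.Block
	k2 [16]byte
}

// NewLRW takes a 16/24/32-byte AES key k1 and a 16-byte tweak key k2.
func NewLRW(k1, k2 []byte) (*LRW, error) {
	blk, err := aes.NewCipher(k1)
	if err != nil || len(k2) != 16 {
		return nil, errors.New("bad key sizes")
	}
	l := &LRW{k1: blk}
	copy(l.k2[:], k2)
	return l, nil
}

// xex applies one tweaked block operation in place on blk[:16].
func (l *LRW) xex(blk []byte, index uint64, decrypt bool) {
	var i [16]byte
	binary.BigEndian.PutUint64(i[8:], index)
	t := gfMul(l.k2, i)
	for j := range t {
		blk[j] ^= t[j]
	}
	if decrypt {
		l.k1.Decrypt(blk, blk)
	} else {
		l.k1.Encrypt(blk, blk)
	}
	for j := range t {
		blk[j] ^= t[j]
	}
}

// TransformPayload encrypts (or decrypts) only the 512-byte sectors in the payload of an FC
// data frame, leaves SoF, header and EoF clear and recomputes the CRC over header+payload
// (slide 13's "modified CRC"). lba addresses the first sector. CRC-32/IEEE stands in for
// the FC CRC (same polynomial; the FC bit-order conventions are assumed, not verified here).
func TransformPayload(l *LRW, frame []byte, lba uint64, decrypt bool) error {
	end := len(frame) - crcLen - eofLen
	if end < sofLen+hdrLen || (end-sofLen-hdrLen)%sectorSize != 0 {
		return errors.New("frame is not SoF | header | whole sectors | CRC | EoF")
	}
	payload := frame[sofLen+hdrLen : end]
	for s := 0; s < len(payload)/sectorSize; s++ {
		for j := 0; j < sectorSize/16; j++ {
			// Disk-wide cipher-block index; index 0 would give T = 0 (untweaked), so start at 1.
			idx := (lba+uint64(s))*(sectorSize/16) + uint64(j) + 1
			l.xex(payload[s*sectorSize+j*16:][:16], idx, decrypt)
		}
	}
	binary.BigEndian.PutUint32(frame[end:], crc32.ChecksumIEEE(frame[sofLen:end]))
	return nil
}

// BuildFrame wraps a payload in a constructed SoF, zero header, empty CRC slot and EoF
// (an offline stand-in for a frame taken off the wire).
func BuildFrame(payload []byte) []byte {
	f := append([]byte("SOF!"), make([]byte, hdrLen)...)
	f = append(f, payload...)
	return append(append(f, 0, 0, 0, 0), "EOF!"...)
}

func main() {
	l, err := NewLRW([]byte("0123456789abcdef0123456789abcdef"), []byte("second-disk-key!")) // constructed keys
	if err != nil {
		panic(err)
	}
	frame := BuildFrame(make([]byte, 2*sectorSize)) // two identical zero sectors at LBA 1000
	if err := TransformPayload(l, frame, 1000, false); err != nil {
		panic(err)
	}
	p := frame[sofLen+hdrLen : len(frame)-crcLen-eofLen]
	fmt.Printf("header clear: %x\nsectors differ: %v\n", frame[sofLen:sofLen+hdrLen], !bytes.Equal(p[:sectorSize], p[sectorSize:]))
}
```

The two all-zero sectors encrypt to different ciphertext because the tweak changes with the block number, which is what a narrow-block mode buys over plain ECB while still keeping each 16-byte block independently addressable. Note what it does not buy: the header is authentic only as far as the switch fabric makes it so, and LRW provides no integrity on the payload, so a modified ciphertext block decrypts to garbage rather than to an error.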

Slide 20: Modes of Operation - GCM, Proposed for Tape-Based Storage
Galois/Counter Mode: header, sequence and clear-text block of data -> GCM encryption -> header, sequence, encrypted block of data, ICV.
The ICV is the cryptographic authentication information for the block. Header and sequence stay in the clear but are covered by the ICV (GCM's additional authenticated data), so a block cannot be silently altered or reordered.
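Slides 15 and 20 together, as one added example in Go (not NeoScale's on-tape format or code): a 32-byte header, a GCM-encrypted data block and a 32-byte trailer carrying the ICV, with the header passed as GCM additional authenticated data and a pass-through path for legacy records. The field layout inside the header and trailer, the `CSTB` marker, the per-record legacy check and the constructed keys and data are assumptions; the page gives only the sizes and the pass-through rule.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Sizes are from slide 15; the field layout inside header and trailer is this example's
// assumption (the page gives only the sizes):
//   header : marker(4) | sequence(8) | plaintext length(4) | GCM nonce(12) | zero(4)
//   trailer: ICV, i.e. the GCM tag(16) | zero(16)
const LabelSize, HeaderSize, TrailerSize, tagSize = 1024, 32, 32, 16

var marker = []byte("CSTB") // constructed marker, not NeoScale's real on-tape value

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// SealBlock returns header | ciphertext | trailer for one block. The header is GCM additional
// authenticated data, so the ICV also covers sequence and length: a block that is swapped,
// truncated or moved fails verification, not only one whose data bytes changed. The nonce is
// random here; a deployment would derive it from a counter so (key, nonce) can never repeat.
func SealBlock(key []byte, seq uint64, data []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, HeaderSize)
	copy(hdr, marker)
	binary.BigEndian.PutUint64(hdr[4:12], seq)
	binary.BigEndian.PutUint32(hdr[12:16], uint32(len(data)))
	if _, err := rand.Read(hdr[16:28]); err != nil {
		return nil, err
	}
	ct := g.Seal(nil, hdr[16:28], data, hdr) // ciphertext || 16-byte tag
	rec := append(append([]byte{}, hdr...), ct[:len(data)]...)
	trailer := make([]byte, TrailerSize)
	copy(trailer, ct[len(data):]) // ICV in the first 16 bytes of the trailer
	return append(rec, trailer...), nil
}

// OpenBlock verifies the ICV and returns the plaintext; any change to header, data or ICV,
// or a block read out of sequence, is an error.
func OpenBlock(key, rec []byte, wantSeq uint64) ([]byte, error) {
	if len(rec) < HeaderSize+TrailerSize || !bytes.Equal(rec[:4], marker) {
		return nil, errors.New("not an encrypted block")
	}
	hdr := rec[:HeaderSize]
	n := int(binary.BigEndian.Uint32(hdr[12:16]))
	if binary.BigEndian.Uint64(hdr[4:12]) != wantSeq || len(rec) != HeaderSize+n+TrailerSize {
		return nil, errors.New("sequence or length mismatch")
	}
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ct := append(append([]byte{}, rec[HeaderSize:HeaderSize+n]...), rec[HeaderSize+n:HeaderSize+n+tagSize]...)
	if pt, err := g.Open(nil, hdr[16:28], ct, hdr); err == nil {
		return pt, nil
	}
	return nil, errors.New("ICV check failed: block modified or sealed under another key")
}

// ReadRecord applies slide 15's legacy rule: a record without the marker is unencrypted
// legacy tape data and is passed through untouched. The bool reports whether it was decrypted.
func ReadRecord(key, rec []byte, wantSeq uint64) ([]byte, bool, error) {
	if len(rec) < len(marker) || !bytes.Equal(rec[:len(marker)], marker) {
		return rec, false, nil
	}
	pt, err := OpenBlock(key, rec, wantSeq)
	return pt, true, err
}

func main() {
	poolKey := []byte("pool-key-for-this-tape-pool-0001")                 // constructed 256-bit key
	label, _ := SealBlock(poolKey, 0, make([]byte, LabelSize))            // slide 15: label sealed with the pool key
	rec, _ := SealBlock(poolKey, 1, []byte("backup data block"))
	pt, enc, err := ReadRecord(poolKey, rec, 1)
	fmt.Printf("label on tape: %d bytes; block: decrypted=%v err=%v data=%q\n", len(label), enc, err, pt)
	rec[HeaderSize] ^= 1 // flip one data bit
	_, _, err = ReadRecord(poolKey, rec, 1)
	fmt.Println("after tampering:", err)
	legacy, enc, _ := ReadRecord(poolKey, []byte("plain legacy record"), 1)
	fmt.Printf("legacy record: %q passed through (decrypted=%v)\n", legacy, enc)
}
```

Checking the sequence number against what the reader expects is what turns the ICV from "this block is intact" into "this is the block that belongs here"; without it a valid block from elsewhere on the tape could be spliced in. The legacy pass-through is the one place where the appliance trusts unauthenticated input by design, which is worth remembering when an encrypted tape is expected and a plaintext one arrives.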

Slide 21 (section): Key Management - The Real Problem to Resolve

Slide 22: Key Management Objectives
Key repository:
- Must be capable of storing keys for an indefinite period of time
- A lot of problems were discovered with the advent of PKI
Security:
- Access to keying material is paramount in any key management scheme
- Transport and use of the keys must be properly maintained
Types of keys: public or private? Which is best for application? File? Disk? Tape? Link?
Building a key management architecture that scales from a single device to enterprise-wide storage security is critical.

Slide 23: Distributed Configuration - System Backup and Tape Recovery
Diagram: Site A and Site B, each with a backup server, a CryptoStor (CS) Tape appliance and a tape library, joined over an IP network into one cluster.
Key management:
- Dynamic key catalog updates across all cluster members, across locations
- Backup of the system key to smart card(s)
CryptoStor recovery:
- Execute the recovery script
- Restore the system key from the smart card(s)
- Obtain policies and import the key catalog from the cluster
Tape recovery: automatic via any clustered appliance at either location

Slide 24: Disaster Site - System Backup and Tape Recovery
Diagram: Site 1 through Site n, each with a CS Tape appliance and a tape library; a key repository at a third-party disaster site; all connected over an IP network.
Key management:
- Automatic periodic backup of encrypted key catalogs to the key repository
- Backup of the system key to smart card(s) at each site
CryptoStor recovery site:
- Execute the recovery script
- Restore the system key from the smart card(s)
- Import the key catalog from the key repository
Tape recovery: fully automated solutions make this business as usual for DR.
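The recovery flow on slides 23 and 24, as an added example in Go (not NeoScale's code): the key catalog is wrapped under the system key before it goes to the key repository, the system key is split across smart cards so that any three of five rebuild it, and a recovery attempted with too few cards is refused rather than producing a catalog of wrong keys. The threshold scheme (Shamir's secret sharing over GF(2^8)) is an assumption: the page says only that the system key is backed up to smart card(s). The catalog contents and keys are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// gfMul multiplies in GF(2^8) with the AES polynomial x^8+x^4+x^3+x+1.
func gfMul(a, b byte) (p byte) {
	for ; b != 0; b >>= 1 {
		if b&1 == 1 {
			p ^= a
		}
		a = a<<1 ^ 0x1b*(a>>7) // a *= x, reduced if the top bit fell off
	}
	return p
}

func gfInv(a byte) byte { // a^254 == a^-1 in GF(2^8) for a != 0
	r := byte(1)
	for i := 0; i < 254; i++ {
		r = gfMul(r, a)
	}
	return r
}

// SplitKey produces n shares of which any k rebuild the key (Shamir over GF(2^8), one random
// polynomial per key byte). Share i is its x coordinate followed by one y byte per key byte.
func SplitKey(key []byte, n, k int) ([][]byte, error) {
	if k < 2 || n < k || n > 255 {
		return nil, fmt.Errorf("need 2 <= k <= n <= 255, got k=%d n=%d", k, n)
	}
	shares := make([][]byte, n)
	for i := range shares {
		shares[i] = make([]byte, 1+len(key))
		shares[i][0] = byte(i + 1) // x = 0 would be the secret itself, so it is never used
	}
	coef := make([]byte, k)
	for pos, secret := range key {
		coef[0] = secret
		rand.Read(coef[1:]) // crypto/rand: fresh random coefficients for every key byte
		for _, s := range shares {
			var y byte
			for d := k - 1; d >= 0; d-- { // Horner evaluation at x = s[0]
				y = gfMul(y, s[0]) ^ coef[d]
			}
			s[1+pos] = y
		}
	}
	return shares, nil
}

// CombineKey interpolates at x = 0. Fewer than k shares yield a wrong key with no
// indication; the catalog's GCM tag is what catches that at the recovery site.
func CombineKey(shares [][]byte) []byte {
	key := make([]byte, len(shares[0])-1)
	for i, si := range shares {
		l := byte(1) // Lagrange basis l_i(0) = prod_{j != i} x_j / (x_i - x_j)
		for j, sj := range shares {
			if i != j {
				l = gfMul(l, gfMul(sj[0], gfInv(si[0]^sj[0])))
			}
		}
		for pos := range key {
			key[pos] ^= gfMul(si[1+pos], l)
		}
	}
	return key
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// WrapCatalog encrypts the key catalog under the system key (nonce || ciphertext || tag)
// for the copy pushed to the key repository.
func WrapCatalog(systemKey, catalog []byte) ([]byte, error) {
	g, err := newGCM(systemKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce)
	return g.Seal(nonce, nonce, catalog, nil), nil
}

// RecoverCatalog is the recovery-site step: rebuild the system key from the cards presented
// and open the catalog. A wrong or partial key fails the tag check rather than yielding junk.
func RecoverCatalog(cards [][]byte, wrapped []byte) ([]byte, error) {
	g, err := newGCM(CombineKey(cards))
	if err != nil || len(wrapped) < g.NonceSize() {
		return nil, fmt.Errorf("cannot recover catalog: %v", err)
	}
	return g.Open(nil, wrapped[:g.NonceSize()], wrapped[g.NonceSize():], nil)
}

func main() {
	key := make([]byte, 32)
	rand.Read(key)                                                        // constructed system key
	wrapped, _ := WrapCatalog(key, []byte("pool-A:key1\npool-B:key2\n")) // constructed catalog
	cards, _ := SplitKey(key, 5, 3)                                       // five smart cards, any three rebuild the key
	_, err := RecoverCatalog(cards[:2], wrapped)
	pt, _ := RecoverCatalog(cards[1:4], wrapped)
	fmt.Printf("two cards: %v\nthree cards: %q\n", err, pt)
}
```

Two points follow from the design. A 3-of-5 split means the loss of any two cards (or any two custodians being unavailable at the DR site) does not block recovery, while any two cards alone reveal nothing about the system key; the threshold is a policy choice, not a cryptographic one. And because the catalog in the repository is authenticated as well as encrypted, the repository itself can be operated by a third party, as on slide 24, without being able to read or silently alter the keys it holds.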

Slide 25 (section): Customer Solutions - Examples of Storage Security

Slide 26: University of Texas - HIPAA Compliance
Architecture: file/print server, MS Exchange cluster and database cluster -> Brocade switches -> CryptoStor FC (clustered) -> Compaq EVA disk array (with multipath); CryptoStor Tape (clustered) -> StorageTek L700 tape library.
- Demonstrates reasonable and accepted due diligence for HIPAA compliance
- Operational impact: minimized impact on day-to-day operations
- Cost savings: greatly reduced back-end PHI data classification and management costs

Slide 27: Customer Architecture - Corporate Payments Company (HIPAA, GLBA and SOX compliance)
Diagram: event processor server, controller, master admin server, monitor server and SQL Servers on Dell servers -> McData switches (ISL to form a single fabric) -> CryptoStor FC (clustered via a dedicated out-of-band IP connection) -> Dell/EMC CX500, 500 GB; CryptoStor Tape -> Dell Fibre Channel tape library.

Slide 28: Transend Business Services - Storage Security
- Encrypts each customer's data individually
- Shares one array between multiple customers, with dedicated encryption: one appliance per customer, multiple keys per customer
- Cost savings for Transend: reduced costs by purchasing a single array (short-term cost savings and long-term operational savings)
- Customers can control their own keys or have Transend provide key management
- Removed a final hurdle in the financial service provider model where shared storage is involved
- Reduced liability from $1,000,000 to $100,000 per incident for one customer
Diagram: Customer 1, Customer 2 ... Customer n, each connected over IP LAN & VPN across the WAN to its own appliance in front of the shared array.

Slide 29: Global ISP - Backup Security
- Multiple privacy laws in multiple countries; tapes need to be shipped between multiple sites, including Russia, Japan, Switzerland and the U.S.
- Backup/recovery via CryptoStor for Tape
- Redundancy for backups provided by primary and secondary backup servers, each with its own CryptoStor Tape (clustered)
Diagram: data backup application server and disk array -> SAN switch -> backup server 1 and backup server 2 -> CryptoStor Tapes (clustered) -> tape library with 4 LTO-2 drives.

Slide 30: NeoScale Storage Security Solutions
- Secure primary storage (data center arrays, servers, NAS, SAN): host access control, secure data partitioning, storage behind a NAS head
- Secure tape backup (tape, vaulting services): lost/stolen media, data manipulation
- Secure SAN extension (MAN, remote locations): eavesdropping, data manipulation