2010 Storage Developer Conference. Insert Your Company Name. All Rights Reserved.
Designing Secure Storage for the Cloud
Jesus Molina, Fujitsu Laboratories of America
Introduction
• Trusted Computing and Cloud
• Overview of Trusted Computing
• CSA guidelines and TCG standards
• Trusted Storage WG
• Practical Applications
• Other Working Groups
Trusted Computing and Cloud
TRUST
So what is the root problem of cloud security?
In the cloud you can't verify the Trusted Computing Base directly.
TCG standards and cloud
VERIFY THEN TRUST  or  JUST TRUST
In the cloud you can:
• Standards
• Certification
• Technology
• Lawyers
Introduction to TCG
TCG: Standards for Trusted Systems
• Mobile Phones
• Authentication
• Storage
• Applications: Software Stack, Operating Systems, Web Services, Authentication, Data Protection
• Infrastructure
• Servers
• Desktops & Notebooks
• Security Hardware
• Network Security
• Printers & Hardcopy
• Virtualized Platform
Trusted Clients
Security Built In: Trusted Platform Module (TPM), Mobile Trusted Module (MTM)
Features: Authentication, Encryption, Attestation
Trusted Servers
Security Built In: Trusted Platform Module (TPM), Secure Virtualization, Secure Cloud
Features: Authentication, Encryption, Attestation
Trusted Storage
Security Built In: Self Encrypting Drive (SED)
Features: Encryption, Authentication
Trusted Networks
Security Built In & Coordinated: Trusted Network Connect (TNC)
Features: Authenticate, Health Check, Behavior Monitor, Enforce
CSA Guidelines and TCG
CSA Domain (Number) and Type: Examples of TCG technology
• (2) Governance/Risk Management: Decrease risk exposure
• (3) Legal and Electronic Discovery: Data Recovery and Encryption
• (4) Compliance and Audit: Server Attestation
• (5) Information Lifecycle Management: Safe Data Retirement
• (6) Portability and Interoperability: Metadata Access Policy
• (7) Traditional Security: Network Access Control
• (8) Incident Response: Coordinated Security
• (11) Encryption / Key Management: SED, Hardware Key Storage
• (12) Identity / Access Management: Hardware Token Authentication
• (13) Virtualization: Trusted Multitenancy
Trusted Storage Working Group
TRUSTED STORAGE: Implementation Overview
[Figure: a TRUSTED SED CHIP containing a Security Provider (SP). The ISV application on the host talks to it over ATA or SCSI using Trusted Send and Receive container commands (TCG/T10/T13). The drive's controller storage holds hidden storage and firmware, with firmware/hardware enhancements for security and cryptography. Enterprise support and Security Providers assign hidden memory to applications.]
• (Partitioned) Hidden Memory
• Security firmware/hardware
• Trusted Send/Receive Commands
• Assign Hidden Memory to Applications
Trusted Storage with Trusted Platform
[Figure: a Trusted Platform (TPM) and Trusted Storage linked by secure communications; on either side the Root of Trust or a Trusted Element]
Life Cycle: Manufacture, Own, Enroll, PowerUp, Connect, Use, …
SPs (Security Providers)
Logical Groupings of Features: SP = Tables + Methods + Access Controls
• Tables: like “registers”, primitive storage and control
• Methods: Get, Set. Commands kept simple with many possible functions
• Access Control over Methods on Tables
TCG Storage WG Core Specification
TCG Storage: Document Structure
• General Documents: Core Spec, Interface
• Specific Documents (SSC = Security Subsystem Class): PC SSC (OPAL), Enterprise SSC, Optical SSC
• Auxiliary Documents: Compliance and Security Evaluation
[Figure legend: PUBLISHED / IN PROCESS]
Authentication in the Drive
[Figure: the Storage Server presents the AK to the HDD, which holds the Hashed AK, the Encrypted DEK and the Encrypted User Data]
• AK = Authentication Key; DEK = Data Encryption Key
• Hash AK. Correct AK?
• No: drive responds to no read or write requests
• Yes: unlock. The clear AK decrypts the DEK; the DEK encrypts and decrypts user data (clear data)
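The following Python model is an added example, not code from the slides or from any TCG specification. It ties together the two preceding slides: an SP as tables, Get/Set methods and an access-control list, and the hashed-AK / encrypted-DEK unlock flow shown in the figure. The table layout and the names C_PIN, K_AES, Locking, Admin1 and Anybody are assumptions chosen for illustration, the key-encryption key is simply derived from the clear AK, and an HMAC-SHA256 keystream stands in for the drive's AES engine so the example runs on the standard library alone. The crypto_erase method goes one step beyond the figure and shows why replacing the DEK retires the media without overwriting it.

```python
import hashlib
import hmac
import secrets

# Added example: toy model of one Security Provider on a self-encrypting drive.
# Names and layout are assumptions, not the TCG Core Specification object model.
PBKDF2_ROUNDS = 50_000


def _keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR data with an HMAC-SHA256 keystream (stand-in for the drive's AES engine)."""
    out = bytearray()
    counter = 0
    while len(out) < len(data):
        out.extend(hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest())
        counter += 1
    return bytes(a ^ b for a, b in zip(data, out))


def _hash_ak(ak: bytes, salt: bytes) -> bytes:
    """The drive stores only a salted hash of the authentication key (AK)."""
    return hashlib.pbkdf2_hmac("sha256", ak, salt, PBKDF2_ROUNDS)


def _kek(ak: bytes) -> bytes:
    """Key-encryption key derived from the clear AK; it decrypts the stored DEK (assumption)."""
    return hashlib.sha256(b"kek:" + ak).digest()


class LockingSP:
    """Tables hold state, methods (Get/Set) read and write it, an ACL gates each method."""

    def __init__(self, admin_ak: bytes):
        salt = secrets.token_bytes(16)
        dek = secrets.token_bytes(32)  # generated inside the drive, never exported in clear
        self.tables = {
            "C_PIN": {"Admin1": {"Salt": salt, "HashedAK": _hash_ak(admin_ak, salt)}},
            "K_AES": {"EncryptedDEK": _keystream_xor(_kek(admin_ak), b"dek", dek)},
            "Locking": {"ReadLocked": True, "WriteLocked": True},
        }
        # (table, method) -> authorities allowed to invoke that method on that table
        self.acl = {
            ("Locking", "Get"): {"Anybody", "Admin1"},
            ("Locking", "Set"): {"Admin1"},
            ("C_PIN", "Get"): set(),   # the hashed AK is never readable from the host
            ("K_AES", "Get"): set(),   # the DEK leaves its table only through unlock
        }
        self.authenticated = {"Anybody"}
        self._session_dek = None      # None while locked, e.g. right after power-up
        self._media = {}              # LBA -> ciphertext as it sits on the platters

    def _check(self, table: str, method: str) -> None:
        if not (self.acl.get((table, method), set()) & self.authenticated):
            raise PermissionError(f"{method} on {table} denied for {sorted(self.authenticated)}")

    def get(self, table: str, column: str):
        self._check(table, "Get")
        return self.tables[table][column]

    def set(self, table: str, column: str, value) -> None:
        self._check(table, "Set")
        self.tables[table][column] = value

    def authenticate(self, authority: str, ak: bytes) -> bool:
        """Hash the presented AK and compare in constant time; on success recover the DEK."""
        row = self.tables["C_PIN"][authority]
        if not hmac.compare_digest(_hash_ak(ak, row["Salt"]), row["HashedAK"]):
            return False
        self.authenticated.add(authority)
        self._session_dek = _keystream_xor(_kek(ak), b"dek", self.tables["K_AES"]["EncryptedDEK"])
        return True

    def unlock(self, ak: bytes) -> bool:
        """Wrong AK: the drive keeps refusing reads and writes. Right AK: range unlocked."""
        if not self.authenticate("Admin1", ak):
            return False
        self.set("Locking", "ReadLocked", False)
        self.set("Locking", "WriteLocked", False)
        return True

    def power_cycle(self) -> None:
        """Power off = locked and encrypted: session state and the clear DEK are gone."""
        self.authenticated = {"Anybody"}
        self._session_dek = None
        self.tables["Locking"].update(ReadLocked=True, WriteLocked=True)

    def write(self, lba: int, data: bytes) -> None:
        if self.get("Locking", "WriteLocked"):
            raise PermissionError("write locked")
        self._media[lba] = _keystream_xor(self._session_dek, lba.to_bytes(8, "big"), data)

    def read(self, lba: int) -> bytes:
        if self.get("Locking", "ReadLocked"):
            raise PermissionError("read locked")
        return _keystream_xor(self._session_dek, lba.to_bytes(8, "big"), self._media[lba])

    def crypto_erase(self, ak: bytes) -> bool:
        """Safe data retirement: replace the DEK, so old ciphertext on the media is unrecoverable."""
        if not self.authenticate("Admin1", ak):
            return False
        new_dek = secrets.token_bytes(32)
        self.tables["K_AES"]["EncryptedDEK"] = _keystream_xor(_kek(ak), b"dek", new_dek)
        self.power_cycle()
        return True
```

The ACL is what makes this an SP rather than a plain key store: the host may Get the Locking table at any time, but Set requires the Admin1 authority, which is only added to the session after the hashed-AK comparison succeeds, and neither the hashed AK nor the DEK is readable through Get at all. After crypto_erase the old sectors are still physically on the media, but decrypting them with the new DEK yields noise, which is the property the retirement slides rely on.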
Practical Applications
How the Drive Retirement Process Works
[Figure: Retire Drive (Replace, Repair, Repurpose) → Queue in secure area → Remove ALL drives, send even “dead” drives through → Transport offsite → Queue in secure area → SECURE?]
People make mistakes
• which lost a tape with 150,000 Social Security numbers stored at an Iron Mountain warehouse, October 2007 [1]
• “Because of the volume of information we handle and the fact people are involved, we have occasionally made mistakes.”
• 99% of Shuttle Columbia's hard drive data recovered from crash site: data recovery specialists at Kroll Ontrack Inc. retrieved 99% of the information stored on the charred Seagate hard drive's platters over a two day period. May 7, 2008 (Computerworld)
Retirement Options
• Shredding is environmentally hazardous
• Not always as secure as shredding, but more fun
• Hard to ensure degauss strength matched drive type
• Overwriting takes days and there is no notification of completion from drive
1. http://www.usatoday.com/tech/news/computersecurity/2008-01-18-penney-data-breach_
Drive Retirement is:
• Expensive
• Time-consuming
• Error-prone
Drive Retirement: Self-Encrypting Drives
[Figure: the same retirement flow (Retire Drive: Replace, Repair, Repurpose → Queue in secure area → Remove ALL drives, send even “dead” drives through → Transport offsite → Queue in secure area), now with Self-Encrypting Drives → SECURE]
• Reduces IT operating expense
• Eliminates the need to overwrite or destroy drive
• Secures warranty and expired lease returns
• Enables drives to be repurposed securely
• Provides safe harbor for most data privacy laws
Power Off = Locked and Encrypted = Secure
Other Working Groups
Should you care?
• Storing data in the cloud is more than hardware storage: where does the data reside? How do you handle information dispersal? Can you verify the hardware?
• Remote integrity is also of importance: is your data being erased? If so, when, how and utilizing what method? How do you make sure your data is not corrupted?
Securing Multitenant Platforms Using TCG
Some goals
• Protection of processing and information in motion and at rest
• Ability to share physical platforms among tenant domain components (shared services)
• Visibility and auditability of actions
• Management of physical resources independently of domain resources
• Loosely coupled architecture managed using application of appropriate policy and trust
• Ability to control the flow of information between tenant domains within policy constraints
• Ability to address various security models to protect integrity and confidentiality of services and data exchanges within the enterprise
Relevant Working Groups
• Virtualization work group (virtual certificates, virtual TPM, migration)
• Trusted Network Connect (policy definitions and enforcement)
• Storage work group (multilevel storage)
• TPM work group (Server Attestation)
Support Slides
[Figure: a Virtual Machine Monitor hosting several VMs, with a hardware TPM and a virtual TPM (vTPM), Multilevel Storage, and NAC / IF-MAP]