Date post: 11-May-2018

© Copyright 2008 EMC Corporation. All rights reserved.

Storage Media Encryption and Enterprise Key Management

Imran Arfick, Cisco Systems & Gene Lee, RSA

© 2007 Cisco Systems, Inc. All rights reserved. Cisco and EMC Confidential © Copyright 2007 EMC Corporation.

Agenda

Information Security
– Business Challenges
– Requirements
– Encryption Challenges

Cisco Storage Media Encryption
– Platform and Solution Overview
– Integration, Scalability and HA
– Provisioning and Competitive Comparison

RSA Key Manager for the Datacenter
– Long Term Planning for Key Management
– Meeting the needs of the Enterprise
– RSA Key Manager Deployed in the Enterprise

Summary


Information Isn’t Adequately Secure

EVOLVING SECURITY THREATS

Perimeter-Centric Security
– Goal: Build and protect perimeters
– Tools: VPNs, firewalls, IDS/IPS, anti-malware, endpoint protection

IS YOUR INFORMATION PROTECTED?

“Despite massive investment in security technology and services fewer than one in five companies feel that all their data is adequately protected.”

— Enterprise Strategy Group

According to IDC, security products and services spending will reach almost $50 billion in 2008

No: 82%

Yes: 18%

Sources: Enterprise Strategy Group: "Protecting Confidential Data," March 2006; and IDC: “Worldwide IT Security Software, Hardware, and Services 2007–2011 Forecast: The Big Picture," Doc. #210018, December 2007


EMC STRATEGY

Information-Centric Security
– Goal: Manage and protect information
– Tools: Identity and access management, data encryption, rights management, anti-fraud, security information management


EMC’s Comprehensive Product Security Policy

Spans across EMC’s entire storage product portfolio

EMC’s Product Security Policy: http://productsecurity.emc.com/comply/

80 Consistent Security Design Requirements
– Secure Product Architecture and Design
– Secure Product Development Processes
– Security Testing and Assurance
– Secure Serviceability

[Figure: EMC storage product portfolio: CLARiiON (CX3 UltraScale Series, AX4); Invista; EMC Centera (Gen 4 LP Node); Symmetrix (DMX-4 and DMX-3, DMX-4 950); Celerra (NSX, NS80, NS20, NS40, NS40G, NS80G); Rainfinity; Connectrix; EMC Disk Library (DL4400, DL210, DL4000 series, DL6000 series)]


Data Encryption to Secure Information

Addresses compliance with industry regulations

– PCI, Sarbanes-Oxley (SOX), SB 1386, U.K.’s Data Protection Act (DPA), Directive 95/46/EC, internal requirements

Protects data in transit

– Electronic and physical movement of data for backup, disaster recovery, and maintenance

Limits exposure to security breaches

– Minimize risk of unauthorized access to sensitive information

Encryption protects data at rest from unauthorized access

Data Encryption Becoming an IT Requirement


Implementing Data Encryption

Encryption Challenges

Management complexity
– Cost and complexity associated with deploying and managing multiple encryption technologies and key managers

Scalability across the enterprise
– Many point solutions do not scale across application types or infrastructure elements

Service-level disruption
– Installing encryption technologies and appliances may require an outage

GETTING STARTED

Classify applications and develop appropriate protection policies and enforcement strategies

Deploy encryption technologies that can address enterprise requirements

Develop strategies to manage the lifecycle of encryption keys across the enterprise


EMC Storage Security Integration

PowerPath Encryption with RSA
– Enables data storage on disk arrays to be encrypted
– Integrates data-at-rest encryption with the industry-leading path management software

Cisco MDS Storage Media Encryption
– Enables data stored on open systems tape libraries and EMC Disk Library DL4000 series virtual tape libraries to be encrypted
– Protects information in the event of theft or loss of backup media (drives or tapes)
– Sold and serviced by EMC under the EMC Connectrix brand

RSA Key Manager for the Datacenter
– New server appliance to centrally administer policy-based encryption key management
– Simplifies the deployment and ongoing use of encryption

EMC Encryption Offerings for Data at Rest


Cisco SME - Hardware Platform

HIGH-PERFORMANCE INTEGRATED SOLUTION WITH MULTI-GIGABIT THROUGHPUT

Encrypts traffic from any port in fabric – Requires no rewiring

Mgmt: Cisco Fabric Manager w/Key Management Center

OS: Cisco MDS 9000 Family SAN-OS

MDS 9000 Modules: 18/4-Port Multiservices Module (MSM-18/4) (runs SME)

MDS 9000 Family Systems: MDS 9513, MDS 9509, MDS 9506, MDS 9216A, MDS 9216i, MDS 9222i (runs SME)


Cisco SME - Delivering Encryption as a SAN Service

1. Insert Cisco MPS-18/4 modules or MDS 9222i switches
2. Enable Cisco SME and set up encryption service
3. Provision encryption for specific storage devices

[Figure: the Storage Media Encryption Service on MDS 9500 Series and MDS 9200 Series switches turns a cleartext record (Name: XYZ, SSN: 1234567890, Amount: $123,456, Status: Gold) into ciphertext]


Cisco SME - Secure, Integrated Solution

Encrypts storage media (data at rest)
– Strong, Std. IEEE AES-256 encryption
– Integrates as transparent fabric service
– Handles traffic from any virtual SAN (VSAN) in fabric

Supports heterogeneous, SAN attached tape devices and virtual tape libraries

Includes secure key management
– Integrates with RSA Key Manager for enterprisewide, lifecycle key management

Compresses tape data

[Figure: a cleartext record (Name: XYZ, SSN: 1234567890, Amount: $123,456, Status: Gold) from the Application Server is encrypted in the fabric before reaching the Tape Devices and Virtual Tape Library; the Key Management Center (KMC) connects over TCP/IP]


Cisco SME - Scaleable, Highly Available

Integrates transparently in MDS fabrics

Dramatically reduces deployment time
– No SAN re-configuration or re-wiring to insert appliances
– Provisioning becomes a simple, logical process of selecting what to encrypt

Modular, clustered solution offers highly scaleable and reliable performance

Load balances automatically

Redirects traffic if a failure occurs

Provisions quickly with Cisco Fabric Manager wizards

[Figure: Media Servers connected through two MSM-18/4 modules to Tape Drives and VTLs]


Cisco SME - Rapid, Wizard Based Provisioning


Wizard 1 – Creating a cluster
– Selects encryption modules
– Defines key management policies
– Generates and stores master key

Wizard 2 – Adding a tape group
– Selects media servers
– Specifies devices to encrypt tape volumes on

Wizard 3 – Creating a volume group
– Defines a set of tape volumes sharing a common group key

Cisco SME is ready!


Comparison of Encryption Solutions

Solutions compared: Tape Devices, Cisco SME, SAN Appliance

Investment Protection for Storage Devices
– Tape Devices: No drive investment protection
– Cisco SME: Yes
– SAN Appliance: Yes

Large Scale Deployment
– Tape Devices: Medium – Install drives, upgrade backup app.
– Cisco SME: Easy – Insert modules, provision with wizards
– SAN Appliance: Hard – Rewire and reconfigure SAN

Advanced Security Certifications
– Tape Devices: No
– Cisco SME: FIPS 140-2 L2, CC EAL-3 compliant
– SAN Appliance: FIPS 140-2 L3

Consolidated Management
– Tape Devices: Medium – Backup app integration
– Cisco SME: High – SAN, security, key mgmt integration
– SAN Appliance: None – New key and appliance mgmt apps

Overall Solution Cost
– Tape Devices: Higher – New drives & media for max utility
– Cisco SME: Lower – Reuse drives & media, adds FC ports
– SAN Appliance: Medium – Encryption only, consumes ports


Long Term Planning for Key Management

Even before tape encryption, a survey by the Yankee Group and Sunbelt Software found that “40% of IT managers had been unable to recover data from a tape when they needed it.”

The loss, or even the unavailability, of the encryption key determines whether the IT organization can access the encrypted data stored on tape.

Planning an encryption strategy requires a plan for both the cryptographic engine and the lifetime management of the keys. The key needs to live as long as the data, and in some cases longer.

Since you entrust your tapes and disks to the highest levels of long-term protection, you should consider treating your keys the same way.


Planning out an Encryption Deployment

Phases: 1. Plan, 2. Build, 3. Manage, 4. Program Management and Quality Assurance

Activities shown:
– Define Security Requirements
– Assess Security Posture
– Evaluate Alternatives & Design Solution
– Conduct Solution Planning
– Test, Implement & Document Solution & Update Procedures
– Validate Solution & Transfer Knowledge
– Update Solution Support Processes
– Implement Monitoring & Reporting Mechanisms

Discover and Classify, Enforce, Report and Audit

Targeted Solutions based on well defined business, security, compliance and remediation requirements

Resolve and protect against known risks, while implementing controls to protect against further risks

Establish processes and technology for executing an on-going security and compliance program


Cisco SME + RKM for the Datacenter

Cisco SME

Basic Key Management
– Local Database for Key Storage
– Store Attributes with Key
– Store Key State

Clustering
– Clustering for Disaster Recovery
– Clustering for Failover

Add RKM for the Datacenter

Enterprise Scalability
– Supports Disk, Database, and Application Encryption
– Recommended by Cisco for Large Number of Keys
– Supports multiple encryption integrations, in and out of the SAN

Key Vaulting and Protection
– Key Vaulting for Long-Term Protection
– No Single Point of Failure

Enterprise Database for Key Store
– Database Resilience


How Data Moves in the Enterprise

[Figure: data flow across five layers: Endpoint, Network, Apps/DB, FS/CMS, Storage. Labels shown: Internal Employees, Remote Employees, Partners, LAN, WAN, WWW, Enterprise Applications, Business Analytics, Outsourced Dev., Production Database, Replica, Staging, File Server, Collaboration & Content Mgmt Systems, Disk Arrays, Backup System, Backup Disk, Backup Tape]


Summary: Leverage RKM for Enterprise Key Management Needs

Integrate RSA Key Management with SME to Provide Encryption and Lifecycle Key Management Across the Enterprise

Adding RKM to the Datacenter provides:
– Reduced cost of management
– Simple, scalable encryption key management across the IT stack
– Alignment of policies across data centers worldwide
– Prevention of risk due to lost or stolen media
– Savings in expense and disruption to your IT environment


Questions?
