EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions

Transcription

1 EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions Security and Encryption Overview What is encryption? What is the AES encryption standard? What is key management? Why is data encryption important to the data center? Where can data be protected on a Storage Area Network (SAN)? Why is it important to protect data in-flight? What is the trend in the use of data encryption? What are some of the regulations for data encryption? What is a defensible proof of encryption? What is software-based encryption? What are fabric-based encryption appliances? What are encrypting disk drives and arrays?... 3 EmulexSecure HBA Architecture What is the EmulexSecure HBA architecture? What are the business benefits of using the EmulexSecure HBA architecture? How does the EmulexSecure HBA architecture protect data? What type of encryption does the EmulexSecure HBA architecture support? How is the EmulexSecure HBA architecture implemented? How does EmulexSecure HBA architecture support key management? What is the relationship between the EmulexSecure HBA architecture and KMIP? How does the EmulexSecure HBA architecture work in a virtualized server environment? Will EmulexSecure HBA support be included in Emulex management applications? What are the key features and benefits of the EmulexSecure HBA architecture?... 5 Page 1 of /09

2 Security and Encryption Overview 1. What is encryption? Encryption secures information by converting data so that the original content is unreadable. Modern encryption methods use a standard algorithm (called a cipher) to convert data from unprotected plaintext to protected ciphertext. The key is a randomly generated value that is used to provide a unique transformation of plaintext to ciphertext. The original key must be used to decrypt the data so it can be read. 2. What is the AES encryption standard? The Advanced Encryption Standard (AES) describes encryption algorithms that have been adopted by the U.S. government and approved by the Federal Information Processing Standard (FIPS). AES supports keys sizes of 128, 192 and 256 bytes, with 256-byte keys providing the strongest encryption. 3. What is key management? Key management is the process that is used to create, distribute, store and authenticate encryption keys. Key management systems use policies to restrict key access to specific users and administrators. The key management system also provides secure key distribution, which is critical to ensuring security for encrypted data. 4. Why is data encryption important to the data center? There are several key business benefits that result from protecting data using encryption. These include: Regulation Compliance: There are over 10,000 regulations that require organizations to safeguard data and provide notification of every incident of disclosure. Organizations that don t comply can be subject to government fines and civil litigation. Reduce potential liability from a data breach: Since 2005, there have been 252 million records lost and identity theft has left over 15 million consumers victimized. The average cost of a breach is $6.6 million and each record compromised costs $202 according to the Ponemon Institute. The largest breach on record cost over $250 million. Reduce costs for disk disposal Since disk drives can contain sensitive data, many organizations use costly procedures to protect data on drives that are disposed or taken out of service. For example, IT administrators may not be able to return failed disk drives under warranty for repair or replacement. If not returned, new drives must be purchased at a cost of $1000 to $3500 per drive and the failed drives shredded, drilled, melted or otherwise made physically unreadable. If the data on the drive is properly encrypted with a protected key, it is considered to be unreadable. 5. Where can data be protected on a Storage Area Network (SAN)? The full SAN data path consists of a server, switch, storage (disk and tape) and connecting cabling. There are two primary locations where data can be protected with encryption. The first is in-flight, which refers to data that is in transit anywhere on the data path. The second is at-rest, which is data that is stored on disk or tape. 6. Why is it important to protect data in-flight? Surveys have reported that 68% of data breaches occur from inside the organization. Insiders have more opportunity to capture sensitive data at multiple points in the data path, so simply encrypting Page 2 of /09

3 data at the storage end-point may not be adequate. Host-based encryption protects data throughout the data path, both in-flight and at-rest. 7. What is the trend in the use of data encryption? An analysis of a recent IDC end user survey indicates that the amount of encrypted data should grow to 55% in the next three to five years, with 44% of those surveyed expecting to encrypt more than 75% of their data. 8. What are some of the regulations for data encryption? Sarbanes-Oxley This law was passed in response to widespread incidences of accounting scandals and corporate fraud with public corporations. Some of the provisions relate to providing assurances for the accuracy of data that is reported and made available to auditors. Other provisions include requirements for internal control reports and audit trails. Data encryption supports compliance by ensuring that access to data is strictly controlled and auditable. California AB 1386 and AB These laws are directed at state agencies and businesses that operate in California or collect information about California residents. The laws require notification to Californians if their personal information or medical records are disclosed by a security breach. Health Insurance Portability and Accountability Act (HIPPA) - HIPAA regulates the use and disclosure of information held by "covered entities," which includes health insurers, employersponsored health plans and medical service providers. It establishes regulations for the use and disclosure of Protected Health Information (PHI), which generally includes any part of an individual's medical record or payment history. Payment Card Industry (PCI) Data Security Standard The leading credit card companies aligned to adopt a standard that requires merchants to secure account numbers by encryption or truncation. Penalties and fines can be imposed if data is stolen. Department of Defense (DOD) - The DOD has extensive regulations that relate to access and control of classified information. 9. What is a defensible proof of encryption? A defensible proof of encryption must provide evidence to security auditors that confidential data has been encrypted using a secure key. This requires encryption logs for specific applications on both physical servers and virtual machines (VMs) running on virtualized servers. It also requires key management that protects keys as they re stored and transmitted in the network. Failing to meet these requirements can mitigate the benefit of implementing encryption. 10. What is software-based encryption? Software-based encryption is done by applications running on a server to protect data that is specific to the application. It is typically used for environments that encrypt relatively small amounts of data. Software-based encryption consumes significant CPU cycles, which slows applications and reduces consolidation ratios for virtualized servers. 11. What are fabric-based encryption appliances? Fabric-based encryption appliances are hardware solutions that are installed in the fabric network. There are basically two types of encryption appliances: single-port pair (one target and one initiator) and multiple-port pairs, such as an encrypting switch. Fabric-based encryption appliances protect data in-flight from the appliance to storage. There is no protection for data in-flight between a server and the appliance. 12. What are encrypting disk drives and arrays? Encrypting disk drives and arrays encrypt data as it s written to a disk. Encrypting drives and arrays protect data at-rest, but provide no protection for data in-flight. Encryption keys are embedded with the drive, which could be less secure than solutions that store the key in a different location. Page 3 of /09

4 EmulexSecure HBA Architecture 13. What is the EmulexSecure HBA architecture? The EmulexSecure Host Bus Adapter (HBA) architecture provides a new option for implementing data security. To support this architecture, Emulex is developing HBA products that do hardwarebased encryption of data as it leaves the server, protecting data in-flight on the storage network and when stored at-rest on disk and tape. Initial designs are based on 8Gb/s Fibre Channel PCI Express (PCIe) dual-port HBA technology. The EmulexSecure HBA architecture also includes application programming interfaces (APIs) for integration with key management solutions using the new Key Management Interface Protocol (KMIP). The first supported key management solution will be RSA Key Manager. RSA is a leading enterprise key management provider and other key management solutions will be supported in the future. 14. What are the business benefits of using the EmulexSecure HBA architecture? Data breaches are a growing concern for organizations worldwide. The risk is real and can affect organizations of any size, location or industry. Maximum protection is provided with a strong encryption solution that will secure data in-flight on the network and at-rest on disk and tape and with solutions that can prove that the right data was encrypted and the keys are safe. In addition to the open-ended cost of an actual security breach, organizations need to comply with a variety of regulatory requirements. Adapter-based encryption facilitates auditing and reporting to verify compliance. A host-based solution allows organizations to manage key access based on applications and/or user roles. In addition, keys never leave the data center, so there is no requirement to coordinate key management on hundreds or thousands of drives as with disk-based encryption. Encryption at-rest helps organizations with the problem of disk disposal. When there is a disk failure, unencrypted disks must be made unreadable prior to disposal. Disk drives that contain encrypted information and no key material ensure that disks can be easily disposed and failed disks can be returned for warranty replacement. 15. How does the EmulexSecure HBA architecture protect data? The EmulexSecure HBA architecture is a host-based solution, which protects data in-flight and at-rest with the lowest total cost of ownership when compared to other types of solutions. This has the effect of encryption-enabling the entire storage network. Data is encrypted once and remains encrypted wherever it goes - through the network, on storage and when mirrored or replicated. 16. What type of encryption does the EmulexSecure HBA architecture support? The EmulexSecure HBA architecture uses the Advanced Encryption Standard (AES), which has been ratified by the National Institute of Standards and Technology. It s the encryption solution of choice for solutions requiring a high degree of data security. The EmulexSecure HBA architecture supports AES with 256-bit keys, the strongest security option. There are several modes of AES encryption. The EmulexSecure HBA architecture supports both AES-256 CBC and AES-2x256 XTS. 17. How is the EmulexSecure HBA architecture implemented? The EmulexSecure HBA architecture is designed to be an in-stack transparent encryption solution. Once the keys and encryption policies are loaded, there is no operational difference for software above the driver and there is no impact to any storage network or storage device. Page 4 of /09

5 The solution consists of an enhanced HBA and driver that use a hardware-based crypto module which is seamlessly integrated into the Emulex software stack. Emulex has invented new techniques to encrypt data with no operational impact on the server or storage environment. The initial release is targeted to include Windows and Linux support, with additional operating systems to follow. 18. How does EmulexSecure HBA architecture support key management? The EmulexSecure HBA architecture includes APIs for integration into standard key management, credential management and authentication solutions. All keys are protected inside a FIPS protected security boundary. Encryption keys and host-based access control credentials are managed from the same location to improve security and simplify management. Communications with key managers are authenticated and secure. 19. What is the relationship between the EmulexSecure HBA architecture and KMIP? The Key Management Interoperability Protocol (KMIP) is a new standard that was announced on February 12, Emulex uses KMIP to integrate with RSA Key Manager and will work with other products that support the standard in the future. 20. How does the EmulexSecure HBA architecture work in a virtualized server environment? The EmulexSecure HBA architecture does hardware-assisted encryption which off-loads CPU cycles, allowing more VMs per server than a software-based encryption solution. Keys are managed per Logic Unit Number (LUN) so applications running on VMs can have unique encryption keys with granular control of access to data. EmulexSecure HBAs also support migration of VMs that have encrypted access to data. The EmulexSecure HBA architecture uses enterprise-wide key management that enables migration to any host that has an EmulexSecure HBA and is authorized to access keys for the VM s storage. Keys are automatically loaded before the VM is moved, ensuring no disruption in server availability and storage access. 21. Will EmulexSecure HBA support be included in Emulex management applications? EmulexSecure HBA management will be included in the OneCommand Management Framework that supports all Emulex host-based products. With the OneCommand Management Framework, IT organizations will be able to: Apply and track encryption policies across the infrastructure Provide audit information into the corporate logging system 22. What are the key features and benefits of the EmulexSecure HBA architecture? Highest level of protection, lowest cost Single lock to protect data in-flight and at-rest AES 256-bit strong encryption Capital costs 50% to 80% less than array or switch encryption Capital costs 50% to 90% less than software-based encryption on servers with high I/O workloads Optimized scalability and performance for server virtualization Hardware-assisted encryption Minimal impact on CPU performance Page 5 of /09

6 Support for secure virtual machine (VM) migration In-stack transparent security architecture No changes to the software stack above the EmulexSecure HBA drivers Protection for every adapter, switch and storage device in the network Open enterprise key management Support for KMIP standard API for integration with key management solutions Policy-based management allows key access to be managed by roles and applications Compliance-ready Facilitates defensible proof of encryption Safe transport and disposal of disks and tapes Page 6 of /09