Keep Your Data Secure: Fighting Back With Flash

Transcription

1 Keep Your Data Secure: Fighting Back With Flash CONTENTS: Executive Summary...1 Data Encryption: Ensuring Peace of Mind...2 Enhanced Encryption and Device Decommission in the Enterprise...3 Freeing Up IT Resources...4 The Micron Approach...4 Conclusion...5 Executive Summary For enterprises of any size, data at rest protection remains a critical concern. Currently, with more corporate reliance on mobility and the use of portable devices (laptops, tablets, etc.), the definition of a data storage endpoint goes well beyond a traditional desktop. Such security is increasingly important for all sections of an enterprise, from the personal laptops and portable devices that employees use, to storage devices in the data center. The situation is compounded by the fact that today s data center is comprised of recording media that had not been traditionally considered to be removable: hard drives, SSDs, other storage devices, even servers. All are becoming smaller in physical size, which is good for space and power efficiency, but adds portability, which can be a key concern. It s now easier than ever to lose sensitive business data. These are important reasons why encryption of both stationary data and data-on-the-go should be part of the overall security strategy for any large company. In addition, the growing need of information security to comply with a number of federal and industry regulations cannot be understated.

2 As corporate leaders adopt specific measures, they re benefiting from an important feature: the transition of the encryption workload from the CPU to the storage device. Security built into data storage hardware, such as a fully encrypted SSD, ensures a lack of performance degradation, compared to a similar SSD that does not encrypt data. In this white paper, we explore the benefits of hardware encryption for strengthening data security across the enterprise while freeing up IT to take on other important data center tasks. Data Encryption: Ensuring Peace of Mind As today s corporate workforce transitions from reliance on desktops to the increased flexibility of mobile computing, this very mobility threatens the safety of corporate data. Moreover, removable media and the increased portability of computers and storage devices have made data more vulnerable than ever to loss or theft. Firewalls, virus protection, security protocols, and software tools all offer key safeguards, but selfencrypting drives (SEDs) provide the last line of defense, protecting critical data stored at the endpoints. AES (Advanced Encryption Standard) 256-bit encryption built into the storage hardware is the gold standard for keeping sensitive corporate data locked down and secure. A Self Encrypting Drive (SED) means data is automatically encrypted and decrypted through an AES engine built directly into the SSD. Removing the encryption burden from the host computer, and moving the encryption workload off to the storage device, ensures that stored data receives the highest level of 256-bit encryption with absolutely no performance penalty. Moreover, verifiable protection protocols ensure that lost data is unreadable, no matter what happens to that device. It s important to note the SED by itself is not the complete solution in protecting data at rest. Also necessary is encryption management software, which provides the interface to the device to enable encryption and allows only authenticated access to the device. These software packages enable strong authentication to protect against unauthorized access to a lost device. In addition, such encryption tools provide advanced capabilities to ensure data remains safe, no matter where a device is located. Centralized password backup and corporate-level access and authentication represent two additional capabilities to protect data. Bringing such advanced features to market requires well-designed and widely accepted protocols and standards. As a globally recognized, not-for-profit organization, the Trusted Computing Group (TCG) is the body that brings these standards to the world. The goal of the TCG is to enhance the security of the computing environment in disparate computer platforms. TCG protocols for data storage devices can bring verifiable security to any business that stores sensitive data. Business-based content of all sorts can benefit, from employee-focused data and protected health information to corporate tax and financial records and reports. 2

3 The TCG maintains protocols that cover encryption and data protection across the full spectrum of computing environments, from endpoint and data processing to data transmission. However, the pertinent protocols specifically for data storage are the storage sub-system classes (SSC): TCG SSC Opal: This protocol refers to mobile computing performed using laptops and tablets as well as to aspects of desktop computing. It effectively secures data at rest for powered off or authentication-locked devices. The Opal protocol provides for pre-boot authentication, which enables authentication before the operating system boots, preventing any OS-level application from detecting or intercepting the authentication key or password. TCG SSC Enterprise: This data security standard refers to storage devices used in servers, enterprise main storage and data centers, and other enterprise-class applications. It ensures that data at rest is protected through encryption, even in the event that physical security measures in the data center fail, and a storage device or system goes missing. As in the Opal SSC, the encryption key is generated by the SSD and can never leave the drive. This is especially important in enterpriseclass computing, in that the resource-intensive key generation function is done automatically by the storage devices, alleviating a great burden from the IT team. The TCG Enterprise protocol enables enterprise-level security that is managed from a system console controlling a TCG Enterprise compliant RAID card or Host Bus Adapter (HBA). Although the TCG Opal and Enterprise specifications were created in parallel over the last several years, TCG Enterprise has been more recent in implementation. TCG Opal has been considered more critical because of the immediate importance to protect mobile computers. Enterprise encryption, in general, has been widespread, but much of that encryption has been done by the host computing system. The more recent introduction of SEDs within the enterprise represents a powerful and significant new storage security innovation. Enhanced Encryption and Device Decommission in the Enterprise As more end users rely on mobile computing, and as storage devices grow ever smaller, the risk of physically losing control of important data is obvious. Less obvious is the growing risk of losing control of data when a storage device is decommissioned. It s unfortunately common for data on devices from high-profile companies and government agencies to be inadequately deleted before the devices are disposed of, redeployed or even donated to charities like the local grade school. This lack of effective media sanitization has led to sensitive data being inadvertently released into the public domain. For traditional rotating media, such as hard disk drives, the accepted methods of data destruction can be both costly and slow. The process can even involve physically grinding or drilling holes through media, necessitating the purchase or lease of expensive equipment, or farming out hardware destruction to other firms. On the other hand, SSDs, and SEDs in particular, 3

4 enable data to be purged in a much more efficient, fast, and inexpensive method. many devices, or quickly encrypt a few, and then move on to other important tasks. Cryptographic erase of SSDs is a process that simply changes the encryption key on the drive. The system administrator, once authenticated, can issue a simple command to start a process where a random number generator on-board the SSD creates a new 256-bit encrypted key, and securely erases the old key. Once completed, literally in a matter of seconds, all the data on the drive is effectively unreadable. SSDs also provide the uniquely fast and efficient ability to securely erase or sanitize the drive, even if encryption is not available. While physically deleting the bits on a spinning hard drive can take many hours, for an SSD that process can be performed within minutes. This element of speed represents a key advantage of SSDs compared to traditional rotating devices. Crypto erase and the fast and easy sanitize process provide an enterprise with efficient and verifiable means to ensure that retired or redeployed devices don t take sensitive data with them. Freeing Up IT Resources SEDs, especially solid state SEDs, provide other advanced efficiencies when managing IT resources. On an SED, the encryption engine is always on, meaning that all the stored data is encrypted, regardless of whether authentication control has been enabled. This means that when these security features are enabled, there is no requirement for a long encryption process for data that has already been stored on the device. As a result, an IT department can rapidly image As mentioned previously, the TCG Opal protocols, which allow remote access to lost computers through a console in the IT office, further alleviates the IT burden. For example, an IT manager can locate a notebook anywhere in the world, gain access, and wipe the drive to ensure data stays protected, or lock authentication to the device, such that an intruder is effectively unable to access sensitive data. The Micron Approach Micron Technology allows TCG SSC Opal and TCG SSC Enterprise compliant SEDs to meet all the data protection and security requirements of today s data-centric enterprise. Micron provides the ability to protect data in the event of hardware loss or theft, and guards against the intrusions that can result from that loss. Micron s SEDs implement verifiable data protection methods, following protocols that allow customers to know for certain that their data is protected, both at rest and after device decommissions. Micron understands that sometimes these issues are so important that customers cannot simply rely on a company s assertion of effectiveness. For this reason, we have engaged third-party validation or our processes, ensuring that the supported Micron Sanitize commands, Sanitize Crypto Erase and Sanitize Block Erase, function as advertised. Micron has worked with Kroll Ontrack to achieve these certifications, gaining independent recognition from a well-known industry leader for Micron s encryption and sanitization methods and effectiveness. 4

5 Currently, the amount of data end users generate grows exponentially on a daily basis. Micron understands that the definition of a data storage endpoint goes well beyond a traditional computer or storage array. Micron is uniquely positioned to take advantage of the opportunity to offer comprehensive data at rest security with TCG encryption for client and enterprise SEDs. Conclusion When it comes to mobility in the enterprise, it s easy for a computer or storage device to move around, after hours or during business travel. More and more companies are recognizing the inherent risks of this mobility. The end users of data storage systems are searching for concrete steps they can take to secure their data storage and to gain peace of mind. These companies require assurance that their important, sensitive data moves through the world protected against loss or theft. But mobile computing is not the end of the story. Today, much more data is being stored in the cloud, whether public or private. This has led to much higher attention paid to enterprise encryption. The advantage of moving the encryption workload to the storage device is becoming increasingly evident. C-level executives and IT professionals have a clear choice: SED adoption satisfies regulations and standards compliance, lowers the TCO, increases IT efficiency, and secures data while preventing data breach due to lost or stolen devices. Micron is uniquely positioned to ease adoption with high-level expertise, advice, and support. To continue the conversation, contact us at SED@Micron.com or follow us at Micron Storage ( and Micron products are warranted only to meet Micron s production data sheet specifications. Products and specifications are subject to change without notice. 5 Micron and the Micron logo are trademarks of Micron Technology, Inc. TechTarget 2015