Thales e-security keyauthority Security-Hardened Appliance with IBM Tivoli Key Lifecycle Manager Support for IBM Storage Devices

Transcription

1 > Thales e-security keyauthority Security-Hardened Appliance with IBM Tivoli Key Lifecycle Manager Support for IBM Storage Devices WHITE PAPER November

2 TABLE OF CONTENTS THE CHANGING BUSINESS ENVIRONMENT FOR ENCRYPTION... 3 INTRODUCTION TO KEYAUTHORITY SOLUTION BENEFITS Reducing the risk of security breach Reducing the cost of encrypted storage Simple deployment and management Meeting audit and compliance requirements SUMMARY

3 THE CHANGING BUSINESS ENVIRONMENT FOR ENCRYPTION In the past few years, we have seen increasing legislation and industry regulation covering the protection of personal information privacy. In the US, more than 46 US states now have data breach notification laws. Moreover, new industry-specific mandates, such as the Health Information Technology for Economic and Clinical Health (HITECH) Act, add federal data breach notification for medical patients. The German Federal Data Protection Act, the EU Data Protection Act and initiatives from the Information Commissioner s Office in the UK add protections in Europe. More countries around the world have, or are considering, similar legislation. These laws typically state that organizations must encrypt data a nd/or notify residents if unencrypted personal data is exposed. The implication being that data encryption provides safe harbor from the law in the event of a security breach. But there is now an increasing shift in the way that legislators look at data protection; with a move away from simple notification that an event has happened, towards active protection of the data to start. Encryption is increasingly mandated, not optional, for the protection of sensitive information. Most recently, the US states of Massachusetts and Nevada have enacted laws that require businesses to encrypt personally identifiable information. The Nevada law (SB227) further prescribes effective key management as: Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology. Enterprises must now have a proven, reliable strategy or suffer the consequences of business as usual that leave sensitive data exposed to risks and severe consequences. Without a secure, automated and centralized system, managing and protecting keys incurs the security risks and operational inefficiencies of ad hoc procedures and redundant administration to generate, distribute, store, expire, and rotate encryption keys. This results in high operational costs, delays in meeting audit and compliance requirements, and increased risk of human error or malfeasance. The problem becomes more complex when attempting to integrate multiple, diverse encryption systems or extending support as new encrypting devices are adopted in the future. As companies increasingly must implement encryption to meet government, industry- and self-regulatory demands, focusing on secure, centralized, long-term key management is critical to ensure successful deployment of data encryption, maintain corporate responsibility, and remain competitive. 3

4 INTRODUCTION TO KEYAUTHORITY Thales e-security keyauthority is a hardware-based, security-hardened, encryption key management appliance designed to FIPS Level 3 1 specifications. Supporting the IEEE P draft key management standard, keyauthority ensures business continuity and data recovery requirements are met throughout the information lifecycle. With keyauthority, security policies are enforceable and detailed, secure logging enables audit and security compliance to be demonstrated. Storage managers remain in control without becoming distracted or burdened with time-consuming and unreliable manual procedures for key management. Ad hoc procedures can lead to lost access to keys, and by extension, lost data recoverability. IBM Tivoli Key Lifecycle Manager (TKLM) is a software-based key manager that supports IBM disk and tape storage systems; keyauthority natively hosts TKLM technology for managing IBM storage devices, behind a secure FIPS-compliant hardware boundary. Moreover, keyauthority provides a unified management console to manage encryption modules and devices, in addition to those managed by TKLM. For storage managers, keyauthority eliminates the barriers and concerns of adopting encryption, including reliability, recoverability, and the need to maintain multiple key management systems. Storage managers learn one interface to eliminate redundancy freeing time, simplifying security tasks, and reducing operating time and costs. 1 NIST approval currently in progress as of November

5 SOLUTION BENEFITS Reducing the Risk of Security Breach The primary driver for deploying encryption is to keep sensitive data secure in order to keep an organization out of the data-breach notification headlines and avoid remediation costs. Evidence of secure encryption along with corresponding security controls provides safe harbor for organizations facing a security breach, because any data that is stolen or lost is rendered useless without the associated keys. Organizations can thus avoid the consequences of notifying users, lost business and corporate shareholder value, negative press, fines and litigation, and similar high-cost remediation activities. The critical aspects of a reliable key management system include: > Automated policy-based controls over encryption keys, and thus, protecting sensitive data by controlling access to the appropriate users > A reliable, security-hardened system, able to maintain long-term key integrity in response to data retention policies > Role-based access to prevent overprivileged administration entitlements, and > Support for multiple classes of encryption modules and devices (such as tape libraries, disk arrays, and encryption switches). Encryption keys are required to unlock data, and therefore must be readily available to authorized users, while remaining resistant to tampering. Inefficient or unreliable key management based on manual procedures can adversely impact business continuity, data accessibility, and data retention. With keyauthority, storage administrators and architects can trust their encryption deployments to a system with clear, auditable custody and control of the keys. The hardware is designed to comply with FIPS Level 3, providing tamperresistant and tamper-evident protection. For example, if the seals on the appliance are removed and the chassis is opened, the attack is detected and the System (master) Key is zeroed out, preventing any media keys from being usable. Authorized users can restore the System Key once the integrity of the system is reconfirmed. Further, role-based access controls provide separation of duties to ensure appropriate administrator entitlements and help prevent malicious insider attacks. There are five defined roles that follow NIST standards: Administrator, Security Officer, Group Manager, Recovery Officer, and Auditor. No single operator has access to all functions, for example an employee with an Administrator role can create new users, but cannot assign roles; while a Security Officer can only assign roles and cannot create new users. In some critical operations, a maker-checker (2-person rule) requirement requires four eyes of visibility to ensure the action is appropriate. 5

6 Lastly, a unified approach to key management requires support for multiple classes of encrypting endpoints such as disk, tape, switches, and servers with interoperability for integrating multiple vendor products. With keyauthority, not only is IBM storage supported, but new standards-based encrypting endpoints can be securely managed as they become available in the years to come. Reducing the Cost of Encrypted Storage keyauthority uses standards-based encryption key management, enabling new encryption systems to be certified and integrated into the management scheme quickly and efficiently, going forward. keyauthority is designed to support emerging protocol standards, as well as legacy or proprietary protocols, to greatly simplify interoperability of key management across a diverse encryption device infrastructure. keyauthority simplifies maintenance and operation of encryption, freeing administrator time and reducing costs, especially within heterogeneous storage environments. A single, centrally-managed key management system reduces the learning curve and operational costs by eliminating the need for multiple silo systems. Simple Deployment and Management As a hardware appliance that is already pre-integrated and qualified with industryleading encrypting storage endpoints, keyauthority is simple to install and configure, with high-performance optimizations that allow enterprises to accelerate deployment and time-to-value. keyauthority is highly scalable with qualified performance metrics; in addition to the one million keys supported by TKLM, the appliance expands support to twenty five million keys in a single key management cluster of multiple vendor encryption products. This is a significant improvement delivering the ability to actively manage full key lifecycles for large, global installations over many years with consistency. Meeting Audit and Compliance Requirements Storage teams must keep up with an ever-increasing number of government, industry and corporate security compliance requirements, while being able to immediately respond to routine audits and informal inquiries. keyauthority allows organizations to enforce encryption policies and minimize human error through automation of key lifecycle management procedures. Comprehensive, secure, tamper-resistant logs are centrally maintained within secured audit facilities to quickly provide a clear audit trail that demonstrates custody and control of the keys. Access to this secure audit facility is controlled by an appropriately assigned administrative role to ensure integrity and accountability. The net result: audits that are easier to pass with high reliability. 6

7 SUMMARY Increasing government legislation and industry mandates, along with corporate governance best practices, are driving the need to deploy encryption across enterprise applications for security compliance and data protection. IT organizations must implement encryption while maintaining service level agreements, ensuring data availability and the ability to reliably meet audits that demonstrate compliance for custody and control of keys. As more endpoints such as tape libraries and disk arrays are deployed, organizations must protect sensitive information on them. Therefore, the role of key management is critical to ensure the long-term data availability to trusted users and ability to demonstrate compliance with policies. Many organizations have relied on IBM storage as the foundation for implementing an encryption strategy. keyauthority provides IBM storage users with a secure FIPS140-2 Level 3 designed platform to host IBM encryption management, delivering the security of a hardware-based appliance, the accountability of role-based administration with secure logging, and the flexibility of a standards-based approach for storage interoperability. More information To find out more about how Thales e-security and IBM can help secure your sensitive information, please visit or contact Thales e-security sales at one of the contact points on the back cover. About Thales e-security Thales e-security is a leading global provider of data protection solutions. With a 40-year track record of protecting the most sensitive corporate and government information, Thales e-security encryption and key management solutions are an essential component of any critical IT infrastructure. Thales makes it easy to enhance the security of softwarebased business applications and reduce the cost and complexity associated with the use of cryptography across the organization and out to the Cloud. 7

8 Europe, Middle East, Africa Meadow View House Long Crendon Industrial Estate Aylesbury Buckinghamshire HP18 9EQ. UK T: +44 (0) F: +44 (0) E: Americas 2200 North Commerce Parkway Suite 200 Weston Florida USA T: or F: E: DISCLAIMER Thales reserves the right at any time, without notice and at its sole discretion to revise, update, enhance, modify, change or discontinue the information provided herein. THALES MAKES NO REPRESENTATION OR WARRANTY AS TO THE ADEQUACY OR COMPLETENESS OF THE INFORMATION PROVIDED HEREUNDER. All Rights Reserved. keyauthority is a registered trademark of Thales e-security Inc. Tivoli is a registered trademark of IBM Asia Pacific Unit /F 248 Queen s Road East Wanchai Hong Kong PRC T: F: E: [email protected] Thales November 2011