XTREMIO DATA AT REST ENCRYPTION



Similar documents
Frequently Asked Questions: EMC Isilon Data at Rest Encryption Solution

Complying with PCI Data Security

EMC Symmetrix Data at Rest Encryption

EMC VMAX3 DATA AT REST ENCRYPTION

Guide to Data Field Encryption

Technical Note. Installing Micron SEDs in Windows 8 and 10. Introduction. TN-FD-28: Installing Micron SEDs in Windows 8 and 10.

Data Security using Encryption in SwiftStack

Self-Encrypting Hard Disk Drives in the Data Center

FLASH 15 MINUTE GUIDE DELIVER MORE VALUE AT LOWER COST WITH XTREMIO ALL- FLASH ARRAY Unparal eled performance with in- line data services al the time

Credit Card Security

INTRODUCTION TO THE EMC XtremIO STORAGE ARRAY (Ver. 4.0)

How To Get The Most Out Of An Ecm Xtremio Flash Array

Keep Your Data Secure: Fighting Back With Flash

Navigating Endpoint Encryption Technologies

EMC SOLUTION FOR SPLUNK

EMC DATA DOMAIN ENCRYPTION A Detailed Review

Overview of Data Security Methods: Passwords, Encryption, and Erase

Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015

PCI Data Security and Classification Standards Summary

EMC VNX2: Data at Rest Encryption

PA-DSS Implementation Guide for. Sage MAS 90 and 200 ERP. Credit Card Processing

Making Data at Rest Encryption Easy

Credit Card Handling Security Standards

Samsung SED Security in Collaboration with Wave Systems

Windows BitLocker Drive Encryption Step-by-Step Guide

Microsoft SQL Server 2008 R2 Enterprise Edition and Microsoft SharePoint Server 2010

Initial Roadmap: Point-to-Point Encryption Technology and PCI DSS Compliance

Dartmouth College Merchant Credit Card Policy for Processors

EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions

Solid State Drives (SSD) with Self Encryption: Solidly Secure Michael Willett Storage Security Strategist Independent Consultant

EMC XtremSF: Delivering Next Generation Performance for Oracle Database

A Rackspace White Paper Spring 2010

Data Security Using TCG Self-Encrypting Drive Technology

PCI Training for Retail Jamboree Staff Volunteers. Securing Cardholder Data

Card Management System Integration Made Easy: Tools for Enrollment and Management of Certificates. September 2006

TREASURER S OFFICE ADMINISTRATIVE STANDARDS FOR THE TREASURER S FISCAL PROCEDURE No MERCHANT DEBIT AND CREDIT CARD RECEIPTS

USING INTERSYSTEMS CACHÉ FOR SECURELY STORING CREDIT CARD DATA

Intel RAID Controller Premium Feature Key Training

How Drive Encryption Works

Viterbo University Credit Card Processing & Data Security Procedures and Policy

Data At Rest Protection

How Endpoint Encryption Works

E2EE and PCI Compliancy. Martin Holloway VSP Sales Director VeriFone NEMEA

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February

Self-encrypting drives (SED): helping prevent data loss, theft, and misplacement

Project Title slide Project: PCI. Are You At Risk?

Solid-State Drives with Self-Encryption: Solidly Secure

SecureD Technical Overview

Microsoft SQL Server Integration Guide

Dartmouth College Merchant Credit Card Policy for Managers and Supervisors

Perceptions about Self-Encrypting Drives: A Study of IT Practitioners

The Relationship Between PCI, Encryption and Tokenization: What you need to know

Payment Card Industry Data Security Standard

SELF SERVICE RESET PASSWORD MANAGEMENT ARCHITECTURE GUIDE

Understanding the Role of Hardware Data Encryption in EMV and P2PE from the CEO s Perspective

Implementing Disk Encryption on System x Servers with IBM Security Key Lifecycle Manager Solution Guide

Payment Card Industry (PCI) Data Security Standard. Summary of Changes from PCI DSS Version to 2.0

Seagate Secure Technology

EMC Celerra Version 5.6 Technical Primer: Public Key Infrastructure Support

Reducing PCI DSS Scope with the TransArmor First Data TransArmor Solution

2.0 PAYMENT CARD INDUSTRY DATA SECURITY STANDARDS (PCI-DSS)

mobile payment acceptance Solutions Visa security best practices version 3.0

Voltage SecureData Web with Page-Integrated Encryption (PIE) Technology Security Review

PCI PA - DSS. Point XSA Implementation Guide. Atos Worldline Banksys XENTA SA. Version 1.00

05.0 Application Development

Encrypted SSDs: Self-Encryption Versus Software Solutions

EMC VNX2 Deduplication and Compression

DELL POWERVAULT LIBRARY-MANAGED ENCRYPTION FOR TAPE. By Libby McTeer

8/17/2010. Over 90% of all compromised merchants are PCI level 4 (small) merchants or merchants with less than 1 million transactions per year

Application Note. Atmel CryptoAuthentication Product Uses. Atmel ATSHA204. Abstract. Overview

DESIGNING SECURE USB-BASED DONGLES

Self-Encrypting Drives

White Paper: Whole Disk Encryption

Full Disk Encryption Agent Reference

Converged storage architecture for Oracle RAC based on NVMe SSDs and standard x86 servers

Appendix 1 Payment Card Industry Data Security Standards Program

Full Drive Encryption Security Problem Definition - Encryption Engine

PCI DSS FAQ. The twelve requirements of the PCI DSS are defined as follows:

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

Securing Sensitive Data

2.6.1 Creating an Acronis account Subscription to Acronis Cloud Creating bootable rescue media... 12

Using BitLocker As Part Of A Customer Data Protection Program: Part 1

Cyber-Ark Software and the PCI Data Security Standard

Trusted Computing Basics: Self-Encrypting Drives

PrivyLink Cryptographic Key Server *

Client Advisory October Data Security Law MGL Chapter 93H and 201 CMR 17.00

ENABLING SDDC WITH XTREMIO & BROCADE

Accelerating PCI Compliance

Vormetric and SanDisk : Encryption-at-Rest for Active Data Sets

CONSOLIDATING MICROSOFT SQL SERVER OLTP WORKLOADS ON THE EMC XtremIO ALL FLASH ARRAY

Functional diagram: Secure encrypted data. totally encrypted. XOR encryption. RFID token. fingerprint reader. 128 bit AES in ECB mode Security HDD

EMC XTREMIO AND MICROSOFT EXCHANGE DATABASES

USB Portable Storage Device: Security Problem Definition Summary

User s Guide Part 1. Enterprise Self-Encrypting Drives

Transcription:

White Paper XTREMIO DATA AT REST ENCRYPTION Abstract Data at Rest Encryption is a mandatory requirement in various industries that host private or sensitive data. This white paper introduces and explains how it handles the challenges of protecting data, without impacting performance or other services that are provided by the XtremIO All-Flash Array. June 2014

Copyright 2014 EMC Corporation. All Rights Reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. The information in this publication is provided "as is". EMC Corporation makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. Part Number H13038.1 (Rev. 02) 2

Table of Contents Executive Summary... 4 Architecture... 5 Self-Encrypting Drives (SEDs)... 7 Encryption Algorithm... 7 PCI-DSS and Key Management Requirements... 8 Enabling Encryption... 10 Key Management... 11 Disabling Encryption... 11 Conclusion... 12 3

Executive Summary Information security is a key area of focus for many IT managers. Knowing that data centers are secure against unauthorized access is of critical importance. Yet, how is it possible to secure information on SSDs in an array when they are easily removable from the system (by design for serviceability)? Data at Rest Encryption (DARE) provides a solution to securing critical data even when the media is removed from the array. XtremIO arrays utilize a high performance inline encryption technique to ensure that all data stored on the array is unusable if the SSD media is removed. This prevents unauthorized access in the event of theft or loss during transport, and makes it possible to return/replace failed components containing sensitive data. DARE is a mandatory requirement that has been established in several industries, such as health care (where patient records must be kept closely-guarded), banking (where financial data safety is extremely important), and in many government institutions. This white paper focuses on DARE and the way it is implemented in the XtremIO All- Flash Array. It describes the technology behind the XtremIO encryption solution and how the architecture combines encryption with XtremIO s unique data protection and Inline Data Reduction technologies without undergoing any performance penalty. It also discusses key management and key rollover functions that enhance the data at rest protection. 4

Architecture At the heart of XtremIO s DARE solution lies the use of Self-Encrypting Drive (SED) technology. An SED has dedicated hardware, which is used to encrypt and decrypt data as it is written to or read from the SSD. Offloading the encryption task to the SSD enables XtremIO to maintain the same software architecture whenever encryption is enabled or disabled on the array. All of XtremIO s features and services, including Inline Data Reduction, XtremIO Data Protection (XDP), thin provisioning and snapshots are available on an encrypted cluster (as well as on non-encrypted clusters). A unique Data Encryption Key (DEK) is created during the drive manufacturing process. The key does not leave the drive at any time. It is possible to erase the DEK or change it, but this causes the data on the drive to become unreadable and no option is provided to retrieve the DEK. In order to ensure that only authorized hosts can access the data on the SED, the DEK is protected by an Authentication Key (AK). Without this key the DEK is encrypted and cannot be used to encrypt or decrypt data. SEDs are shipped out of the factory in an unlocked state, meaning that any host can access the drive data. In unlocked drives the data is always encrypted, but the DEK is always decrypted and no authentication is required. Figure 1. Unlocked SED 5

Locking the drive is made possible by changing the default drive s AK to a new, private AK and changing the SED settings so that it remains locked after a boot or power fail (such as when an SSD is taken out of the array). When an SSD is taken out of the array, it is turned off and will require the AK upon booting up. Without the correct AK the data on the SSD is unreadable and safe. To access the data, the hosts must provide the correct AK, a term that is sometimes referred to as "acquiring" or "taking ownership" of the drive, which unlocks the DEK and enables data access. Drive acquisition is achieved only upon boot, and the SED remains unlocked for as long as the array is up. Since data passes through the encryption or decryption hardware in all cases, there is no performance impact when locking an SED. Figure 2. SED Operation Mode The XtremIO All-Flash Array encrypts data on the following SSDs: Data SSDs where all User Data is stored Storage Controller SSDs which may contain User Data journal dumps 6

Self-Encrypting Drives (SEDs) XtremIO encryption capable All-Flash Arrays have always used SEDs. Enabling encryption simply means that the SSDs are now locked with an auto-generated Personal Identification Number (PIN). This is the main reason why there is no performance overhead for encrypting data on XtremIO. SED solutions, based on Trusted Computing Group (TCG) specifications, enable integrated encryption and access control within the drive s protected hardware. The TCG is an international industry standards group that develops specifications amongst its members. Upon completion, the TCG publishes the specifications for use and implementation by the industry. TCG's open standards provide multi-vendor interoperability, allowing application vendors to provide management for multiple SED providers. Using an SED which is based on TCG specifications ensures that the drive encryption is based on proven standards for data confidentiality, that the drive utilizes optimized hardware components within its electronics, and that it does not rely on XtremIO s Storage Controller processing power. A TCG-certified SED provides better security because encryption is always enabled and transparent to the user, keys for encryption are generated in the drive and never leave the drive, and userauthentication is performed by the drive before it unlocks, independent of the operating system. Encryption Algorithm XtremIO SEDs use the Advanced Encryption Standard (AES) 256 encryption algorithm as per the recommendation of TCG specification. AES is a widely-used block encryption standard, and is acceptable by the most rigorous regulations and federal governments standards. 7

PCI-DSS and Key Management Requirements The Payment Card Industry (PCI) Data Security Standard (DSS) was developed to encourage and enhance cardholder data security and facilitate the broad adoption of consistent data security measures globally. All companies that transmit, process, or store cardholder data, including Primary Account Numbers (PAN), must comply with the twelve requirements of PCI-DSS. The PCI-DSS Requirement 3 details the card data protection methods, such as encryption, that are critical components of cardholder data protection. Compliance with the key management controls outlined in Requirement 3 of the PCI- DSS can be time-consuming and expensive. Retailers, payment card transaction processors, hospitality, transportation, government agencies, and other industries that need to protect cardholder data may find substantial benefit from products that are purpose-built to implement the security controls of PCI in a cost-effective manner, without disruption to existing infrastructure or business processes. As such, EMC has taken significant measures to ensure that XtremIO All-Flash Array complies with the applicable guidelines of PCI-DSS outlined in Table 1. Table 1. PCI-DSS Requirements Requirement Number Requirement Details 3.6.1 Generation of strong cryptographic keys (ensuring that all keys generated to encrypt data meet industry standards of key length, generally a minimum of 128 bits). 3.6.2 Secure cryptographic key distribution (once the keys are generated, they must be securely distributed to the locations required for use and storage). 3.6.3 Secure cryptographic key storage (keys must be stored in a secure manner that prevents [and can show evidence of] unauthorized access or change). 3.6.4 Cryptographic key changes for keys that have reached the end of their cryptoperiod. XtremIO Implementation Hardware-Based AES 256 encryption algorithm. Data Encryption Key (DEK) never leaves the SSD encryption Hardware. Authentication Keys (AK) are generated on the array and are not distributed externally. DEKs are stored on SSD s hardware. AKs are not stored in plain text and are calculated upon array startup. It is possible to regenerate new AKs for all SSDs to minimize the risk of someone obtaining the encryption keys and using them to decrypt the Data Encryption Key and the data. 8

Requirement Number Requirement Details 3.6.5 Retirement or replacement (for example, archiving, destruction, and/or revocation) of keys as deemed necessary when the integrity of the key has been weakened, or keys are suspected of being compromised. 3.6.6 If manual clear-text cryptographic key management operations are used, these operations must be managed using split knowledge and dual control (for example, requiring two or three people, each knowing only their own key component, to reconstruct the whole key). 3.6.7 Prevention of unauthorized substitution of cryptographic keys (key management processes must be developed and implemented in such a manner as to control and ensure that illegitimate keys are not substituted into the process). 3.6.8 Requirement for cryptographic key custodians to formally acknowledge that they understand and accept their keycustodian responsibilities. XtremIO Implementation Using SED makes the retirement or replacement of old keys transparent to the user. DEK and AK are unique per SSD and are not used when an SSD is pulled out of the array. When a new SSD is inserted into the Array as a replacement, it will have its own DEK and the cluster will generate a new AK for it. No clear-text key is transmitted within the cluster. TCG-certified SEDs guaranty that it will not be possible to inject or substitute the Data Encryption Keys. Keys are generated on the SEDs' dedicated hardware and do not leave the SEDs. Both types of keys used in XtremIO DARE implementation are internal to the array and do not require a custodians. 9

Enabling Encryption As discussed in this document, drives encrypt data constantly, and enabling encryption simply means that the SSD lock mode changes from "Open" to "Lock on boot", and a new PIN is generated. Nevertheless, to minimize the risk of data corruption, the process is performed while the cluster is in a stopped state. When the modify-clusters-configuration encryptioncommand="switch-mode" encryption-mode="self" command is initiated, the cluster generates a unique AK per SSD, and per local SSD in each of the Storage Controllers. The AK is created from a secret seed and unique identification of the SSD. Using a secret digest function, it is turned into the SSD s AK. Once the software has the AK, it configures each SSD in the DAE in turn, by setting the new AK, setting the mode to "Lock on boot", and acquiring the SSD, thereby unlocking it and verifying that data can be read from it. Upon success, the software moves to the next SSD. When all SSDs are done, the software configures the Storage Controllers SSDs in the same way, one at a time. When done, the cluster can be started and IOPS can be resumed. This process is carried out in parallel for each X-Brick and takes the same time for any size XtremIO cluster. Initial encryption of a cluster takes approximately ten minutes. Figure 3: Enabling Encryption 10

Key Management As discussed in this document, each SSD has its own AK. The key itself is kept only in memory and is not stored in clear text on SSDs or in logs. The AK seed is stored on the boot SSD's unencrypted partition. It is possible to change the SSD AK to comply with key rollover requirements. Once the modify-clusters-configuration encryption-command="reencrypt" encryption-mode="self command is initiated, the software generates new seeds per SSD, and changes the AK on each SSD in turn. Old seeds are kept for as long as the operation continues, ensuring access to SSDs that have not changed yet. When the process is completed, the new AKs are kept in memory and the old AKs seeds are retired. This process is carried out in parallel for each X-Brick and takes the same time for any size XtremIO cluster. Changing the cluster s AK takes less than a minute. Disabling Encryption It is possible to disable the encryption on an encrypted cluster if the customer wishes to do so. Disabling encryption is performed with the cluster in a stopped state. Once the modify-clusters-configuration encryption-command="reencrypt" encryption-mode="disabled" command is initiated, the software changes the configuration of each SSD to "Unlocked" and resets the AK to its original value, as received from the manufacturer. When encryption is disabled, the data on the SED is not protected and can be read by any host. 11

Conclusion Data at Rest Encryption is becoming a mandatory requirement in many industries. XtremIO s solution, based on Self-Encrypting Drives (SED), addresses this mandatory requirement without impacting performance or services. Customers can benefit from XtremIO s Inline Data Reduction, high performance, thin provisioning and snapshot capabilities while resting assured that the data on the SSDs is protected from peering eyes. 12

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information