Dell Compellent 6.5 SED Reference Architecture and Best Practices

Dell Storage Technical Solutions
May 2014
A Dell Reference Architecture

Revisions

Date       Description
May 2014   Initial release

THIS WHITE PAPER IS FOR INFORMATIONAL PURPOSES ONLY, AND MAY CONTAIN TYPOGRAPHICAL ERRORS AND TECHNICAL INACCURACIES. THE CONTENT IS PROVIDED AS IS, WITHOUT EXPRESS OR IMPLIED WARRANTIES OF ANY KIND.

2014 Dell Inc. All rights reserved. Reproduction of this material in any manner whatsoever without the express written permission of Dell Inc. is strictly forbidden. For more information, contact Dell.

PRODUCT WARRANTIES APPLICABLE TO THE DELL PRODUCTS DESCRIBED IN THIS DOCUMENT MAY BE FOUND AT: http://www.dell.com/learn/us/en/19/terms-of-sale-commercial-and-public-sector

Performance of network reference architectures discussed in this document may vary with differing deployment conditions, network loads, and the like. Third party products may be included in reference architectures for the convenience of the reader. Inclusion of such third party products does not necessarily constitute Dell's recommendation of those products. Please consult your Dell representative for additional information.

Trademarks used in this text: Dell, the Dell logo, Dell Boomi, Dell Precision, OptiPlex, Latitude, PowerEdge, PowerVault, PowerConnect, OpenManage, EqualLogic, Compellent, KACE, FlexAddress, Force10 and Vostro are trademarks of Dell Inc. Other Dell trademarks may be used in this document. Cisco Nexus, Cisco MDS, Cisco NX-OS, and other Cisco Catalyst are registered trademarks of Cisco System Inc. EMC VNX, and EMC Unisphere are registered trademarks of EMC Corporation. Intel, Pentium, Xeon, Core and Celeron are registered trademarks of Intel Corporation in the U.S. and other countries. AMD is a registered trademark and AMD Opteron, AMD Phenom and AMD Sempron are trademarks of Advanced Micro Devices, Inc. Microsoft, Windows, Windows Server, Internet Explorer, MS-DOS, Windows Vista and Active Directory are either trademarks or registered trademarks of Microsoft Corporation in the United States and/or other countries. Red Hat and Red Hat Enterprise Linux are registered trademarks of Red Hat, Inc. in the United States and/or other countries. Novell and SUSE are registered trademarks of Novell Inc. in the United States and other countries. Oracle is a registered trademark of Oracle Corporation and/or its affiliates. Citrix, Xen, XenServer and XenMotion are either registered trademarks or trademarks of Citrix Systems, Inc. in the United States and/or other countries. VMware, Virtual SMP, vMotion, vCenter and vSphere are registered trademarks or trademarks of VMware, Inc. in the United States or other countries. IBM is a registered trademark of International Business Machines Corporation. Broadcom and NetXtreme are registered trademarks of Broadcom Corporation. QLogic is a registered trademark of QLogic Corporation. Other trademarks and trade names may be used in this document to refer to either the entities claiming the marks and/or names or their products and are the property of their respective owners. Dell disclaims proprietary interest in the marks and names of others.

2 Dell Compellent 6.5 SED Reference Architecture and Best Practices CML1043

Table of contents

Revisions ... 2
Executive summary ... 4
1 Secure Data overview ... 5
1.1 Securing data with SED technology on Dell Compellent Storage Center arrays ... 6
1.2 SED technology overview ... 8
1.2.1 Security threats covered by SEDs ... 8
1.2.2 Security scenarios not covered by SEDs ... 9
1.3 Protecting data from unauthorized access ... 9
1.4 Cryptographic erase ... 11
2 Reference architecture ... 13
2.1 Secure Data hardware requirements ... 13
2.2 Secure Data software requirements ... 13
2.3 Reference architecture hardware ... 13
2.4 Secure Data configuration ... 14
2.4.1 Apply license file ... 14
2.4.2 Configure Key Management Server ... 16
2.4.3 Add SEDs to Secure Data Folder ... 19
2.4.4 Create volume ... 27
2.4.5 Volume migration ... 36
3 Best practices ... 47
A Frequently Asked Questions ... 48
B Glossary ... 49
C Additional resources ... 51

Executive summary

Data and intellectual property are the lifeblood of a company in the modern information-driven economy. The legal aspects of a data breach unprotected by encryption (safe harbor) could tarnish your business reputation, destroy consumer confidence, provoke customers to walk away and, at the very worst, wipe out your business completely. According to the Ponemon Institute's annual 2013 survey, the average organizational cost of a data breach was $5.4 million for the U.S. alone, followed by $4.8 million in Germany and $4.1 million in Australia.

Although much money and effort has been spent on protecting corporate networks from outside intrusion, many security analysts agree that there are still considerable vulnerabilities relating to data theft through the physical theft, misplacement, or inappropriate redeployment or disposal of hard drives from corporate computers and storage arrays.

An effective solution to the above problems is to employ Self-Encrypting Drive (SED) technology. SEDs, coupled with Dell Compellent storage arrays, provide an industry-leading Data at Rest Encryption solution for securing corporate data from hard drive loss or theft. This white paper provides a detailed description of the Dell Storage Secure Data solution, including an overview of SEDs, encryption features and Key Management Server integration.

1 Secure Data overview

With data security risks on the rise, an influx of government regulations for securing data has been mandated, and these regulations are becoming part of the corporate business requirements for many organizations. Even in the absence of a government mandate, eliminating exposure of private data is now simply viewed as a sound business practice. This is a high priority for companies operating in the healthcare, Federal/State government, financial, banking, education and manufacturing spaces, just to name a few.

Providing data storage solutions that are easy to manage and implement, both now and into the future, is what Dell Storage has been about since its start. We do this through deployment of technology that is non-disruptive to our customers, so that they can seamlessly grow with new requirements and regulations, like PCI DSS, GLBA, SOX, HIPAA, the recently passed HITECH Act, as well as the 45+ state laws requiring businesses to publicly disclose data breach incidents.

To avoid the high cost and other negative consequences of a data breach or lost data, it is important for organizations to put a comprehensive security strategy in place. A comprehensive strategy requires understanding where data is at all times across the organization and securing it at each of these points. These points, or levels of security, can be broken down into three basic categories: data-in-use, data-in-motion, and data-at-rest.

Data in Use: User, OS, or application use of data (for example, print, copy, or move)
Data in Motion: All data being transferred between two nodes across the network
Data at Rest: Data recorded on the storage media

Figure 1 Levels of data to be secured across an organization

The primary focus of this guide is securing Data at Rest (DAR). While each point in the storage infrastructure presents a unique threat model, DAR presents one of the highest security vulnerabilities.

Data, in fact, spends most of its life at rest on drives. When these drives eventually leave the data center for repair, retirement, relocation, or maintenance, the drives and their data are most vulnerable to being lost or stolen. The emergence of full disk encryption technology and SEDs is timely for mitigating the security vulnerabilities of DAR. SEDs are also becoming a standardized technology across many of the world's top drive vendors, which allows for interoperability and ensures greater market competition and competitive pricing.

To further highlight the importance of SEDs, the Storage Networking Industry Association (SNIA) best practices recommend encryption as close to the information source as possible, which is the media where the data resides. In addition, many safe harbor laws, such as California state regulation CA 1798 (formerly SB-1386), protect organizations that store data in compliance with security encryption requirements. With safe harbor laws such as these, organizations might not have to notify customers of lost data if that data was stored and secured on SEDs.

Current SEDs use the Advanced Encryption Standard (AES) algorithm as defined by the National Institute of Standards and Technology (NIST), which has been widely adopted as an encryption standard. The SEDs selected by Dell for use in the Dell Storage product line are approved for use in applications requiring compliance with Federal Information Processing Standards (FIPS) 140-2 Level 2.

1.1 Securing data with SED technology on Dell Compellent Storage Center arrays

As a leader in storage technologies, Dell provides support and management capabilities that allow users to safely secure their DAR in the Compellent Storage Center arrays. This support is offered through a wide variety of SEDs with multiple capacities, managed through Trusted Computing Group (TCG) protocols within the Storage Center SAN. Dell's solution is compatible with the KMIP v1.0 standard and customer-defined external Key Management Servers.

The Secure Data support for DAR encryption in Dell Compellent Storage Center extends from encrypting the full array, to multiple disk folders, or even to the Volume level as tied to a separate Secure Data folder. SEDs and non-SEDs are supported separately within the same array, with negligible performance impact on the system or your applications. The encryption technology also works on legacy Compellent Storage (with the addition of new SED drives). Figure 2 shows a Dell Compellent array with both SEDs and non-SEDs as an example.

Figure 2 Storage Center array with both SEDs and non-SEDs managed independently

Figure 3 FIPS 140-2 Level 2 tamper-evident drive

1.2 SED technology overview

An SED is a self-encrypting hard drive with an encryption/decryption function built into the disk drive controller chip. It performs like any other hard drive, with the encryption completely transparent to the user: the controller chip encrypts all data written to the magnetic media and decrypts all data read from the media automatically. With the encrypting engine built into the hardware of each individual drive, there is no performance impact on the storage system. SEDs encrypt constantly.

There are two primary functions of SED technology:

1. Protecting hard drive data from unauthorized access: secure DAR
2. Cryptographic Erase (CE): provides a mechanism to securely erase the data on the drive so that the drive can be repurposed or retired

1.2.1 Security threats covered by SEDs

While using SEDs is fairly simple and transparent, it is important to understand what protection they provide and what protection they do not provide. The threats that Secure Data provides data protection against are:

Lost, transported, or stolen drives. When a powered-on drive leaves the array (whether by failure, removal, or otherwise), the drive immediately locks itself. Its contents are inaccessible without the Authority Credential (AC). At the same time, the volumes with data on that drive will begin a RAID rebuild using the associated hot spare. If that drive is inserted into a different array, the drive will remain in a locked state. The administrator must explicitly bring the drive into service, which will then result in a CE of the SED. Furthermore, even if the platters were removed from the drive itself and placed on a spin stand, the data would be secure due to the AES-256 encryption used to write the bits.

Theft of data through the theft of an entire enclosure.

Theft of data through the theft of an entire Storage Center system.

1.2.2 Security scenarios not covered by SEDs

Insider attack: Any person who possesses the administrator password can access any volume on the array, or change Storage Center user permissions to allow others to do the same. Similarly, a compromised host can access volumes that the host is authorized to access. SEDs cannot provide protection against improper access to an online data volume.

Data-in-flight: SEDs are intended solely to provide protection for DAR, and thus provide no protection for data-in-flight on the network.

Tampering with array hardware: Secure Data is not resistant to hardware probes, other snooping devices, or the removal of a drive without loss of power to that drive.

Theft of the KMS and the associated ACs saved in it.

1.3 Protecting data from unauthorized access

To protect the data from unauthorized access, SEDs use two sets of keys. One key is called the Media Encryption Key (MEK). In the drive factory, each SED randomly generates an MEK that is encrypted and embedded within the drive. The MEK is never exposed outside the drive and requires no management by the user. The MEK functions as a secret password so that the encryption/decryption engine built into the drive knows how to decrypt the user data stored on the physical media. The encryption in the drive uses a symmetric key algorithm, which means the MEK is the same for encrypting and decrypting the data on the disk. This MEK can be changed by Crypto-Erase, but the encryption can never be turned off.

The second required key is called the Authority Credential (AC), sometimes referred to as the locking key, credentials, authentication key or Access Key (AK). It is used to unlock and configure the SED. There is one AC for each SED. Dell Compellent Storage Center arrays automatically detect SED drives and will create the ACs when the array is initially configured with SEDs or when SEDs are added to a legacy system (requires an encryption software license and Storage Center v6.5.1 or greater).

The AC is stored in a Key Management Interoperability Protocol (KMIP) Secret Data object on the Key Management Server (KMS). There is one valid Secret Data object for each SED that has been put into a lockable state. Storage Center completes a KMIP Register on this Secret Data object, and the Secret Data object's key block contains the AC. Storage Center also controls the contents of the Secret Data object.

Once an SED has been configured with an AC, the AC must be provided to unlock the drive, and the drive remains unlocked only while powered on. The drive locks itself upon losing power or shutting down, and the AC must be provided again before the drive will unlock and participate in I/O operations. Figure 4 describes how data is accessed on an SED during normal operation.

Figure 4 Accessing data on an SED

1. Data is requested from the SED by the storage controller. If data is requested from the drive and it is locked, an error code is returned which indicates it is locked. Then, the Storage Center OS (SCOS) sends a series of commands to the drive to unlock it. One of those commands is an Authentication Request, which carries the AC.
2. The drive electronics hash the AC from the storage controller and pull the stored hashed access key from the drive storage. The hashed keys are compared.
3. If the hashed keys do not match, no access is given to the data, and an error is passed back to the storage controller stating that the drive is locked and that the subsystem does not have authorization to access it. If the hashed keys match, a subsequent drive command is sent to unlock the drive.
4. The encrypting/decrypting circuit pulls the requested data from the drive and uses the decoded MEK to decrypt the encrypted user data.
5. The decrypted user data is then passed back to the storage controller.

In summary, the true value of SEDs is realized when a drive is lost, removed, or stolen. In such an instance, the drive becomes locked and the data remains encrypted. Because an unauthorized user would not have the appropriate AC, the drive will remain locked and the data will remain inaccessible to any attacker.

1.4 Cryptographic erase

Another security method available with SEDs is cryptographic erase (CE). CE simply replaces the encryption key inside the encrypted drive, making it impossible to ever decrypt the data encrypted with the deleted key. Alternative methods, such as degaussing each drive or simply overwriting the data with zeros, are available to permanently erase this data; however, these methods are often expensive, slow, or do not provide complete data erasure.

A common use of CE is when a failing drive is preemptively copied to a spare SED and then removed from use (unmanaged) by the Storage Center firmware. After the copy-to-spare occurs, the failing drive undergoes a CE so that it may be safely returned to the manufacturer under warranty. Through this process of unmanaging out of a Secure Data folder, the CE function destroys the stored encrypted MEK, and if/when the drive is removed from the array, it will not lock when power is removed. At this point a new randomly generated MEK is created by the drive and stored on the drive. Without the original MEK, there is no way to decode the already encrypted data on the drive. Drives that fail hard (head crash, unreadable, or other issues) do not undergo CE because they are not reachable, but they do lock when removed because their SED settings are still intact.

Figure 5 Crypto-Erase process

As shown in Figure 5, CE prompts the SED to permanently erase the current media encryption key and replace it with a new key, randomly generated within the drive. When the media encryption key is changed, any data that has been written to the drive using the previous key cannot be decoded with the new media encryption key, which renders all of the data unusable. Thus, data that was encrypted with the previous media encryption key is now cryptographically destroyed.
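To make the unlock flow of Figure 4 and the cryptographic erase of section 1.4 concrete, the following Python model is added here; it is not Dell's or any drive vendor's code. It assumes SHA-256 as the AC hash, a SHA-256 keystream XOR as a stand-in for the drive's AES-256 engine, and hypothetical class and method names; the drive, AC and data are all constructed in the example.

```python
import hashlib
import hmac
import os


class DriveLocked(Exception):
    """Error a locked SED returns for I/O (Figure 4, step 1)."""


def _engine(key: bytes, data: bytes) -> bytes:
    # Stand-in for the drive's AES-256 engine (assumption, not the real cipher):
    # XOR with a SHA-256 counter keystream keyed by the MEK. One call both
    # encrypts and decrypts, mirroring the symmetric MEK of section 1.3.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ k for b, k in zip(data[off:off + 32], ks))
    return bytes(out)


class SelfEncryptingDrive:
    def __init__(self) -> None:
        self._mek = os.urandom(32)   # factory-generated MEK; never leaves the drive
        self._ac_hash = None         # hash of the AC once the array assigns one
        self._powered = True
        self._unlocked = True        # no AC configured -> drive is not lockable
        self.media = {}              # LBA -> ciphertext physically on the platters

    def configure_ac(self, ac: bytes) -> None:
        """Storage Center assigns the per-drive AC; the drive keeps only its hash."""
        self._ac_hash = hashlib.sha256(ac).digest()

    def unlock(self, ac: bytes) -> bool:
        """Authentication Request carrying the AC (Figure 4, steps 1-3)."""
        if self._ac_hash is None:
            return True
        # Hash the presented AC and compare with the stored hash in constant time.
        if hmac.compare_digest(hashlib.sha256(ac).digest(), self._ac_hash):
            self._unlocked = True
            return True
        return False

    def power_off(self) -> None:
        """A drive with an AC configured locks itself on power loss (section 1.2.1)."""
        self._powered = False
        if self._ac_hash is not None:
            self._unlocked = False

    def power_on(self) -> None:
        self._powered = True

    def write(self, lba: int, data: bytes) -> None:
        self._require_access()
        self.media[lba] = _engine(self._mek + lba.to_bytes(8, "big"), data)

    def read(self, lba: int) -> bytes:
        self._require_access()
        return _engine(self._mek + lba.to_bytes(8, "big"), self.media[lba])

    def crypto_erase(self) -> None:
        """CE (section 1.4): replace the MEK; ciphertext stays, plaintext is gone.
        Unmanaging also clears the AC, so the drive no longer locks on power loss."""
        self._require_access()
        self._mek = os.urandom(32)
        self._ac_hash = None

    def _require_access(self) -> None:
        if not self._powered:
            raise RuntimeError("drive is powered off")
        if not self._unlocked:
            raise DriveLocked("drive is locked; AC required")


def lifecycle_demo() -> dict:
    """Walk one drive through the scenarios of sections 1.2.1, 1.3 and 1.4."""
    drive = SelfEncryptingDrive()
    ac = os.urandom(32)   # constructed: the array-generated AC the KMS would hold
    drive.configure_ac(ac)
    drive.write(0, b"patient record 42")
    r = {}
    drive.power_off()      # drive pulled from the enclosure: loses power and locks
    drive.power_on()       # inserted into another array: still locked
    try:
        drive.read(0)
        r["locked_read_blocked"] = False
    except DriveLocked:
        r["locked_read_blocked"] = True
    r["wrong_ac_rejected"] = not drive.unlock(os.urandom(32))
    r["right_ac_unlocks"] = drive.unlock(ac)
    r["plaintext_after_unlock"] = drive.read(0)
    before = drive.media[0]
    drive.crypto_erase()   # copy-to-spare done; drive unmanaged from the Secure Data folder
    r["ciphertext_untouched_by_ce"] = drive.media[0] == before
    r["old_data_unrecoverable"] = drive.read(0) != b"patient record 42"
    drive.power_off()
    drive.power_on()
    r["erased_drive_no_longer_locks"] = drive.read(0) is not None
    return r
```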

2 Reference architecture

The goal of this section is to provide an SED reference architecture to use as a starting point for designing and implementing SEDs in your infrastructure.

2.1 Secure Data hardware requirements

Table 1 Controller support
Controller Model    Supported
SC8000 Series       Yes
40 Series           Yes
30 / 20             No

Table 2 Enclosure support
Enclosure Model         Supported
SC200                   Yes
SC220                   Yes
SC280                   Yes
Other enclosure models  No

2.2 Secure Data software requirements

Table 3 Storage Center OS versions
Storage Center OS   Supported
6.5.1 or greater    Yes
6.4.4 or below      No

Note: To use SEDs, you must apply a license file that has the Self Encrypting Drives feature enabled.

2.3 Reference architecture hardware

The hardware used for this environment consists of the following:

Table 4 Reference architecture hardware
Model                                        Quantity
Dell Compellent SC8000 Controllers           2
Dell Compellent SC220 Disk enclosures        4
Dell PowerEdge R620 Rackmount Server         2
Brocade 6505 16Gb Fibre Channel Switches     1
SafeNet K460 Key Management Server           1
Dell Compellent 300GB 15K SED                48

Figure 6 Reference architecture environment

2.4 Secure Data configuration

The Dell Secure Data implementation is simple to set up. The following steps outline how to set up Self Encrypting Drives on a Dell Compellent Storage Center.

2.4.1 Apply license file

1. In the System Manager go to Storage Management > System Setup > Apply a license file. Select the file ending in .lic and click OK.


2. Locate your Compellent Storage Center license file and click Select.
3. Select OK.

2.4.2 Configure Key Management Server

With the license file applied, you can now configure a Key Management Server.

1. In the System Manager select System Management > System Access > Configure Key Management Servers.

2. In this dialog, enter the IP or hostname of the KMS, and the timeout. If your Key Management Server uses authentication, also enter those credentials.
3. Then provide the certificate files for each controller, and click Continue.

4. At the main screen select Upload Certstore Cert.

5. On completion of the Certstore Cert upload, click Continue to save the configuration. The Compellent Storage Center is now communicating with the Key Management Server.

2.4.3 Add SEDs to Secure Data Folder

1. In the Compellent System Manager, select Storage Management > Disk Folder > Create Disk Folder.


2. Dell Compellent recommends putting all drives into one Disk Folder. Dell Compellent does not support mixing SEDs and non-SEDs in the same Disk Folder. Select Yes to continue to create a Disk Folder.

3. The Storage Center has detected that there are unconfigured Self-Encrypting Drives. Select Yes to create a Secure Data folder.

4. Select the SED drives that you want to include in the Secure Data Disk Folder and click Continue.

5. Select the drives to be Hot Spares and click Continue.

6. Assign a name to the Disk Folder. In this example we used SED to distinguish between the SED and non-SED Disk Folders.


7. The Disk Folder is now a Secure Data folder. The yellow lock icon on the Disk Folder and drive indicates the drives are now encrypting data using a randomly generated key which is stored on the Key Management Server.

2.4.4 Create volume

1. In the System Manager, expand the Storage section and right-click Volumes. Select Create Volume.

2. Select the Disk Folder that you want the volume to be created on. Since the intent is for this volume to be encrypted, select SED.

3. Enter a size for the volume and select Continue.

4. Select a Replay Profile to use and click Continue.

5. Provide the volume with a Name and click Continue.

6. Review the summary page and select Create Now.

7. Select Map this Volume to this Server to start the mapping process.

8. Select Create Now to map the volume to the server.

9. The volume is now created and is on a Secure Data Disk Folder. The AC is now stored on the KMS. If a drive needs to be unlocked, the AC will be retrieved from the KMS.

2.4.5 Volume migration

1. To migrate a volume from a non-Secure Data folder to a Secure Data folder, start by right-clicking the volume you want to move. The selected volume is on a disk folder named Infrastructure, which is not a Secure Data Disk Folder.

2. Select Create New Volume.

3. Select the Secure Data folder named SED.

4. Enter the Volume size then click Continue. Note: The Volume size must be equal to or larger than the source volume. 39 Dell Compellent 6.5 SED Reference Architecture and Best Practices CML1043

5. Select the Replay Profile you want to use, and click Continue. 40 Dell Compellent 6.5 SED Reference Architecture and Best Practices CML1043

6. Provide a Name for the destination Volume and select Continue. 41 Dell Compellent 6.5 SED Reference Architecture and Best Practices CML1043

7. The review page displays attributes for the new volume. Select Create Now to create the volume. 42 Dell Compellent 6.5 SED Reference Architecture and Best Practices CML1043

8. Select the newly named Destination Volume, and click Continue. 43 Dell Compellent 6.5 SED Reference Architecture and Best Practices CML1043

9. Review the details relating to the Copy/Migrate process, and click Continue. 44 Dell Compellent 6.5 SED Reference Architecture and Best Practices CML1043

10. Select Start Now to start the Copy/Migrate process. The data will be moved from the Infrastructure Disk Folder to the SED Disk Folder, which is a Secure Data Disk Folder. 45 Dell Compellent 6.5 SED Reference Architecture and Best Practices CML1043

11. The volume is now on the SED Disk Folder, which is encrypted. 46 Dell Compellent 6.5 SED Reference Architecture and Best Practices CML1043

3 Best practices

Volume migration using Copy/Mirror/Migrate to a Secure Data Disk Folder

The Dell Compellent Fluid architecture allows volumes to be moved from one Disk Folder to another Disk Folder. It is expected that volumes may be moved from a non-secure Data Disk Folder to a Secure Data Disk Folder when attaching SED drives to a system. When doing this, make sure there is enough RAID 10 space allocated in your Tier 1 space.

Storage Center design guidance with SEDs

There is no performance difference between non-SEDs and SEDs. When designing a Dell Compellent Storage Center system, follow standard design guidance.

Using Crypto-Erase

There is no Crypto-Erase (CE) button in the system. When necessary, such as when marking a failing drive as failed or repurposing a drive into a new array, the controller firmware performs a CE as part of the process when unmanaging the drive out of a Secure Data folder.

Note: Secure-erase is also known as cryptographic erase or crypto-erase in the general SED literature.

Mixing drive types in the same Disk Folder

SED and non-SED drives can be used in the same array. In order to securely lock and manage the SED drives for DAR protection, the SED drives are managed in their own Disk Folder.

A Frequently Asked Questions

What is the difference between a locked drive and a securely-erased drive?
Data that is locked is inaccessible without the Authority Credential. Data that is securely erased has been cryptographically destroyed.

What if the entire array is stolen?
The data is protected as long as the thieves were not also able to steal and access the Key Management Server (KMS) and compromise the ACs needed to unlock all of the SED drives in the array.

Is it safe to discard or return a locked SED?
Yes. Any data that was written to the drive is locked and inaccessible. When you return a drive to Dell, the only information that remains readable is its operating statistics (S.M.A.R.T. data), the RAID type that the drive was used in, and drive hardware error logs.

B Glossary

Self-Encrypting Drive (SED): A drive with a dedicated ASIC encryption engine built in to encrypt/decrypt all data to the media transparently, without user intervention.

Data at Rest (DAR) encryption: Protection of data written on the storage media via symmetric encryption/decryption keys.

Data-in-motion: Data in transit between two nodes. This is also known as Data In Flight.

Data-in-use: Data being used by a person, an application, or an operating system.

Secure Data: The Dell storage term for the DAR encryption solution in a Dell Storage array.

Media Encryption Key (MEK): Functions as a secret password so that the encryption/decryption engine built into the drive knows how to decrypt the user data stored on the physical media. Generated in the drive factory, the MEK is encrypted and embedded within the drive and is never exposed outside the drive.

Authority Credential (AC): Sometimes referred to as the locking key, credentials, authentication keys or Access Key (AK). It is used to unlock and configure the SED. There is one AC for each SED.

Table 5: Media Encryption Key (MEK) vs Authority Credential (AC)

Media Encryption Key (MEK)
  Definition and usage: Required to encrypt and decrypt data
  Location and management: Resides in and is managed by the drive; never leaves the drive; unique MEK for every drive
  How it is generated: Generated by the drive at the manufacturer

Authority Credential (AC)
  Definition and usage: Needed to unlock a drive
  Location and management: Managed by the Storage Center firmware and stored on the Key Management Server
  How it is generated: Created by a random number generator in the drive

256-bit Advanced Encryption Standard (AES) encryption: AES is a specification established by the U.S. National Institute of Standards and Technology (NIST).

FIPS 140-2 Level 2 (Federal Information Processing Standards): FIPS 140-2 Security Level 2 provides certification for the cryptographic module and tamper-evident labels/seals around the drive to reveal physical access to the inside.

Disk Folder: A logical pool of storage disks with multiple Disk drives, RAID levels and Volumes managed with a virtualization layer for application and user efficiencies.

Key Management Server (KMS): An external appliance that manages (stores and serves up) authority credentials to lock/unlock SEDs.

Key Management Interoperability Protocol (KMIP) v1.0: The standards-based protocol used to communicate between a KMS and a storage device such as a Dell Storage Array.

TCG: Trusted Computing Group.

Locked drive: An SED in which security has been enabled and the drive has been unexpectedly removed from the storage array, or powered down. Data on the drive cannot be read from or written to until the appropriate AC is provided.

Unlocked: Data on a drive is accessible for all read and write operations.

Cryptographic erase (CE): This feature permanently changes the Media Encryption Key so the drive can be re-used or re-purposed. After the CE is performed, the data previously written to the drive becomes unreadable.

Re-purpose: Changes the drive from a secured state to an unsecured state so that it can be safely used for another purpose. This task is accomplished using the CE feature.

RevertSP function: Reverts the drive to factory default condition.
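The locked-versus-erased distinction from the FAQ and the MEK, AC and CE entries above, modelled as an added example (not Dell, TCG or drive-vendor code): a toy SED whose MEK never leaves the drive object, is kept wrapped under a key derived from the AC that the controller would hand to the KMS, and is replaced by crypto-erase. The HMAC-based stream cipher, the PBKDF2 derivation and every class and method name are assumptions standing in for the drive's AES engine and real key wrapping.

```python
import hashlib
import hmac
import secrets

def _ctr_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in for the drive's AES-256 engine: HMAC-SHA256 keystream in counter mode (a toy, not AES)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def _kek(ac: bytes) -> bytes:  # key-encryption key derived from the Authority Credential (toy KDF)
    return hashlib.pbkdf2_hmac("sha256", ac, b"toy-sed-salt", 10_000)

class ToySED:
    def __init__(self) -> None:
        self._mek = secrets.token_bytes(32)  # generated "at the factory"; never exported
        self._wrapped = b""                  # MEK encrypted under the AC-derived KEK
        self.media = b""                     # what a thief gets: ciphertext only
        self.locked = False
    def enable_security(self) -> bytes:
        """Drive creates a random AC for the controller to store on the KMS; returns that AC."""
        ac = secrets.token_bytes(32)
        self._wrap(ac)
        return ac
    def _wrap(self, ac: bytes) -> None:
        kek, nonce = _kek(ac), secrets.token_bytes(16)
        ct = _ctr_xor(kek, nonce, self._mek)
        self._wrapped = nonce + ct + hmac.new(kek, nonce + ct, hashlib.sha256).digest()
    def power_down(self) -> None:  # power loss or removal from the array
        self._mek, self.locked = b"", True   # plaintext MEK is gone; drive is locked
    def unlock(self, ac: bytes) -> None:
        kek, nonce, ct, tag = _kek(ac), self._wrapped[:16], self._wrapped[16:48], self._wrapped[48:]
        if not hmac.compare_digest(tag, hmac.new(kek, nonce + ct, hashlib.sha256).digest()):
            raise PermissionError("wrong Authority Credential")  # MEK stays wrapped
        self._mek, self.locked = _ctr_xor(kek, nonce, ct), False
    def _mek_for_io(self) -> bytes:
        if self.locked:
            raise PermissionError("drive is locked")
        return self._mek
    def write(self, data: bytes) -> None:
        nonce = secrets.token_bytes(16)
        self.media = nonce + _ctr_xor(self._mek_for_io(), nonce, data)
    def read(self) -> bytes:
        return _ctr_xor(self._mek_for_io(), self.media[:16], self.media[16:])
    def crypto_erase(self, ac: bytes) -> None:  # CE: new MEK, re-wrapped under the same AC
        self._mek = secrets.token_bytes(32)      # ciphertext already on the media is now unrecoverable
        self._wrap(ac)
```

A locked drive still holds the wrapped MEK, so the right AC from the KMS restores the data; after crypto_erase the same AC unlocks the drive but the old ciphertext decrypts to noise.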

C Additional resources

Guidelines for Media Sanitization, National Institute of Standards and Technology, Computer Security Division
http://www.snia.org/sites/default/education/tutorials/2008/fall/security/walthubis-Best_Practices_Secure_Storage.pdf

SNIA Guidance and Best Practices
http://www.snia.org/forums/ssif/programs/best_practices

The Dell Compellent Secure Data architecture relies on a key management server that operates using KMIP. Currently certified for use is the SafeNet KeySecure K460 product.

SafeNet KeySecure K460
http://www.safenet-inc.com/data-protection/key-management/key-secure/

IBM Security Key Lifecycle Manager (SKLM), formerly Tivoli Key Lifecycle Manager
http://www-03.ibm.com/software/products/en/key-lifecycle-manager/

EMC RSA Data Protection Manager
http://www.emc.com/security/rsa-data-protection-manager.htm

Brocade offers in-flight encryption in the Brocade 6510, Brocade 6520 and Brocade DCX-8510. Using this feature provides additional security for frames between switches.
http://www.brocade.com