ABC of Storage Security
M. Granata, NetApp System Engineer
Encryption Challenges
Meet regulatory requirements: government and industry regulations and standards mandate protection of data at rest, for example FIPS 197 (the AES standard), California SB 1386, PCI DSS, HIPAA and Basel II.
No performance impact: encrypt data at wire speed, with no impact on existing applications and no additional CPU overhead on hosts.
Ease of installation: plug seamlessly into the current IT environment with zero downtime or disruption to workflow, with no modifications to hosts, servers or applications and no forklift upgrade of storage.
Scalability: as data grows, scale cost-effectively.
NetApp Storage Security Value Proposition
NetApp Storage Security will help you to:
- Meet regulatory requirements
- Secure data at rest
- Enforce separation for multi-tenancy applications
- Enable data privacy
Pillars of Storage Security and Privacy
- NAS encryption (SafeNet)
- Full disk encryption, FDE (NetApp)
- Multi-tenancy (NetApp)
- Key management (SafeNet)
SafeNet StorageSecure: Next Generation NAS Encryption
- Transparent network-based file and block encryption for Windows, UNIX, Linux and Solaris
- Targeted at IP-SAN and NAS, using industry standard protocols
- 1-GbE and 10-GbE interfaces
- Encryption keys managed through KeySecure
- Low latency, wire-speed encryption and decryption engine
- High reliability
SafeNet KeySecure k460: Universal Enterprise Key Management
Manages keys for:
- NetApp DataFort (all models)
- NetApp Lifetime Key Management (LKM) appliance
- NetApp Storage Encryption
- Brocade Encryption Switch
- SafeNet StorageSecure
Compliance with the OASIS Key Management Interoperability Protocol (KMIP) gives interoperability with other KMIP-compliant encryption products, current and future, from participating vendors.
NSE: Full Disk Encryption (FDE)
Always-on protection
- Simple set and forget, no configuration
- Protects your data when returning spares, repurposing, upgrading or moving drives
Optimized performance
- Minimal performance impact (<1%), since the encryption is done in the drive itself
- Works with NetApp storage efficiency and AV scanning
Standards-based security
- AES-128 or AES-256 encryption (drive specific)
- FIPS 140-2 Level 2 validated drives
- Trusted Computing Group (TCG) standards
- Standards-based KMIP server for key management
Drive options: 600 GB SAS or 3 TB SATA
How Does NSE Work?
- The Disk Key resides on the drive and is used to encrypt and decrypt data.
- The Authentication Key wraps the Disk Key in order to lock the drive.
- The Authentication Key is backed up to the external KMIP server and retrieved only during ONTAP startup.
A drive that leaves the system (a returned spare, a repurposed or misplaced disk) carries only the wrapped Disk Key, so its data is unreadable without the Authentication Key held by the key server. Because the key is fetched at startup, the KMIP server must be reachable when the system boots.
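The key hierarchy described above (Disk Key on the drive, Authentication Key on the key server, the latter wrapping the former) as an added model in Go. This is example code written for this page, not NetApp, ONTAP or drive firmware code: it uses AES-256-GCM as the wrapping and data-encryption primitive, a Go map in place of the KMIP server, and the drive serial as the key identifier, all of which are assumptions of the model; the real drives implement the wrap inside the drive under the TCG standards, which this code does not reproduce. What it shows is the property the slide relies on: a drive carrying only a wrapped Disk Key cannot be unlocked without the Authentication Key, and a wrong key is rejected rather than producing garbage.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyServer stands in for the external KMIP server: the Authentication Key (AK)
// looked up by drive serial. A map is a modelling assumption, not KMIP.
type KeyServer map[string][]byte

// Drive models a self-encrypting disk. The Disk Key (DEK) is in the clear only in
// drive RAM while unlocked; the media holds the AK-wrapped DEK and DEK-encrypted data.
type Drive struct {
	Serial     string
	wrappedDEK []byte // nonce || AES-256-GCM(AK, DEK); illustrative wrap, not the TCG mechanism
	dek        []byte // nil while the drive is locked
	media      []byte // user data as nonce || AES-256-GCM(DEK, data)
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means no keys; fatal for a key-generating component
	}
	return b
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal returns nonce || ciphertext; the GCM tag is what lets a wrong key be detected.
func seal(key, plaintext []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; a missing or wrong key fails authentication instead of yielding garbage.
func open(key, blob []byte) ([]byte, error) {
	g, err := newGCM(key)
	if err != nil || len(blob) < g.NonceSize() {
		return nil, errors.New("cannot decrypt: no key, wrong key or corrupt blob")
	}
	return g.Open(nil, blob[:g.NonceSize()], blob[g.NonceSize():], nil)
}

// Provision: the drive generates its DEK, the controller generates an AK, the drive
// wraps the DEK under the AK, and the AK is backed up to the key server.
func Provision(ks KeyServer, serial string) (*Drive, error) {
	dek, ak := randomBytes(32), randomBytes(32)
	wrapped, err := seal(ak, dek)
	if err != nil {
		return nil, err
	}
	ks[serial] = ak // the AK lives on the key server, never on the drive
	return &Drive{Serial: serial, wrappedDEK: wrapped, dek: dek}, nil
}

// Unlock is the ONTAP-startup step: fetch the AK and unwrap the DEK into drive RAM.
func (d *Drive) Unlock(ks KeyServer) error {
	dek, err := open(ks[d.Serial], d.wrappedDEK) // missing AK => nil key => rejected like a wrong AK
	if err != nil {
		return fmt.Errorf("drive %s stays locked: %w", d.Serial, err)
	}
	d.dek = dek
	return nil
}

// Lock is what a power cycle or pulling the drive does: the clear DEK is gone.
func (d *Drive) Lock() { d.dek = nil }

// Write and Read go through the DEK; on a locked drive dek is nil and seal/open fail.
func (d *Drive) Write(data []byte) (err error) { d.media, err = seal(d.dek, data); return }
func (d *Drive) Read() ([]byte, error)          { return open(d.dek, d.media) }

func main() {
	ks := KeyServer{}
	d, err := Provision(ks, "SN-0001")
	if err != nil {
		panic(err)
	}
	fmt.Println("write while unlocked:", d.Write([]byte("customer records")))
	d.Lock() // power cycle
	fmt.Println("boot with key server:", d.Unlock(ks))
	pt, _ := d.Read()
	fmt.Printf("read after unlock: %q\n", pt)
	d.Lock() // drive pulled and returned as a spare
	fmt.Println("boot without key server:", d.Unlock(KeyServer{}))
}
```

The two failure paths in `main` are the ones that matter operationally: a drive pulled from the array (no key server in reach) stays locked, and so does a whole system whose KMIP server is down at boot, which is why the key server and its backups deserve the same availability planning as the storage itself.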
The Security Challenge
Secure environments traditionally require dedicated resources per application (ERP, HR, CRM):
- Inefficient and inflexible
- Costly to deploy and manage
- Low utilization rates
- Difficult to change
How to gain the efficiencies of virtualization while maintaining security?
What is a Tenant?
An organizational unit within a shared infrastructure, used to group objects or entities with common requirements and administrative isolation. Examples include, but are not limited to:
- Customers (Customer A, Customer B)
- Applications (App1, App2)
- Business units and departments (Finance, Sales, Dept A, Dept B)
all on one shared infrastructure.
Adding Security to Virtualized Infrastructure
No compromise: share, control and improve efficiency across apps, servers, network and storage.
Secure multi-tenancy gives end-to-end isolation:
- Share more infrastructure across all your customers and applications; share more, save more
- Maintain the same control that physical silos provided
- Increase infrastructure efficiency
- Reduce the risks of deploying shared infrastructures
NetApp MultiStore
- Virtual storage controllers: logical partitions within the NetApp array, one per tenant (Customer A, Customer B, Customer C)
- Secure IP space: a discrete, private, secure network partition
- Secure VLAN interface: securely maps VLANs directly to IP spaces
- Network VLAN: used to logically partition networks and separate broadcast domains
NetApp provides the industry's only complete tool set for path isolation from the disk through the network. This level of isolation is mandatory for multi-tenant environments.
Multi-Tenancy: Quality of Service (QoS)
- Control the operations per second or raw throughput used by each tenant
- Contain bully workloads so that one tenant cannot starve the others
- Limit I/O at the level of Vservers, flexible volumes, files or LUNs
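To make the effect of a per-tenant throughput cap concrete, here is an added simulation in Go. It is example code written for this page, not ONTAP code, and it is not a description of how ONTAP implements QoS internally: it models a max-IOPS policy on one object as a token bucket, a shared backend that splits oversubscribed capacity in proportion to demand, and two tenants, an HR workload offering 500 IOPS and an ERP batch job offering 5,000 IOPS against a 3,000 IOPS backend. The tenant names, rates, proportional-sharing rule and token-bucket model are all assumptions of the example. Run uncapped, the bully takes ten times HR's share; with a 1,000 IOPS ceiling on the bully, HR gets its full 500.

```go
package main

import "fmt"

const ticksPerSecond = 100 // simulate in 10 ms slices

// Policy is a per-object throughput ceiling, the analogue of a max-throughput
// QoS limit attached to a Vserver, volume, file or LUN. MaxIOPS 0 means no
// limit (a modelling assumption).
type Policy struct {
	Name    string
	MaxIOPS float64
}

// Workload is one tenant's offered load in I/O operations per second.
type Workload struct {
	Tenant  string
	Offered float64
	Policy  *Policy // nil: no QoS policy attached
}

// bucket is a token bucket: tokens accrue at the cap rate and are spent by
// admitted I/Os. It starts empty and holds at most one second of tokens, so a
// capped tenant cannot front-load a large burst.
type bucket struct{ rate, tokens float64 }

func (b *bucket) admit(want, dt float64) float64 {
	b.tokens += b.rate * dt
	if b.tokens > b.rate {
		b.tokens = b.rate
	}
	if want > b.tokens {
		want = b.tokens
	}
	b.tokens -= want
	return want
}

// Simulate serves the workloads from one shared backend of capacityIOPS for
// the given number of seconds. Each tick a capped workload presents only what
// its bucket admits; the backend serves what is presented, splitting capacity
// in proportion to demand when oversubscribed. Returns achieved IOPS by tenant.
func Simulate(workloads []Workload, capacityIOPS float64, seconds int) map[string]float64 {
	dt := 1.0 / ticksPerSecond
	buckets := make([]*bucket, len(workloads))
	for i, w := range workloads {
		if w.Policy != nil && w.Policy.MaxIOPS > 0 {
			buckets[i] = &bucket{rate: w.Policy.MaxIOPS}
		}
	}
	served := make([]float64, len(workloads))
	demand := make([]float64, len(workloads))
	for tick := 0; tick < seconds*ticksPerSecond; tick++ {
		total := 0.0
		for i, w := range workloads {
			demand[i] = w.Offered * dt
			if buckets[i] != nil {
				demand[i] = buckets[i].admit(demand[i], dt)
			}
			total += demand[i]
		}
		share := 1.0
		if avail := capacityIOPS * dt; total > avail {
			share = avail / total // oversubscribed: the loudest tenant wins
		}
		for i := range workloads {
			served[i] += demand[i] * share
			if b := buckets[i]; b != nil {
				b.tokens += demand[i] * (1 - share) // refund what the backend could not serve
			}
		}
	}
	achieved := make(map[string]float64, len(workloads))
	for i, w := range workloads {
		achieved[w.Tenant] = served[i] / float64(seconds)
	}
	return achieved
}

func main() {
	hr := Workload{Tenant: "HR", Offered: 500}
	bully := Workload{Tenant: "ERP-batch", Offered: 5000}
	fmt.Println("no QoS:      ", Simulate([]Workload{hr, bully}, 3000, 1))
	bully.Policy = &Policy{Name: "erp-cap", MaxIOPS: 1000}
	fmt.Println("bully capped:", Simulate([]Workload{hr, bully}, 3000, 1))
}
```

The cap is placed on the bully, not on the victim: limiting the object that generates the excess load is what restores the other tenants' share, and the same policy can be attached at whichever granularity (Vserver, volume, file or LUN) matches the noisy workload.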
Example of Partnership Architecture: SMT
Stack: VMware vSphere, vCenter and vShield Zones 2.0; Cisco Nexus 5000, Nexus 1000V, UCS, VLANs and 10GbE; NetApp MultiStore, NFS, FC/FCoE and SnapMirror; hosting tenants such as HR, a business unit and an application.
Solution overview
- NetApp, Cisco and VMware jointly developed an end-to-end virtualized and secure Infrastructure as a Service (IaaS)
- End-to-end Secure Multi-Tenancy
- Defense in depth throughout the infrastructure
Customer benefits
- Proven, highly scalable infrastructure supporting all applications through one unified architecture
- Significantly higher economies of scale, increased utilization and better SLAs
NetApp Storage Security Summary

                       | SafeNet StorageSecure (Ethernet based)                              | NetApp Storage Encryption (NSE)                                              | Secure Multi-Tenancy
Encryption device      | External appliance                                                  | In the hard drive (self-encrypting disk)                                     | OS embedded
Protocols supported    | CIFS, NFS, iSCSI                                                    | Protocol independent                                                         | FC/FCoE, CIFS, NFS, iSCSI
Encryption granularity | Share / volume / iSCSI LUN                                          | Entire disk / HA pair (system level)                                         | N/A
Key management         | SafeNet KeySecure                                                   | KMIP compatible (SafeNet KeySecure)                                          | N/A
Performance            | 1/10 Gb Ethernet                                                    | 10k or 15k high-performance drive, or 7.2k capacity drive                    | No impact
Certifications         | FIPS 140-2 Level 3                                                  | FIPS 140-2 Level 2                                                           | Jointly validated design
Primary use cases      | Enhanced ACLs; cryptographic separation; heterogeneous storage; cloud | Disk theft or misplaced disk; non-returnable disk; preserves storage efficiency | Shared infrastructure; cloud; consistent QoS