EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions




Security and Encryption Overview ... 2
1. What is encryption? ... 2
2. What is the AES encryption standard? ... 2
3. What is key management? ... 2
4. Why is data encryption important to the data center? ... 2
5. Where can data be protected on a Storage Area Network (SAN)? ... 2
6. Why is it important to protect data in-flight? ... 2
7. What is the trend in the use of data encryption? ... 3
8. What are some of the regulations for data encryption? ... 3
9. What is a defensible proof of encryption? ... 3
10. What is software-based encryption? ... 3
11. What are fabric-based encryption appliances? ... 3
12. What are encrypting disk drives and arrays? ... 3
EmulexSecure HBA Architecture ... 4
13. What is the EmulexSecure HBA architecture? ... 4
14. What are the business benefits of using the EmulexSecure HBA architecture? ... 4
15. How does the EmulexSecure HBA architecture protect data? ... 4
16. What type of encryption does the EmulexSecure HBA architecture support? ... 4
17. How is the EmulexSecure HBA architecture implemented? ... 4
18. How does EmulexSecure HBA architecture support key management? ... 5
19. What is the relationship between the EmulexSecure HBA architecture and KMIP? ... 5
20. How does the EmulexSecure HBA architecture work in a virtualized server environment? ... 5
21. Will EmulexSecure HBA support be included in Emulex management applications? ... 5
22. What are the key features and benefits of the EmulexSecure HBA architecture? ... 5

Page 1 of 6 09-1248 03/09

Security and Encryption Overview

1. What is encryption?

Encryption secures information by converting data so that the original content is unreadable. Modern encryption methods use a standard algorithm (called a cipher) to convert data from unprotected plaintext to protected ciphertext. The key is a randomly generated value that is used to provide a unique transformation of plaintext to ciphertext. The original key must be used to decrypt the data so it can be read.

2. What is the AES encryption standard?

The Advanced Encryption Standard (AES) describes encryption algorithms that have been adopted by the U.S. government and approved as a Federal Information Processing Standard (FIPS). AES supports key sizes of 128, 192 and 256 bits, with 256-bit keys providing the strongest encryption.

3. What is key management?

Key management is the process that is used to create, distribute, store and authenticate encryption keys. Key management systems use policies to restrict key access to specific users and administrators. The key management system also provides secure key distribution, which is critical to ensuring security for encrypted data.

4. Why is data encryption important to the data center?

There are several key business benefits that result from protecting data using encryption. These include:

- Regulation compliance: There are over 10,000 regulations that require organizations to safeguard data and provide notification of every incident of disclosure. Organizations that don't comply can be subject to government fines and civil litigation.
- Reduce potential liability from a data breach: Since 2005, there have been 252 million records lost and identity theft has left over 15 million consumers victimized. The average cost of a breach is $6.6 million and each record compromised costs $202 according to the Ponemon Institute. The largest breach on record cost over $250 million.
- Reduce costs for disk disposal: Since disk drives can contain sensitive data, many organizations use costly procedures to protect data on drives that are disposed of or taken out of service. For example, IT administrators may not be able to return failed disk drives under warranty for repair or replacement. If not returned, new drives must be purchased at a cost of $1000 to $3500 per drive and the failed drives shredded, drilled, melted or otherwise made physically unreadable. If the data on the drive is properly encrypted with a protected key, it is considered to be unreadable.

5. Where can data be protected on a Storage Area Network (SAN)?

The full SAN data path consists of a server, switch, storage (disk and tape) and connecting cabling. There are two primary locations where data can be protected with encryption. The first is in-flight, which refers to data that is in transit anywhere on the data path. The second is at-rest, which is data that is stored on disk or tape.

6. Why is it important to protect data in-flight?

Surveys have reported that 68% of data breaches occur from inside the organization. Insiders have more opportunity to capture sensitive data at multiple points in the data path, so simply encrypting data at the storage end-point may not be adequate. Host-based encryption protects data throughout the data path, both in-flight and at-rest.

7. What is the trend in the use of data encryption?

An analysis of a recent IDC end user survey indicates that the amount of encrypted data should grow to 55% in the next three to five years, with 44% of those surveyed expecting to encrypt more than 75% of their data.

8. What are some of the regulations for data encryption?

- Sarbanes-Oxley: This law was passed in response to widespread incidences of accounting scandals and corporate fraud at public corporations. Some of the provisions relate to providing assurances for the accuracy of data that is reported and made available to auditors. Other provisions include requirements for internal control reports and audit trails. Data encryption supports compliance by ensuring that access to data is strictly controlled and auditable.
- California AB 1386 and AB 1950: These laws are directed at state agencies and businesses that operate in California or collect information about California residents. The laws require notification to Californians if their personal information or medical records are disclosed by a security breach.
- Health Insurance Portability and Accountability Act (HIPAA): HIPAA regulates the use and disclosure of information held by "covered entities," which includes health insurers, employer-sponsored health plans and medical service providers. It establishes regulations for the use and disclosure of Protected Health Information (PHI), which generally includes any part of an individual's medical record or payment history.
- Payment Card Industry (PCI) Data Security Standard: The leading credit card companies aligned to adopt a standard that requires merchants to secure account numbers by encryption or truncation. Penalties and fines can be imposed if data is stolen.
- Department of Defense (DOD): The DOD has extensive regulations that relate to access and control of classified information.

9. What is a defensible proof of encryption?

A defensible proof of encryption must provide evidence to security auditors that confidential data has been encrypted using a secure key. This requires encryption logs for specific applications on both physical servers and virtual machines (VMs) running on virtualized servers. It also requires key management that protects keys as they're stored and transmitted in the network. Failing to meet these requirements can undermine the benefit of implementing encryption.

10. What is software-based encryption?

Software-based encryption is done by applications running on a server to protect data that is specific to the application. It is typically used for environments that encrypt relatively small amounts of data. Software-based encryption consumes significant CPU cycles, which slows applications and reduces consolidation ratios for virtualized servers.

11. What are fabric-based encryption appliances?

Fabric-based encryption appliances are hardware solutions that are installed in the fabric network. There are basically two types of encryption appliances: single-port pair (one target and one initiator) and multiple-port pairs, such as an encrypting switch. Fabric-based encryption appliances protect data in-flight from the appliance to storage. There is no protection for data in-flight between a server and the appliance.

12. What are encrypting disk drives and arrays?

Encrypting disk drives and arrays encrypt data as it's written to a disk. Encrypting drives and arrays protect data at-rest, but provide no protection for data in-flight. Encryption keys are embedded with the drive, which could be less secure than solutions that store the key in a different location.

EmulexSecure HBA Architecture

13. What is the EmulexSecure HBA architecture?

The EmulexSecure Host Bus Adapter (HBA) architecture provides a new option for implementing data security. To support this architecture, Emulex is developing HBA products that do hardware-based encryption of data as it leaves the server, protecting data in-flight on the storage network and when stored at-rest on disk and tape. Initial designs are based on 8Gb/s Fibre Channel PCI Express (PCIe) dual-port HBA technology. The EmulexSecure HBA architecture also includes application programming interfaces (APIs) for integration with key management solutions using the new Key Management Interoperability Protocol (KMIP). The first supported key management solution will be RSA Key Manager. RSA is a leading enterprise key management provider, and other key management solutions will be supported in the future.

14. What are the business benefits of using the EmulexSecure HBA architecture?

Data breaches are a growing concern for organizations worldwide. The risk is real and can affect organizations of any size, location or industry. Maximum protection is provided by a strong encryption solution that secures data in-flight on the network and at-rest on disk and tape, combined with solutions that can prove that the right data was encrypted and the keys are safe. In addition to the open-ended cost of an actual security breach, organizations need to comply with a variety of regulatory requirements. Adapter-based encryption facilitates auditing and reporting to verify compliance. A host-based solution allows organizations to manage key access based on applications and/or user roles. In addition, keys never leave the data center, so there is no requirement to coordinate key management on hundreds or thousands of drives as with disk-based encryption. Encryption at-rest helps organizations with the problem of disk disposal. When there is a disk failure, unencrypted disks must be made unreadable prior to disposal. Disk drives that contain encrypted information and no key material can be easily disposed of, and failed disks can be returned for warranty replacement.

15. How does the EmulexSecure HBA architecture protect data?

The EmulexSecure HBA architecture is a host-based solution, which protects data in-flight and at-rest with the lowest total cost of ownership when compared to other types of solutions. This has the effect of encryption-enabling the entire storage network. Data is encrypted once and remains encrypted wherever it goes: through the network, on storage and when mirrored or replicated.

16. What type of encryption does the EmulexSecure HBA architecture support?

The EmulexSecure HBA architecture uses the Advanced Encryption Standard (AES), which has been ratified by the National Institute of Standards and Technology. It's the encryption solution of choice for solutions requiring a high degree of data security. The EmulexSecure HBA architecture supports AES with 256-bit keys, the strongest security option. There are several modes of AES encryption. The EmulexSecure HBA architecture supports both AES-256 CBC and AES-2x256 XTS.

17. How is the EmulexSecure HBA architecture implemented?

The EmulexSecure HBA architecture is designed to be an in-stack transparent encryption solution. Once the keys and encryption policies are loaded, there is no operational difference for software above the driver and there is no impact on any storage network or storage device.

The solution consists of an enhanced HBA and driver that use a hardware-based crypto module which is seamlessly integrated into the Emulex software stack. Emulex has invented new techniques to encrypt data with no operational impact on the server or storage environment. The initial release is targeted to include Windows and Linux support, with additional operating systems to follow.

18. How does EmulexSecure HBA architecture support key management?

The EmulexSecure HBA architecture includes APIs for integration into standard key management, credential management and authentication solutions. All keys are protected inside a FIPS 140-2 protected security boundary. Encryption keys and host-based access control credentials are managed from the same location to improve security and simplify management. Communications with key managers are authenticated and secure.

19. What is the relationship between the EmulexSecure HBA architecture and KMIP?

The Key Management Interoperability Protocol (KMIP) is a new standard that was announced on February 12, 2009. Emulex uses KMIP to integrate with RSA Key Manager and will work with other products that support the standard in the future.

20. How does the EmulexSecure HBA architecture work in a virtualized server environment?

The EmulexSecure HBA architecture does hardware-assisted encryption which off-loads CPU cycles, allowing more VMs per server than a software-based encryption solution. Keys are managed per Logical Unit Number (LUN), so applications running on VMs can have unique encryption keys with granular control of access to data. EmulexSecure HBAs also support migration of VMs that have encrypted access to data. The EmulexSecure HBA architecture uses enterprise-wide key management that enables migration to any host that has an EmulexSecure HBA and is authorized to access keys for the VM's storage. Keys are automatically loaded before the VM is moved, ensuring no disruption in server availability and storage access.

21. Will EmulexSecure HBA support be included in Emulex management applications?

EmulexSecure HBA management will be included in the OneCommand Management Framework that supports all Emulex host-based products. With the OneCommand Management Framework, IT organizations will be able to:

- Apply and track encryption policies across the infrastructure
- Provide audit information to the corporate logging system

22. What are the key features and benefits of the EmulexSecure HBA architecture?

- Highest level of protection, lowest cost
  - Single lock to protect data in-flight and at-rest
  - AES 256-bit strong encryption
  - Capital costs 50% to 80% less than array or switch encryption
  - Capital costs 50% to 90% less than software-based encryption on servers with high I/O workloads
- Optimized scalability and performance for server virtualization
  - Hardware-assisted encryption
  - Minimal impact on CPU performance
  - Support for secure virtual machine (VM) migration
- In-stack transparent security architecture
  - No changes to the software stack above the EmulexSecure HBA drivers
  - Protection for every adapter, switch and storage device in the network
- Open enterprise key management
  - Support for KMIP standard API for integration with key management solutions
  - Policy-based management allows key access to be managed by roles and applications
- Compliance-ready
  - Facilitates defensible proof of encryption
  - Safe transport and disposal of disks and tapes
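The two ideas that questions 16 and 20 state in one sentence each, an XTS sector cipher built from two 256-bit AES keys and a separate key for every LUN, are shown in working form below. This is an added example written for this page; it is not Emulex code and does not describe how the EmulexSecure HBA, its driver or its crypto module are implemented. It assumes IEEE 1619 XTS (sector number as the tweak, no ciphertext stealing because sectors are a multiple of 16 bytes), fixed constructed keys in place of keys fetched from a key manager, and hypothetical names (XTSKey, LUNKeyring, Transform, Sector). Unlike CBC, which chains every block to the one before it, XTS tweaks each 16-byte block by its position, so the same sector contents written at two sector numbers produce different ciphertext and a corrupted ciphertext block spoils only that block on decryption.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// XTSKey holds the two independent AES-256 keys XTS uses (the "2x256" in AES-2x256 XTS).
type XTSKey struct {
	data  cipher.Block // K1: encrypts and decrypts the data blocks
	tweak cipher.Block // K2: turns the sector number into the initial tweak
}

// NewXTSKey builds an XTS key from two 32-byte halves; IEEE 1619 requires them to differ.
func NewXTSKey(k1, k2 []byte) (*XTSKey, error) {
	if len(k1) != 32 || len(k2) != 32 || bytes.Equal(k1, k2) {
		return nil, errors.New("XTS-AES-256 needs two distinct 32-byte keys")
	}
	b1, err1 := aes.NewCipher(k1)
	b2, err2 := aes.NewCipher(k2)
	if err1 != nil || err2 != nil {
		return nil, errors.New("AES key setup failed")
	}
	return &XTSKey{data: b1, tweak: b2}, nil
}

// mulAlpha multiplies the tweak by x in GF(2^128), little-endian as in IEEE 1619 (x^128 + x^7 + x^2 + x + 1).
func mulAlpha(t *[16]byte) {
	var carry byte
	for i := range t {
		next := t[i] >> 7
		t[i] = t[i]<<1 | carry
		carry = next
	}
	if carry != 0 {
		t[0] ^= 0x87
	}
}

// Transform applies XTS to one sector in either direction; the length must be a non-zero multiple of 16 bytes.
func (k *XTSKey) Transform(src []byte, sector uint64, encrypt bool) ([]byte, error) {
	if len(src) == 0 || len(src)%aes.BlockSize != 0 {
		return nil, errors.New("sector length must be a non-zero multiple of 16 bytes")
	}
	var t [16]byte
	binary.LittleEndian.PutUint64(t[:8], sector) // upper 64 bits of the tweak stay zero
	k.tweak.Encrypt(t[:], t[:])
	dst := make([]byte, len(src))
	var blk [16]byte
	for off := 0; off < len(src); off += aes.BlockSize {
		for i := range blk {
			blk[i] = src[off+i] ^ t[i] // XOR the position-dependent tweak in ...
		}
		if encrypt {
			k.data.Encrypt(blk[:], blk[:])
		} else {
			k.data.Decrypt(blk[:], blk[:])
		}
		for i := range blk {
			dst[off+i] = blk[i] ^ t[i] // ... and out again, then step the tweak
		}
		mulAlpha(&t)
	}
	return dst, nil
}

// LUNKeyring gives every LUN its own key, so a VM holding one LUN's key reads nothing else.
type LUNKeyring map[uint32]*XTSKey

// Sector encrypts (encrypt=true) or decrypts one sector for a LUN; a LUN with no loaded key fails closed.
func (r LUNKeyring) Sector(lun uint32, sector uint64, data []byte, encrypt bool) ([]byte, error) {
	k, ok := r[lun]
	if !ok {
		return nil, fmt.Errorf("no key loaded for LUN %d", lun)
	}
	return k.Transform(data, sector, encrypt)
}

// ConstructedKeyring loads fixed, constructed keys for LUNs 1 and 7 so the example runs offline
// and deterministically; real keys come from a key manager, never from constants in code.
func ConstructedKeyring() LUNKeyring {
	k1, _ := NewXTSKey(bytes.Repeat([]byte{0x11}, 32), bytes.Repeat([]byte{0x22}, 32))
	k7, _ := NewXTSKey(bytes.Repeat([]byte{0x33}, 32), bytes.Repeat([]byte{0x44}, 32))
	return LUNKeyring{1: k1, 7: k7}
}

func main() {
	ring := ConstructedKeyring()
	plain := bytes.Repeat([]byte("PHI record "), 47)[:512] // constructed 512-byte sector
	ct0, _ := ring.Sector(1, 0, plain, true)
	ct1, _ := ring.Sector(1, 1, plain, true) // same contents at another sector number
	back, _ := ring.Sector(1, 0, ct0, false)
	fmt.Printf("sector 0: %x...\nsector 1: %x...\nround trip: %v\n", ct0[:8], ct1[:8], bytes.Equal(back, plain))
}
```

XTS provides confidentiality only: a flipped bit in stored ciphertext decrypts to one garbled block with no error reported, which is why the defensible proof of question 9 leans on logs and key custody rather than on the cipher alone. The fail-closed lookup in Sector is the per-LUN policy of question 20 reduced to its simplest form: no loaded key, no I/O.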