EMC Symmetrix Data at Rest Encryption



Similar documents
EMC VMAX3 DATA AT REST ENCRYPTION

Deployment Guide P/N Rev A01

EMC VNX2: Data at Rest Encryption

EMC Virtual Infrastructure for SAP Enabled by EMC Symmetrix with Auto-provisioning Groups, Symmetrix Management Console, and VMware vcenter Converter

XTREMIO DATA AT REST ENCRYPTION

EMC Backup and Recovery for Microsoft SQL Server 2008 Enabled by EMC Celerra Unified Storage

Full Drive Encryption Security Problem Definition - Encryption Engine

REMOTE KEY MANAGEMENT (RKM) ENABLEMENT FOR EXISTING DOCUMENTUM CONTENT SERVER DEPLOYMENTS

EMC DATA DOMAIN ENCRYPTION A Detailed Review

Configuring Celerra for Security Information Management with Network Intelligence s envision

EMC Disk Library with EMC Data Domain Deployment Scenario

EMC ENCRYPTION AS A SERVICE

EMC Celerra Version 5.6 Technical Primer: Control Station Password Complexity Policy Technology Concepts and Business Considerations

Implementing Disk Encryption on System x Servers with IBM Security Key Lifecycle Manager Solution Guide

An Integrated End-to-End Data Integrity Solution to Protect Against Silent Data Corruption

How To Protect Data On Network Attached Storage (Nas) From Disaster

CONFIGURATION GUIDELINES: EMC STORAGE FOR PHYSICAL SECURITY

PLATFORM ENCRYPTlON ARCHlTECTURE. How to protect sensitive data without locking up business functionality.

An Introduction to Key Management for Secure Storage. Walt Hubis, LSI Corporation

EMC CLARiiON Secure Remote Support Solutions Technical Notes P/N REV A03 October 5, 2010

IBM TSM DISASTER RECOVERY BEST PRACTICES WITH EMC DATA DOMAIN DEDUPLICATION STORAGE

Projectplace: A Secure Project Collaboration Solution

AX4 5 Series Software Overview

Storage Media Encryption and Enterprise Key Management: The EMC Connectrix MDS and RSA Solution for Securing Data on Tape

Navisphere Quality of Service Manager (NQM) Applied Technology

EmulexSecure 8Gb/s HBA Architecture Frequently Asked Questions

16 TB of Disk Savings and 3 Oracle Applications Modules Retired in 3 Days: EMC IT s Informatica Data Retirement Proof of Concept

Reference Architecture. EMC Global Solutions. 42 South Street Hopkinton MA

EMC Celerra Version 5.6 Technical Primer: Public Key Infrastructure Support

SecureDoc Disk Encryption Cryptographic Engine

USB Portable Storage Device: Security Problem Definition Summary

VIDEO SURVEILLANCE WITH SURVEILLUS VMS AND EMC ISILON STORAGE ARRAYS

Microsoft SQL Server 2005 on Windows Server 2003

RSA Solution Brief RSA. Encryption and Key Management Suite. RSA Solution Brief

ProtectV. Securing Sensitive Data in Virtual and Cloud Environments. Executive Summary

Secure Network Communications FIPS Non Proprietary Security Policy

IBM Cognos TM1 on Cloud Solution scalability with rapid time to value

CONFIGURATION BEST PRACTICES FOR MICROSOFT SQL SERVER AND EMC SYMMETRIX VMAXe

Self-Encrypting Hard Disk Drives in the Data Center

FIPS Security Policy LogRhythm Log Manager

Bloombase StoreSafe Security Best Practice

Ensuring Security and Compliance of Your EMC Documentum Enterprise Content Management System: A Collaborative Effort of EMC Documentum and RSA

USB Portable Storage Device: Security Problem Definition Summary

Symantec Drive Encryption for Windows

EMC PERFORMANCE OPTIMIZATION FOR MICROSOFT FAST SEARCH SERVER 2010 FOR SHAREPOINT

EMC MID-RANGE STORAGE AND THE MICROSOFT SQL SERVER I/O RELIABILITY PROGRAM

Hitachi Virtual Storage Platform Family: Security Overview. By Hitachi Data Systems

Understanding EMC Avamar with EMC Data Protection Advisor

Securing Data in the Virtual Data Center and Cloud: Requirements for Effective Encryption

EMC Replication Manager and Kroll Ontrack PowerControls for Granular Recovery of SharePoint Items

EMC Integrated Infrastructure for VMware

SecureD Technical Overview

Online Transaction Processing in SQL Server 2008

EMC FEDERATED TIERED STORAGE (FTS) Allows Seamless Integration Between EMC Symmetrix VMAX Series and Third-Party Storage Arrays

HIPAA Privacy & Security White Paper

EMC Unified Storage for Microsoft SQL Server 2008

EMC NETWORKER SNAPSHOT MANAGEMENT

Improving Microsoft SQL Server Recovery with EMC NetWorker and EMC RecoverPoint

Enterprise Key Management: A Strategic Approach ENTERPRISE KEY MANAGEMENT A SRATEGIC APPROACH. White Paper February

DELL POWERVAULT LIBRARY-MANAGED ENCRYPTION FOR TAPE. By Libby McTeer

Accellion Secure File Transfer Cryptographic Module Security Policy Document Version 1.0. Accellion, Inc.

SkyRecon Cryptographic Module (SCM)

Understanding EMC Avamar with EMC Data Protection Advisor

Whitepaper Enhancing BitLocker Deployment and Management with SimplySecure. Addressing the Concerns of the IT Professional Rob Weber February 2015

SP A Framework for Designing Cryptographic Key Management Systems. 5/25/2012 Lunch and Learn Scott Shorter

HIPAA Security Matrix

Backup-to-Disk Building an Effective Long-Term Strategy

How To Secure An Rsa Authentication Agent

Virtualizing SQL Server 2008 Using EMC VNX Series and Microsoft Windows Server 2008 R2 Hyper-V. Reference Architecture

For more information on how to build a HIPAA-compliant wireless network with Lutrum, please contact us today!

HIPAA and HITECH Regulations

EMC MIGRATION OF AN ORACLE DATA WAREHOUSE

Frequently Asked Questions: EMC UnityVSA

EMC VMAX 40K: Mainframe Performance Accelerator

EMC Documentum Interactive Delivery Services Accelerated Overview

IMPROVING VMWARE DISASTER RECOVERY WITH EMC RECOVERPOINT Applied Technology

Complying with PCI Data Security

How To Encrypt Data On A Network With Cisco Storage Media Encryption (Sme) For Disk And Tape (Smine)

EMC Backup and Recovery for SAP Oracle with SAP BR*Tools Enabled by EMC Symmetrix DMX-3, EMC Replication Manager, EMC Disk Library, and EMC NetWorker

How To Use Cmk On An Ipa (Intralinks) On A Pc Or Mac Mac (Apple) On An Iphone Or Ipa On A Mac Or Ipad (Apple Mac) On Pc Or Ipat (Apple

Navigating Endpoint Encryption Technologies

AUTOMATED DATA RETENTION WITH EMC ISILON SMARTLOCK

EMC Data Protection Search

nwstor Storage Security Solution 1. Executive Summary 2. Need for Data Security 3. Solution: nwstor isav Storage Security Appliances 4.

EMC Data Domain Boost for Oracle Recovery Manager (RMAN)

MICROSOFT HYPER-V SCALABILITY WITH EMC SYMMETRIX VMAX

EMC Business Continuity for VMware View Enabled by EMC SRDF/S and VMware vcenter Site Recovery Manager

Increasing Recoverability of Critical Data with EMC Data Protection Advisor and Replication Analysis

Alliance Key Manager Solution Brief

WHITE PAPER. HIPAA-Compliant Data Backup and Disaster Recovery

Veeam Cloud Connect. Version 8.0. Administrator Guide

Microsoft Windows Common Criteria Evaluation

Xanadu 130. Business Class Storage Solution. 8G FC Host Connectivity and 6G SAS Backplane. 2U 12-Bay 3.5 Form Factor

Security White Paper The Goverlan Solution

EMC Integrated Infrastructure for VMware

Security Technical. Overview. BlackBerry Enterprise Service 10. BlackBerry Device Service Solution Version: 10.2

Using VMware VMotion with Oracle Database and EMC CLARiiON Storage Systems

Transcription:

Detailed Review Abstract This white paper provides a detailed description of EMC Symmetrix Data at Rest Encryption features and operations. March 2011

Copyright 2010, 2011 EMC Corporation. All rights reserved. EMC believes the information in this publication is accurate as of its publication date. The information is subject to change without notice. THE INFORMATION IN THIS PUBLICATION IS PROVIDED AS IS. EMC CORPORATION MAKES NO REPRESENTATIONS OR WARRANTIES OF ANY KIND WITH RESPECT TO THE INFORMATION IN THIS PUBLICATION, AND SPECIFICALLY DISCLAIMS IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE. Use, copying, and distribution of any EMC software described in this publication requires an applicable software license. For the most up-to-date listing of EMC product names, see EMC Corporation Trademarks on EMC.com. All other trademarks used herein are the property of their respective owners. Part Number h8073.1 Detailed Review 2

Table of Contents Executive summary... 4 Audience... 4 Terminology... 4 Data at Rest Encryption... 5 Key management... 7 RSA Embedded Key Manager components... 7 DEK protection... 7 Data integrity... 7 Operational examples... 8 Installation of a Symmetrix system... 8 Replacement of a drive... 8 Decommissioning of a Symmetrix system... 9 Data at Rest Encryption options... 9 Conclusion... 9 Detailed Review 3

Executive summary Securing sensitive data is one of the greatest challenges faced by many enterprises. Increasing regulatory and legislative demands and the constantly changing threat landscape have brought data security to the forefront of IT issues. Several of the most important data security threats are related to protection of the storage environment. Drive loss and theft are primary risk factors. EMC Symmetrix Data at Rest Encryption protects data confidentiality by adding back-end encryption to the entire array. Audience The audience for this white paper includes: Customers, including IT planners, storage architects, and administrators involved in evaluating, acquiring, managing, operating, or designing security for an EMC networked storage environment. EMC staff and partners, for guidance and development of proposals. Terminology Table 1. Term Enginuity Symmetrix system terms Definition EMC Symmetrix systems run the Enginuity operating environment. Symmetrix Audit Logs Symmetrix Service Processor SymmWin Application An immutable (not changeable) audit log that tracks security events on a Symmetrix system. The audit log allows administrators to identify any breaches in the system and prove compliance with data protection policies. A component that monitors the system environment, provides remote notification and remote support capabilities, and allows EMC personnel to access the system locally or remotely. A graphics-based tool for configuring and monitoring a Symmetrix system. Table 2. Term Encryption terms Definition XTS-AES Algorithm Data Encryption Key (DEK) Key Encryption Key (KEK) Key Tag An XEX-based Tweaked Codebook (TCB) mode with Cipher Text Stealing (CTS) disk encryption used for the encryption of sector-based storage devices. Uses key algorithms to encrypt and decrypt data and apply confidentiality protection to information. Keeps DEKs secure during storage and transmission. The approved technique to protect DEKs is to use KEKs along with the AES Key Wrap algorithm. A value that is permanently attached to an encryption key. Key tag verification in controller-based encryption guarantees reliable encryption without any potential loss or corruption of data. Detailed Review 4

Data at Rest Encryption Data at Rest Encryption provides hardware-based, on-array, back-end encryption for Symmetrix systems. Back-end encryption protects your information from unauthorized access when drives are removed from the system. Data at Rest Encryption provides encryption on the back end using Fibre Channel I/O modules that incorporate XTS-AES 256-bit data-at-rest encryption. These modules encrypt and decrypt data as it is being written to or read from a drive. All configured drives are encrypted, including data drives, spares, and drives with no provisioned volumes. In addition, all array data is encrypted, including Symmetrix File System and PowerVault contents. Data at Rest Encryption incorporates RSA Embedded Key Manager for key management. With Data at Rest Encryption, keys are self-managed, and there is no need to replicate keys across volume snapshots or remote sites. RSA Embedded Key Manager provides a separate, unique DEK for each drive in the array, including spare drives. By securing data on enterprise storage, Data at Rest Encryption ensures that the potential exposure of sensitive data on discarded, misplaced, or stolen media is reduced or eliminated. As long as the key used to encrypt the data is secured, encrypted data cannot be read. In addition to protecting against threats related to physical removal of media, this also means that media can readily be repurposed by destroying the encryption key used for securing the data previously stored on that media. Data at Rest Encryption is compatible with all Symmetrix system features, allows for encryption of any supported local drive types or volume emulations, and delivers powerful encryption without performance degradation or disruption to existing applications or infrastructure. Detailed Review 5

The following illustration shows a high-level overview of the Data at Rest Encryption architecture: Host EMC host software SAN IP Director Director RSA Key Manager Client IO module IO module IO module IO module RSA Embedded Key Manager Server Service Processor Unencrypted data Encrypted data Management traffic Unique key for each physical disk ICO-IMG-000849 Figure 1. Data at Rest Encryption architecture Detailed Review 6

Key management Because encryption offers protection for the data itself, rather than for a device or a host, it is a powerful tool for enforcing your security policies. However, the data security provided by encryption is only as good as the generation, protection, and management of the keys used in the encryption process. Encryption keys must be available when they are needed, but at the same time access to keys must be tightly controlled. The keys themselves, as well as the information required to enable the use of the key during decryption activities, must be preserved for the lifetime of the data. This is especially important for enterprise storage environments where encrypted data is kept for many years. Because of the critical importance of key management in encryption solutions, Data at Rest Encryption was designed to be integrated with RSA Embedded Key Manager. RSA Embedded Key Manager provides enterprise key management for a broad range of encryption environments, establishing a pervasive and secure infrastructure for this essential component of data security. All key generation, distribution, and management capabilities required for Data at Rest Encryption are provided by RSA Embedded Key Manager, according to the best practices defined by industry standards such as NIST 800-57 and ISO 11770. The accessibility of encryption keys is a critical factor in high availability. Data at Rest Encryption addresses this by caching the keys locally so that the need to connect to RSA Embedded Key Manager is limited to maintenance operations such as the initial installation of the Symmetrix system, the replacement of a drive, or drive upgrades. Key management events such as key creation, key deletion, and Key Manager recovery are reported in the Symmetrix Audit Log. RSA Embedded Key Manager components Data at Rest Encryption utilizes the following RSA software, which is compiled into the SymmWin application on the Symmetrix Service Processor: RSA Embedded Key Manager Server an embedded version of RSA Key Manager Enterprise Server, which provides encryption key management capabilities such as secure key generation, storage, distribution, and audit. RSA Key Manager client handles communication with the RSA Embedded Key Manager Server. RSA BSAFE cryptographic libraries provide foundational security functionality for RSA Embedded Key Manager Server and the RSA Key Manager client. RSA Lockbox a hardware-and software-specific encrypted repository that securely stores passwords and other sensitive key manager configuration information. DEK protection The following features ensure the protection of the DEKs: The RSA Embedded Key Manager Server repository is encrypted with 256-bit AES using an RSA-generated random password, which is saved in the RSA Lockbox. All persistent key storage locations either contain wrapped or encrypted keys, or unwrapped keys that are protected from access by hardware. DEKs are wrapped by encrypting the key data using a standard AES keywrap operation that utilizes a KEK that is unique to each array. There are no backdoor keys or passwords to bypass security. Data integrity The following features allow Data at Rest Encryption to ensure that the correct key is used with the correct drive: DEKs stored in the RSA Embedded Key Manager include a unique key tag along with the key metadata, which is included with the key material while wrapping (encrypting) the DEK for use in the array. Detailed Review 7

During encryption I/O, the expected key tag associated with the drive is separately supplied along with the wrapped key. During key unwrap (prior to starting an I/O) the encryption hardware checks that the key unwrapped properly and that it matches the supplied key tag. Arrays with data encryption enabled have a special Physical Information Block (PHIB) located in reserved space at the beginning of each drive. Before the drive is made available for normal I/O operation, the PHIB contents are used to validate that the key used to encrypt the drive data matches the key in use by the array. To prevent silent data corruption due to encryption hardware datapath failures, the hardware performs self-tests during initialization to ensure that the encryption/decryption logic is intact. Operational examples This section describes how Data at Rest Encryption works during several common operations. Installation of a Symmetrix system When an EMC Customer Engineer installs a Symmetrix system: 1. The EMC Customer Engineer enables Data at Rest Encryption by setting the DARE flag in the initial configuration file for the Symmetrix system. 2. The Symmetrix system installation script automatically installs the RSA software on the Service Processor during the installation process. 3. The RSA Embedded Key Manager Server generates DEKs for each drive in the array and a KEK that is unique to the array. 4. Enginuity generates Symmetrix Audit Logs for every key generation event. 5. The RSA Embedded Key Manager Server encrypts the keys and stores them in the local key repository file as non-volatile copies. 6. The RSA Embedded Key Manager Server wraps each DEK with the KEK, and Enginuity stores all of the keys on the array as encrypted, persistent backup copies. The KEK is programmed into write-only, non-volatile memory in the encryption hardware, which cannot be retrieved back from the hardware. 7. Enginuity initializes volumes using the DEKs and writes any incoming host data to the drives as encrypted data. Replacement of a drive When a customer or EMC Customer Engineer removes a drive from an array: 1. The RSA Embedded Key Manager Server securely deletes the key associated with the removed drive from the key repository on the Service Processor. 2. After the customer or EMC Customer Engineer installs the new drive and Enginuity verifies that it is working, the RSA Embedded Key Manager Server generates a new DEK for the drive and wraps the DEK using the KEK. 3. Enginuity generates Symmetrix Audit Log entries for the deletion of the old DEK and the creation of the new DEK. 4. Enginuity caches the new DEK, which replaces the previous drive's DEK. 5. Enginuity validates the contents of the drive and rebuilds the data using the new DEK. Detailed Review 8

Decommissioning of a Symmetrix system When an EMC Customer Engineer decommissions a Symmetrix system: 1. The RSA Embedded Key Manager Server securely deletes all persistent copies of the keys in the key repository. 2. Enginuity zeroizes the cached keys stored within the array. The Symmetrix Audit Log becomes irretrievable from the array due to the key destruction. 3. A certificate file detailing the status of the keys involved in the array decommissioning operation is produced. Data at Rest Encryption options The following options apply to Data at Rest Encryption: Data at Rest Encryption is an install-time option only. If Data at Rest Encryption is not enabled during installation, it cannot be enabled at a later time. Conversely, if Data at Rest Encryption is enabled during installation, it cannot be disabled. All disk groups are encrypted. Mixing encrypted and unencrypted data within the array is not supported. Conclusion Data at Rest Encryption is an easy-to-use, minimal-maintenance solution for data-at-rest encryption. Data at Rest Encryption keeps information safe from drive theft or loss by providing back-end encryption for the entire array. By utilizing RSA Embedded Key Manager, Data at Rest Encryption is able to self-manage encryption keys, so manual key management is not required. The following table describes the capabilities and benefits of Data at Rest Encryption as compared to other data-at-rest security products on the market: Table 3. Competitive comparison Capability/Benefit EMC Hitachi/HP IBM Storage physical protection Yes Yes Yes Drive segregation Yes: one key per drive. Limited: one key per parity group with a maximum of 32 keys per array. Yes: one key per drive. Multi-layered protection and availability Yes: redundant internal key backup. No: requires manual key backup management. No: arrays require access to one of multiple Tivoli Key Lifecycle Manager servers to boot successfully. Operates without manual key management by users Compatible with all array capabilities Yes No No Yes Yes No: FDE is only available on FC drives and eliminates the use of Easy Tier. Detailed Review 9

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information