Integrated Security Protection with NetApp and SafeNet
Bagus Dewantara, Senior System Engineer
Agenda
- Why Storage Encryption?
- NetApp Storage Encryption (NSE) Solution
- SafeNet StorageSecure for Heterogeneous Environments
- SafeNet KeySecure for Key Management
Who is Viewing Your Data?
- Records lost since 2013: over 3 billion
- Threat sources: malicious outsiders, accidental loss, malicious insiders, hacktivists and state-sponsored actors
Source: http://breachlevelindex.com
Multi-layer Security Provides Defense in Depth
A sound security plan is the first step towards a multi-layered defense: corporate policies, operations planning, user training, physical access, security measures.
- The perimeter security model is no longer reliable
- Security threats are now focused on data
- Insider threats are poorly addressed in enterprise systems, especially storage
- Layered defenses are a requirement
- Prevent attempts to gain unauthorized access to information resources
Encrypting Data at Rest
2014: The Year of Encryption
Unisys security experts predict 2014 will be "The Year of Encryption" as organizations combat growing cyber threats.
Potential Cost of a Privacy Breach
A Gartner study quantifies the cost of a privacy breach:
- $90 per account: cost estimate for a 100,000-record breach
- $6 per account: cost of encryption to prevent the breach
Most data-theft attacks would have failed if the data had been encrypted using encryption keys.
Why Storage Encryption?
Regulations:
- PCI, HIPAA, FIPS, FISMA, CA SB1386
- Privacy regulations impose financial penalties
- Proactive security measures have compelling ROI (1)
IP Protection:
- Protect IP and digital assets from threats
- Strengthen access controls
- Auditing and logging of user IP access
Business Trends:
- Controlled data access with outsourced IT and external development centers
Security Best Practices:
- Strong authentication
- Administrator role separation
- Nonrepudiable auditing
- Secure data disposal
- Granularity of user data protection
(1) Gartner: estimated cost of dealing with a 100k-record breach: $90 per customer record. Cost of deploying encryption technology: $6 per record.
Storage Encryption Options
Choose the performance and cost profile unique to your business. The options form a spectrum from host, through network and storage, to media: security and granularity are highest at the host end, manageability and efficiency highest at the media end.
- Encrypts at the point of creation
- Protects data at rest and in flight
- Requires a key to decrypt/encrypt for use
- Encrypts the entire contents of a disk or volume and decrypts/encrypts it during use after a key has been given
- Restricts data access on removable media
It's About Trade-offs and Balance
There is no single encryption answer. Strengths and trade-offs across the host, network, storage and media options:
Strengths:
- Tight granularity and control of what gets encrypted
- Data encrypted in flight and at rest
- Transparent to both user and storage administrators
- Secures data from admins without need-to-know
- More granular than media-based solutions
- Easy to build into high-availability and multi-site solutions
- Transparent to users, hosts, network
- May maintain some storage efficiencies
- Unreadable without the host system and proper credentials
- Protects against loss or theft of hard drives
- Easy to deploy
- Minimal impact on users, hosts, network and storage efficiencies
Trade-offs:
- Increases data processing overhead and impacts performance
- Deployment can be limited or intrusive
- Often in software-only processes
- Storage-controller based efficiencies may be impacted
- Requires a dedicated appliance
- Can impact storage efficiencies
- Need to provision encryption bandwidth accordingly
- Not available on all storage systems
- Does not protect data from storage administrators
- Lack of granularity
- Encryption not maintained when data moves
- Adds little/no security against rogue administrators
- May be expensive on larger storage systems
NetApp Encryption and Key Management Solutions
Meet governance, risk, and compliance requirements; protect your data from unauthorized disclosure.
- NetApp Storage Encryption (full disk encryption): encrypts all data; operates seamlessly with Data ONTAP storage efficiency features
- SafeNet StorageSecure (storage network encryption): self-contained hardware-based encryption, key management, identity and access management and role-based administration
- SafeNet KeySecure, Model k460: hardware appliance providing robust enterprise key lifecycle management, centralizing management of up to one million encryption keys/policies per cluster
- SafeNet KeySecure, Model k150v (new): a virtual appliance that manages and securely stores encryption keys in clustered environments
NetApp Proprietary Internal Use Only
NetApp Storage Encryption (NSE): Full Disk Encryption
Always-on protection:
- Simple set and forget, no configuration
- Protects your data when returning spares, repurposing, upgrading, or moving
Optimized performance:
- Minimal performance impact (<1%)
- Works with NetApp storage efficiency and AV scanning
Industry standard security:
- AES 256-bit encryption
- FIPS 140-2 Level 2 validated drives*
- TCG Enterprise-compliant drives
- OASIS key management
* NetApp is considering a future Data ONTAP release that will enhance this FIPS 140-2 Level 2 validation.
NetApp Storage Encryption: Full Disk Encryption
- Data ONTAP 7-Mode support with 8.1.1 (or higher); 7-Mode and clustered support starting with 8.2.1
- Platforms: FAS8xxx, FAS62ss, FAS/V32xx, FAS25xx, FAS/V62xx, FAS22xx and FAS2040
- Shelves: DS4243, DS4246, and DS2246
- Drives: 600GB and 900GB high performance (10k or 15k); 3TB and 4TB high capacity (7.2k)
- Cannot mix NSE with non-NSE drives on a system or HA pair
- Requires an external KMIP-compliant key manager
SafeNet StorageSecure: Storage Network Encryption
Secures regulated / archived data:
- Drop-in, self-contained storage appliance
- Secures data within existing storage infrastructure
- Enforces stronger authentication using all identity / access management systems
Flexible encryption options:
- Customize security policies to encrypt data
- Encrypt existing data without interrupting user workflows [SMB (CIFS) and NFS]
- Handles data segregation and granular encryption at the folder and file level
Supports compliance:
- Secures data from unauthorized access or theft, even from rogue administrators
- Single, centralized policy enforcement and audit control for compliance protection
SafeNet StorageSecure: Storage Network Encryption
- Transparent network-based encryption: NAS, SMB/CIFS (Windows) and NFS (UNIX or Linux), at the file level
- Granular encryption at the folder and file level
- FIPS 140-2 Level 3 (validation in process)
- Strong access controls: separation of duties and tamper-proof auditing
- High reliability and availability: clustering
- Centralized key management: integrated with KeySecure
- Models: S220 (1Gbit interfaces), S280 (10Gbit interfaces)
SafeNet StorageSecure Summary
- Transparent deployment: no agent or application/database changes; native support for SMB (CIFS) and NFS
- Supports multigigabit speeds: multiple platforms support end-user performance needs
- Hardware-based security: clear-text keys never leave secure hardware
- Fully integrated with the SafeNet KeySecure platform: automated and centralized key lifecycle management
SafeNet KeySecure: Enterprise Key Management
Centralized key management:
- Provides centralized and consistent enterprise-wide key management across physical and virtual data centers, disaster recovery sites, and cloud infrastructures
Meet compliance mandates:
- Provides a verifiable audit trail for all key management actions to address compliance requirements
- Administrators are informed if breach attempts occur
Investment protection:
- Consolidates key security policies across multiple disparate encryption systems
- Supports KMIP and standard management protocols from legacy devices
SafeNet KeySecure: Enterprise Key Management
- Enterprise key lifecycle management: centrally managed, consolidation of keys; up to 1 million keys per cluster
- High assurance level: standards-based approach (OASIS KMIP); full support for NSE; SafeNet HSM and PCI card management
- NetApp resells Gemalto maintenance and professional services; all support and professional services are provided by Gemalto
- Hardware-based secure key replication across multiple appliances: active-active mode of clustering; geo distribution support; highly scalable for cloud implementations
- LDAP and Active Directory integration and syslog forwarding
- Heterogeneous solutions: SFNT and non-SFNT devices, applications, databases, storage devices, SAN switches, tape libraries, HSM, network and endpoint devices, etc.
SafeNet Virtual KeySecure k150v: Product Details
- Centralized key management for virtual environments: centrally managed, consolidation of keys; up to 25,000 keys and 100 maximum concurrent clients per cluster
- High assurance level: standards-based approach (OASIS KMIP); full support for NSE
- NetApp resells Gemalto maintenance and professional services; all support and professional services are provided by Gemalto
- Hardened virtual security appliance: active-active mode of clustering
- Accelerated deployment: scale key management across traditional and virtualized data centers and public cloud environments
- LDAP and Active Directory integration and syslog forwarding
- Heterogeneous solutions: SFNT and non-SFNT devices, applications, databases, storage devices, SAN switches, tape libraries, HSM, network and endpoint devices, etc.
Enterprise Key Management (diagram with labels: SafeNet KeySecure k460, SafeNet KeySecure k150v, SafeNet StorageSecure, NetApp Storage Encryption)
Industry Validation
SafeNet/Gemalto: Our Purpose
We are the world leader in digital security.
- 2.4bn revenue in 2013
- 2bn+ end-users benefit from our solutions
- 12,000 employees worldwide
- 110+ patents and patent applications in 2013
- 86% customer satisfaction in annual survey
- 190 countries where our clients are based
Gemalto: the Data Protection Company
- Over $1 trillion a day
- #1 in classified data
- #1 in digital identities
- Regulations addressed: PCI, HIPAA, GLBA, SOX, FISMA, EU Data Privacy, Japan PIP, German GDPdU, etc.
SafeNet delivers a comprehensive data protection solution for persistent protection of high-value information.
NetApp Security Certifications
- Full disk encryption: FIPS 140-2 Level 2
- SAN encryption: FIPS 140-2 Level 3
- NAS encryption: FIPS 140-2 Level 3 (pending)
- Key manager: FIPS 140-2 Level 3 (k460), FIPS 140-2 Level 1 (k150v)
- Secure Multi-tenancy 1.0: Cisco Validated Design has passed PCI-DSS audit
- FlexPod: FISMA Moderate
BM.I Relies on Gemalto Encryption Solutions to Secure Storage
- Maintain compliance through continuous data access control
- Implement an effective and modern IT infrastructure that dynamically adapts to new and unanticipated challenges

- NetApp FAS6000 series storage; NetApp Virtual File Manager; NetApp MetroCluster software; NetApp SnapMirror
- SafeNet StorageSecure S220; SafeNet KeySecure k460

- Adheres to the highest security standards
- Robust access and key management controls maintain data protection
- Enforces separation of duties
- Reduces administrative complexity and risk
- No impact to operations; authorized users have continuous access to data
- Protects regulated data, making sure data will be encrypted and rendered unreadable for unauthorized users

With more than 30,000 employees, the Austrian Federal Ministry of the Interior (Bundesministerium für Inneres, or BM.I) is the top government agency responsible for domestic security. The BM.I is responsible for fighting crime and terrorism, battling corruption in matters of asylum and immigration, managing responses to natural disasters and crises, and handling elections.
Sample Use Cases
Data Isolation: Multi-tenant Environments
(diagram: a storage head with isolated data shares for Health Solutions, Pharmaceutical Solutions, Patient Relationship and Medical-Surgical)
- Encryption-enabled separation of data in shared virtual environments
- Separation of departmental data
- Protects data belonging to security-sensitive departments
- Enables hosting multiple customers on the same hardware
Compliant Data Protection
(diagram: off-premises SalesForce.com; on-premises HR, Intellectual Property and CMS data; clients with cluster/failover)
- Encrypt data in real time at the point of capture/creation
- Secure, hardware-based network storage (FIPS 140-2 Level 3)
- Encrypts data and renders it unreadable to unauthorized viewers
- Secure key management: clear-text keys never leave the hardware
- Integrated with KeySecure for automated and centralized key lifecycle management
Archival Protection
(diagram: web and networked applications, app and DB servers, primary storage, secondary storage, mobile workers, corporate offices, military applications)
- Encrypt data in primary and secondary storage before writing to tape
- Operations and staff are able to manage the data and systems without access to content
- Transparent deployment: no agents, storage device changes, or user behavior adjustments
Privileged User Risk Mitigation
(diagram: storage, users, isolated data, administrator)
- Makes sure of data isolation and granular, authorized access
- Protects against unauthorized administrators/network administrators and users
- Operations and staff are able to manage the data and systems without access to content
- Integrated with existing identity and access management systems (LDAP, MS AD, NIS)
- Instantiates an additional layer of dual control to restrict access
SafeNet StorageSecure: Separation of Duties
Separation of administrator roles (flexible encryption options):
- Prevent compromise from a rogue administrator
- Define nine administrator roles, including full separation between authentication and directory services, appliance and storage access
Simplest implementation (supports compliance):
- Within the StorageSecure device: password resets and changed user credentials at the directory or authentication server can still require validation by the StorageSecure admin and/or share owner (group review)
- Sync user and group directory data directly to the StorageSecure appliance
StorageSecure and KeySecure: Technical Overview
SafeNet StorageSecure Illustrated (hardware callouts)
- Removable air filter
- FIPS anti-probing
- Redundant fans
- 19" rack mountable
- Status and alarm LEDs
- Zeroize button (press and hold)
- Smart card reader
- Anti-probing exhaust vents
- Dual, hot-swappable power supplies
- Active tamper diagnostic LEDs
- Console port
- Dual management ports
- 1G SFP interfaces, Cu and optical
- 10G SFP+ interfaces
SafeNet KeySecure: Enterprise Key Management
- Enterprise key management: centrally managed; geographically dispersed operations
- Culmination of research and development: SafeNet DataSecure, SafeNet HSM, Decru Lifetime Key Manager (LKM)
- Based off the NetApp LKM v4 software: SSKM runs in a virtual machine alongside the KeySecure software
- Trustee links for high reliability
SafeNet StorageSecure Data Flow (diagram with labels: StorageSecure, Encrypted Data, Cleartext Data, StorageSecure)
Questions
Thank You
No portions of this document may be reproduced without prior written consent of NetApp, Inc. Specifications are subject to change without notice. NetApp, the NetApp logo, and Data ONTAP are trademarks or registered trademarks of NetApp, Inc. in the United States and/or other countries. Active Directory and Windows are registered trademarks of Microsoft Corporation. Linux is a registered trademark of Linus Torvalds. UNIX is a registered trademark of The Open Group. All other brands or products are trademarks or registered trademarks of their respective holders and should be treated as such.