Introduction to Data Security for Storage Appliances

Nov 21, 2013 (3 years and 4 months ago)

© SafeNet Confidential and Proprietary

Module 1: Lesson 3

StorageSecure Storage Security Course


Lesson Objectives

By the end of this lesson, you should be able to:

> Describe data security principles
> Define encryption
> Describe standards and regulations in data security

Data Security

Security and Encryption


> Security = Encryption or
> Security ≠ Encryption


Security Principles


> People
> Process
> Technology

Physical Security


> Access control
> Power control
> Climate control
> Business continuity


Information Security


> Authentication
  > Verifies the user’s identity
  > Passwords, tokens, and biometrics verify identity
> Authorization (access control)
  > Defines and enforces the capabilities of an authenticated user
  > Role-based access control (RBAC): access decisions are based on the role assigned to the individual
> Accounting (auditing, logging)
  > Method to track events that affect a system
  > Access granted, access denied, and so on
> These elements are often collectively referred to as “Triple-A” or “AAA”
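
The three AAA elements above, applied to a single request, as an added example that is not part of the original course material. The user names, passwords, role names, permission strings and log format are constructed for illustration.

```python
import hashlib
import hmac
import os

# Constructed sample policy: role -> permitted actions (RBAC).
ROLE_PERMISSIONS = {
    "storage_admin": {"volume:create", "volume:delete", "key:rotate"},
    "auditor": {"log:read"},
}
AUDIT_LOG = []  # accounting: one record per decision, granted or denied


def _hash(password: str, salt: bytes) -> bytes:
    """Salted, iterated password hash; plaintext passwords are never stored."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def make_user(role: str, password: str) -> dict:
    salt = os.urandom(16)
    return {"role": role, "salt": salt, "pw_hash": _hash(password, salt)}


# Constructed sample users.
USERS = {
    "alice": make_user("storage_admin", "correct horse"),
    "bob": make_user("auditor", "battery staple"),
}


def authenticate(user: str, password: str) -> bool:
    """Authentication: verify the claimed identity."""
    rec = USERS.get(user)
    if rec is None:
        return False
    # Constant-time comparison avoids leaking how many bytes matched.
    return hmac.compare_digest(rec["pw_hash"], _hash(password, rec["salt"]))


def authorize(user: str, action: str) -> bool:
    """Authorization: the decision depends only on the user's assigned role."""
    return action in ROLE_PERMISSIONS.get(USERS[user]["role"], set())


def request(user: str, password: str, action: str) -> str:
    """Run one request through all three steps and record the outcome."""
    if not authenticate(user, password):
        result = "denied:authentication"
    elif not authorize(user, action):
        result = "denied:authorization"
    else:
        result = "granted"
    AUDIT_LOG.append({"user": user, "action": action, "result": result})
    return result
```

Denied requests are logged as well as granted ones, which is what makes the accounting record useful for later review.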


Information Security (Cont.)


> Integrity (or non-repudiation)
  > Provides confirmation as to the source of information or changes to information
  > Prevents people from denying they are the source of an information transaction
> Privacy (or confidentiality)
  > Ensures that only authorized users can access information
> Encryption technologies provide these two elements of security


Data Security Standards and Regulations


Data Security Standards


> Security standards
  > Federal Information Processing Standard (FIPS)
  > Payment Card Industry (PCI)
  > Common Criteria
  > ISO 17799 and ISO 27001


Data Regulations


> Regulations
  > Sarbanes-Oxley
  > Gramm-Leach-Bliley
  > HIPAA (Health Insurance Portability and Accountability Act)
  > California AB 1950 and SB 1386


FIPS 140-2 Levels

> Level 1: No specific physical security mechanisms
  > Requires production-grade components
  > Unevaluated operating system
> Level 2: Tamper-evident physical security or pick-resistant locks
  > Requires RBAC
  > Evaluated operating system (EAL2 or higher)
> Level 3: Tamper detection/response physical security
  > Requires identity-based authentication
  > Evaluated operating system (EAL3 or higher)
> Level 4: Physical security provides an envelope of protection around the cryptographic module
  > Useful for operating in physically unprotected environments

Cryptography Overview


Cryptography Overview


> Encryption
  > A process to convert data from clear text to cipher text, which is readable only with the proper key
> Decryption
  > A process to convert cipher text to clear text
> Encryption and decryption require an encryption algorithm and key


Encryption Algorithms


> Algorithms are generally open to the public, allowing for exhaustive review without affecting the security profile
> Keys are secret and must be protected
> Symmetric (Private Key Cryptography)
  > DES is a widely used algorithm, now considered not secure
  > Current algorithms include AES, Blowfish, IDEA, and 3DES
> Asymmetric (Public Key Cryptography)
  > RSA and ECC


Symmetric Encryption


> The same key encrypts and decrypts information
> Symmetric encryption is very fast
> Challenges
  > There must be a way to securely communicate keys to both parties
  > To communicate with 100 independent parties, you must have (and maintain) 100 separate keys


Asymmetric Encryption


> Keys come in pairs
  > One key encrypts information and only its peer can decrypt the information
  > Each party has a public and private key
> Challenges
  > CPU-intensive and much slower than symmetric
  > Keys are weaker than symmetric keys of the same length


Advanced Encryption Standard


> Advanced Encryption Standard (AES) was adapted from the Rijndael cipher, named for its inventors, Belgian cryptographers Joan Daemen and Vincent Rijmen
  > Announced in 2001 as FIPS publication 197
> Strong features:
  > Fast in both software and hardware
  > Relatively easy to implement
  > Requires little memory
> AES has a key size of 128, 192, or 256 or 512 bits
> To date, no successful attack on the cipher
> Proven the best encryption standard to date

Keys (Crypto Variables)


> 56-bit keys (DES)
  > 72,057,594,037,927,936 possible keys
  > In 1999, specialized hardware broke a DES key in approximately five days
> 112-bit keys (3DES)
  > 5,192,296,858,534,827,628,530,496,329,220,100 possible keys
> 256-bit keys (AES)
  > 115,792,089,237,316,195,423,570,985,008,690,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000,000 possible keys


Key Length


> Primary, but not exclusive, factor in determining strength of encryption
  > Algorithm and random key generation factor in
> SafeNet StorageSecure uses AES-256 encryption standard and a true random number generator (TRNG) to generate keys
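
Why random key generation matters as much as key length, as an added example that is not part of the original course material or of any SafeNet product: a 256-bit key drawn from a seeded, non-cryptographic generator can take no more values than the seed can. The function names and the 12-bit seed are assumptions for illustration, and the operating system's CSPRNG stands in for a hardware TRNG.

```python
import math
import random
import secrets

KEY_BITS = 256  # nominal AES-256 key length


def weak_key(seed: int) -> bytes:
    """Flawed pattern: key bits come from a seeded, non-cryptographic PRNG."""
    rng = random.Random(seed)
    return rng.getrandbits(KEY_BITS).to_bytes(KEY_BITS // 8, "big")


def strong_key() -> bytes:
    """Key bits come from the operating system's CSPRNG."""
    return secrets.token_bytes(KEY_BITS // 8)


def distinct_weak_keys(seed_bits: int) -> int:
    """Count every key weak_key() can emit when the seed has seed_bits bits."""
    return len({weak_key(seed) for seed in range(2 ** seed_bits)})


def effective_bits(key_count: int) -> float:
    """Key-space size in bits: log2 of the number of possible keys."""
    return math.log2(key_count)


if __name__ == "__main__":
    seed_bits = 12  # assumed, deliberately tiny so the count finishes instantly
    count = distinct_weak_keys(seed_bits)
    print(f"nominal key length : {KEY_BITS} bits")
    print(f"seeded PRNG        : {count} possible keys "
          f"= {effective_bits(count):.1f} effective bits")
    print(f"DES for comparison : {effective_bits(2 ** 56):.0f} bits")
    print(f"CSPRNG sample key  : {strong_key().hex()}")
```

Both generators return 32-byte keys that look equally random, so the difference only shows up when the generator itself is reviewed.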


Key Management


> Device must create, protect, store, and securely distribute keys
> Keys must be protected while ensuring availability
  > Store keys in a redundant configuration to ensure availability
  > Secure distribution of keys must utilize reliable and redundant communication methods


Encryption Methods


> Data-in-Flight Encryption (link encryption)
  > The data is encrypted at some point before it traverses a communications link (for example, VPN)
  > Data decrypted at the other end of the link
  > Data is vulnerable when stored or retransmitted unless another encryption solution is in place
> Data-at-Rest Encryption
  > The data is encrypted at some point between the source and storage media
  > Data remains encrypted until accessed and decrypted
  > After initial encryption, data can be moved, copied, replicated, or archived in its secure form



Encryption Approaches




Host / Application

Pros:
> Granular options
> Encrypted at host
> Lower cost (software)

Cons:
> CPU intensive; slow
> Weak key management
> Keys exposed in OS
> Complex to implement and manage
> Poor coverage for heterogeneous OS/app environments

Networked Appliance

Pros:
> Transparent to host, storage, and applications
> Wire-speed encryption and compression
> Strong logging and access control
> Hardware-based encryption and key management provide strong security

Cons:
> Requires additional device

Storage

Pros:
> Transparent to host
> Bundled with hardware

Cons:
> Immature key management
> No support for heterogeneous, multi-vendor environments
> Lock-in to storage vendor
> “Forklift upgrade”

Who Has Access to Sensitive Data?


> 50% to 80% of attacks originate behind the firewall (source: FBI)


Value of Encryption


> As back-end IT complexity increases (for example, replication, networking, sharing, and so on), the “attack surface” dramatically increases
> Data encryption reduces attack surface; everything behind encryption is opaque
> By narrowing the number of people and devices that can see data, encryption simplifies overall system security


Lesson Summary


> In this lesson, you should have learned to:
  > Describe data security principles
  > Define encryption
  > Describe standards and regulations in data security