
2016 SNIA Data Storage Security Summit. © Insert Your Company Name. All Rights Reserved.

Managing Data Security for Storage of High Value Content

Robert Wann, President & CEO
Email: rwann@enovatech.net
Enova Technology Corporation


What is an eDrive?

An eDrive comprises three major functions:

1. Transparent (or real-time) hardware Full Disk Encryption or Self-Encrypting Drive
2. Trusted Computing Group (TCG) Opal 2.0 firmware
3. IEEE 1667 firmware

A BitLocker-managed eDrive is called a Microsoft eDrive or EHDD. BitLocker (included free with the Windows 8.1 Pro, Windows 10 Pro and Enterprise releases) manages the eDrive through IEEE 1667 and Opal 2.0.

Internally, an eDrive can be a:
• Boot drive, or
• Data drive

Alternatively, an eDrive can be a portable drive, such as the one using USB3.0/3.1 to SATA technology.


What is an OPAL 2.0?

[Figure: Opal 2.0 LBA ranges from 0 to Max LBA. With no LBA range assigned, only the Global Range exists; after "Assign LBA Ranges", LBA Range 1 and LBA Range 2 are assigned alongside the Global Range. Labels: User 1, User 2, User 3, User N.]


Intelligence-built X-Wall MX+ eDrive Controller

How it works:
• Automatically transforms various drive capacities to eDrive
• Equipped with SATA Device Protocol Stack connecting to the SATA Host
• Equipped with SATA Host Protocol Stack connecting to the SATA Device Controller (SATA device)
• Identity-based authentication can be done through either the SATA API or the built-in I2C API, with challenge & response plus FIPS 140-2 certified HMAC/CMAC and/or RSA 2048 DS

[Figure: block diagram of the clear text and cipher text paths. Labels: Motherboard, SATA Host Adapter, BIOS, CPU, SATA Coupling, SATA Devices.]


The X-Wall MX+ Automatically Transforms Any SATA Drive To eDrive

The X-Wall MX+ features:

1. In-line 6Gbps AES CBC/XTS/ECB 256-bit crypto performance for any SATA Gen 3 drive
2. Fast data access through the same access point for mixed/legacy drives and future expansion
3. TCG Opal 2.0 firmware
4. IEEE 1667 firmware

The X-Wall MX+, whose FIPS 140-2 certification is in progress, automatically transforms any SATA drive into an SED/FDE, Opal 2.0 drive or eDrive, which can then be configured as a Microsoft eDrive with BitLocker enabled, suitable for either booting or data.


Why Is The X-Wall MX+ eDrive Solution Superior?

The X-Wall MX+ eDrive solution benefits from:

1. FIPS 140-2 Level 2 or 3 certified single-chip crypto module (in progress)
2. Ability to use any SATA-compliant drive regardless of its capacity
3. Disk image cloning to reduce corporate IT overhead
4. Easy data backup
5. In-line 6Gbps AES CBC/XTS/ECB 256-bit crypto performance

The X-Wall MX+ effectively transforms any SATA drive to FDE/SED, Opal2.0 Drive, eDrive or Microsoft eDrive for both internal and external storage applications.


Benefits

• Better performance
  • Encryption hardware, integrated into the X-Wall MX+ controller, allows the drive to operate at full data rate.
• Strong security based in hardware
  • Encryption is always "on" and the keys for encryption never leave the MX+ interface. User authentication is performed by the MX+ before it will be unlocked, independently of the operating system.
• Ease of use
  • Encryption is transparent to the user because of the MX+. There is no user interaction needed to enable encryption. There is no need to re-encrypt data for re-purposing.
• Lower cost of ownership
  • There is no need for new infrastructure to manage encryption keys, since BitLocker leverages your Active Directory Domain Services infrastructure to store recovery information. Your computer operates more efficiently because processor cycles do not need to be frequently interrupted.


The X-Wall MX+ Ensures Trusted Communications throughout all computing tiers

The X-Wall MX+ is intelligent in that:

1. It can generate, sign and verify digital signatures
2. It can perform device-level HMAC and CMAC plus challenge & response protocols
3. All cryptographic implementations are FIPS 140-2 validated
4. Commands can be digitally signed, while payloads can now be encrypted during authentication

The X-Wall MX+ gives devices more intelligence through its ability to generate, sign and verify digital signatures, ensuring trusted and encrypted communications throughout all computing tiers.
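The HMAC challenge & response named on this slide and on the controller slide, sketched as an added example (not Enova's protocol or code): the host issues a fresh nonce, the device returns HMAC-SHA-256 over the nonce and its ID, and the host checks the tag in constant time and refuses replays. The message layout, key provisioning and all class and device names are assumptions.

```python
import hashlib
import hmac
import secrets

NONCE_LEN = 32  # bytes of randomness per challenge (assumed size)


class Device:
    """Stands in for a controller holding a provisioned secret (hypothetical)."""
    def __init__(self, device_id: bytes, key: bytes):
        self.device_id, self._key = device_id, key

    def respond(self, nonce: bytes) -> bytes:
        # The tag binds the response to this challenge and this device identity.
        return hmac.new(self._key, nonce + self.device_id, hashlib.sha256).digest()


class Host:
    """Verifier side: issues single-use challenges and checks responses."""
    def __init__(self, keys: dict):
        self._keys = keys      # device_id -> shared key (constructed sample data)
        self._pending = set()  # nonces issued and not yet consumed

    def challenge(self) -> bytes:
        nonce = secrets.token_bytes(NONCE_LEN)
        self._pending.add(nonce)
        return nonce

    def verify(self, device_id: bytes, nonce: bytes, tag: bytes) -> bool:
        # A nonce is consumed on first use, so a captured response cannot be replayed.
        if nonce not in self._pending:
            return False
        self._pending.discard(nonce)
        key = self._keys.get(device_id)
        if key is None:
            return False
        expected = hmac.new(key, nonce + device_id, hashlib.sha256).digest()
        return hmac.compare_digest(expected, tag)  # constant-time comparison


def demo() -> dict:
    key = secrets.token_bytes(32)
    host = Host({b"disk-01": key})
    good, rogue = Device(b"disk-01", key), Device(b"disk-01", secrets.token_bytes(32))
    n1, n2 = host.challenge(), host.challenge()
    tag = good.respond(n1)
    return {"genuine": host.verify(b"disk-01", n1, tag),
            "replayed": host.verify(b"disk-01", n1, tag),
            "wrong_key": host.verify(b"disk-01", n2, rogue.respond(n2))}
```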


X-Wall MX+ Solution for System Manufacturers

For System Built-in Application:
Makes a specific SATA host FDE/SED and eDrive capable; able to use any SATA disk drive.

If Microsoft Windows with BitLocker
• Configured as a Boot eDrive
• Configured as a Data eDrive

If Other OSes
• TCG Opal 2.0 drive through available Opal 2.0 management software
• Standard FDE/SED


X-Wall MX+ eDrive Solution for SSD & Drive Manufacturers

For SSD & HDD Built-in Applications:

Microsoft Windows Using BitLocker
• Boot eDrive
• Data eDrive

Other OSes
• TCG Opal 2.0 drive through available Opal 2.0 management software
• Standard FDE/SED


X-Wall MX+ eDrive Solution for Desktop Retrofitting

For Existing Desktop Retrofit Application:

Microsoft Windows Using BitLocker
• Boot eDrive
• Data eDrive

Other OSes
• TCG Opal 2.0 drive through available Opal 2.0 management software
• Standard FDE/SED


Enigma 3.1 Solution Protects Data-In-Motion & Cloud Data

Enigma 3.1 for Cloud & Data-In-Motion Applications:
• Encrypt selectable file/folder
• Send encrypted file/folder to any cloud
• Supports Windows & Mac OS
• Utilizes latest USB3.0/3.1 technology
• May alternatively configure to FDE


X-Wall MX+ Solution Enables Portable eDrive

For USB3.0/3.1 to SATA Portable Drive Application:

Microsoft Windows Using BitLocker
• Enables the drive as a Microsoft eDrive
• Utilizes latest USB3.0/3.1 to SATA technologies
• Portable yet secured!

For Non-Windows Applications
• TCG Opal 2.0 drive through available Opal 2.0 management software
• Standard FDE/SED


X-Wall MX+ SecureNAS Solution

[Figure: Enova SecureNAS T2 System Block Diagram. Labels: 700W redundant power supply; SecureNAS T2 Main Controller Board with CPU, OS kernel and internal memory; high performance hardware RAID5/6 controller; backplane equipped with multiple X-Wall MX+ eDrive Controllers; SATA disks #1 to #16; Gigabit Ethernet for NAS applications; turbine heat dissipation & noise reduction.]


X-Wall MX+ Identity-based Authentication

[Figure: X-Wall MX+ identity-based authentication on the SecureNAS T2 Controller Board. Labels: OS Kernel, High Performance Hardware RAID 5 Module, Authentication Module, Secure Protocol Module, X-Wall MX+, License Evaluation Module, Key Server Authentication Module, License Storage, HDD, CPU, Enova License Server, Internet (email), System Administrator, License File. Caption: License File Authentication through RSA 2048 DS, HMAC or CMAC.]


X-Wall MX+ Solutions Comparison Chart

| Features/Functions | X-Wall MX+ | Branded eDrive | Drive claimed with AES block |
| --- | --- | --- | --- |
| Transparent Full Disk Encryption (FDE)/Self Encrypting Device (SED) | Yes | | |
| Selectable AES CBC, XTS, ECB 256-bit | Yes | M500 – AES CBC 256-bit; ST500 – AES CBC 256-bit; EVO850 AES XTS 256-bit | Unknown AES mode or bit strength |
| Support TCG Opal 2.0 | Yes | Yes | No |
| Support IEEE 1667 | Yes | Yes | No |
| Support Any Capacity | Yes | No | No |
| FIPS 140-2 Level 2, 3 | Yes, In Progress | No | No |
| Gate Keeper for Desirable Functions | Yes | No | No |
| Configure BitLocker for Booting & Data | Yes, Very Easy. | Somewhat Difficult | No |
| Image Clone & Backup eDrive | Yes | No | No |
| Enable RSA 2048 DS for Trust Relationship | Yes | No | No |
| Commands digitally signed & payloads encrypted | Yes | No | No |


Key Take Away

In-line 6Gbps AES CBC/XTS/ECB 256-bit crypto performance on any SATA Gen 3 drive

Converts any drive capacity from various vendors to eDrive to save significant qualification cost

Intelligence-built controller that enables digital signature generation, verification and signing

Commands can now be digitally signed, while payloads can now be encrypted


Patents & Awards

Enova X-Wall® MX received 2012 Golden Bridge Awards’ Encryption Solutions Innovations.

Enova Enigma received 2012 PC Magazine Editors’ Choice and TAITRONICS’ Technology Innovation Awards.

Title: Cryptographic Serial ATA Apparatus and Method:
2013 Canada Patent 2567219
2011 US Patent 7900057, Japan Patent 4762861
2010 China Patent 2006101624794, Taiwan Patent I330320

Title: Real Time Data Encryption/Decryption System and Method for IDE/ATA Data Transfer:
2011 Taiwan Patent I348853
2012 China Patent 2004100703766
2007 Korea Patent 711190
2008 US Patent 7386734

Title: Encryption-Decryption Device for Data Storage:
2003 Taiwan Patent I79354
2004 Korea Patent 445288
2001 Japan Patent 3085785

Title: Cryptographic Device:
2006 US Patent 7136995


Product History


2016 Introduced solution Enigma 3.1

2015 Introduced chip X-Wall® MX+

2013 Introduced solution Enigma 2

2012 Introduced solution Enigma 1

2010 Introduced chip X-Wall® DX

2008 Introduced solution SecureNAS T1

2008 Introduced chip X-Wall® FX

2007 Introduced chip X-Wall® MX

2006 Introduced chip X-Wall® CO+

2005 Introduced chip X-Wall® CO

2004 Introduced chip X-Wall® XO

2003 Introduced chip X-Wall® LX

2002 Introduced first chip X-Wall® SE, SEA

2000 Enova founded in April, 2000.


Thank you!

Download this presentation and others from SNIA’s Data Storage Security Summit at:

http://www.snia.org/dss-summit
