
Trusted Storage: Putting Security and Data Together

Michael Willett, Seagate Technology

Storage Developer Conference 2008 © 2008 Insert Copyright Information Here. All Rights Reserved. www.storage-developer.org


Why Encrypt Data-At-Rest?

Compliance
- 42+ states have data privacy laws with encryption safe harbors
- New data breach bills have explicit encryption safe harbors
- PCI DSS requires rendering stored cardholder data unreadable
- Exposure of data loss is expensive

Data center disk drives are mobile
- Nearly ALL drives leave the security of the data center
- The vast majority of decommissioned drives are still readable
- Not all leave under the owner’s control…


Trusted Computing Group (TCG) Organization

- Board of Directors: Scott Rotondo, Sun, President and Chairman
- Administration: VTM, Inc.
- Advisory Council: Invited Participants
- Technical Committee: Graeme Proudler, HP
- Best Practices: Jeff Austin, Intel
- Marketing Workgroup: Brian Berger, Wave
- Public Relations: Anne Price, PR Works
- Events, Marketing Support: VTM, Inc.

Work Groups
- Server Specific WG: Larry McMahan, HP
- User Auth WG: Laszlo Elteto, Safenet
- TSS Work Group: David Challener, Lenovo
- TPM Work Group: David Grawrock, Intel
- Storage WG: Robert Thibadeau, Seagate
  - Key Management Services: Walt Hubis, LSI
  - Storage Interface Interactions: James Hatfield, Seagate
  - Optical Storage: Bill McFerrin, DataPlay
- Peripherals WG (dormant)
- PDA WG: Jonathan Tourzan, Sony
- PC Client WG: Monty Wiseman, Intel
- Mobile Phone WG: Panu Markkanen, Nokia
- Infrastructure WG: Thomas Hardjono, SignaCert
- Conformance WG: Manny Novoa, HP

BOLD: Most Relevant to Storage Work


Joint Work – T10 (SCSI) and T13 (ATA)

TRUSTED SEND/IN and TRUSTED RECEIVE/OUT
- T10/T13 defined the “container commands”
- TCG/Storage defining the “TCG payload” (Protocol ID = xxxx …..)
- Protocol IDs assigned to TCG, T10/T13, or reserved


TCG/T10/T13 Implementation Overview

TRUSTED STORAGE (ATA or SCSI)
- Hidden Storage (Firmware), Controller Storage
- Firmware/hardware enhancements for security and cryptography
- Trusted Send and Receive Container Commands
- TRUSTED FDE SP

• (Partitioned) Hidden Memory
• Security firmware/hardware
• Trusted Send/Receive Commands
• Assign Hidden Memory to Applications

Diagram labels: ISV Application (on the Host); Enterprise Support; Security Providers; Assign Hidden Memory to Applications


Trust “Toolkit”:
- Cryptographic SIGNING
- CREDENTIALS (e.g., signed X.509 Certificates)

Trust: System behaves as designed


Trusted Storage with Trusted Platform

Diagram: Trusted Platform (TPM) – Secure Communications – Trusted Storage
- Root of Trust OR Trusted Element
- Life Cycle: Manufacture, Own, Enroll, PowerUp, Connect, Use, …


Why Security in STORAGE (hard drive)? 3 Simple reasons

Storage for secrets with strong access control
• Inaccessible using traditional storage access
• Arbitrarily large memory space
• Gated by access control

Unobservable cryptographic processing of secrets
• Processing unit “welded” to storage unit
• “Closed”, controlled environment

Custom logic for faster, more secure operations
• Inexpensive implementation of modern cryptographic functions
• Complex security operations are feasible


TCG Storage Use Case Examples

- Forensic Logging
- DRM Building Blocks
- Drive Locking
- Full Disc Encryption (Crypto Chip, ALL Encrypted): Laptop Loss or Theft, Re-Purposing, End of Life, Rapid Erase
- Personal Video Recorders
- Crypto Key Management


Specification Overview

TCG Storage Workgroup: Core Architecture Specification, Specification Version 1.0, Revision 0.9 (DRAFT), 19 June 2007


TCG Storage WG Core Specification

SPs (Security Providers): Logical Groupings of Features
SP = Tables + Methods + Access Controls
- Tables: like “registers”, primitive storage and control
- Methods: Get, Set – commands kept simple with many possible functions
- Access Control over Methods on Tables


Security Subsystem Classes

Storage Architecture Core Specification: Security Subsystem Class = SSC
- HDD SSC - Enterprise
- HDD SSC - Notebook
- Optical SSC (OSSC)


Home Banking (or Remote Medical, or … )

Trusted Platform with Trusted Storage
- Multi-factor authentication: password, biometrics, dongles
- Secure/hardware storage of credentials, confidential financial/medical data
- Trusted life cycle management of personal information
- Integrity-checking of application software
- Cryptographic functions for storage and communications security
- Secure computation of high-value functions (protection from viruses/etc.)


Self-Encrypting Drives

IT policy: All future drive purchases to be self-encrypting drives when available
• Simple
• Transparent
• Integrated
• Scalable
• Interoperable

For when a drive leaves the owner's control. Learn more at www.fdeSecurityLeaders.com:
- Webcast from architects
- Overview whitepaper
- On-line performance demo


Self-Encrypting Drive Basics

- Authentication Key (Password) unlocks the drive
- The drive LOCKS automatically when powered OFF
- The drive remains LOCKED when it is powered back ON
- Write and read data normally while the drive is unlocked
- 100% performance encryption engine in the drive
- Data protected from loss, disclosure

Diagram: the host writes and reads “Here is the un-encrypted text”; the platter holds only ciphertext such as “P%k5t$@sg!7#x1)#&%”; the Authentication Key Management Service supplies the key.


Enterprise Management of Self-Encrypting Drives

- Enterprise Server: Key generation and distribution; key/password archive, backup and recovery
- Laptop (Application): Master/User passwords, multi-factor authentication, TPM support; secure log-in, “Rapid Erase”
- Trusted Drive (self-encrypting, FDE SP): Disk or sector encryption, sensitive credential store, drive locking


NSA-Accepted Security: Sensitive and Secret Govt Data

The National Security Agency (NSA) has qualified the Momentus® 5400 FDE hard drive for protection of information in computers deployed by U.S. government agencies and contractors for national security purposes.

• With the NSA qualification, the Momentus 5400 FDE.2 hard drive meets one of the highest standards for securing sensitive information – the National Security Telecommunications and Information Systems Security Policy (NSTISSP) #11.

• NSTISSP #11 defines requirements for a wide variety of products that “satisfy a diversity of security requirements to include providing confidentiality for data, as well as authenticating the identities of individuals or organizations exchanging sensitive information.”*

• The National Institute of Standards and Technology (NIST), the U.S. federal agency focused on promoting product innovation by establishing technical standards for government and business, certified the Advanced Encryption Standard (AES) encryption algorithm that powers the Momentus 5400 FDE.2 hard drive.

*More information on NSTISSP #11 is available at http://www.niap-ccevs.org/cc-scheme/faqs/nstissp-faqs.cfm#Question_I_5.


Why standards are important

Customer choice
- Best product, best price, long term supplier viability
- Multiple vendor options

Data at rest needs long term recoverability
- Media lifetime may exceed supplier lifetime

Security requires
- Well tested and examined practices
- Separation of duties
- Consistency of policy enforcement


- Trusted Storage Specification
- Key Management Services Application Notes


IEEE P1619.3 (Key Management)


Key Lifecycle Model


What Does the Future Look Like?

- Encryption everywhere! Automatic performance scaling, manageability, security
- Standards-based: Multiple vendors; interoperability
- Unified key management: Handles all forms of storage


Self-Encrypting Drives: Secure the moment the drive is unplugged

Drive retirement today: Decommission system → Remove ALL drives → Send even “dead” drives through → Queue in secure area → Transport offsite → Queue in secure area → Replace / Repair / Repurpose

50,000 Hard Drives Leave the Data Center Every Day
90% of returned drives were still readable (IBM study)

Shortcomings of current disposal methods:
- Smashing: not always as secure as shredding, but more fun
- Shredding is environmentally hazardous
- Hard to ensure degauss strength matched drive type
- Overwriting takes days and there is no notification of completion from drive

People make mistakes: …which lost a tape with 150,000 Social Security numbers stored at an Iron Mountain warehouse, October 2007 [1]. “Because of the volume of information we handle and the fact people are involved, we have occasionally made mistakes.”

99% of Shuttle Columbia's hard drive data recovered from crash site: Data recovery specialists at Kroll Ontrack Inc. retrieved 99% of the information stored on the charred Seagate hard drive's platters over a two day period. - May 7, 2008 (Computerworld)

1. http://www.usatoday.com/tech/news/computersecurity/2008-01-18-penney-data-breach_

It’s Simple, Clean and Complete: Secure the moment the drive is unplugged
• Comply with data privacy laws
• Warranty and expired lease secure drive returns
• Repurpose drives securely; cut decommissioning costs


Disposal Options: Riddled with Shortcomings

Format the drive or delete the data
- Doesn’t remove the data; data is still readable

Over-writing
- Takes hours-to-days
- Error-prone; no notification from the drive of overwrite completion

Degaussing
- Very costly, time-consuming
- Difficult to ensure degauss strength matched type of drive

Shredding
- Very costly, time-consuming
- Environmentally hazardous

Smash the disk drive
- Not always as secure as shredding, but more fun

Professional offsite disposal services
- Drive is now exposed to the tape’s falling-off-the-truck issue


IBM, LSI and Seagate Lead the Industry to an Enterprise Encryption Solution

Diagram: Application Server – Network – Storage System (self-encrypting drives); the Authentication Key Management Service talks to the storage system over the IEEE 1619.3 Standard Key Mgmt Protocol, and the storage system talks to the drives over the TCG/T10/T13 Security Protocol. Authentication key flow and data flow are shown as separate paths.


Self-Encrypting Drive: Manageability and Security

Manageability
• Don’t need to escrow the encryption key to maintain data recoverability
• Less re-encryption required

Security
• No clear text secrets anywhere on the drive
• We assume the attacker has complete knowledge of secrets’ design and location
• No cipher text exposure
• The drive can self power down after x authentication attempts
• Protected firmware downloads
• No back doors in the Trusted Storage Spec


No Performance Degradation

- The encryption engine is in the controller ASIC
- Encryption engine speed matches the port’s max speed
- Scales linearly, automatically, across the drives in the storage system
- All data can be encrypted, with no performance degradation; less need for data classification


Transparent to the Storage System

At Initialization:
• Bring in new volume
• Set up Authentication Key

Power-up:
• Authenticate with the key source
• Pass key to the disk drive

Diagram: Application Server – Network – Storage System – Key Management Service

After Power-up: The storage system virtualizes the disk drives and provides:
• Data protection through RAID and copy services
• Availability through redundancy, failover drivers, robust error handling
• Capacity sharing through partitioning and network connectivity
• Management reporting
• Storage systems are optimized for unencrypted data for data compression and de-duplication


Self-Encrypting Drives Simplify Management

Self-Encrypting Drives vs. Encrypting outside the drive (Storage Systems):

Implement
- Self-Encrypting Drives: Transparent to OS, applications, databases – automatic scalability
- Encrypting outside the drive: May need to change OS, applications, databases

Re-key Exposed Keys
- Self-Encrypting Drives: No re-encryption needed
- Encrypting outside the drive: Re-encrypt all data

Recover Data
- Self-Encrypting Drives: Encryption keys don’t leave drives. No need to track or manage them.
- Encrypting outside the drive: Track, manage, escrow encryption keys, maintain interoperability

Retire HDD
- Self-Encrypting Drives: Delete encryption key
- Encrypting outside the drive: Key compromised; could make data across multiple drives unreadable
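The locking, re-keying and retirement behaviour compared above, together with the lock/unlock cycle of the Self-Encrypting Drive Basics slide, as an added Python model that is not part of the presentation or of Seagate's firmware: the DEK is generated inside the drive and only ever stored wrapped under a password-derived authentication key, a password change re-wraps the DEK without touching the ciphertext, and crypto erase replaces the DEK. The class and method names, and the HMAC-SHA256 keystream standing in for the drive's AES engine, are assumptions of this model.

```python
import hashlib
import hmac
import os

# Constructed model of the self-encrypting drive the slides describe: the data
# encryption key (DEK) is generated inside the drive and never exported, the
# password-derived authentication key only unwraps it, power-off locks the
# drive, a password change leaves ciphertext untouched, and "rapid erase"
# replaces the DEK. HMAC-SHA256 in counter mode stands in for the AES engine.

def keystream(key, nonce, length):
    out = bytearray()
    for block in range((length + 31) // 32):
        out += hmac.new(key, nonce + block.to_bytes(8, "big"), hashlib.sha256).digest()
    return bytes(out[:length])

def xor_crypt(key, nonce, data):
    return bytes(a ^ b for a, b in zip(data, keystream(key, nonce, len(data))))

class SelfEncryptingDrive:
    def __init__(self, password):
        self._sectors = {}  # LBA -> ciphertext exactly as stored on the platter
        self._wrap_dek(os.urandom(32), password)

    def _wrap_dek(self, dek, password):
        self._salt = os.urandom(16)
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        self._wrapped = xor_crypt(kek, b"wrap", dek)
        self._tag = hmac.new(kek, self._wrapped, hashlib.sha256).digest()
        self._dek = None  # locked until the authentication key is presented

    def unlock(self, password):
        kek = hashlib.pbkdf2_hmac("sha256", password.encode(), self._salt, 100_000)
        tag = hmac.new(kek, self._wrapped, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            return False  # wrong authentication key: the DEK stays wrapped
        self._dek = xor_crypt(kek, b"wrap", self._wrapped)
        return True

    def power_off(self):
        self._dek = None  # the DEK leaves RAM, so the drive is locked again

    def _key(self):
        if self._dek is None:
            raise PermissionError("drive is locked")
        return self._dek

    def write(self, lba, data):
        self._sectors[lba] = xor_crypt(self._key(), lba.to_bytes(8, "big"), data)

    def read(self, lba):
        return xor_crypt(self._key(), lba.to_bytes(8, "big"), self._sectors[lba])

    def platter(self, lba):
        return self._sectors[lba]  # what someone holding the bare drive sees

    def change_password(self, old, new):
        if not self.unlock(old):
            return False
        self._wrap_dek(self._dek, new)  # re-key only the wrapper; no re-encryption
        return self.unlock(new)

    def crypto_erase(self, new_password):
        self._wrap_dek(os.urandom(32), new_password)  # old sectors now unreadable
```

After `crypto_erase` the old ciphertext is still physically present on the platter, which is the point: retiring the drive needs only the key to go, not an overwrite pass.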


Thank You!

www.storage-developer.org
www.trustedcomputinggroup.org