Achieving PCI compliance with storage security systems.
As organizations look to comply with the PCI (Payment Card Industry) standards, the matter of protecting data-at-rest through encryption is a serious--and complex--priority.
While hackers beating against the corporate firewall have captured the headlines, the breaches that are genuinely compromising business stability and consumer confidence are hitting data while in storage, known as data-at-rest. Businesses have made significant strides in protecting their networks from external intrusion, but today's vulnerability is located in data storage. We examine the current security situation, outline the pros and cons of several storage security alternatives, and provide brief highlights of technical and operational best practices in addressing this security issue.
Data breaches make headlines
Reported data breaches involving the loss or theft of tapes and disks skyrocketed in 2005, with more breaches than in all prior years in this decade. Each incident exposed tens of thousands of unsuspecting people to potential identity theft through misuse of personal records containing financial or medical details.
The business impact of these thefts and losses can hardly be overestimated. Liability for the potential use of this data is enormous. Consumer confidence plummets and there is ample statistical evidence of consumers choosing to abandon vendors who suffer these breaches in favour of those who have not. The 2005 EDS US Financial Services Privacy and Customer Relationship Management Survey reported that 40 percent of consumers would either immediately or eventually close bank accounts and move to another establishment if there had been a breach. Fully 32 percent would discontinue online banking, reverting to branch and ATM activity, while 55 percent said they would discontinue banking activity until they felt assured that the crisis had been resolved. For the bank, this translates into either customer attrition or at best an interruption in commerce, both of which have a significant impact on the bottom line.
In response to growing concern among credit cardholders regarding identity theft and the potential impact to their credit records, the Payment Card Industry (PCI) developed the PCI Data Security Standard. Developed by Visa and MasterCard with the endorsement of other payment vendors, the PCI Data Security Standard consists of 12 unified requirements for merchants and service providers who store, process or transmit cardholder data. For PCI compliance, companies must:
- Build and maintain a secure network
- Protect cardholder data
- Maintain a vulnerability management program
- Implement strong access control measures
- Regularly monitor and test networks
Failure to comply with these standards can result in the imposition of fines up to $500,000 and forfeiture of business with Visa and MasterCard, which in this economy virtually shuts down a company. Despite the catastrophic fallout for non-compliance, however, Visa recently reported that 83 percent of 231 large merchants are not yet in compliance with the PCI Standard. Approximately 75 percent have filed initial reports indicating that they were working toward compliance with PCI, but eight percent have filed no report at all.
One side down; one to go
In the last few years, companies have worked diligently to protect their networks from external threats by implementing perimeter security. Firewalls, VPN and SSL software have become highly advanced, and for the most part, effective. Authentication and IDS procedures are protecting the network, while content filters coupled with anti-virus and anti-spam software are protecting the client. The problem currently facing most companies, however, is that their data is still vulnerable while being stored, or at-rest. One side--the network side--is relatively safe, while the other side--the storage side--is not.
Protecting data-at-rest presents unique challenges. Storage systems recently became networked and consolidated, increasing the sheer volume of data that could be accessed by a single breach, and also increasing the possible entry points into the system. Adding to the complexity is the extension of the online enterprise. Now that the workforce is mobile and distributed, many client systems lie outside the protective perimeter, which increases the data's vulnerability. Additionally, most companies are relying on physical security of their backup tapes, locking them in a vault off-site. In this scenario, tapes and disks are lost or stolen en route from the company to its storage vendor. Hard drives and tapes that are made obsolete have been known to show up on auction sites without having been wiped clean of their data.
Recognizing the limitations of physical security, the PCI standard makes it clear that "encryption is the ultimate protection mechanism because even if someone breaks through all other protection mechanisms and gains access to encrypted data, they will not be able to read the data without further breaking the encryption." (Requirement 3 of the Visa Payment Card Industry Data Security Standard.)
There are a number of configuration options for using encryption to improve storage security, each with its own challenges and advantages. Consider application encryption, server agent encryption and storage security appliances.
Application encryption has been available in the marketplace for a number of years. The challenges facing this type of security, however, involve the high impact it has on both security and operations. Encryption keys are not secure because of their application-level distribution. Key management is very cumbersome. Most importantly, application encryption imposes a very large overhead on the server CPU, which causes significant performance degradation.
Server agent encryption is a step forward in that it provides an appliance for secure storage of encryption keys. However, this solution requires integration with the server agent and introduces significant latency delays in network performance. It also requires patch management, an unwieldy, time-intensive and risky task.
Introducing a storage security appliance, however, provides a number of advantages not found in the other solutions. A security appliance off-loads the encryption from the application and networks to the storage arena, which makes the security function invisible to the application. It therefore protects network performance. An appliance-based solution also provides versatility, ensuring disk, tape and Fibre Channel link security, as well as multi-vendor interoperability so that it can be implemented across a wide variety of arrays, remote sites and servers. Multi-vendor interoperability is essential as a company grows and incorporates other data banks. In fact, a storage security appliance solution can provide maximum security with minimal impact.
Technical considerations for effective encryption
Effective encryption solutions consist of four major elements: effective key management; certified encryption systems; role-based administration; and secure audit logging.
1. Key management is a critical, and potentially laborious, part of securing stored data. According to Jon Oltsik, an analyst with the Enterprise Strategy Group: "Key management will become more important as more devices add cryptographic capabilities and thus more data is encrypted." Encryption keys must be continually generated, organized, tracked and available--potentially for years--to recover data that has been stored. Thankfully, automated solutions offer secure key generation, distribution and archival.
2. An encryption system should have independent security validations, such as FIPS 140-2 Level 3 certification from the National Institute of Standards and Technology. This certification should include the entire system--from the physical and logical integrity of individual hardware components, to the operating system, to system level functionality such as user access control and key management. Operating in FIPS mode ensures that unencrypted keys never leave the appliance and requires M of N (split key) backup and recovery of system keys and configuration data to ensure secure appliance recovery. The encryption algorithm itself should be extremely robust: if stored media falls into the wrong hands, you'll want your data protected with strong encryption. Ideally, it should meet the AES-256 standard, which is the strongest commercially available algorithm.
3. Role-based administration divides up management responsibility to ensure that no single administrator can compromise security of the system. For example, a system administrator can configure the network parameters and add users; a security officer can set security policies and encryption rules. These controls ensure that only select individuals have access to important security elements, such as encryption keys.
4. Finally, audit logging maintains a record of security operations and violations. An audit log must be protected from alteration to ensure a rogue administrator cannot remove entries. It should also record all system changes by administrators to ensure that malicious changes can be tied back to a specific user.
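M of N backup of the appliance's system keys, as item 2 above describes, is normally implemented with a threshold secret-sharing scheme. The following is an added example, not code from the article or from any NeoScale product, of Shamir's secret sharing over a prime field: a 256-bit key is split into N shares of which any M recover it, and fewer than M reveal nothing. The field prime and the share counts are choices made for this example.

```python
import secrets

# Field modulus: the Mersenne prime 2^521 - 1. Any 256-bit key is a valid
# element, so a full AES-256 key fits in a single share value.
P = 2**521 - 1


def split_key(key: bytes, m: int, n: int) -> list[tuple[int, int]]:
    """Split `key` into n shares such that any m of them recover it.

    Shamir's scheme: pick a random polynomial of degree m-1 over GF(P)
    whose constant term is the key, and hand out one point per custodian.
    Fewer than m points leave the constant term completely undetermined.
    """
    if not 1 < m <= n:
        raise ValueError("need 1 < m <= n")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key does not fit in the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(m - 1)]
    shares = []
    for x in range(1, n + 1):          # x = 0 is never issued: it IS the secret
        y = 0
        for c in reversed(coeffs):     # Horner evaluation of the polynomial
            y = (y * x + c) % P
        shares.append((x, y))
    return shares


def recover_key(shares: list[tuple[int, int]], key_len: int) -> bytes:
    """Lagrange-interpolate the polynomial at x = 0 from m distinct shares.

    Shares may arrive in any order, and extra shares beyond m are fine.
    With fewer than m shares the result is a random wrong value, not a
    partial key, so a recovery must fail closed rather than leak.
    """
    if len({x for x, _ in shares}) != len(shares):
        raise ValueError("duplicate share index")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % P
                den = den * (xi - xj) % P
        secret = (secret + yi * num * pow(den, -1, P)) % P
    return secret.to_bytes(key_len, "big")
```

Each share should be stored on a separate token or smart card held by a different custodian, so that recovering the appliance requires M people to be present.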
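For the tamper-resistant audit log of item 4 above, one standard construction chains each entry to its predecessor with a keyed MAC, so that an administrator who can read the log but not the key cannot edit, delete or reorder entries without being detected. The example below is added here and is not from the original article or from any NeoScale product; the entry format, the HMAC key and the sample actions are constructed for illustration.

```python
import hashlib
import hmac
import json


class AuditLog:
    """Append-only audit log with an HMAC chain over every entry.

    Each entry's tag covers its own fields plus the previous entry's tag,
    so editing, deleting or reordering any entry invalidates every entry
    after it. The HMAC key lives inside the appliance; an administrator
    who can read the log cannot recompute tags to hide a change.
    """

    GENESIS = "0" * 64  # constructed "previous tag" for the first entry

    def __init__(self, key: bytes):
        self._key = key
        self.entries: list[dict] = []

    def _tag(self, seq: int, admin: str, action: str, prev: str) -> str:
        msg = json.dumps([seq, admin, action, prev], separators=(",", ":"))
        return hmac.new(self._key, msg.encode(), hashlib.sha256).hexdigest()

    def append(self, admin: str, action: str) -> dict:
        """Record that `admin` performed `action`, chained to the prior entry."""
        prev = self.entries[-1]["tag"] if self.entries else self.GENESIS
        seq = len(self.entries)
        entry = {"seq": seq, "admin": admin, "action": action,
                 "prev": prev, "tag": self._tag(seq, admin, action, prev)}
        self.entries.append(entry)
        return entry

    def verify(self) -> int:
        """Return -1 if the chain is intact, else the index of the first
        entry whose sequence number, back-link or tag does not check out."""
        prev = self.GENESIS
        for i, e in enumerate(self.entries):
            if e["seq"] != i or e["prev"] != prev:
                return i
            expected = self._tag(i, e["admin"], e["action"], prev)
            if not hmac.compare_digest(e["tag"], expected):
                return i
            prev = e["tag"]
        return -1
```

Removing only the most recent entries is the one change the chain alone cannot see, so the current head tag should be copied periodically to a system the administrators do not control.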
Operational considerations for data-at-rest security
The operational impact should also be considered when implementing a storage security solution. Important areas to evaluate include: initial deployment, performance/availability impact, and data recovery process.
Integration into an existing environment requires detailed planning to minimize the operational impact. Ideally, the solution should require minimal to no changes at all to the server and/or applications. Deploying an encryption solution requires that existing data is encrypted; for disk data this process can be performed transparently without impacting online operations.
Meeting availability and performance service levels is one of the biggest concerns of customers deploying storage security solutions. An effective solution integrates with the existing infrastructure and supports a redundant design to eliminate single points of failure. Performance considerations should be taken into account: primary storage, or disk encryption
Data recovery plans are required to provide either local or remote recovery of information, including the access of encrypted data at disaster recovery sites. Best practices should allow automated and secure sharing of media and keys between data centers, one-step disaster recovery of keys, and secure sharing of encrypted media with business partners.
As banks, credit unions and companies strive to meet PCI standards, they must tackle the complex issue of protecting data-at-rest through encryption, selecting solutions that are designed for the distributed, growing enterprise, provide the most efficient management of encryption keys, and introduce the least amount of operational disruption.
NeoScale Systems, Inc. is an independent storage security company, whose solutions have been certified by leading storage vendors and deployed worldwide within government, financial services, healthcare and other organizations.
by Dore Rosenblum, VP Marketing, NeoScale Systems