Data encryption strategies; Part 2: encrypting high-performance, high-volume storage.As the amount of network-attached data and storage systems grow, so does the exposure to data loss. Unless you are using a mainframe computer, the level of risk for data loss and theft from unauthorized access is growing daily. The risk has reached such a level that data encryption data encryption, the process of scrambling stored or transmitted information so that it is unintelligible until it is unscrambled by the intended recipient. Historically, data encryption has been used primarily to protect diplomatic and military secrets from foreign is being implemented for stored data in addition to the traditional use of encrypting data in transit. Data encryption is defined as the process of scrambling transmitted or stored information making it unintelligible UNINTELLIGIBLE. That which cannot be understood. 2. When a law, a contract, or will, is unintelligible, it has no effect whatever. Vide Construction, and the authorities there referred to. until it is unscrambled by the intended recipient. With regard to computing, data has historically been used primarily to protect mission critical data, government records and military secrets from foreign governments. It has been used increasingly over the past 10 years by the financial industry to protect money transfers, by businesses to protect credit-card information, for electronic commerce, and by corporations to secure sensitive transmission of proprietary information. Most of the encryption focus had been on data transmission prior to 2000 but the events of Sept. 11th, 2001 and the rise of compliance are moving the topic of encrypting data at rest, or stored data, much higher on the priority list of leading-edge data protection strategies today. The enciphering and deciphering of messages in secret code or cipher cipher: see cryptography. (1) The core algorithm used to encrypt data. A cipher transforms regular data (plaintext) into a coded set of data (ciphertext) that is not reversible without a key. is called cryptology The science of developing secret codes and/or the use of those codes in encryption systems. See cryptography. cryptology - The study of cryptography and cryptanalysis. and has become a topic of growing interest to the storage industry. DES In 1977 the Data Encryption Standard See DES. Data Encryption Standard - (DES) The NBS's popular, standard encryption algorithm. It is a product cipher that operates on 64-bit blocks of data, using a 56-bit key. It is defined in FIPS 46-1 (1988) (which supersedes FIPS 46 (1977)). (DES and later Triple DES See DES. (cryptography) triple DES - A product cipher which, like DES, operates on 64-bit data blocks. There are several forms, each of which uses the DES cipher 3 times. Some forms use two 56-bit keys, some use three. The DES "modes of operation" may also be used with triple-DES. ) was adopted in the United States United States, officially United States of America, republic (2005 est. pop. 295,734,000), 3,539,227 sq mi (9,166,598 sq km), North America. The United States is the world's third largest country in population and the fourth largest country in area. as the first federal standard. DES applies a 56-bit key to each 64-bit block of data. DES is now considered to be insecure for many applications. This is chiefly due to the 56-bit key size being too small as DES keys have been broken in less than 24 hours or less as microprocessor speeds increase. Computer chips currently exist for under $10 that can test 200 million DES keys/second. Since there was growing concern over the viability DES encryption algorithm A formula used to turn ordinary data, or "plaintext," into a secret code known as "ciphertext." Each algorithm uses a string of bits known as a "key" to perform the calculations. The larger the key (the more bits), the greater the number of potential patterns can be created, thus making , NIST (National Institute of Standards & Technology, Washington, DC, www.nist.gov) The standards-defining agency of the U.S. government, formerly the National Bureau of Standards. It is one of three agencies that fall under the Technology Administration (www.technology. (National Institutes of Standards and Technology) indicated DES would not be recertified as a standard and submissions for its replacement to become the encryption standard were accepted. Other encryption algorithms have been in use for years and include Secure Sockets Layer (networking, security) Secure Sockets Layer - (SSL) A protocol designed by Netscape Communications Corporation to provide secure communications over the Internet using asymmetric key encryption. (SSL (Secure Sockets Layer) The leading security protocol on the Internet. Developed by Netscape, SSL is widely used to do two things: to validate the identity of a Web site and to create an encrypted connection for sending credit card and other personal data. ) for Internet transactions, Pretty Good Privacy (PGP (Pretty Good Privacy) A data encryption program from PGP Corporation, Palo Alto, CA (www.pgp.com). Published as freeware in 1991 and widely used around the world for encrypting e-mail messages and securing files, PGP is available for commercial use and as freeware for ), and Secure Hypertext Transfer Protocol 'Secure hypertext transfer protocol' (S-HTTP) is an alternative mechanism to the https URI scheme for encrypting web communications carried over HTTP. S-HTTP is defined in RFC 2660. (S-HTTP S-HTTP Secure Hyper Text Transport Protocol ). AES The second encryption standard to be adopted was known as the Advanced Encryption Standard (cryptography, algorithm) Advanced Encryption Standard - (AES) The NIST's replacement for the Data Encryption Standard (DES). The Rijndael /rayn-dahl/ symmetric block cipher, designed by Joan Daemen and Vincent Rijmen, was chosen by a NIST contest to be AES. (AES). AES is a symmetric (Secret or Private Key) 128-bit block data encryption technique developed by Belgian cryptographers Joan Daemen Joan Daemen (born 1965, in Achel, Limburg, Belgium) is a Belgian cryptographer and one of the designers of Rijndael, the Advanced Encryption Standard (AES), together with Vincent Rijmen. and Vincent Rijmen Vincent Rijmen (born 16 October 1970, in Leuven, near Brussels, Belgium) is a Belgian cryptographer and one of the designers of the Rijndael, the Advanced Encryption Standard. . The U.S. government adopted the algorithm as its encryption technique in October 2000 after a long standardization process finally replacing the DES encryption algorithm. On December 6, 2001, the Secretary of Commerce officially approved AES as FIPS (Federal Information Processing Standards) A series of publications issed by the U.S. National Institute of Standards and Technology (NIST) that specifies information security guidelines for federal government departments and agencies. (Federal Information Processing Standard Federal Information Processing Standards (FIPS) are publicly announced standards developed by the United States Federal government for use by all non-military government agencies and by government contractors. ) 197. It is expected to be used extensively worldwide as was the case with its predecessor DES. AES is more secure than DES as it offers a larger key size, while ensuring that the only known approach to decrypt To convert secretly coded data (encrypted data) back into its original form. Contrast with encrypt. See plaintext and cryptography. a message is for an intruder to try every possible key. The AES algorithm can specify variable key lengths of 128-bit key (the default), a 192-bit key, or a 256-bit key. AES is a mutually acceptable algorithm that effectively protects any sensitive information. AES was initially used on a selective basis and is backwards compatible See backward compatible. backwards compatible - backward compatibility with DES. Symmetric standards such as DES and AES provide very high levels of security. Symmetric standards require that both the sender and the receiver must share the same key and also keep it secret from anyone else. Top Secret, classified and government information will require use of either the 192 or 256 key lengths. The implementation of AES in products intended to protect US national security systems and information must be reviewed and certified by NSA NSA abbr. National Security Agency Noun 1. NSA - the United States cryptologic organization that coordinates and directs highly specialized activities to protect United States information systems and to produce foreign (National Security Agency) prior to their acquisition and use. As of 2005, no successful attacks against AES have been recognized. Asymmetric Encryption See public key cryptography. Asymmetric Encryption differs from symmetric encryption Same as secret key cryptography. in that uses two keys; a public key known to everyone and a private key, or secret key, known only to the recipient of the message. Asymmetric encryption lessens the risk of key exposure by using two mathematically related keys, the private key and the public key. When users want to send a secure message to another user, they use the recipient's public key to encrypt the message. The recipient then uses a private key to decrypt it. An important element to the public key system is that the public and private keys are related in such a way that only the public key can be used to encrypt messages and only the corresponding private key can be used to decrypt them. Moreover, it is virtually impossible to determine the private key if you know the public key. There are a number of asymmetric key encryption systems but the best known and most widely used is RSA (1) (Rural Service Area) See MSA. (2) (Rivest-Shamir-Adleman) A highly secure cryptography method by RSA Security, Inc., Bedford, MA (www.rsa.com), a division of EMC Corporation since 2006. It uses a two-part key. , named for its three co-inventors Rivest, Shamir and Adleman. The Secure Sockets Layer used for secure communications on the Internet uses RSA (the popular https protocol is simply http over SSL). Asymmetric encryption is based on algorithms that are complex and its performance overhead is more significant making it unsuitable for encrypting very large amounts of data. It is possible to take advantage of the strengths of both key methods by encrypting data with a symmetric key, and then protecting this key with asymmetric encryption, though this area of encryption is in its early stages. Asymmetric encryption is considered one level more secure than symmetric encryption, because the decryption (cryptography) decryption - Any procedure used in cryptography to convert ciphertext (encrypted data) into plaintext. key can be kept private. Keys are the Key The basic idea of key-based encryption means that a block, file or other unit of data is scrambled in a way so that the original information is hidden within a level of encryption. The scrambled data is called cyphertext. In theory, only the person or machine doing the scrambling and the recipient of the cyphertext know how to decrypt or unscramble Same as decrypt. See scramble. the data since it will have been encrypted using an agreed-upon set of keys. The difficulty of cracking an encrypted message is a function of the key length. For example, an 8-bit key allows for only 256 possible keys (28) and can be cracked quickly. A 128-bit key (which equates to searching 2128 keys) might take decades to crack. The same computer power that yields strong encryption An encryption method that uses a very large number as its cryptographic key. The larger the key, the longer it takes to unlawfully break the code. Today, 256 bits is considered strong encryption. As computers become faster, the length of the key must be increased. can be used to break weak encryption schemes. Strong encryption makes data private, but not necessarily secure. To be secure, the recipient of the data, often a server, must be positively identified as being the approved party. This is usually accomplished online using digital signatures or certificates. Encryption keys and passwords should be stored in escrow with a secure third party. It is important to establish an effective key management plan. Key management is the key to the successful use of encryption! Hashing A third category of cryptology is called Hashing (One-Way) Encryption. A hash is a cryptographic algorithm that takes data input of any length and produces an output of a fixed length. The hash output is called a digital signature and is used for data integrity. Some hash algorithms such as MD5 (Message Digest A condensed text string that has been distilled from the contents of a text message. Its value is derived using a one-way hash function and is used to create a digital signature. See digital signature and MD5. 5) have the possibility of producing the same signature making it vulnerable to attack as a duplicate key duplicate key n → duplicado de una llave can be produced. Digital signatures typically range from 128 bits using the MD5 algorithm to 160 bits in size using the more secure SHA SHA - Secure Hash Algorithm 1 (Secure Hash Algorithm (algorithm, cryptography) Secure Hash Algorithm - (SHA) A one-way hash function developped by NIST and defined in standard FIPS 180. SHA-1 is a revision published in 1994; it is also described in ANSI standard X9.30 (part 2). 1). The larger the signature, the more secure the hash though performance degrades as hash size increases. Encryption Data exposure grows For years the storage industry focused its high availability Also called "RAS" (reliability, availability, serviceability) or "fault resilient," it refers to a multiprocessing system that can quickly recover from a failure. There may be a minute or two of downtime while one system switches over to another, but processing will continue. developments on protecting data from technology failures such as disk crashes, operating system operating system (OS) Software that controls the operation of a computer, directs the input and output of data, keeps track of files, and controls the processing of computer programs. failures, or tapes that couldn't be read. Technology failures were addressed with concepts such as RAID, clustering, component redundancy, replication software, and vastly improved intelligent error recovery capabilities for both disk and tape. With the use of vulnerable IP storage networks in full swing by 2000, a new threat to data loss appeared called intrusion and it became the next big data exposure issue for the IT industry to address. Malicious attacks on company networks are nearly doubling each year and the biggest source of the attacks is now believed to be employees. Worms, viruses, spyware, scams and spam have contaminated contaminated, v 1. made radioactive by the addition of small quantities of radioactive material. 2. made contaminated by adding infective or radiographic materials. 3. an infective surface or object. porous IP networks causing significant business losses and an estimated 80% of the e-mail content being transmitted on the Internet is estimated to be useless. This is a growing threat to a successful data protection implementation since over 50% of all disk data is now network-attached via NAS (1) See network access server. (2) (Network Attached Storage) A specialized file server that connects to the network. A NAS device contains a slimmed-down operating system and a file system and processes only I/O requests by supporting the popular or SAN. This threat is growing as computers and systems become increasingly connected, not only through the Internet, but through business partnerships that establish connections and interfaces. Viruses, worms, Trojan horses It may never be fully completed or, depending on its its nature, it may be that it can never be completed. However, new and revised entries in the list are always welcome.
Companies that continue to operate even though they are insolvent. Also known as living dead. Notes: It's advisable to avoid investing in zombies at all costs their life expectancies are highly unpredictable. , distributed denial-of-service attacks, hacking, and blended threats are all out there, and many can hitch rides with e-mails, downloads and electronic transmissions, including instant messages. There are an estimated 60,000 different viruses currently being transmitted via the Internet. The number is growing. Even network routers have become vulnerable to attack. Router products running certain versions of specially written IP Version 6 packets can be affected by the IP design flaw as malicious hackers can compromise routers to stop, redirect and scramble network traffic. An increasing number of companies are deploying encryption appliances for data that is stored on its SANs in order to prevent data loss from the many sources previously mentioned. Network encryption appliances help fill a growing security gap, securing data both at rest stored on storage devices and on the SAN itself. Having spent significant amounts of time and money shoring up Noun 1. shoring up - the act of propping up with shores propping up, shoring supporting, support - the act of bearing the weight of or strengthening; "he leaned against the wall for support" their physical security, many enterprises are beginning to guard their stored data against insider attacks, disgruntled dis·grun·tle tr.v. dis·grun·tled, dis·grun·tling, dis·grun·tles To make discontented. [dis- + gruntle, to grumble (from Middle English gruntelen; see employees, and unprincipled contractors and visiting clients. Another reason for the heightened interest in encryption is the advent of government regulations like HIPAA (Health Insurance Portability & Accountability Act of 1996, Public Law 104-191) Also known as the "Kennedy-Kassebaum Act," this U.S. law protects employees' health insurance coverage when they change or lose their jobs (Title I) and provides standards for patient health, , Sarbanes-Oxley and PHIPA PHIPA Personal Health Information Protection Act of 2004 in Canada. Total claims filed in the US in 2004 for damages caused by worms and viruses totaled $17.5B according to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. a survey released by the Computer Economics Impact of Malicious Code Study. The Love-bug attack in 2004 cost an estimated $8.8B in damages alone! Intrusion is being addressed by anti-virus protection software but this remains a catch-up game for now as the exposure to data loss mounts. Viruses and worms are more aggressively targeting handheld devices, cell phones and embedded computers in cars this year, according to a report released by IBM (International Business Machines Corporation, Armonk, NY, www.ibm.com) The world's largest computer company. IBM's product lines include the S/390 mainframes (zSeries), AS/400 midrange business systems (iSeries), RS/6000 workstations and servers (pSeries), Intel-based servers (xSeries) . Security jobs are on the rise and estimates indicate demand for 2.1 million information security professionals in 2008, up from 1.3 million in 2005. Data security may well be on its way to becoming the most important storage management discipline. Recent examples of data loss and vulnerability Businesses are storing more data in distributed locations than ever before to guard against physical threats such as loss of electricity, floods, devastating dev·as·tate tr.v. dev·as·tat·ed, dev·as·tat·ing, dev·as·tates 1. To lay waste; destroy. 2. To overwhelm; confound; stun: was devastated by the rude remark. hurricanes or other site related damages. Hurricane Katrina  Editing of this page by unregistered or newly registered users is currently disabled due to vandalism. will likely cause more IT losses than any other natural disaster in history. Data may arrive at distributed locations either electronically or the storage media can be physically transported in an offline mode by other vehicles. What happens if the data being transported to another location is lost or stolen? The growing list of lost data and security breaches includes CardSystems loss of account information for 200,000 credit card holders, some 6,000 current and former employees of the Federal Insurance Deposit Corp. had data revealed through a security breach, a loss of backup tapes at City National Bank, and Bank of America
Bank of America (NYSE: BAC TYO: 8648 ) is the largest commercial bank in the United States in terms of deposits, and the largest company of its kind in the world. Corp. disclosed early in 2005 that it lost digital tapes containing the credit card account records of 1.2 million federal employees including 60 U.S. senators. Was the data really lost? Was the data stolen? Who has the data now? Is it in the hands of unauthorized personnel? Is this valuable data readable or was it encrypted so it could not be understood? What does this mean to potential identity theft problems? Finding answers to these questions has been difficult. If any of this "data at rest" had been encrypted, the damages would be minimized as the stolen or lost data would be useless. Some industry analysts said the rising number of mishaps and disasters highlight the risk of physically moving valuable archival data to geographically separated storage facilities and will likely feed a movement toward network-based backup schemes. Others point out that IP-based networks have their own growing number of vulnerabilities and are subject to additional intrusion bringing along an additional set of security issues. Still others say that weak IT security technology is fueling an identity theft crisis. In an Information Week survey published in July, 2005, only 7 percent of the companies indicated that they always encrypted data backed up to tape. These and other breaches have prompted most businesses to conduct a comprehensive review of their security procedures. California Senate Bill 1386 requires that companies publicly disclose instances when they believe unencrypted personal information about California residents might have been compromised. The bill has led many companies to believe that implementing encryption could keep them out of the headlines. A major risk factor associated with stolen or lost data is that it can't be well protected unless it is encrypted. Stolen data can always be physically destroyed. Data stored on fixed or removable storage is called data at rest (versus data in transit.) Encrypting data in transit has nothing to do with protecting data that is attacked after it is stored at its endpoints. While RAID and redundancy address the device failure problems, anti-virus protection software addresses the access and data intrusion problems, encryption addresses the data loss/data theft problem. With as much as 80% of the world's digital data estimated to reside on removable storage media and with the value of archival data steadily increasing in value, protecting data at rest must be now treated as more than managing an archival repository whether it resides on disk or tape. Presently the majority of IT businesses haven't directly addressed encryption as part of their high availability strategy for stored data. That trend is about to change. Implementing encryption today Data encryption is nothing new, but when it is used in conjunction with high-performance, high-volume enterprise storage, it poses some legitimate challenges. For example, encryption and decryption are compute-intensive activities that can slow access to stored data, especially when organizations are storing and accessing massive amounts of information. Encryption doesn't help for device failures, worms or viruses. It does help for data theft, such as from spyware or lost media, as the encrypted data is meaningless unless it can be successfully decrypted. Storage security appliances are the most common method of implementing encryption for data at rest today. The appliances are placed between the storage devices (disk and more commonly tape) and the server running applications requesting the encrypted data. The appliance encrypts all data going to storage, and decrypts data going back to the applications as it monitors all file access attempts. Stored data is encrypted and hence unreadable if the data is lost, stolen or even if spyware is trying to extract your information for undesirable purposes. Storage security appliances can both prevent malicious insiders and unwelcome outsiders from trying to access and make valuable data meaningful. While secure-storage appliances can protect data at rest, they can also purge it after a prescribed time by simply deleting keys. Rules can be implemented for retaining data for a specific period of time. The appliance can delete the relevant keys when the specified lifecycle or retention period has expired. In particular, notebook PC storage resides on disk and PCs are frequently in transit making them subject to theft. As a result, a few disk drive providers are beginning to provide encryption for disks used in PC's. Storage encryption products are typically sold as combined hardware/software appliances. List prices for appliances typically start around $2025,000 range and are usually deployed in pairs to enable higher availability and for redundancy. Depending on the amount of data and devices to be encrypted, the price for encryption can climb quickly. It may very well be worth it! What data should be encrypted? Despite appliances' ability to encrypt data at rest, knowing what data to encrypt today is important to optimize costs and more importantly to protect critical information from theft. It has become crucial for businesses to know the value of their data and classify it for a growing number of reasons. Some very large businesses are only securing regulated data in their storage environments since managing the keys and the overall encryption process can become time consuming. Small and medium-size companies often consider encrypting just about everything to ease the management challenge. Standard data classifications listed below are primarily based on a recovery time objective (RTO (Recovery Time Objective) The amount of time a computer system or application can stop functioning before it is considered intolerable to the enterprise. It can be computed to be from seconds to days, depending on how critical the application is to the organization. ). Keep in mind that data in each category can be a candidate for encryption as non-critical data might not be needed immediately after a failure but is still valuable. Data Classification Category Description 1) Mission Critical Up to 15% of online data, extremely valuable data required for business survival in the event of a disaster. Normally mirrored to disk and also backed to tape in a different geographic location. 2) Vital About 20% of online data. Highly valuable data used in normal business processes but may not be immediately needed for a disaster recovery. Normally backed up to tape and/or replicated to lower cost disk storage. 3) Sensitive About 25% of online data. Data used in normal business processes that has an alternative source or can be reconstructed and may not be needed for hours or days after a disaster but may have varying degrees of value. Normally backed up to automated tape. 4) Non-critical Typically 40% of online data. Data that is not needed for quick disaster recovery but may have varying degrees of value. Easily reconstructed or duplicated from prior backup or archival copies. Source: Horison, Inc. Compressing data at rest on disk has only been implemented by one manufacturer, Storage-Tek, and never became a defacto standard for disk subsystems. The decision about what disk data to encrypt should ultimately stem from a data classification exercise. Encryption can be applied to an entire disk volume or drive though the performance impact should be evaluated. To use the drive, it is considered "mounted" while using a special decryption key. In this state the drive can be used and read normally. When finished, the drive is dismounted and returns to an encrypted state, unreadable by Trojan horses, spyware or other snoop software. Encryption overhead increases as the keys get larger and it isn't clear yet how widespread encryption for disk applications will become since disk applications are more performance sensitive than tape data. Conclusion Despite evidence that stored data is now more vulnerable than data in transit, most encryption efforts remain focused on data transmission. Encryption makes sense for data stored on backup tapes, laptops, PDAs or other portable storage media containing sensitive information, as well as credit card numbers stored in databases. The issue of encrypting data at rest is moving to center stage and it has unfortunately become a necessity for today's responsible businesses as the threat of data loss and theft mounts daily. Implementing encryption has been used selectively in the past and it can be a trying process. Though encrypting data is quickly gaining momentum, it will continue to be used for specific applications in the near term. Encryption for data at rest was considered in parallel with the introduction of in-line compression for tape drives in the mid-1980's, but the demand did not warrant implementation. Today, the march toward encryption is reminiscent of the way data compression became a standard method for storing data at rest on tape in the mid-1980 period. Up to that point, a variety of cycle-intensive, server-based software techniques were used to compress data being written to tape and disk. Each used different algorithms and the data had to be de-compressed with the same algorithm that compressed data. Finally, IBM and StorageTek each implemented compression in an ASIC (Application Specific Integrated Circuit) Pronounced "a-sick." A chip that is custom designed for a specific application rather than a general-purpose chip such as a microprocessor. (Application Specific Integrated Circuit) in their tape drives using compatible algorithms making the media interchangeable. In a few years, everything written to magnetic tape drives from any vendor was compressed and the end-user didn't have to worry about deciding what data to compress because it was all compressed. Compression for data at rest (on tape) soon became a de-facto standard function for all tape drive manufacturers. It may take a while longer to standardize, but a more likely way that widespread implementation of encryption for data at rest will emerge is in the tape drive itself, similar to compression, via an ASIC. This presents the scenario that essentially all data at rest, for mainframe and non-mainframe systems, will be encrypted for a wide variety of security, legal and lifecycle retention requirements. So far, a surprising level of disregard for storage security from the large storage providers has created opportunities for a handful of encryption products and appliances. Companies such as Decru, NeoScale (acquired by NetApp in 2005), Vormetric, Kasten Chase and Ingrian Networks have all developed unique software and/or hardware solutions to help protect against hackers and other attackers. Stay abreast of your storage and IT vendor's strategies for encryption, the future of your most valuable asset will most likely depend on it. Fred Moore is President of Horison, Inc. (Boulder, CO). www.horison.com www.storagetek.com www.ibm.com www.decru.com www.vormetric.com www.neoscale.com www.kastenchase.com www.ingrian.com |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion