Are you ensuring the security of your keys?
To protect against these attacks, most companies have secured their systems and networks against outsiders with perimeter-based strategies: firewalls and virtual private networks (VPNs) that keep external users without proper authorization away from sensitive data. Companies are now looking beyond the perimeter, however, and are focusing on protecting the data itself: data residing on storage within the organization (data at rest) and data moving between systems, network and storage devices (data in flight). This is known as storage security.
Typically, storage security includes three components:
* Authentication ensures that users and systems are who they say they are.
* Access control limits what an authenticated user or system may do with the data.
* Encryption scrambles data so that unauthorized persons cannot read it. It has two primary components: the encryption algorithm and the key.
Many encryption algorithms are in use today. The National Institute of Standards and Technology (NIST) selected the Advanced Encryption Standard (AES), published as FIPS 197, as its standard block cipher; other approved algorithms, and the test criteria used to validate implementations of them, are likewise established by NIST under the Federal Information Processing Standards (FIPS).
Once an algorithm is selected, keys are generated to meet the specific security requirements (key length, and the scope of data each key will cover). The algorithm itself is public, so the confidentiality of the encrypted data rests entirely on the secrecy of the keys; processes must therefore be put in place that give complete control over every key used to encrypt and decrypt data, from creation to destruction. Key management is the set of processes that provides this control.
Key Management Systems
Key management combines the devices, people, and operations required to create, maintain, and control keys. The system is as much a set of operational practices as it is a product, and those practices must be implemented for it to work effectively. Security plays an important part in key management, in the form of access control and logging.
Access control determines who or what may access which keys. By limiting access to keys, the organization limits its exposure if any one account or system is compromised. An effective key management system uses role-based access control so that no single user has rights to all keys, or to every operation on a key.
A secure audit log server records every event on the key management system. Administrators should have only limited access to this server, and should never delete a log without first archiving it; the archived file should be encrypted, authenticated, and digitally signed so that any later alteration can be detected. Access to the server for viewing the logs should be restricted to audit users.
The security of the key management system should be independently certified (e.g., FIPS 140-2 validation) rather than taken from the vendor's claims. Higher levels require more testing than lower levels: Level 3, for instance, adds physical tamper detection and identity-based operator authentication to the tamper evidence and role-based authentication required at Level 2.
The operational side of a key management system is probably its most overlooked aspect. Processes must be repeatable, replicable, and secure to meet the key management requirements of today's organizations.
Key Generation. Keys can be created manually or automatically. The less human intervention, the better: a key that no person ever sees cannot be written down, chosen from a guessable pattern, or leaked on its way into the system. Unique keys generated per use (e.g., a different key for each tape) confine a compromise to the single object that key protects, whereas one key for all tapes in the enterprise exposes every tape at once. An automated key generator can be a standalone device or part of a piece of cryptographic equipment. An absolute requirement is that the generator be contained in a secure hardware component rather than in software running on an off-the-shelf system, so that neither its random source nor the keys it produces can be observed from the host.
Key Distribution. A key must be distributed to every system that will encrypt or decrypt data with it. There are several ways to do this. The preferred method is electronic key distribution; the second is manual distribution on smartcards. When keys are exchanged manually, the recommended practice for data-encrypting keys and for keys that protect other keys is a "split knowledge" scheme: the key is split into pieces held by different individuals, and no individual can reconstruct it alone. However a key is distributed, it should be encrypted at least once under a strong key-wrapping method, or split into multiple shares under split knowledge.
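The split-knowledge scheme just described, as an added example (this is not code from the original article and not NeoScale's product): Shamir secret sharing over a prime field in Go, splitting a 256-bit key among n custodians so that any k of them can reconstruct it and any fewer learn nothing about it. The field prime 2^521 - 1, the share layout and the function names are this example's own choices, not anything the article specifies.

```go
package main

import (
	"bytes"
	"crypto/rand"
	"errors"
	"fmt"
	"math/big"
)

// prime is the field modulus, the Mersenne prime 2^521 - 1: every key of up to
// 512 bits is a single field element, so a 256-bit AES key needs no chunking.
var prime = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 521), big.NewInt(1))

// Share is one custodian's piece of a split key: a point (X, Y) on the polynomial.
type Share struct {
	X int
	Y *big.Int
}

// SplitKey splits key into n shares of which any k reconstruct it. The key is the
// constant term of a random polynomial of degree k-1 over the field and each share
// is the polynomial evaluated at x = 1..n; k-1 shares leave every key equally likely.
func SplitKey(key []byte, n, k int) ([]Share, error) {
	if k < 2 || n < k || n > 255 {
		return nil, errors.New("need 2 <= k <= n <= 255")
	}
	secret := new(big.Int).SetBytes(key)
	if secret.Cmp(prime) >= 0 {
		return nil, errors.New("key does not fit in the field")
	}
	coeffs := make([]*big.Int, k)
	coeffs[0] = secret
	for i := 1; i < k; i++ {
		c, err := rand.Int(rand.Reader, prime) // uniformly random, from the OS CSPRNG
		if err != nil {
			return nil, err
		}
		coeffs[i] = c
	}
	shares := make([]Share, n)
	for i := range shares {
		x, y := big.NewInt(int64(i+1)), new(big.Int)
		for j := k - 1; j >= 0; j-- { // Horner's rule: y = f(x) mod prime
			y.Mul(y, x).Add(y, coeffs[j]).Mod(y, prime)
		}
		shares[i] = Share{X: i + 1, Y: y}
	}
	return shares, nil
}

// RecoverKey interpolates f(0) from at least k shares (Lagrange interpolation over the
// field); keyLen restores the leading zero bytes of the key. Too few shares yield a
// random field element, which almost surely does not fit in keyLen bytes and is rejected.
func RecoverKey(shares []Share, keyLen int) ([]byte, error) {
	secret := new(big.Int)
	for i, si := range shares {
		num, den := big.NewInt(1), big.NewInt(1)
		for j, sj := range shares {
			if i == j {
				continue
			}
			if si.X == sj.X {
				return nil, errors.New("duplicate share")
			}
			num.Mul(num, big.NewInt(int64(-sj.X))).Mod(num, prime)     // product of (0 - x_j)
			den.Mul(den, big.NewInt(int64(si.X-sj.X))).Mod(den, prime) // product of (x_i - x_j)
		}
		term := new(big.Int).ModInverse(den, prime)          // Lagrange basis value at x = 0 ...
		term.Mul(term, num).Mul(term, si.Y).Mod(term, prime) // ... times this share's y
		secret.Add(secret, term).Mod(secret, prime)
	}
	if secret.BitLen() > 8*keyLen {
		return nil, errors.New("shares do not reconstruct a key of the expected length")
	}
	return secret.FillBytes(make([]byte, keyLen)), nil
}

func main() {
	key := make([]byte, 32) // stand-in for a 256-bit data-encrypting key
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	shares, err := SplitKey(key, 5, 3) // five custodians, any three can reconstruct
	if err != nil {
		panic(err)
	}
	got, err := RecoverKey(shares[1:4], len(key))
	fmt.Println("3 of 5 shares recover the key:", err == nil && bytes.Equal(got, key))
	_, err = RecoverKey(shares[:2], len(key))
	fmt.Println("2 of 5 shares:", err)
}
```

Each custodian's Share goes on its own smartcard, and the host that reconstructs the key needs k cards present at once. A share is the key in another form: it should travel and be stored under the same controls as the key itself, and the reconstructed key should exist only inside the cryptographic hardware that will use it.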
Key Archiving. When a key is distributed, best practice is to send a copy directly to an archive, which in turn feeds the backup facility. The key user should forward the key to the archive before using it to encrypt anything; otherwise data can exist that no archived key will ever decrypt. The archive provides the ability to recover a key quickly, with tamper-resistant hardware protecting the archived copies.
Key Sharing. In some cases keys need to be shared with business partners outside the enterprise. For example, an organization that sends an encrypted tape to a supplier needs a mechanism to share the key with which that tape was encrypted so the supplier can read it; the same wrapping or split-knowledge controls apply as for internal distribution.
Re-keying in a Storage Environment. Re-keying is the operation of replacing the key under which data is encrypted: the data is decrypted with the old key and encrypted again with a new one. If the re-key was prompted by potential exposure of the key or the data, the old key should be marked for deletion as soon as the re-encryption is complete. Some re-keying of data at rest must be planned rather than reactive. Tape is one case: media should be re-keyed when they are rotated out because of age. Because tape can be kept for many years, a good archiving mechanism is imperative to ensure that the key can still be recovered when the media is retrieved, replaced, or expired. Finally, granular keys, one per media object (Key per Tape, Key per LUN, or Key per File), confine each re-key operation to a single object and alleviate some of the burden of constant re-keying.
Key Recovery. Key recovery from an archive is extremely important for data at rest. An archive should be capable of retaining keys for long periods of time and of producing them when needed. If the organization implements automated key recovery, the process should be tested at regular intervals to ensure that it meets the organization's needs, whatever type of archive holds the keys.
Key Deletion. The most challenging part of any key management system is ensuring that, once a key has been exposed or retired, or the media it protected has been lost, deleted, stolen, or replaced, the key cannot be recovered by any malicious party. Key management systems should include automated and manual processes to ensure that all copies of a key are deleted from all devices, archives, and backups.
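The lifecycle that the Key Generation, Key Archiving, Re-keying and Key Deletion steps above describe, as an added example in Go (not code from the original article or from any vendor's product): one key per media object, an archive copy taken at generation before any use, re-keying that decrypts under the old key and encrypts under a fresh one with AES-256-GCM, a Retired state that may still decrypt but never encrypt, and a Destroy step that refuses active keys and removes the archive copy as well. The in-memory maps stand in for the hardware generator and the archive the article calls for; the state names, the key-id format and the media labels are this example's own.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// A key moves Active -> Retired (marked for deletion after a re-key or suspected exposure;
// it may still decrypt, never encrypt) -> Destroyed (every copy, archive copy included, zeroised).
type KeyState int

const (Active KeyState = iota; Retired; Destroyed)

// KeyRecord binds one key to the single object it protects (key per tape, per LUN or per file).
type KeyRecord struct {
	Media string
	Key   []byte
	State KeyState
}

type KMS struct {
	keys    map[string]*KeyRecord
	archive map[string][]byte // escrow copy, taken at generation before the key is first used
}

func NewKMS() *KMS { return &KMS{keys: map[string]*KeyRecord{}, archive: map[string][]byte{}} }

// Generate creates a random 256-bit key for one media object and archives a copy immediately.
func (k *KMS) Generate(media string) (string, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil { return "", err }
	id := fmt.Sprintf("key-%04d", len(k.keys)+1)
	k.keys[id] = &KeyRecord{Media: media, Key: key, State: Active}
	k.archive[id] = append([]byte(nil), key...)
	return id, nil
}

// aead returns AES-256-GCM for id if the key's state permits the requested operation.
func (k *KMS) aead(id string, decrypting bool) (cipher.AEAD, error) {
	rec, ok := k.keys[id]
	if !ok || rec.State == Destroyed || (rec.State == Retired && !decrypting) {
		return nil, errors.New("key not usable for this operation: " + id)
	}
	block, err := aes.NewCipher(rec.Key)
	if err != nil { return nil, err }
	return cipher.NewGCM(block)
}

// Encrypt seals plaintext under key id: random nonce prepended, key id bound as associated data.
func (k *KMS) Encrypt(id string, plaintext []byte) ([]byte, error) {
	g, err := k.aead(id, false)
	if err != nil { return nil, err }
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil { return nil, err }
	return g.Seal(nonce, nonce, plaintext, []byte(id)), nil
}

// Decrypt accepts a retired key, so existing data stays readable until it has been re-keyed.
func (k *KMS) Decrypt(id string, ct []byte) ([]byte, error) {
	g, err := k.aead(id, true)
	if err != nil { return nil, err }
	if ns := g.NonceSize(); len(ct) >= ns {
		return g.Open(nil, ct[:ns], ct[ns:], []byte(id))
	}
	return nil, errors.New("ciphertext too short")
}

// Rekey re-encrypts ct under a fresh key for the same media object and retires the old key;
// with one key per object, nothing else depends on it.
func (k *KMS) Rekey(oldID string, ct []byte) (string, []byte, error) {
	pt, err := k.Decrypt(oldID, ct)
	if err != nil { return "", nil, err }
	newID, err := k.Generate(k.keys[oldID].Media)
	if err != nil { return "", nil, err }
	newCT, err := k.Encrypt(newID, pt)
	if err != nil { return "", nil, err }
	k.keys[oldID].State = Retired
	return newID, newCT, nil
}

// Destroy zeroises a retired key and removes its archive copy, so that no copy survives anywhere.
func (k *KMS) Destroy(id string) error {
	rec, ok := k.keys[id]
	if !ok || rec.State != Retired { return errors.New("only a retired key may be destroyed: " + id) }
	for i := range rec.Key { rec.Key[i] = 0 }
	delete(k.archive, id)
	rec.State = Destroyed
	return nil
}

// Archived reports whether an escrow copy of key id still exists.
func (k *KMS) Archived(id string) bool { return k.archive[id] != nil }

func main() {
	kms := NewKMS()
	k1, _ := kms.Generate("tape:000123")
	ct, _ := kms.Encrypt(k1, []byte("backup block 1"))
	k2, ct2, _ := kms.Rekey(k1, ct) // k1 suspected exposed: move the data, retire k1
	fmt.Println("destroy k1:", kms.Destroy(k1), "archive copy left:", kms.Archived(k1))
	pt, err := kms.Decrypt(k2, ct2)
	fmt.Printf("data under %s: %q (err=%v)\n", k2, pt, err)
}
```

Two details carry the article's points. Binding the key id as associated data means ciphertext that is moved under another key's id fails to open rather than decrypting to garbage, and keeping a retired key readable until Destroy means a re-key that fails halfway does not strand the data. In a real deployment the key bytes never leave the hardware module; only the key id and the ciphertext cross the host.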
Key Logging. A good key management system must track every key, logging which users have used it, when, and what they did with it. This is called key logging. From the time a key is generated until it is finally deleted, every event related to that key should be recorded in one or more logs. Alerting on those events should be automated: that simplifies day-to-day operation of the key management system and ensures that the appropriate individuals are notified promptly when something happens.
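The role-based access control and audit logging described under Key Management Systems above, together with the key logging here, as an added example in Go (not from the original article): an access matrix in which no single role can generate, use and destroy keys, an audit log that records every decision including denied attempts, and a SHA-256 hash chain that makes an edited or deleted entry detectable. The roles, the action names and the chain format are this example's own.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// rights is the role-based access matrix: the custodian who generates and retires keys cannot
// use them, the operator who uses them cannot manage them, and only the auditor reads the log.
var rights = map[string]map[string]bool{
	"custodian": {"generate": true, "retire": true, "destroy": true},
	"operator":  {"encrypt": true, "decrypt": true},
	"auditor":   {"readlog": true},
}

// LogEntry is one audit record. Prev carries the previous entry's hash, so an edited or
// deleted entry breaks every hash that follows it.
type LogEntry struct {
	Seq                            int
	Actor, Action, Key, Prev, Hash string
	Allowed                        bool
}

type AuditLog struct{ entries []LogEntry }

func entryHash(e LogEntry) string {
	sum := sha256.Sum256([]byte(fmt.Sprintf("%d|%s|%s|%s|%t|%s", e.Seq, e.Actor, e.Action, e.Key, e.Allowed, e.Prev)))
	return hex.EncodeToString(sum[:])
}

// Authorize decides whether role may perform action on key and records the decision,
// denied attempts included, before returning it.
func (l *AuditLog) Authorize(role, action, key string) bool {
	e := LogEntry{Seq: len(l.entries) + 1, Actor: role, Action: action, Key: key, Allowed: rights[role][action]}
	if n := len(l.entries); n > 0 {
		e.Prev = l.entries[n-1].Hash
	}
	e.Hash = entryHash(e)
	l.entries = append(l.entries, e)
	return e.Allowed
}

// Entries returns a copy of the log to the auditor role only; the request itself is logged.
func (l *AuditLog) Entries(role string) ([]LogEntry, bool) {
	if !l.Authorize(role, "readlog", "-") {
		return nil, false
	}
	return append([]LogEntry(nil), l.entries...), true
}

// Verify recomputes the chain and returns the sequence number of the first entry that does
// not fit (edited, re-ordered, or whose predecessor is missing), or 0 if the log is intact.
func Verify(entries []LogEntry) int {
	prev := ""
	for i, e := range entries {
		if e.Seq != i+1 || e.Prev != prev || e.Hash != entryHash(e) {
			return i + 1
		}
		prev = e.Hash
	}
	return 0
}

// Denied lists every refused attempt: the events an alert should be raised on.
func Denied(entries []LogEntry) []LogEntry {
	var out []LogEntry
	for _, e := range entries {
		if !e.Allowed {
			out = append(out, e)
		}
	}
	return out
}

func main() {
	var al AuditLog
	al.Authorize("custodian", "generate", "key-0001")
	al.Authorize("operator", "encrypt", "key-0001")
	al.Authorize("operator", "destroy", "key-0001")  // denied: operators cannot destroy keys
	al.Authorize("custodian", "encrypt", "key-0001") // denied: custodians cannot use keys
	entries, _ := al.Entries("auditor")
	fmt.Println("intact:", Verify(entries) == 0, "denied events:", len(Denied(entries)))
	tampered := append([]LogEntry(nil), entries...)
	tampered[2].Allowed = true // someone rewrites the denial into an approval
	fmt.Println("edit detected at entry:", Verify(tampered))
	cut := append(append([]LogEntry(nil), entries[:2]...), entries[3:]...) // entry 3 deleted
	fmt.Println("deletion detected at entry:", Verify(cut))
}
```

A hash chain only protects the log against piecemeal edits; an administrator who can rewrite the whole file can simply re-chain it. That is why the article has the archived log encrypted and digitally signed, and why the signing key must not be one the administrators hold. Denied is the feed for the automated alerting the Key Logging step calls for.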
Different concerns exist when implementing key management at single or multiple sites.
In a single-site implementation, particular attention must be paid to key backup and recovery. The organization must ensure that keys are regularly backed up to an offsite location, such as a disaster recovery site.
On the other hand, multiple-site implementations have the benefit of a remote site within the organization at which keys can be replicated, provided the appropriate security mechanisms are in place. Administrative and security functions should be separated; keys should be archived locally and backed up regularly to the remote site to provide full recovery capability; and logs should be replicated between at least two sites so that audit logging is both local and centralized.
Key management is a critical part of encryption, no matter what is being encrypted. The longer data must be maintained in an encrypted form, the more important key management becomes. And when encryption is part of a storage security solution, ensuring that keys can be managed, maintained, and recovered can help an organization mitigate many of the risks that exist when encryption is used improperly.
Key management systems today must provide three key elements: security, automation, and openness. Security delivers appropriate access limitations to keys based on the requirements of the organization and the type of data being encrypted. Automation ensures that keys are available when and where encrypted information is read. Openness ensures the seamless integration into the enterprise security infrastructure.
While architecting a complete key management system can be time-consuming, companies must implement a key archive and backup policy, with appropriate access controls, to minimize risk. In addition, by performing a risk analysis for the data in question, prior to implementing an encryption solution, organizations can help ensure that the right data is protected by the right solution.
Dore Rosenblum is VP of marketing for NeoScale (Milpitas, CA).
Publication: Computer Technology Review, Mar 1, 2006. Title annotation: Storage Security.