Improving data security by protecting tape-based storage.
Growth of Sensitive Data
Secondary storage with sensitive, trusted and regulated data calls for greater due diligence in its protection. Sensitive data is information that is proprietary to an organization (e.g. financials, intellectual property). Trusted data is third party sensitive information provided to an organization which has an implied or direct fiduciary responsibility to protect that data (e.g. credit reports). Regulated data is information that must be protected due to legislative mandates at the Federal (e.g. FDA) or international levels (e.g. EU directive).
Layers of Defense
Tape media is considered the most reliable and most prevalent source for enterprise data recovery. While enterprises have implemented access controls and tighter infrastructure management provisions, such safeguards fall short of protecting the tape media itself. Firewalls, VPNs, and physical protection do not address the unique attributes of distributed stored data and tape media.
System backup tapes are small, portable, and typically stored outside the data center for off-site disaster recovery, which leaves them susceptible to unauthorized access, data theft, misplacement, and corruption. Most data on tape is written in the clear to removable media that can be lost, stolen, or compromised. Whoever holds such a tape has ample time to read its contents, analyze confidential information, and in some cases rebuild entire systems. Tape loss is typically discovered long after it occurs.
Internal and Third-Party Access Controls
Enterprises are looking to reduce storage management and capacity costs by using outside service providers, which then have access to the storage resources and hence to the stored data, increasing the risk of exposure. Additionally, the storage administrators and service providers who manage and support backup processes and resources have greater knowledge about, and more immediate access to, this data.
Legislation aimed at the financial, healthcare, and commerce industries introduces liabilities for enterprises that fail to ensure data privacy. Such mandates include the United States legislation known as HIPAA and GLBA as well as directives from the US and the European Union (the EC Data Privacy Directive). Mandates can cover the tape data itself, its related metadata (details about the creation and storage of the data), and access logs, all of which may have to remain accessible over long periods of time. Examples include email, financial transactions, FDA-regulated data (e.g. chemicals and biotechnology), and healthcare records.
In summary, secondary storage presents new challenges to protect the media, reduce access risk, and further drive down management costs. Storage media protection and authentication controls at the storage system and media levels can provide strong barriers against unauthorized stored data disclosure, theft, and corruption. Given that sensitive data stored on removable media or virtualized tape subsystems can be stolen, tampered with, or corrupted, more safeguards must be put in place--namely, stored data encryption and authentication.
PROTECTING TAPE MEDIA
Backup and recovery are primarily a means of data preservation, not of protection against access to the tape media. To secure tape media content, strong encryption (i.e. a 128-bit or longer key) is used to convert clear data (plaintext) into an unreadable form called ciphertext, which cannot be deciphered without the decryption key. Equally important is key management, which determines how keys are created, deployed, protected, distributed, updated, and retired. A key is a value that, when applied to a cryptographic algorithm, provides strong data encryption, authentication, and integrity. Any solution for securing tape media must take a comprehensive approach that covers all locations and enables consistent enforcement of security policies.
Solutions for tape media protection consist of the following:
Securing the Backup Server: Encrypting on the backup server adds processing overhead that degrades application response and throughput. The encryption keys would have to be protected and managed on each host, which becomes difficult as the number and location of hosts grow. Encryption and enforcement of security policies would be spread across the backup applications at both the local and the remote recovery locations rather than controlled centrally.
Securing the Tape Library: Protecting data at the tape library would add encryption to the media management and compression capabilities most libraries already have. Where available, it may increase library/system cost and form factor. Key management must also be taken into account: the tape library is generally not a secure platform, and multi-vendor, remote, or third-party managed library systems would be even more difficult to manage.
Deploying a Storage Security Appliance: A tape media security appliance offers performance, centralized management, protected and managed keys, flexible deployment, and seamless integration with backup applications. The appliance operates in the network path and can be placed in front of a SAN-, NAS-, or DAS-connected tape library. A purpose-built tape media encryptor offloads the processing burden of media encryption with nominal latency and centralizes the security management function, which in turn provides stronger policy enforcement and solid key protection.
Designing a tape storage media protection and authentication solution must address three design factors: transparent operation, centralized security management, and data management/recovery. Considerations in each of these areas follow.
Transparent Operation: Media protection is usually adopted only when it is transparent. For storage media encryption to be applied and managed "invisibly", stored data must be compressed, encrypted, and authenticated at the block level before it is written to tape, and the unique formatting and cataloging of the backup application must be taken into account.
Performance: Security must not impede the read/write data rates of the tape device. Without adequate performance, backup windows will be shortened or missed.
Compression: A value-added feature in many tape libraries is the ability to compress stored data to increase capacity. Ciphertext is statistically indistinguishable from random data and so does not compress; encrypting first therefore "flattens" the data set and defeats the library's compression. The security device must compress before it encrypts.
Compatibility: Storage media protection can be applied at different points, including application software, controllers, host adapters, and storage devices. Each of these can pose compatibility issues and places an additional burden on the storage administrator. Applying storage media protection as an in-line service keeps it outside the host and storage boundary, so it can be deployed independently of the application, subsystem, vendor, or other media management tasks.
Unobtrusive: The system must not change the way administrators configure backup/restore, tape labeling, or cataloging; operators must be able to perform their tasks normally. Securing stored data should be policy-driven, and the policies must be expressed in terms the operator understands, such as volumes and pools. If such policy-driven functionality can be deployed both centrally and at remote sites, distributed tape controls can be executed cost-effectively.
The benefit of transparent operation for backup and storage administrators is the ability to incorporate storage security into their functions without compromising data recovery or normal operating policies, processes, and procedures.
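The compression point made above is easy to confirm. The following is an added Go example, not code from the original article or from NeoScale: it uses the standard library's DEFLATE (the same LZ77-plus-Huffman family as drive and library hardware compression) and a bare AES-CTR stream as stand-ins for the library's compressor and the appliance's encryptor, and runs both orders over a constructed sample backup stream. The key, IVs, and sample data are illustrative assumptions.

```go
package main

import (
	"bytes"
	"compress/flate"
	"crypto/aes"
	"crypto/cipher"
	"fmt"
	"io"
)

// sampleBackup is a constructed stand-in for a backup stream: a catalog-style
// line repeated 2000 times (about 118 KB). Real backup data is far less
// redundant than this, but it compresses for the same reason.
func sampleBackup() []byte {
	line := []byte("2005-03-01 backup: /home/alice/reports/q4-financials.xls ok\n")
	return bytes.Repeat(line, 2000)
}

// deflate applies DEFLATE (LZ77 plus Huffman coding), the same family of
// algorithm that tape-drive and library hardware compression uses.
func deflate(data []byte) []byte {
	var buf bytes.Buffer
	w, err := flate.NewWriter(&buf, flate.DefaultCompression)
	if err != nil {
		panic(err)
	}
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

// inflate reverses deflate.
func inflate(data []byte) []byte {
	r := flate.NewReader(bytes.NewReader(data))
	defer r.Close()
	out, err := io.ReadAll(r)
	if err != nil {
		panic(err)
	}
	return out
}

// encryptCTR is a bare AES-CTR stream: enough to show the effect on
// compressibility, but it provides no integrity protection, so a real tape
// encryptor must also authenticate each block. The same call decrypts, since
// CTR is an XOR with the keystream; a (key, iv) pair must never be reused.
func encryptCTR(key, iv, data []byte) []byte {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return out
}

// ratio returns the size of transformed relative to original (1.0 = no saving).
func ratio(original, transformed []byte) float64 {
	return float64(len(transformed)) / float64(len(original))
}

// CompressThenEncrypt is the order the article calls for: the appliance
// compresses, then encrypts, and the library stores the result as-is.
func CompressThenEncrypt(key, iv, data []byte) []byte {
	return encryptCTR(key, iv, deflate(data))
}

// EncryptThenCompress models encrypting first and letting the library try to
// compress the ciphertext afterwards.
func EncryptThenCompress(key, iv, data []byte) []byte {
	return deflate(encryptCTR(key, iv, data))
}

func main() {
	key := []byte("0123456789abcdef") // illustrative 128-bit key, not a real one
	iv1 := []byte("fedcba9876543210") // one IV per stream so no keystream is reused
	iv2 := []byte("0000000000000001")
	data := sampleBackup()
	fmt.Printf("compress then encrypt: %.3f of original size\n", ratio(data, CompressThenEncrypt(key, iv1, data)))
	fmt.Printf("encrypt then compress: %.3f of original size\n", ratio(data, EncryptThenCompress(key, iv2, data)))
	restored := inflate(encryptCTR(key, iv1, CompressThenEncrypt(key, iv1, data)))
	fmt.Println("round trip intact:", bytes.Equal(restored, data))
}
```

Run with go run: the compress-then-encrypt output is a small fraction of the original size, while the encrypt-then-compress output is no smaller than the original (DEFLATE falls back to stored blocks and adds a few bytes of framing). This is exactly why the appliance, not the library, has to do the compression once encryption is in the path.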
Centralized Security Management
Remote and local administration will require authenticated user access, role-based privileges, and proven crypto key processing.
Role-based privileges: Authorization determines whether a user can monitor the system, recover keys and policies, or create rules and encryption keys. The administration model must scale from simple environments (where the security officer and storage administrator are the same person) to more complex ones with delegated authority.
Key Automation: The system should be able to generate or accept a set of master keys according to recognized security standards and proven public algorithms. Master keys are used to protect the encryption keys and to authenticate and integrity-check the appliance policy. The media encryption rules and their associated encryption keys make up the system policy. The appliance should protect all keys by encrypting the rule keys, encrypting and authenticating the system policy, and authenticating administrative access. This reduces the number of keys that must be managed and held in order to recover encrypted data.
Secure Key Storage: The system should monitor chassis access so that any attempt to open the unit automatically zeroes all encryption keys. Visual cues (e.g. labels, displays) should also indicate any evidence of tampering.
By centrally controlling storage protection policy and delegating tasks using proven best security practices, rules and defenses can be consistently implemented, audited, and maintained.
Data Management and Recovery
Data protection must take into account storage media attributes and backup processes.
Key Protection: Because the media is typically removable, remote, and/or long-lived, data protection requires unique keys associated with individual media (e.g. one key per tape). Keys must be mapped to the media catalog data (which is vendor specific); otherwise long-term archival recovery is put at risk.
Key Life: Keys that protect archival media necessarily live a long time. They must therefore be strong enough to resist brute-force attack over that lifetime (56-bit DES will not suffice), and the system must offer re-keying (replacing the key originally used to protect the data with a new one).
Key Binding: The system should bind key information to the media, so that the media can be managed independently after encryption. This allows much greater protection and streamlined recovery regardless of how long the media is stored.
Distribution: Backup systems are likely to be distributed, so storage security must be remotely manageable, and protection must not materially impede recovery or accessibility. As noted above, the policy (containing rules and their associated keys) must be encrypted and integrity-protected so that it can be securely exported to remote smartcards or directories.
Integrity: Stored data encryption should address integrity by authenticating each block on the tape, so that tampering or corruption is detected at restore time rather than returning bad data silently. This complements the backup application's own responsibility for the integrity of stored data.
Recovery: The distributed nature of storage also calls for a secondary appliance or a software-only means of recovering encrypted data. There must be a process by which authorized users (credentialed users holding the associated master key pair and, optionally, the policy file) can recover encrypted stored data should the appliance fail, locally or remotely.
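The master-key hierarchy described under Key Automation, the per-tape keys, key binding and block-level integrity called for in this section, and the "delete the key" benefit listed later all fit together as one small key lifecycle. The following is an added Go example, not the article's or NeoScale's code: it stands in for the appliance's policy database with an in-memory map, uses AES-256-GCM both to wrap per-tape data keys under the master key and to encrypt and authenticate individual tape blocks, and covers the failure modes (tampered block, block moved to another position, wrapped key copied to another tape, key shredded). The master key, tape labels, block contents, and the layout of what goes on tape are constructed assumptions, not any vendor's format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// newGCM returns AES-GCM for a 16-, 24- or 32-byte key.
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err)
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		panic(err)
	}
	return aead
}

// randomBytes returns n bytes from the OS CSPRNG.
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Policy stands in for the appliance's key database: one wrapped data key per
// tape label. Entries are safe to export to a smartcard or directory because
// only the master key can open them.
type Policy map[string][]byte

// IssueTapeKey generates a fresh per-tape data key, wraps it under the master
// key with the label as associated data (so the blob is bound to that label),
// stores the wrapped form, and returns the clear key to the encryptor only.
func IssueTapeKey(policy Policy, masterKey []byte, label string) []byte {
	dataKey := randomBytes(32)
	nonce := randomBytes(12)
	policy[label] = newGCM(masterKey).Seal(nonce, nonce, dataKey, []byte(label))
	return dataKey
}

// LookupTapeKey unwraps a tape's data key. It fails closed if the entry was
// shredded, the master key is wrong, or the blob was copied from another label.
func LookupTapeKey(policy Policy, masterKey []byte, label string) ([]byte, error) {
	wrapped, ok := policy[label]
	if !ok {
		return nil, errors.New("no key on file for tape " + label)
	}
	if len(wrapped) < 12 {
		return nil, errors.New("malformed wrapped key for tape " + label)
	}
	return newGCM(masterKey).Open(nil, wrapped[:12], wrapped[12:], []byte(label))
}

// Shred is the "delete the key" case: afterwards nobody, with or without the
// media, can decrypt that tape. Other tapes under the same master key are unaffected.
func Shred(policy Policy, label string) {
	delete(policy, label)
}

// blockNonce and blockAAD tie each block to its position and tape label, so a
// block cannot be reordered, replayed, or spliced in from another volume. One
// data key covers exactly one tape, so the counter nonce never repeats per key.
func blockNonce(n uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], n)
	return nonce
}

func blockAAD(label string, n uint64) []byte {
	aad := make([]byte, 8, 8+len(label))
	binary.BigEndian.PutUint64(aad, n)
	return append(aad, label...)
}

// SealBlock encrypts and authenticates tape block n.
func SealBlock(dataKey []byte, label string, n uint64, plain []byte) []byte {
	return newGCM(dataKey).Seal(nil, blockNonce(n), plain, blockAAD(label, n))
}

// OpenBlock decrypts block n and verifies its tag; a flipped bit, wrong key, or
// wrong position returns an error instead of corrupt plaintext.
func OpenBlock(dataKey []byte, label string, n uint64, sealed []byte) ([]byte, error) {
	return newGCM(dataKey).Open(nil, blockNonce(n), sealed, blockAAD(label, n))
}

func main() {
	master := randomBytes(32) // illustrative; a real appliance derives or imports this
	policy := Policy{}
	key := IssueTapeKey(policy, master, "VOL001")
	sealed := SealBlock(key, "VOL001", 7, []byte("block 7 of a constructed backup"))
	key2, err := LookupTapeKey(policy, master, "VOL001")
	if err != nil {
		panic(err)
	}
	plain, err := OpenBlock(key2, "VOL001", 7, sealed)
	fmt.Printf("restore: %q err=%v\n", plain, err)
	Shred(policy, "VOL001")
	_, err = LookupTapeKey(policy, master, "VOL001")
	fmt.Println("after shred:", err)
}
```

Because the label is associated data on the wrapped key, and the label plus block number are associated data on each block, a wrapped key copied into another tape's policy entry and a block spliced in from elsewhere both fail to open; corruption surfaces as an error at restore time rather than as silently wrong files. Shredding removes only that tape's entry, so other tapes under the same master key are unaffected, and the policy map is what would be exported (encrypted and authenticated under the master key) for the distributed recovery case.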
The range of applications for storage media protection and authentication in tape backup is broad. The benefits include:
Reduced data theft and liability risk: A lost or stolen tape remains unreadable to anyone who does not hold its key, inside or outside the company, and deleting the key renders the data permanently unrecoverable.
Shared/managed tape resources: Storage pooling or tape vaulting vendors can be used without exposing the information to misuse.
Compliance with eCommerce, healthcare, FDA, EU, and other privacy legislation: Meeting regulatory and legal mandates avoids costly and embarrassing disclosures.
Tape media and virtualized tape systems play a vital role in ensuring business continuity and protecting enterprise data. Secondary storage was once considered remote and isolated from external threats. That is no longer the case, given the greater accessibility of highly distributed, networked storage infrastructures and the use of third parties for data recovery, business continuity, and data processing. Storage media protection and authentication ensure that secondary storage can meet the recovery needs of enterprises without the risk and expense of unauthorized data access.
By NeoScale Systems, Inc.
NeoScale Systems, Inc. is located in Milpitas, CA
Publication: Computer Technology Review
Date: Mar 1, 2005