neoscale systems, inc. - acsac 2017 · neoscale systems, inc. integrating storage security into an...
NeoScale Systems, Inc.
Integrating Storage Security into an Overall Security Architecture
Robert A. (Bob) Lockhart - Chief Systems Architect, [email protected]
12/15/2005 Slide 2: Why Storage Security Now?
• Storage Drivers: Consolidation, Offsite Replication, Outsourcing
• Information Attacks: Insiders, Lost Tapes, Data Breaches
• Regulatory Compliance: Industry, National, Local
Vulnerable Data * Real Threats * Liability = HIGH RISK
Slide 3: Data / Storage Vulnerability Points
Gartner: By year-end 2006, 85% of Fortune 1000 enterprises will encrypt most critical "data at rest" (0.9).
Diagram (hosts, storage and the MAN/WAN links between sites) marks the following vulnerability points:
• Eavesdropping
• Uncontrolled Host Access
• Media Theft
• Host Spoofing
• Unauthorized Data Access
Slide 4: Unauthorized Data Access
Problem:
• Controlling unauthorized access to data by users and applications
Solutions:
• Centralized Directory Services
• Two Factor Authentication
• Application Level Access Control
What's missing?
• Application-to-OS access controls, so that only applications (versus users) have access to specific files or volumes
  - User access directly to files versus user access via applications
• Best solved by adding additional appliances to the mix? NO!
  - Worst case, add agents to control access to data
  - This really needs to be in the OS and the application itself
  - New versions of database applications are adding field-level access control
Slide 5: Uncontrolled Host Access to Storage
Problem:
• Maintaining control over data in a Storage Network
Solutions:
• Zoning (fancy word for VLAN on steroids), LUN Masking and LUN Mapping
• Stateful SAN firewalls
  - Goes beyond traditional Zoning and LUN Masking by mapping flows, similar to traditional firewalls found in IP-based environments
• DH-CHAP Host-to-Switch Authentication
New Standards for SAN Security
• T11.3 FC-SP DH-CHAP to support authenticated connectivity between a host and the network
  - Authentication happens between the Host HBA and SAN Switch today
• Long term, end-to-end authentication will resolve access control and host spoofing issues
Slide 6: Host Spoofing
Problem:
• Host re-addressing was built into the Fibre Channel standard on purpose
  - Originally created for clustered high performance computing environments
• This threat usually means malicious intent that takes planning and forethought
Solutions:
• A combination of Hard and Soft Zoning used with LUN Mapping features found in modern arrays
• DH-CHAP authentication resolves this by verifying system identity
New Standards for Security
• T11.3 FC-SP DH-CHAP to support authenticated connectivity between a host and the network
  - Authentication happens between the Host HBA and SAN Switch today
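Slides 5 and 6 give DH-CHAP as the answer to host spoofing: the switch challenges the host, and the host proves knowledge of a per-host secret bound to a Diffie-Hellman exchange, so a system that merely re-addresses itself as another host cannot log in. The Go program below is an added illustration of that idea and is not NeoScale's code or the T11 FC-SP specification. Its message layout, the hash input (name, secret, challenge, DH shared value), the session-key derivation and the toy DH group (p = 2^127 - 1, g = 3, far too small for real use) are this example's own assumptions; FC-SP's actual encodings and DH groups are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/sha256"
	"fmt"
	"math/big"
)

// Toy Diffie-Hellman group for illustration only: p = 2^127 - 1 (a Mersenne
// prime) and g = 3. FC-SP DH-CHAP specifies its own DH groups; this one is
// chosen only to keep the example short and is not a secure choice.
var (
	dhP = new(big.Int).Sub(new(big.Int).Lsh(big.NewInt(1), 127), big.NewInt(1))
	dhG = big.NewInt(3)
)

// Challenge is what the switch sends to the host: a fresh CHAP challenge plus
// the switch's ephemeral DH public value g^y mod p.
type Challenge struct {
	Nonce  []byte
	PubKey *big.Int
}

// Response is the host's answer: its DH public value g^x mod p and a proof
// that it knows the CHAP secret, bound to this challenge and this DH result.
type Response struct {
	PubKey *big.Int
	Proof  []byte
}

// dhPublic returns g^priv mod p.
func dhPublic(priv *big.Int) *big.Int {
	return new(big.Int).Exp(dhG, priv, dhP)
}

// chapProof binds identity, secret, challenge and DH shared value together.
// The hash input layout is this example's own, not the FC-SP encoding.
func chapProof(name string, secret, nonce []byte, shared *big.Int) []byte {
	h := sha256.New()
	h.Write([]byte(name))
	h.Write(secret)
	h.Write(nonce)
	h.Write(shared.Bytes())
	return h.Sum(nil)
}

// SwitchChallenge is the switch's first message. switchPriv is its ephemeral
// DH exponent y and nonce the CHAP challenge; both must be fresh per login in
// practice and are passed in here only so the exchange is reproducible.
func SwitchChallenge(switchPriv *big.Int, nonce []byte) Challenge {
	return Challenge{Nonce: nonce, PubKey: dhPublic(switchPriv)}
}

// HostRespond is the host HBA's answer. It returns the response and the
// session key the host derives from the DH result.
func HostRespond(name string, secret []byte, hostPriv *big.Int, c Challenge) (Response, []byte) {
	shared := new(big.Int).Exp(c.PubKey, hostPriv, dhP) // (g^y)^x mod p
	key := sha256.Sum256(shared.Bytes())
	return Response{PubKey: dhPublic(hostPriv), Proof: chapProof(name, secret, c.Nonce, shared)}, key[:]
}

// SwitchVerify checks the host's proof against the secret the switch holds
// for that host name. A host that spoofs another host's address but does not
// know its secret cannot produce a valid proof, and a captured response cannot
// be replayed because the proof is tied to the challenge nonce.
func SwitchVerify(name string, secret []byte, switchPriv *big.Int, c Challenge, r Response) (bool, []byte) {
	shared := new(big.Int).Exp(r.PubKey, switchPriv, dhP) // (g^x)^y mod p
	expected := chapProof(name, secret, c.Nonce, shared)
	if !bytes.Equal(expected, r.Proof) {
		return false, nil
	}
	key := sha256.Sum256(shared.Bytes())
	return true, key[:]
}

func main() {
	// Constructed values: a host WWN used as the CHAP name and its secret,
	// provisioned on the switch out of band.
	const hostName = "10:00:00:00:c9:00:00:01"
	secret := []byte("example-chap-secret")
	c := SwitchChallenge(big.NewInt(654321), []byte("random-challenge"))
	r, hostKey := HostRespond(hostName, secret, big.NewInt(123456), c)
	ok, switchKey := SwitchVerify(hostName, secret, big.NewInt(654321), c, r)
	fmt.Println("authenticated:", ok, "keys match:", bytes.Equal(hostKey, switchKey))
}
```

The exchange here is one-way (switch authenticates host), which is what the slides describe as today's HBA-to-switch deployment; the same construction run in the other direction gives the mutual case.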
Slide 7: Media Replacement, Loss or Theft
Problem:
• Loss or theft of removable media
• Failed disks still contain data
Solutions:
• Media Wiping
• Media Destruction
• Encryption
  - Standards in development include T11.3 FC-SP and the IEEE P1619 Work Group; T10 has created a study group for Key Exchange over SCSI
There has been a lot of press attention here
• Depreciated/old array sold on eBay with data intact
• Tapes lost in transport
  - Data that leaves a site should be considered data-in-flight
• How do you protect your remote data connections today?
Slide 8: Eavesdropping
Problem:
• Data capture and analysis is a well known technology
• Optical networks can be tapped with relatively little expense
  - Devices that macrobend fiber are used to tap into signals
Solutions:
• Optical Loss Detectors built into devices
• Sealed conduits that are pressurized end to end
• Link Encryption
  - Networks have used IPSec to protect traffic for a long time
New Standards are in Development
• Optical Loss Measurement devices at all points in a link where a tap is possible
• T11.3 FC-SP is also tasked with development of the FCSec standard
  - FCSec is based on IPSec, including re-keying and encryption algorithms
Slide 9: Distinct Requirements for Storage
• Primary Storage (DAS, SAN & NAS): SAN response time, high availability
• Secondary Storage: meeting backup windows, media management
• SAN Extension: MAN & WAN response time, high availability
• Enterprise Security: policy & key management, security certifications
Slide 10: Storage Security - Encryption Options
Slide 11: Data Encryption Alternatives
The slide is a table comparing four alternatives on Security, Manageability, Deployment and Performance. The extracted cells, grouped by alternative as far as the layout allows:
• Application / File System: security strong per app; manageability schema per application; deployment per app; performance: server impact? app response
• Network Device (Fibre Channel or iSCSI switch/router): security subject to vendor differences; deployment per environment, replace device; performance: network device impact, varies
• Storage Management S/W: keys on clients or storage management server; performance: server impact? app response
• Storage Security Appliance (bump in wire): security strong, centralized; deployment immediate, transparent; performance varies
Slide 12: Disk Encryption Appliance Solutions
Host Agent Encryption (agent on the server, security appliance, SAN, disk)
• Advantages: storage agnostic
• Considerations: host agent integration; patch management; server overhead; single point of failure; latency delays
Inline Appliance (server, security appliance, SAN, disk)
• Advantages: encryption offload; application invisible; native redundancy; wire-speed performance; end-to-end integrity; minimal latency
Proxy Appliance (server, SAN, security appliance, disk)
• Advantages: encryption offload
• Considerations: storage re-mapping; limited redundancy; performance impact; integrity with caching; latency delays
Slide 13: Primary Storage - Encryption/Decryption of Payload Only
FCP Command Frame (no encryption):
  FC SoF (4 bytes) | FC Header (24 bytes) | SCSI Command: 28+ byte FCP Command, in a payload of up to 2112 bytes | CRC (4 bytes) | FC EoF (4 bytes)
Fibre Channel Data Frame (encryption of payload only):
  FC SoF (4 bytes, no encryption) | FC Header (24 bytes, no encryption) | payload of up to 2112 bytes: 512 Byte Block | 512 Byte Block | 512 Byte Block | 512 Byte Block (encrypted) | Modified CRC (4 bytes) | FC EoF (4 bytes)
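The point of slide 13 is that an inline appliance encrypts only the 512-byte data blocks: SoF, the 24-byte header and EoF must stay in the clear so the fabric can still route the frame, and the CRC has to be recomputed over the new payload (the "modified CRC"). The Go program below is an added example of that framing, not NeoScale's code. Its assumptions: the standard CRC-32 (IEEE polynomial) stands in for the Fibre Channel CRC computation, the SoF/EoF/header bytes in the sample frame are placeholders, the logical block address comes from the preceding SCSI command, and the per-block cipher is AES-CBC with an ESSIV-style IV (one common disk-encryption choice, not the LRW mode the deck proposes later).

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
	"hash/crc32"
)

// Field sizes from the slide; the payload carries 512-byte SCSI data blocks.
const sofLen, headerLen, maxPayload, crcLen, eofLen, blockSize = 4, 24, 2112, 4, 4, 512

type Frame struct {
	SOF     [sofLen]byte
	Header  [headerLen]byte
	Payload []byte
	CRC     uint32
	EOF     [eofLen]byte
}

// ParseFrame splits a raw frame into its fields and enforces the length bounds.
func ParseFrame(raw []byte) (*Frame, error) {
	const fixed = sofLen + headerLen + crcLen + eofLen
	if len(raw) < fixed || len(raw) > fixed+maxPayload {
		return nil, errors.New("frame length out of range")
	}
	f := &Frame{}
	copy(f.SOF[:], raw[:sofLen])
	copy(f.Header[:], raw[sofLen:sofLen+headerLen])
	end := len(raw) - crcLen - eofLen
	f.Payload = append([]byte(nil), raw[sofLen+headerLen:end]...)
	f.CRC = binary.BigEndian.Uint32(raw[end : end+crcLen])
	copy(f.EOF[:], raw[end+crcLen:])
	return f, nil
}

// ComputeCRC covers header and payload; SoF and EoF are ordered sets outside
// the CRC. Assumption: the standard CRC-32 (IEEE polynomial) stands in for the
// Fibre Channel CRC, whose exact bit and byte ordering is not modelled here.
func (f *Frame) ComputeCRC() uint32 {
	h := crc32.NewIEEE()
	h.Write(f.Header[:])
	h.Write(f.Payload)
	return h.Sum32()
}

func (f *Frame) CRCValid() bool { return f.CRC == f.ComputeCRC() }

// TransformPayload encrypts (encrypt=true) or decrypts each 512-byte block of
// a data frame in place with AES-CBC and an ESSIV-style IV (the block's logical
// address encrypted under a hash of the key), so identical plaintext blocks at
// different addresses give different ciphertext. SoF, header and EoF stay in
// the clear; the CRC is recomputed over the new payload. baseLBA is assumed
// to come from the SCSI command that preceded this data frame.
func TransformPayload(f *Frame, key []byte, baseLBA uint64, encrypt bool) error {
	if len(f.Payload)%blockSize != 0 {
		return errors.New("payload is not a whole number of 512-byte blocks")
	}
	dataCipher, err := aes.NewCipher(key)
	if err != nil {
		return err
	}
	ivKey := sha256.Sum256(key)
	ivCipher, _ := aes.NewCipher(ivKey[:]) // a 32-byte key is always valid for AES
	for i := 0; i < len(f.Payload)/blockSize; i++ {
		var iv [aes.BlockSize]byte
		binary.BigEndian.PutUint64(iv[8:], baseLBA+uint64(i))
		ivCipher.Encrypt(iv[:], iv[:])
		block := f.Payload[i*blockSize : (i+1)*blockSize]
		if encrypt {
			cipher.NewCBCEncrypter(dataCipher, iv[:]).CryptBlocks(block, block)
		} else {
			cipher.NewCBCDecrypter(dataCipher, iv[:]).CryptBlocks(block, block)
		}
	}
	f.CRC = f.ComputeCRC()
	return nil
}

// SampleFrame returns a constructed raw data frame: placeholder SoF/EoF bytes,
// a placeholder 24-byte header and two identical 512-byte data blocks.
func SampleFrame() []byte {
	f := &Frame{SOF: [sofLen]byte{'S', 'O', 'F', 0}, EOF: [eofLen]byte{'E', 'O', 'F', 0}}
	copy(f.Header[:], "CONSTRUCTED-FC-HEADER-24") // stands in for R_CTL, D_ID, S_ID, ...
	f.Payload = bytes.Repeat([]byte{0xA5}, 2*blockSize)
	var crc [crcLen]byte
	binary.BigEndian.PutUint32(crc[:], f.ComputeCRC())
	raw := append(append(append([]byte(nil), f.SOF[:]...), f.Header[:]...), f.Payload...)
	return append(append(raw, crc[:]...), f.EOF[:]...)
}

func main() {
	f, _ := ParseFrame(SampleFrame())
	_ = TransformPayload(f, bytes.Repeat([]byte{0x11}, 32), 4096, true) // constructed key
	fmt.Printf("header in clear: %q, CRC valid: %v\n", f.Header[:], f.CRCValid())
}
```

Running it shows the header bytes unchanged after encryption and a CRC that still verifies, which is exactly what a receiving switch or array checks; a frame whose payload was encrypted without recomputing the CRC would be discarded as corrupt.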
Slide 14: Tape Security Alternatives
Server-Based Encryption: encrypt in backup application
• Pros: software add-on to backup application
• Cons: no compression; server CPU overhead; reduced throughput; insecure key mgmt
Disk-Based Encryption: encrypt data-at-rest and backup to tape
• Pros: invisible to backup apps
• Cons: no compression; more complex recovery; requires encrypting all sensitive data on primary storage
Storage Security Appliance: encrypt in network-based security appliance
• Pros: invisible to backup apps; native backup performance; secure key management; appliance simplifies security
• Cons: additional hardware device
Diagram components: Backup Server, Disk, Security Appliance, Tape
Slide 15: NeoScale Tape Format
Similar to the proposed GCM tape format
• NeoScale Labels
  - NeoScale 1K Byte Tape Label
  - 32 Byte per block prepend and append
  - Label is encrypted using Pool Key
• Legacy Tape Support
  - Existing unencrypted tapes will pass data through CryptoStor without requiring additional configuration
Diagram, Normal Tape Data:
  Tape Header or Data Block | Data Block (size varies by application and compression) | ... | File Mark
Diagram, NeoScale Data:
  NeoScale Tape Label (1024 bytes) | NeoScale Block Header (32 bytes) | Data Block (size varies by application and compression) | NeoScale Block Trailer (32 bytes) | ... repeated for each data block ... | NeoScale Block Header (32 bytes) | NeoScale Block Trailer (32 bytes) | File Mark
Slide 16: Fibre Channel Link Security - FCSec
Deployment:
• Looks like traditional link encryption
• Acts like traditional link encryption
• Except it uses Fibre Channel instead of IP
Diagram: Primary site and Remote site, with the Replication Protocol carried over the encrypted link
Slide 17: Native SAN Encryption
• Optional compression, encapsulation, and encryption of entire Fibre Channel frame
  - Equivalent of IPSec Tunnel Mode
  - Referred to as FCSec Tunnel Mode
• No conversion to IP required to provide encryption
  - Lower latency for real time applications such as synchronous mirroring and remote storage
  - Recommended encryption modes are CBC or potentially GCM
• Support for Fibre Channel Layer 4 Protocols
  - Proprietary and Interoperability Modes
Diagram, Tunnel Mode (FC Frame Encapsulation): FC SoF | FCSec FC Header | ESP | encapsulated original frame: FC Header, Upper Level Protocols (SCSI, FiCON, IP, VI, HiPPI), FC CRC | FCSec CRC | FC EOF
Slide 18: Encryption Modes Being Proposed for Data at Rest
Slide 19: Modes of Operation - LRW (Proposed for Primary Storage)
• Tweaked Narrow Block Mode
  - TK = Tweak Key, based on 2nd Disk Key and Physical Block Number
Diagram: the sector is processed as 16-byte blocks numbered 1, 2, ..., 32; each block is XORed with TK, passed through the Encryption Operation, and XORed with TK again.
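Slide 19 shows LRW as a narrow-block tweakable mode: every 16-byte block of a sector is XORed with a tweak TK before and after the AES operation, and TK is derived from a second key and the physical block number, so the same plaintext at two positions encrypts differently without any chaining. The Go program below is an added illustration of that construction, not NeoScale's or the P1619 reference code. It assumes TK = K2 ⊗ i, the GF(2^128) product of the tweak key and the block index, with the block treated as a big-endian integer reduced by x^128 + x^7 + x^2 + x + 1; the index of the j-th block in physical block n is taken as n*32 + j + 1 (1-based, as on the slide). P1619's own bit ordering and index rules are not reproduced.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"fmt"
)

// gfMul multiplies two GF(2^128) elements held as 16-byte big-endian integers,
// reducing modulo x^128 + x^7 + x^2 + x + 1. Treating the block as an integer
// with bit 0 in the last byte is this example's convention, not P1619's.
func gfMul(a, b [16]byte) [16]byte {
	aHi, aLo := binary.BigEndian.Uint64(a[:8]), binary.BigEndian.Uint64(a[8:])
	bHi, bLo := binary.BigEndian.Uint64(b[:8]), binary.BigEndian.Uint64(b[8:])
	var zHi, zLo uint64
	for i := 0; i < 128; i++ {
		if bLo&1 == 1 { // z ^= a for every set bit of b, low bit first
			zHi ^= aHi
			zLo ^= aLo
		}
		bLo = bLo>>1 | bHi<<63
		bHi >>= 1
		carry := aHi >> 63 // a <<= 1, reducing when the x^128 term appears
		aHi = aHi<<1 | aLo>>63
		aLo <<= 1
		if carry == 1 {
			aLo ^= 0x87
		}
	}
	var z [16]byte
	binary.BigEndian.PutUint64(z[:8], zHi)
	binary.BigEndian.PutUint64(z[8:], zLo)
	return z
}

// LRW pairs the AES key K1 with the tweak key K2 (the slide's "2nd Disk Key").
type LRW struct {
	block cipher.Block
	k2    [16]byte
}

func NewLRW(k1, k2 []byte) (*LRW, error) {
	if len(k2) != 16 {
		return nil, fmt.Errorf("tweak key must be 16 bytes, got %d", len(k2))
	}
	b, err := aes.NewCipher(k1)
	if err != nil {
		return nil, err
	}
	l := &LRW{block: b}
	copy(l.k2[:], k2)
	return l, nil
}

// tweak computes TK = K2 (x) i, the GF(2^128) product of K2 and block index i.
func (l *LRW) tweak(index uint64) [16]byte {
	var i [16]byte
	binary.BigEndian.PutUint64(i[8:], index)
	return gfMul(l.k2, i)
}

// Transform encrypts or decrypts one sector 16 bytes at a time:
// C = E_K1(P xor TK) xor TK. The j-th block of physical block n gets index
// n*blocksPerSector + j + 1 (assumption: 1-based, as on the slide, so the
// first block of the disk never gets the all-zero tweak).
func (l *LRW) Transform(sector []byte, physicalBlock uint64, encrypt bool) ([]byte, error) {
	if len(sector) == 0 || len(sector)%aes.BlockSize != 0 {
		return nil, fmt.Errorf("sector length %d is not a multiple of 16", len(sector))
	}
	n := uint64(len(sector) / aes.BlockSize)
	out := make([]byte, len(sector))
	var tmp [16]byte
	for j := uint64(0); j < n; j++ {
		tk := l.tweak(physicalBlock*n + j + 1)
		off := int(j) * aes.BlockSize
		for k := range tmp {
			tmp[k] = sector[off+k] ^ tk[k]
		}
		if encrypt {
			l.block.Encrypt(tmp[:], tmp[:])
		} else {
			l.block.Decrypt(tmp[:], tmp[:])
		}
		for k := range tmp {
			out[off+k] = tmp[k] ^ tk[k]
		}
	}
	return out, nil
}

func main() {
	l, _ := NewLRW(bytes.Repeat([]byte{0x01}, 16), bytes.Repeat([]byte{0x02}, 16)) // constructed keys
	sector := bytes.Repeat([]byte{0x5A}, 512)                                       // 32 identical blocks
	ct, _ := l.Transform(sector, 7, true)
	pt, _ := l.Transform(ct, 7, false)
	fmt.Println("blocks 1 and 2 differ:", !bytes.Equal(ct[:16], ct[16:32]), "round trip:", bytes.Equal(pt, sector))
}
```

Because each 16-byte block is transformed independently, a single corrupted sector affects only that sector and a storage array can rewrite blocks in place, which is why the deck proposes a narrow-block mode for primary storage rather than a chained one.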
Slide 20: Modes of Operation - GCM (Proposed for Tape Based Storage)
• Galois/Counter Mode
  - ICV is the Cryptographic Authentication Information about the block
Diagram, GCM Encryption:
  input:  Header | Sequence | Clear Text Block of Data
  output: Header | Sequence | Encrypted Block of Data | ICV
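Slide 20 proposes GCM for tape because a tape block gets an ICV: the header and sequence stay readable, the data is encrypted, and the ICV authenticates all of it, so a block that has been altered or swapped is rejected instead of restored. The Go program below is an added example of that layout and is not NeoScale's tape format (slide 15's 32-byte header and trailer are NeoScale's sizes, but their contents are not on the page). Assumptions: a constructed 32-byte header carrying a marker, the sequence number and the data length; a 16-byte ICV appended after the ciphertext; and a GCM nonce derived from the sequence number, which the writer must never reuse under the same key.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"encoding/binary"
	"errors"
	"fmt"
)

// Block layout used by this example (an assumption, not NeoScale's format):
//   header (32 bytes, in the clear, authenticated) || encrypted data || ICV (16 bytes)
const (
	headerLen = 32
	icvLen    = 16
	magic     = "TPB1" // constructed marker distinguishing sealed blocks from legacy data
)

// BuildHeader makes the clear header: the marker, the block sequence number and
// the data length. All of it is covered by the ICV even though none is encrypted.
func BuildHeader(seq uint64, dataLen int) [headerLen]byte {
	var h [headerLen]byte
	copy(h[:4], magic)
	binary.BigEndian.PutUint64(h[8:16], seq)
	binary.BigEndian.PutUint32(h[16:20], uint32(dataLen))
	return h
}

// gcmNonce derives the 96-bit GCM nonce from the sequence number. A GCM nonce
// must never repeat under one key, so every block written under a key needs a
// unique seq (assumption: the writer's sequence counter is never reused).
func gcmNonce(seq uint64) []byte {
	nonce := make([]byte, 12)
	binary.BigEndian.PutUint64(nonce[4:], seq)
	return nonce
}

func newGCM(key []byte) (cipher.AEAD, error) {
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(blk)
}

// SealBlock encrypts data with AES-GCM, authenticates the header as additional
// data, and returns header || ciphertext || ICV.
func SealBlock(key []byte, seq uint64, data []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := BuildHeader(seq, len(data))
	out := append([]byte(nil), hdr[:]...)
	return gcm.Seal(out, gcmNonce(seq), data, hdr[:]), nil
}

// OpenBlock checks the ICV over header and ciphertext and returns the plaintext.
// Any change to the header, the ciphertext or the ICV makes the check fail,
// so manipulated tape data is detected rather than silently restored.
func OpenBlock(key []byte, block []byte) ([]byte, error) {
	if len(block) < headerLen+icvLen {
		return nil, errors.New("block too short to hold a header and an ICV")
	}
	hdr := block[:headerLen]
	if string(hdr[:4]) != magic {
		return nil, errors.New("no sealed-block header: treat as legacy unencrypted data")
	}
	seq := binary.BigEndian.Uint64(hdr[8:16])
	if int(binary.BigEndian.Uint32(hdr[16:20])) != len(block)-headerLen-icvLen {
		return nil, errors.New("header length field does not match block size")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, gcmNonce(seq), block[headerLen:], hdr)
}

func main() {
	key := bytes.Repeat([]byte{0x42}, 32) // constructed 256-bit tape key
	sealed, _ := SealBlock(key, 1, []byte("constructed backup record"))
	if _, err := OpenBlock(key, sealed); err != nil {
		panic(err)
	}
	tampered := append([]byte(nil), sealed...)
	tampered[15] ^= 0x01 // flip a bit of the clear sequence number
	_, err := OpenBlock(key, tampered)
	fmt.Println("tampered header detected:", err != nil)
}
```

Binding the sequence number into the authenticated header is what stops a block from being replayed at a different position on the tape: the ICV over the moved block no longer matches the header it now sits under.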
Slide 21: Key Management - The Real Problem to Resolve
Slide 22: Key Management Objectives
• Key Repository
  - Must be capable of storing keys for an indefinite period of time
  - A lot of problems were discovered with the advent of PKI
• Security
  - Access to keying material is paramount in any key management scheme
  - Transport and use of the keys must be properly maintained
• Types of Keys
  - Public or Private?
  - Which is best for Application? File? Disk? Tape? Link?
• Building a key management architecture that scales from single device to enterprise-wide architectures for storage security is critical!
Slide 23: Distributed Configuration - System Backup and Tape Recovery
Diagram: Site A and Site B, each with a Backup Server, a CS Tape (CryptoStor Tape) appliance and a Tape Library, joined across the IP Network into one Cluster.
• Key management
  - Dynamic Key Catalog updates across all cluster members across locations
  - Backup System Key to Smart Card(s)
• CryptoStor recovery
  - Execute recovery script
  - Restore System Key from Smart Card(s)
  - Obtain policies and import Key Catalog from cluster
• Tape recovery
  - Automatic via any clustered appliance at either location
Slide 24: Disaster Site - System Backup and Tape Recovery
Diagram: Site 1 through Site n, each with a CS Tape appliance and Tape Library, connected over the IP Network to a Key Repository and to a 3rd party Disaster Site running CS Tape Recovery.
• Key management
  - Automatic periodic backup of Encrypted Key Catalogs to Key Repository
  - Backup System Key to Smartcard(s) at each Site
• CryptoStor Recovery Site
  - Execute recovery script
  - Restore System Key from Smartcard(s)
  - Import Key Catalog from Key Repository
• Tape recovery
  - Fully automated solutions make this business as usual for DR.
Slide 25: Customer Solutions - Examples of Storage Security
Slide 26: University of Texas
• HIPAA Compliance
  - Demonstrates reasonable and accepted due diligence for HIPAA compliance
• Operational Impact
  - Minimized operational impact on day-to-day operations
• Cost Savings
  - Greatly reduced backend PHI data classification and management costs
Diagram components: Compaq EVA Disk Array (with multipath), Brocade Switches, File/Print Server, MS Exchange Cluster, Database Cluster, CryptoStor FC (clustered), StorageTek L700, CryptoStor Tape (clustered)
Slide 27: Customer Architecture - Corporate Payments Company
HIPAA, GLBA and SOX Compliance
Diagram components: Dell / EMC CX500 (500 GB); CryptoStor FC (clustered via dedicated out-of-band IP connection); McData Switches with an ISL to form a single fabric; Dell Servers: Event Processor Server, SQL Server (two), Controller Master, Admin Server, Monitor Server; CryptoStor Tape; Dell Fibre-Channel Tape Library
Slide 28: Transend Business Services
• Storage Security
  - Encrypts each customer's data individually
  - Shares array between multiple customers with dedicated encryption: one appliance per customer, multiple keys per customer
• Cost savings for Transend
  - Reduced costs by purchasing a single array, for short-term cost savings and long-term operations savings
  - Customer can control keys or have Transend provide key management
  - Removed a final hurdle in the Financial Service Provider model where shared storage is involved
  - Reduced liability from $1,000,000 to $100,000 per incident for one customer
Diagram: Customer 1, Customer 2 ... Customer n reach the Shared Array over IP LAN & VPN WAN links
Slide 29: Global ISP Backup Security
• Data Backup
  - Multiple privacy laws in multiple countries
  - Tapes need to be shipped between multiple sites including Russia, Japan, Switzerland and the U.S.
• Backup/Recovery via CryptoStor™ for Tape
  - Redundancy for backups provided by Primary and Secondary Backup Server
  - Each with its own CryptoStor Tape
Diagram components: Disk Array, SAN Switch, Application Server, Backup Server 1, Backup Server 2, CryptoStor Tapes (clustered), Tape Library w/4 LTO2 Drives
Slide 30: NeoScale Storage Security Solutions
Diagram: Data Center (Arrays, Servers, SAN, NAS), Remote Locations reached over the MAN, Vaulting Services (Tape)
• Secure primary storage: host access control; secure data partitioning; storage behind NAS head
• Secure tape backup: lost/stolen media; data manipulation
• Secure SAN extension: eavesdropping; data manipulation