I've been sitting on video of a security dramatization that the Nth Generation Players did at the recent Nth Generation Symposium I attended. I had talked to Rich Baldwin (founder and former CEO of Nth) who was thrilled that his team had found another way to make an event new and fresh - I've never seen drama used at a tech event but this was done very effectively. And lucky for me, they did it a second time because the first time I didn't have my Zoom Handy (audio recorder) connected to the sound board. The video is longer than most I do but interesting in my opinion.
After VMworld ended, I was lucky enough to be on the same flight from Las Vegas to San Francisco as Archie Reed. Archie attended many of our Cloud Advisor events including the one that we hosted for bloggers on Tuesday night. Security isn't in my wheelhouse so this was great to be able to get some time with Archie and talk about the big picture. Here's the podcast with Archie:
By Calvin Zito
In my previous post, I talked a little bit about our New Product Introduction (NPI) process and gave some pointers to a number of things that came from the latest NPI. Here are a few more things to highlight:
- We announced the HP StorageWorks SAN Virtualization Platform a couple of weeks ago - you can see the product page at www.hp.com/go/SVSP.
- We also had publicly announced updates to the StorageWorks Secure Key Manager at SNW Dallas back in mid-October. You can learn more about the enhancements at www.hp.com/go/storagesecurity or on the product page.
- We also announced new functionality on our XP24000 and XP20000 Disk Array family. You can learn about the XP enhancements on the XP Disk Array product page. Jim Hankins is writing a blog about External Storage Disaster Recovery with details so I won't spoil his fun. Also new with the XP is support for Solid State Storage Technology. One of our competitors predicted that we wouldn't have solid state storage technology until 2009. I think we beat that by a bit. Now we have solid state for both our BladeSystem and XP disk array with more to come. No hype, just keeping it real!
- Utility Ready Storage is an interesting solution that we've offered for a while and I'm guessing will get more interesting for customers with the looming economic situation. There are some new services with Utility Ready Storage and a very good feature article describing it. Here's a link to the article: Aligning storage costs and usage with Utility Ready Storage.
I've only touched on some of the NPI enhancements today but hopefully I've given you a small glimpse into what is going on.
Threats to storage security are real and can be a significant liability. It seems as though not a week goes by in the press without another story of some data being lost, stolen or hacked. And there is a cost associated with these types of breaches. Here's an interesting web-based tool from Tech//404 that calculates the cost of data loss from security breaches and identity theft. The site also talks about a number of class action suits with class sizes ranging from a quarter of a million people to two million seeking damages in the range of $1,000 to $21,000 per person in the class. There could be some mind-boggling settlements.
Encryption is relatively easy - managing keys is the challenge. Multiple key management systems increase complexity and lower the chance of successful recovery. We believe that centralized key management trumps a disparate systems approach because it's more efficient and offers better data availability. Today's announcement has two components:
- Enhancements to our HP StorageWorks Secure Key Manager - increasing the capacity to 2 million encryption keys per cluster and a lower entry price with a single client/node configuration.
- Disk encryption for the XP24000 and XP20000 - encrypts data on disk drives so that data cannot be read off a disk drive that is removed without having the key. Here's a short white paper that talks about the XP disk encryption.
We have a web page that has a number of white papers, including from a leading analyst firm Enterprise Strategy Group, and other information on today's announcement. While the announcement today focuses on storage, we have a broader security initiative called HP Secure Advantage Solutions. We're driving solutions that protect data, protect resources, and provide validation.
Here's hoping your data is secure and that we have a more secure week in the financial markets.
Yesterday I received a letter in the mail at home that started off:
Dear Sir or Madam,
We are writing to let you know that computer tapes containing some of your personal information were lost while being transported to an off-site storage facility by our archive services vendor. While we have no reason to believe that this information has been accessed or used inappropriately, we deeply regret that this incident occurred....
So the first question I have is how does an archive vendor lose tapes? How hard can it be to take the tapes from your customer, put them in a secure truck, and drive them to the storage facility? Isn't that your whole business model - you will pick up, transport and store these tapes safely and securely 100% of the time?
Now I understand that any activity with humans involved cannot be guaranteed to work 100% of the time. So what really happened? A bit more of an explanation would have been helpful, such as the truck was in an inadvertent accident and the contents of the truck were spilled into a river or all over the highway and could not all be recovered. Without more details I'm left wondering did someone make off with the tapes by accident or on purpose? Or was this just sloppy work by the company?
Anyway, I hope this is a call to action for this company to do at least two things to prevent such an incident in the future.
1. Look into tape encryption such as LTO-4 offers. I would have been much more pleased if that second sentence read "While the tapes were physically lost, the data they contained cannot be accessed or read by anyone because the data on the tapes is securely encrypted with sophisticated technology requiring encryption keys to make the data readable. Our security policy ensures that these keys are always stored in or transported to physically separate locations from the computer tapes."
2. Consider the use of replication and electronic vaulting for moving data off-site for archiving. With new technologies such as deduplication and low-bandwidth replication, this company would perhaps be able to reduce the amount of data that is stored on tapes and physically transported to archive storage. Again, I don't know the specifics here, but as an example let's say this company had four sites where they were backing up data to tape and transporting those tapes to off-site archives. With replication and electronic vaulting, they could replicate data from three of their sites to just one site for backup to tapes and then only have to move tapes from the one site to archive storage, thereby reducing their risk exposure by 75%.
If you're worried about how a similar incident could impact your company and what risks are involved HP is here to help. We can work with you to significantly reduce your data security exposure from the desktop to your data center. On the storage side, we offer a FREE storage security risk assessment. For more details on HP's other data security options beyond storage please check HP's Security web page.
- by Carlos Martinez
With 17,000 attendees and over 350 exhibitors the RSA2008 Conference can be an intimidating experience for IT storage professionals who are investigating privacy solutions for data-at-rest. HP is a comforting and familiar face for these storage professionals because they know HP is committed to both storage and security with the power of our Secure Advantage portfolio. HP addresses security holistically from the desktop to the data center to protect resources, data and provide validation for audits.
HP StorageWorks has several new Secure Advantage proof points to display at the RSA show including:
- A fabric switch designed to offer privacy for legacy tape data.
- A simple encryption kit for single tape autoloaders and small libraries.
- Integration of the Secure Key Manager with the HP Compliance Log Warehouse to extend our value for compliance.
- The new HP Storage Security Assessment tool enables customers to gauge their data protection privacy vulnerabilities online and free of charge.
Data-at-rest is a huge privacy risk but HP is definitely there to help with solutions, tools and services which you can see demonstrated here at the RSA Conference.
- by Carlos Martinez
One of the top storage security vulnerabilities for enterprises today is unencrypted tape. Most enterprises store tape cartridges off the premises as protection against site disaster. This is a good thing. But the unaccounted-for cartridge vulnerability arises during transportation or at a 3rd party storage facility. Considering how much sensitive data can reside on a tape and the volume of cartridges handled, it is only a matter of time before some confidential data has unauthorized exposure. Regulations such as CA SB1386 require public disclosure when unencrypted data is lost or stolen. The majority of the states in the U.S. have similar laws. Even international companies doing business in the U.S. need to heed these laws.
In 2007, the Ponemon Institute study found that only 11% were encrypting tape, and it was single digits prior to that. One can assume that most of this tape encryption was software based. Tape encryption is a much more viable solution today because with embedded native hardware encryption, performance is not compromised and some suppliers including HP include encryption in the drive price. Actually the encryption is the easy part of the equation. What requires serious consideration is the key management system, because the volume of keys will multiply over time and data-at-rest keys can live for many years. Enterprise caliber key management systems addressing tape should integrate with LTO-4 and be very automated, secure and redundant. Native tape encryption with solid key management will become standard practice in the enterprise in the not-too-distant future, and then we’ll see SMBs following right behind. Prevention of a breach is much less costly than addressing it after the fact.
Last time, I talked about how EMC’s key management product didn’t quite live up to our hardened appliance. Here, I’ll go into the nitty-gritty details of why this is true.
The SKM is a preconfigured server and key management application with no other software loadable by the user or an attacker. Furthermore, unnecessary ports and services are disabled; it features built-in strong user authentication and is physically hardened.
No doubt, enterprises that are serious about privacy would consider the many practical security advantages of a hardened appliance. The SKM fits the bill in this regard because it’s complete and already locked down “out-of-the-box,” whereas the user would have to procure the HW and OS, and do all the installing and configuring with a software key management product and hope they didn't miss anything.
Their additional challenge would be to keep tight control over root access forever. HP is so adamant about striving for excellence in user confidence in the SKM that we’re undergoing the very rigorous FIPS 140-2 cryptographic validation process and subjecting it to review by an accredited independent laboratory (check out the NIST website).
EMC/RSA does not have a key management product undergoing this process, though they do have a limited toolkit and discrete components that have been validated.
Additional areas the SKM shines over EMC/RSA key management solutions are high availability, clustering and failover. The SKM boasts multiple layers of redundancy and DR: dual AC power, dual power supplies, dual network paths and mirrored disk – all in the appliance itself. The minimum 2-node SKM cluster automatically and transparently replicates keys and policy configuration across all cluster members.
Key management clients rotate across all available SKMs automatically by tier for geographic failover. The SKM features internal and external backup and provides the ability to recover a node or cluster from a backup and bare metal if needed.
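The clustering and tiered failover behaviour described in the two paragraphs above, modelled as an added Go example (this is not HP's code and not the SKM's actual replication protocol): a cluster whose Put replicates a key to every live member, a Resync for a node that returns after missing replications, and a client that round-robins across the live nodes of its local tier and only escalates to the next tier when none of the local nodes answers. Node names, tier numbers and key IDs are constructed for the demonstration.

```go
package main

import (
	"errors"
	"fmt"
)

// Node models one key manager appliance. Tier 0 is the client's local site;
// higher tiers are remote sites. Constructed model, not the SKM's protocol.
type Node struct {
	Name string
	Up   bool
	keys map[string][]byte
}

// Cluster is a set of nodes that replicate every key to one another.
type Cluster struct {
	Nodes  []*Node
	byTier [][]*Node // index = tier
}

func NewCluster(names []string, tiers []int) *Cluster {
	c := &Cluster{}
	for i, n := range names {
		nd := &Node{Name: n, Up: true, keys: map[string][]byte{}}
		c.Nodes = append(c.Nodes, nd)
		for len(c.byTier) <= tiers[i] {
			c.byTier = append(c.byTier, nil)
		}
		c.byTier[tiers[i]] = append(c.byTier[tiers[i]], nd)
	}
	return c
}

// Put stores a key on every member that is currently up and returns the
// number of copies made; a node that is down misses this replication.
func (c *Cluster) Put(keyID string, key []byte) int {
	n := 0
	for _, nd := range c.Nodes {
		if nd.Up {
			nd.keys[keyID] = key
			n++
		}
	}
	return n
}

// Resync brings a returning node up to date from the first live peer
// before marking it up, so clients never see a stale member.
func (c *Cluster) Resync(nd *Node) error {
	for _, peer := range c.Nodes {
		if peer != nd && peer.Up {
			for id, k := range peer.keys {
				nd.keys[id] = k
			}
			nd.Up = true
			return nil
		}
	}
	return errors.New("no live peer to resync from")
}

// Client is a key management client such as a tape library. It round-robins
// across the live nodes of its local tier and escalates to the next tier
// only when no node in the current one answers.
type Client struct {
	cluster *Cluster
	cursor  []int // round-robin position per tier
}

func NewClient(c *Cluster) *Client {
	return &Client{cluster: c, cursor: make([]int, len(c.byTier))}
}

// Fetch returns the key and the name of the node that served it.
func (cl *Client) Fetch(keyID string) ([]byte, string, error) {
	for t, nodes := range cl.cluster.byTier {
		for i := 0; i < len(nodes); i++ {
			nd := nodes[(cl.cursor[t]+i)%len(nodes)]
			if !nd.Up {
				continue
			}
			cl.cursor[t] = (cl.cursor[t] + i + 1) % len(nodes)
			if k, ok := nd.keys[keyID]; ok {
				return k, nd.Name, nil
			}
			return nil, nd.Name, fmt.Errorf("%s is up but holds no key %q", nd.Name, keyID)
		}
	}
	return nil, "", errors.New("no key manager reachable in any tier")
}

func main() {
	c := NewCluster([]string{"skm-a", "skm-b", "skm-dr"}, []int{0, 0, 1})
	c.Put("cart:C001", []byte("constructed key"))
	c.Nodes[0].Up, c.Nodes[1].Up = false, false // local site lost
	_, served, err := NewClient(c).Fetch("cart:C001")
	fmt.Println(served, err) // skm-dr <nil>
}
```

The point the model makes explicit is the one the post glosses over: a node that was down during a write does not have that key, so a returning node must resync from a live peer before it is put back into rotation, otherwise a client can be served by a healthy-looking appliance that cannot find the key at all.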
Unencrypted tape is a privacy vulnerability enterprises are grappling with today. EMC/RSA needs to partner with 3rd party vendors that must inject costly encryption appliances; conversely the SKM integrates seamlessly with the embedded hardware encryption capability on HP LTO-4 enterprise libraries.
HP allows flexibility in security policies such as a key per cartridge or a key per library partition. And practically, this allows incorporation of encryption at the customer’s pace as opposed to a forklift upgrade or being relegated to legacy tape solutions.
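An added Go example (not HP's code, and not the SKM or LTO-4 drive interface) that ties the key policy described here to the wish in the lost-tapes post above that keys be kept physically apart from the cartridges. The cartridge carries only a key ID, a nonce and AES-256-GCM ciphertext; key material stays in a KeyManager that stands in for the key server, so whoever finds a lost cartridge gets nothing, and shredding one cartridge's key crypto-erases that cartridge alone, while the per-partition policy deliberately shares one key across a partition. The policy names, key ID formats and sample backup image are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManager stands in for the key server: key material lives here and is
// never written to a cartridge. Constructed model, not the SKM's API.
type KeyManager struct {
	keys map[string][]byte // key ID -> 256-bit AES key
}

func NewKeyManager() *KeyManager { return &KeyManager{keys: map[string][]byte{}} }

// KeyFor applies the assignment policy ("cartridge": one key per cartridge,
// "partition": one key per library partition) and returns the key ID and
// key, generating the key on first use.
func (km *KeyManager) KeyFor(policy, partition, cartridge string) (string, []byte, error) {
	id, ok := map[string]string{"cartridge": "cart:" + cartridge, "partition": "part:" + partition}[policy]
	if !ok {
		return "", nil, fmt.Errorf("unknown key policy %q", policy)
	}
	if k, ok := km.keys[id]; ok {
		return id, k, nil
	}
	k := make([]byte, 32)
	if _, err := rand.Read(k); err != nil {
		return "", nil, err
	}
	km.keys[id] = k
	return id, k, nil
}

// Shred destroys a key; every cartridge written under it is crypto-erased.
func (km *KeyManager) Shred(keyID string) { delete(km.keys, keyID) }

// Cartridge is what leaves the building: key ID, nonce and ciphertext only.
type Cartridge struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

func aead(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// WriteCartridge encrypts a backup image under the policy-assigned key.
func WriteCartridge(km *KeyManager, policy, partition, cartridge string, image []byte) (Cartridge, error) {
	id, key, err := km.KeyFor(policy, partition, cartridge)
	if err != nil {
		return Cartridge{}, err
	}
	g, err := aead(key)
	if err != nil {
		return Cartridge{}, err
	}
	nonce := make([]byte, g.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return Cartridge{}, err
	}
	// The key ID is bound as associated data, so a relabelled cartridge
	// fails authentication instead of decrypting under the wrong key.
	return Cartridge{id, nonce, g.Seal(nil, nonce, image, []byte(id))}, nil
}

// ReadCartridge succeeds only for a holder of the matching key.
func ReadCartridge(km *KeyManager, c Cartridge) ([]byte, error) {
	key, ok := km.keys[c.KeyID]
	if !ok {
		return nil, fmt.Errorf("no key for %q", c.KeyID)
	}
	g, err := aead(key)
	if err != nil {
		return nil, err
	}
	pt, err := g.Open(nil, c.Nonce, c.Ciphertext, []byte(c.KeyID))
	if err != nil {
		return nil, errors.New("authentication failed: wrong key or altered cartridge")
	}
	return pt, nil
}

func main() {
	km := NewKeyManager()
	c, _ := WriteCartridge(km, "cartridge", "P1", "C001", []byte("constructed backup image"))
	fmt.Println(ReadCartridge(NewKeyManager(), c)) // a finder of the lost tape gets only an error
}
```

The trade-off between the two policies is visible in the key map: per-cartridge keys limit the blast radius of a leaked or shredded key to one cartridge but multiply the number of long-lived keys the server must hold, which is exactly why the key management side, not the encryption, is the part that needs the capacity and redundancy discussed in the other posts.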