TSM Symposium September 2007
TSM encryption options: Using IBM tape hardware encryption
Christina Coutts FTSS Removable Media
[email protected]
IBM System Storage © 2007 IBM Corporation
Security of Data: a Business Imperative
– Many government agencies are requiring disclosure of security breaches – 32 states in the USA have similar security breach legislation. Source: www.Privacyrights.org
– Industry organizations are also increasing scrutiny of security procedures. Source: Payment Card Industry Security Audit Procedures, Version 1
– Over 150 million consumers have been notified of potential security breaches regarding personal information since 2005. Source: www.Privacyrights.org
– Information is the most valuable property of a company – computer crime grows steadily
Tape encryption | Christina Coutts
Other Regulatory Drivers for Encryption
EU – Directive on Data Protection of 1995
– Implemented by National Legislation
– Generally does not require encryption
– Generally imposes fines for failure to adequately protect subject information
Payment Card Industry (PCI) Data Security Standard
– Applies to all member merchants of Visa, Mastercard, and other credit card companies that store cardholder data. Applies to commerce conducted via retail, phone, mail, and e-commerce channels
– PCI recommends encryption as “the ultimate mechanism” to protect stored data.
– VISA merchants that fail to comply potentially face hundreds of thousands of dollars in penalties, in addition to the costs of notification, credit monitoring and new account creation.
Basel II
– Applies to Large Global & Money Center Banks
– Requires establishment of separate Capital Accounts restricted from traditional uses like lending, trading, etc. to offset Operational Risk
– Initiatives (like Data Security) that reduce Operational Risk free up this capital for productive use.
Agenda
– Storage security
– TSM and data security
– Encryption overview
– TSM and encryption
  – Client software-based
  – Hardware-based
– Encryption implementation in the tape drive
  – Encryption methods
  – LME components
– Encryption Key Manager and other SW components
– Key serving: LTO and TS1120
– More information?
Storage Security
Parameters and settings:
– Ensure resources are available to authorised users and trusted networks
– Ensure resources are unavailable to everyone else
Parameters and settings controlled in:
– Organisation’s policies
– Communications protocols
– Programming
– Hardware
Securing Data at Rest
1. Establish a Perimeter: Secure Mobile Data
• Enforce password protection / encryption of confidential data on all laptops
• Monitoring agents
• Implement encryption on all data stored on tape
Securing Data at Rest
2. Strengthen Fortifications: Limit Access based on Roles
• Implement table / database level encryption leveraging hardware Crypto Providers
• Share keystores & key management environment
Securing Data at Rest
3. Implement DASD Encryption (when available): Complete Protection Initiative
• Secure remaining data files
• Secure HDDs for loss of control / process escapes during MA & de-acquisition
TSM and Data Security
Authentication, Authorization, Access control
– Are you who you say you are?
  – Passwords
  – Admin Centre and Web Admin server
  – Firewall support based on TCP/IP port specification
– Do you have permission to do, or access, this?
  – Control lists or role-based access.
Protection of data – in flight and at rest
– Encryption
– Cyclic Redundancy Checks
– Data Retention Protection
– Data shredding (secure data erase)
What is Encryption?
– Transformation of readable, understandable data to a form that is not (cipher text)
– Transformation is based on a mathematical formula
– There are formulas for the transformation of different types of data: keys, text, Personal Identification Numbers
– Some advanced functions associated with cryptography are combinations of basic cryptographic functions applied in a specific manner against specific data
– A number of cryptographic functions are used: DES, AES128, AES256
Example: HELLO! becomes LIOBOHMMGMLJ
[Example shown uses STEW (Symmetric Transient Encryption Wave)]
Encryption Process
Helps protect data from unauthorised access
Clear or plain text + Key, processed by the encryption algorithm (e.g. AES), gives Cipher Text (Encrypted Data)
Decryption Process
Cipher Text + Key, processed by the encryption algorithm, gives Clear or plain text
– Data that is not encrypted is referred to as “clear text”
– “Clear text” is encrypted by processing it with a “key” and an “encryption algorithm”
– Several standard algorithms exist, including DES*, TDES and AES
– Keys are bit streams that vary in length
  – For example AES supports 128, 192 and 256 bit key lengths
*DES, invented by IBM in 1974
Symmetric Encryption
– Same key used to encrypt and decrypt
– Symmetric keys must be stored and secured against unauthorized access
Asymmetric Encryption
– A key pair is used to encrypt and decrypt
  – The key used to encrypt is often referred to as the Public key
  – The key used to decrypt is referred to as the Private key
– The Public key may be made widely available without fear of compromise
– The Private Key must be secured against unauthorized access
– Public / Private encryption is widely used for exchange of data between organizations (eMail)
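The encryption process, the symmetric case and the asymmetric case described on the last three slides, worked through in one added example (Go, standard library only; this is not code from the presentation or from IBM). The sample record is constructed. The symmetric part uses AES in GCM mode, where the key length alone selects AES-128, AES-192 or AES-256, and a wrong key or a modified cipher text is rejected; the asymmetric part uses an RSA key pair to wrap that symmetric key, so the public half can be handed out while only the private half recovers it. The function names are this example's own.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"fmt"
)

// Constructed sample record standing in for a backup object (not real data).
const samplePlaintext = "HELLO! customer record 0001 (constructed sample)"

// newGCM builds AES-GCM; a 16, 24 or 32 byte key selects AES-128/192/256.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // any other key length is rejected here
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// encryptSymmetric turns clear text into cipher text under a symmetric key.
// A fresh random nonce is prepended so the same key can be reused safely.
func encryptSymmetric(key, plaintext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return aead.Seal(nonce, nonce, plaintext, nil), nil
}

// decryptSymmetric reverses encryptSymmetric with the same key. A different
// key, or a modified cipher text, fails authentication and returns an error.
func decryptSymmetric(key, ciphertext []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	n := aead.NonceSize()
	if len(ciphertext) < n {
		return nil, fmt.Errorf("ciphertext too short")
	}
	return aead.Open(nil, ciphertext[:n], ciphertext[n:], nil)
}

// wrapKey protects the symmetric data key with an RSA public key (OAEP).
// The public key can be handed out freely; only the private key unwraps.
func wrapKey(pub *rsa.PublicKey, dataKey []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
}

// unwrapKey must only run where the private key is kept.
func unwrapKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// roundTrip encrypts the sample under a random key of keyLen bytes, wraps the
// key for a recipient, unwraps and decrypts; true if the clear text matches.
func roundTrip(keyLen int) (bool, error) {
	dataKey := make([]byte, keyLen)
	if _, err := rand.Read(dataKey); err != nil {
		return false, err
	}
	ct, err := encryptSymmetric(dataKey, []byte(samplePlaintext))
	if err != nil {
		return false, err
	}
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return false, err
	}
	wrapped, err := wrapKey(&priv.PublicKey, dataKey)
	if err != nil {
		return false, err
	}
	recovered, err := unwrapKey(priv, wrapped)
	if err != nil {
		return false, err
	}
	pt, err := decryptSymmetric(recovered, ct)
	if err != nil {
		return false, err
	}
	return bytes.Equal(pt, []byte(samplePlaintext)), nil
}

func main() {
	ok, err := roundTrip(32) // AES-256, the key length the hardware path uses
	fmt.Println("AES-256 round trip:", ok, err)
}
```

The symmetric key is what must stay secret; the RSA pair only changes who has to guard it. The hardware methods described later in the deck rest on the same split between a per-cartridge data key and the keys that protect it.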
TSM and encryption
TSM Client encryption
– Encryption in software
– Performed by client host
– Keys managed by TSM client or server
PLUS new methods using tape drive hardware:
Application Managed Encryption
– Keys managed by TSM server
Library Managed Encryption
– Encryption is transparent to TSM
– Keys managed externally
– Library hardware provides proxy
System Managed Encryption
– Encryption is transparent to TSM
– Keys managed externally
– Device driver on server provides proxy
Enabling TSM Client encryption
Set encryption options (dsm.opt, dsm.sys, or Client Server Options)
– Select data to encrypt
  • “include.encrypt”
  • “exclude.encrypt”
– Select encryption method (TSM Clients: AES128 or DES56)
  • “encryptiontype=aes128” for AES128
Encryption key is derived from an Encryption Key Password
– “You” supply and save key
  • “encryptkey=save”
  • “encryptkey=prompt”
– Key randomly generated and TSM server saves key with meta data
  • “enableclientencryptkey=yes”
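How the options named on this slide fit together in a client options file, as an added example (not from the presentation or from IBM's documentation). It uses the keyword-value syntax of dsm.opt / dsm.sys rather than the "option=value" shorthand on the slide; the file system paths are hypothetical.

```text
* Added example dsm.opt fragment (not from the slides). Paths are hypothetical.
* Encryption method: AES128 rather than DES56, the stronger of the two the
* client offers.
ENCRYPTIONTYPE   AES128

* Select what to encrypt. TSM evaluates include/exclude statements from the
* bottom of the list upward, so the narrower EXCLUDE.ENCRYPT for scratch data
* is placed after the broader INCLUDE.ENCRYPT it carves out of.
INCLUDE.ENCRYPT  /data/finance/.../*
INCLUDE.ENCRYPT  /data/hr/.../*
EXCLUDE.ENCRYPT  /data/finance/tmp/.../*

* Key handling: SAVE stores the password-derived key locally so scheduled
* backups run unattended; PROMPT asks for the password on every backup and
* restore. Either way the key never reaches the server.
ENCRYPTKEY       SAVE
```

With ENCRYPTKEY SAVE or PROMPT the encryption key password is the only way back to the data: if it is lost, the encrypted backups cannot be restored. That is the "software key management on restore" burden the client-versus-hardware comparison that follows refers to, and the reason the slide offers the server-generated alternative.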
TSM client versus hardware encryption
Client Encryption
– Protects data while being written (“over the wire”)
– Remains encrypted while at rest on-line
– Remains encrypted while at rest on removable media
– Hardware vendor agnostic
– Increased CPU utilization during backup – so performance may suffer
– No compression on tape – so backup sizes may double
– Uses AES128 or DES56 key format
– Requires software key and management on restore
Hardware encryption
– No performance overhead at the host server
– Encryption is transparent to write performance
– Encryption applied after compression so data will be compressed as normal
– Uses AES256 key format
– Data is not encrypted during write transfer
– Requires hardware encryption capability and key management on restore
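The "no compression on tape" point in the comparison above comes from ordering: cipher text looks like random bytes, so a drive that receives already-encrypted data has nothing to compress, whereas the drive-side method compresses first and encrypts the compressed block. The added example below (Go, standard library; not code from the presentation or from IBM) measures both orderings on a constructed, highly repetitive backup stream. gzip stands in for the drive's own compression algorithm and AES-256 in CTR mode stands in for the drive's encryption; the names are this example's own.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
	"strings"
)

// Constructed sample standing in for a backup stream: repetitive records of
// the kind that tape drive compression shrinks well.
func sampleBackupData() []byte {
	return []byte(strings.Repeat("customer=ACME;status=active;balance=0000.00\n", 2000))
}

// compress applies gzip as a stand-in for the drive's compression stage
// (the drive uses its own algorithm; the effect on random-looking data is the same).
func compress(data []byte) []byte {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	w.Write(data)
	w.Close()
	return buf.Bytes()
}

// encryptCTR encrypts with AES-256 in CTR mode and prepends the random IV.
// The output is indistinguishable from random bytes, so it does not compress.
func encryptCTR(key, data []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	iv := make([]byte, aes.BlockSize)
	if _, err := rand.Read(iv); err != nil {
		return nil, err
	}
	out := make([]byte, len(data))
	cipher.NewCTR(block, iv).XORKeyStream(out, data)
	return append(iv, out...), nil
}

// Sizes records how many bytes reach the tape under each ordering.
type Sizes struct {
	Original    int // clear text size
	ClientStyle int // encrypted on the host, then the drive tries to compress
	DriveStyle  int // compressed by the drive, then encrypted by the drive
}

// compareOrderings measures both orderings on the same data with one key.
func compareOrderings(data []byte) (Sizes, error) {
	key := make([]byte, 32) // AES-256, the key format the hardware path uses
	if _, err := rand.Read(key); err != nil {
		return Sizes{}, err
	}
	encryptedFirst, err := encryptCTR(key, data)
	if err != nil {
		return Sizes{}, err
	}
	compressedFirst, err := encryptCTR(key, compress(data))
	if err != nil {
		return Sizes{}, err
	}
	return Sizes{
		Original:    len(data),
		ClientStyle: len(compress(encryptedFirst)),
		DriveStyle:  len(compressedFirst),
	}, nil
}

func main() {
	s, err := compareOrderings(sampleBackupData())
	if err != nil {
		panic(err)
	}
	fmt.Printf("clear text:                               %d bytes\n", s.Original)
	fmt.Printf("encrypt on host, then drive compresses:   %d bytes\n", s.ClientStyle)
	fmt.Printf("drive compresses, then drive encrypts:    %d bytes\n", s.DriveStyle)
}
```

Running it shows the client-style ordering slightly larger than the clear text (compression adds framing and removes nothing) and the drive-style ordering a small fraction of it. The same effect is why the slide's "backup sizes may double" figure depends entirely on how compressible the data was to begin with.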
IBM Encryption Capable Tape Drives
Shipped on all new TS1120 drives shipped 9.8.2006 or later
– Feature Code # 9592 – Encryption Capable, Plant installed
– No charge (NC) feature
– Identified by label on drive canister
Can be added to existing TS1120 3592E05s by MES Upgrade
– Feature Code # 5592 – Encryption Capable – Field
– CE Installed – new hardware and drive microcode
Shipped on all LTO Generation 4 drives
– All LTO4 have encryption hardware
– No additional charge on drive
So what does having encryption hardware mean?
Encryption in the Tape Drive
Look-aside decryption & decompression help assure data integrity
Preserves performance and compression characteristics
Clear
– Virtually no performance or capacity impact (