TSM Symposium September 2007

TSM encryption options: Using IBM tape hardware encryption

Christina Coutts FTSS Removable Media [email protected]

IBM System Storage © 2007 IBM Corporation

Security of Data: a Business Imperative

• Many government agencies now require disclosure of security breaches
  – 32 US states have similar security-breach legislation (source: www.Privacyrights.org)
• Industry organizations are also increasing scrutiny of security procedures
  – Source: Payment Card Industry Security Audit Procedures, Version 1
• Over 150 million consumers have been notified of potential security breaches involving their personal information since 2005 (source: www.Privacyrights.org)
• Information is a company's most valuable property, and computer crime grows steadily

Tape encryption | Christina Coutts


Other Regulatory Drivers for Encryption

• EU Directive on Data Protection of 1995
  – Implemented by national legislation
  – Generally does not require encryption
  – Generally imposes fines for failure to adequately protect subject information
• Payment Card Industry (PCI) Data Security Standard
  – Applies to all member merchants of Visa, MasterCard and other credit card companies that store cardholder data, whether commerce is conducted via retail, phone, mail or e-commerce channels
  – PCI recommends encryption as "the ultimate mechanism" to protect stored data
  – Visa merchants that fail to comply potentially face hundreds of thousands of dollars in penalties, in addition to the costs of notification, credit monitoring and new account creation
• Basel II
  – Applies to large global and money-center banks
  – Requires the establishment of separate capital accounts, restricted from traditional uses such as lending and trading, to offset operational risk
  – Initiatives (such as data security) that reduce operational risk free up this capital for productive use

Agenda

• Storage security
• TSM and data security
• Encryption overview
• TSM and encryption
  – Client software-based
  – Hardware-based
• Encryption implementation in the tape drive
  – Encryption methods
  – LME components
• Encryption Key Manager and other SW components
• Key serving: LTO and TS1120
• More information?

Storage Security

• Parameters and settings:
  – Ensure resources are available to authorised users and trusted networks
  – Ensure resources are unavailable to everyone else
• Parameters and settings are controlled in:
  – The organisation's policies
  – Communications protocols
  – Programming
  – Hardware

Securing Data at Rest

1. Establish a perimeter: secure mobile data
   • Enforce password protection / encryption of confidential data on all laptops
   • Monitoring agents
   • Implement encryption on all data stored on tape

2. Strengthen fortifications: limit access based on roles
   • Implement table / database level encryption leveraging hardware crypto providers
   • Share keystores and the key management environment

3. Implement DASD encryption (when available): complete the protection initiative
   • Secure remaining data files
   • Secure HDDs against loss of control / process escapes during MA and de-acquisition

TSM and Data Security

• Authentication, authorization, access control
  – Are you who you say you are?
    · Passwords
    · Admin Centre and Web Admin server
    · Firewall support based on TCP/IP port specification
  – Do you have permission to do, or access, this?
    · Control lists or role-based access
• Protection of data, in flight and at rest
  – Encryption
  – Cyclic Redundancy Checks (these detect accidental corruption, not deliberate tampering)
  – Data Retention Protection
  – Data shredding (secure data erase)


What is Encryption?

• Transformation of readable, understandable data into a form that is not (cipher text)
• The transformation is based on a mathematical formula
• There are formulas for the transformation of different types of data
  – Keys
  – Text
  – Personal Identification Numbers
• Some advanced functions associated with cryptography are combinations of basic cryptographic functions applied in a specific manner against specific data
• A number of cryptographic functions are used: DES, AES128, AES256

Example: HELLO! → LIOBOHMMGMLJ
[Example shown uses STEW (Symmetric Transient Encryption Wave)]

Encryption helps protect data from unauthorised access

Encryption process: clear (plain) text + key → encryption algorithm (e.g. AES) → cipher text (encrypted data)
Decryption process: cipher text + key → encryption algorithm → clear (plain) text

• Data that is not encrypted is referred to as "clear text"
• "Clear text" is encrypted by processing it with a "key" and an "encryption algorithm"
  – Several standard algorithms exist, including DES*, TDES and AES
• Keys are bit streams that vary in length
  – For example, AES supports 128, 192 and 256 bit key lengths

*DES, invented by IBM in 1974. Its 56-bit key is too short for current use: DES keys have been recovered by exhaustive search since 1998, so AES should be preferred wherever the choice exists.

Symmetric Encryption

• The same key is used to encrypt and decrypt
• Symmetric keys must be stored and secured against unauthorized access

Asymmetric Encryption

• A key pair is used to encrypt and decrypt
  – The key used to encrypt is often referred to as the public key
  – The key used to decrypt is referred to as the private key
• The public key may be made widely available without fear of compromise (its authenticity, i.e. that it really belongs to the claimed owner, still has to be assured)
• The private key must be secured against unauthorized access
• Public/private encryption is widely used for the exchange of data between organizations (e-mail)


TSM and encryption

• TSM client encryption
  – Encryption in software
  – Performed by the client host
  – Keys managed by the TSM client or server

Plus new methods using the tape drive hardware:

• Application Managed Encryption
  – Keys managed by the TSM server
• Library Managed Encryption
  – Encryption is transparent to TSM
  – Keys managed externally
  – The library hardware acts as the proxy between drive and key manager
• System Managed Encryption
  – Encryption is transparent to TSM
  – Keys managed externally
  – The device driver on the server acts as the proxy between drive and key manager

Enabling TSM Client encryption

TSM clients encrypt with AES128 or DES56.

• Set the encryption options (in dsm.opt, dsm.sys, or a client option set on the server)
  – Select the data to encrypt
    · include.encrypt
    · exclude.encrypt
  – Select the encryption method
    · encryptiontype=aes128 for AES128
• The encryption key is derived from an Encryption Key Password
  – "You" supply and save the key; if that password is lost, the encrypted backup data cannot be restored
    · encryptkey=save
    · encryptkey=prompt
  – Or the key is randomly generated and the TSM server saves it with the metadata in the TSM DB
    · enableclientencryptkey=yes (TSM server option)

TSM client versus hardware encryption

Client encryption:
  – Protects data while it is being written ("over the wire")
  – Remains encrypted while at rest on-line
  – Remains encrypted while at rest on removable media
  – Hardware vendor agnostic
  – Increased CPU utilization during backup, so performance may suffer
  – No compression on tape (ciphertext is incompressible, so the drive's compression gains nothing), so backup sizes may double
  – Uses the AES128 or DES56 key format
  – Requires the software key and key management on restore

Hardware encryption:
  – No performance overhead at the host server
  – Encryption is transparent to write performance
  – Encryption is applied after compression, so data is compressed as normal
  – Uses the AES256 key format
  – Data is not encrypted during the write transfer
  – Requires hardware encryption capability and key management on restore
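The two client-encryption slides above turn on two facts: the key comes from an encryption-key password, and data encrypted on the host no longer compresses when it reaches the drive, whereas the drive encrypts after its own compression. The Python below is an added example for this page, not TSM or IBM code: it uses PBKDF2 as a generic stand-in for "key derived from an Encryption Key Password" and an HMAC-SHA-256 counter-mode keystream as a stand-in for the client-side cipher (TSM's real derivation and its AES implementation are not reproduced), then measures what deflate compression does to ciphertext versus plaintext under both orderings. The sample backup records, salt and nonce are constructed.

```python
"""Client-side vs drive-side encryption and tape compression.

Added example for this page; not TSM or IBM code. PBKDF2 and the
HMAC-SHA-256 counter-mode keystream below are generic stand-ins for
"key derived from an Encryption Key Password" and for the client-side
cipher; TSM's real derivation and its AES implementation are not shown.
"""
import hashlib
import hmac
import zlib

# Constructed sample: backup-stream-like records, heavily repeated so that a
# tape drive's LZ-style compression would normally shrink them a great deal.
SAMPLE_RECORD = (
    b"2007-09-12 03:14:07 backup /home/alice/docs/quarterly_report.doc 204800 bytes OK\n"
    b"2007-09-12 03:14:08 backup /home/alice/docs/budget_2008.xls 61440 bytes OK\n"
)
PLAINTEXT = SAMPLE_RECORD * 600
SALT = b"constructed-salt"   # assumption: a real system keeps a random per-node salt
NONCE = b"\x00" * 16         # assumption: unique per encrypted object in a real cipher


def derive_key(password: str, salt: bytes, iterations: int = 200_000) -> bytes:
    """Turn an encryption-key password into a 256-bit key (generic PBKDF2, not TSM's KDF).
    Key strength is bounded by the password: a guessable password means a guessable key."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations, dklen=32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream: HMAC-SHA-256(key, nonce || counter) blocks."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """XOR the data with the keystream; as with any stream cipher, the same call decrypts."""
    stream = _keystream(key, nonce, len(data))
    mixed = int.from_bytes(data, "big") ^ int.from_bytes(stream, "big")
    return mixed.to_bytes(len(data), "big")


decrypt = encrypt


def size_comparison(plaintext: bytes, key: bytes, nonce: bytes) -> dict:
    """Bytes that land on tape under the two orderings the slides contrast."""
    # Client encryption: the host encrypts first, then the drive tries to compress ciphertext.
    client_ct = encrypt(key, nonce, plaintext)
    client_on_tape = len(zlib.compress(client_ct, 9))
    # Drive encryption: the drive compresses the clear data first, then encrypts the result.
    drive_compressed = zlib.compress(plaintext, 9)
    hardware_on_tape = len(encrypt(key, nonce, drive_compressed))
    return {
        "plaintext": len(plaintext),
        "client_encrypt_then_compress": client_on_tape,
        "hardware_compress_then_encrypt": hardware_on_tape,
    }


if __name__ == "__main__":
    key = derive_key("correct horse battery staple", SALT)
    assert decrypt(key, NONCE, encrypt(key, NONCE, PLAINTEXT)) == PLAINTEXT
    for name, size in size_comparison(PLAINTEXT, key, NONCE).items():
        print(f"{name:32s} {size:8d} bytes")
```

Run as a script it prints the three sizes: the compressed ciphertext is slightly larger than the plaintext (deflate falls back to stored blocks, which is the "backup sizes may double" effect relative to the 2:1 the drive would otherwise achieve), while compress-then-encrypt shrinks the same records to a small fraction of their size. The PBKDF2 step is there to make the password caveat concrete: whoever can guess the encryption-key password can reproduce the key, so a weak password undoes AES128 just as surely as losing the password makes a restore impossible.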

IBM System Storage


IBM Encryption Capable Tape Drives

• Shipped on all new TS1120 drives shipped 9.8.2006 or later
  – Feature Code 9592: Encryption Capable, plant installed
  – No charge (NC) feature
  – Identified by a label on the drive canister
• Can be added to existing TS1120 (3592 E05) drives by MES upgrade
  – Feature Code 5592: Encryption Capable, field / CE installed
  – New hardware and drive microcode
• Shipped on all LTO Generation 4 drives
  – All LTO4 drives have encryption hardware
  – No additional charge on the drive

So what does having encryption hardware mean?

Encryption in the Tape Drive

• Look-aside decryption and decompression help assure data integrity
• Preserves performance and compression characteristics
  – Virtually no performance or capacity impact (