
Data Encryption, The Last Line of Defense






Presentation Transcript


  1. Data Encryption, The Last Line of Defense – Jim Kaplan, Technical Sales Specialist, Sun Microsystems, james.kaplan@sun.com, 714-267-1426. SCCMG – November 2, 2007; NCCMG – November 6, 2007

  2. Today’s Agenda • Focus on security • Market drivers • Different approaches • Device-based encryption • Key management • Future directions

  3. The Burning Issue • New legislative requirements worldwide • Average cost per breach = $4.7M USD • Average cost per lost/stolen record = $182 USD • That doesn’t take into account damage to brand • Can easily be $5M per incident • Payment Card Industry requires encryption for data at rest • Many IT organizations are under mandates to encrypt yesterday • Burning issue across all industries

  4. Security Breaches • “The total number of records containing sensitive personal information involved in security breaches over the past two years now stands at over 155,000,000 according to the Privacy Rights Clearinghouse.” Original quote by Keith Regan, eCommerce Times – 9/25/06; updated number from www.privacyrights.org

  5. Global legislation that requires self-reporting to the media and direct notification of all affected: California Senate Bill 1386; “DATA” Act (USA); Data Protection Directive (EU); Personal Information Protection Act (Japan). Protecting Data is a Fiduciary Responsibility

  6. Understanding Business Risks • Digital assets • Company data • Employee data • Customer data • Loss of potential sales • Negative brand impact • Loss of competitive advantage • Loss of consumer confidence • Diversion of funds • Continuity expenses • Lost customers • Recovery expenses • Failure to meet contracts • Failure to meet privacy regulations • Illegal user activity • Director liability (i.e. lawsuits) (Loss categories on the slide: Direct Losses, Indirect Losses, Productivity Losses, Legal Exposure)

  7. A Multi-Layered Approach to Data Security • Data security can be thought of as a series of protective layers • Physical access control: guns & gates • Logical access control: firewalls, identity management • Data encryption: the last layer of security is to alter the data, so that the intruder will not find it useful • Encryption ensures data integrity – once data is encrypted, it cannot be altered without the key

  8. Security Requires a Delicate Balance: Cost vs. Risk

  9. Primary Methodologies • In the storage device • At creation • In the network

  10. Encrypting at Data Creation (Host/Server Layer) • Data encrypted the moment it’s created, providing the highest level of data security • Platform/application dependent • No compression possible after encryption; cost and performance issues • Bottom line: Good fit for small amounts of highly sensitive, dynamic data in homogeneous environments

  11. In-Band Data Encryption (In-Band Appliances) • Encrypts data as it flows across the network • Appliance-based encryption and key management • Poor scalability, cost, network management and security issues • Bottom line: Easy to implement, and good as a “stop gap” for smaller, localized encryption solutions; good fit for legacy media formats

  12. Data Encryption In Device (In the Storage Device) • Data can be encrypted on a tape drive, making it easy to validate and eliminating the performance penalty on the server and network • Most secure solution • Easiest to implement, manage and scale • Bottom line: Good fit for archive data in heterogeneous environments

  13. Business Value of Tape Encryption • Customer or regulatory body notification is not required, as the information is not accessible to unauthorized parties • Provides protection from both off-site and on-premise information loss • Enables secure shipment of data • Supports time-based data expiration and secure data disposal • Destroy the key without touching the cartridge

  14. Managing Encryption • Understanding key management and having a well-defined key management strategy is crucial • Consider an Encryption Readiness Assessment

  15. Managing Encryption Raises Questions • Who will create and manage keys? • How many keys do we need? • How often should we change keys? • How will we share keys with entities that need to read the data? • How will disaster recovery work? • How will I integrate this into my workflow? • And more...

  16. Key Elements Needed for Data Encryption on Tape • Device-independent appliance • Is designed to deliver a secure and reliable data environment • Has limited or no interaction with other applications to simplify system installation • Can be run independent of any network • Can be directly attached to automated libraries (Diagram labels: Key Management Station; T10000 Enterprise Tape Drive)

  17. Token and Token Bay • Holds over 60,000 keys • Easy to quickly secure library • Direct KMS connection supported • Powered from the Token Bay • 1U Token Bay rack unit • Holds 2 tokens • Ethernet connections to drive switch in library (Diagram label: Key Token)

  18. Encryption-capable tape drives • Sun StorageTek T10000 • Currently supported • LTO4 • Support planned for 2008 • IBM TS1120 • Multiple key management solutions available from IBM

  19. Key Management Overview • The KMS generates keys to be placed on the token • The token is connected via private line or hand carried to the internal library LAN • The token downloads the required keys to the drive(s), and retains the encrypted media keys for power-cycle recovery (Diagram labels: Key Token; Key Management Station; Media Interface)
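The three points the deck makes about in-device encryption come together in one flow: slide 7 says encrypted data cannot be altered without the key, slide 13 says a cartridge can be disposed of by destroying its key, and slide 19 shows keys travelling KMS → token → drive while the cartridge itself never carries a key. The Python below is an added example, not code from the presentation or from any Sun product. It assumes a toy SHA-256 counter-mode keystream in place of the drive's real cipher, an in-memory KMS and token, and a constructed sample record; names such as KeyManagementStation, KeyToken, drive_write and drive_read are this example's own. The caveat a practitioner should take from it: encryption on its own does not detect alteration (decrypt_unauthenticated returns changed data without complaint); the integrity property slide 7 describes comes from the HMAC tag that decrypt_and_verify checks before decrypting.

```python
import hashlib
import hmac
import os

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Toy keystream SHA-256(key || nonce || counter); stands in for the drive's real cipher (assumption)."""
    out, counter = bytearray(), 0
    while len(out) < length:
        out += hashlib.sha256(key + nonce + counter.to_bytes(8, "big")).digest()
        counter += 1
    return bytes(out[:length])

def _subkeys(media_key: bytes):
    # Separate encryption and MAC keys derived from the one media key held on the token.
    return hashlib.sha256(b"enc" + media_key).digest(), hashlib.sha256(b"mac" + media_key).digest()

def encrypt_then_mac(media_key: bytes, plaintext: bytes) -> dict:
    """Encrypt, then authenticate nonce + ciphertext with HMAC-SHA256 (encrypt-then-MAC)."""
    enc_key, mac_key = _subkeys(media_key)
    nonce = os.urandom(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return {"nonce": nonce, "ct": ct, "tag": tag}

def decrypt_unauthenticated(media_key: bytes, rec: dict) -> bytes:
    """Encryption alone: an altered ciphertext decrypts to altered data with no error raised."""
    enc_key, _ = _subkeys(media_key)
    return bytes(c ^ k for c, k in zip(rec["ct"], _keystream(enc_key, rec["nonce"], len(rec["ct"]))))

def decrypt_and_verify(media_key: bytes, rec: dict) -> bytes:
    """Verify the tag before decrypting; this check is what actually provides integrity."""
    _, mac_key = _subkeys(media_key)
    expected = hmac.new(mac_key, rec["nonce"] + rec["ct"], hashlib.sha256).digest()
    if not hmac.compare_digest(expected, rec["tag"]):
        raise ValueError("integrity check failed: block was altered or corrupted")
    return decrypt_unauthenticated(media_key, rec)

class KeyToken:
    """Carries media keys from the KMS into the library; the drive reads keys from it."""
    def __init__(self):
        self._keys = {}
    def load(self, key_id: str, key: bytes):
        self._keys[key_id] = key
    def remove(self, key_id: str):
        self._keys.pop(key_id, None)
    def get(self, key_id: str) -> bytes:
        return self._keys[key_id]  # KeyError once the key has been destroyed

class KeyManagementStation:
    """Generates media keys and exports them to a token; the drive never talks to the KMS."""
    def __init__(self):
        self._keys = {}
    def create_media_key(self) -> str:
        key_id = os.urandom(8).hex()  # the cartridge records this id, never the key itself
        self._keys[key_id] = os.urandom(32)
        return key_id
    def export_to_token(self, token: KeyToken, key_ids):
        for key_id in key_ids:
            token.load(key_id, self._keys[key_id])
    def destroy_key(self, key_id: str, token: KeyToken):
        """Crypto-erasure: once the key is gone everywhere, the cartridge is unreadable."""
        self._keys.pop(key_id, None)
        token.remove(key_id)

def drive_write(token: KeyToken, key_id: str, data: bytes) -> dict:
    rec = encrypt_then_mac(token.get(key_id), data)
    rec["key_id"] = key_id  # only the key id travels with the data
    return rec

def drive_read(token: KeyToken, rec: dict) -> bytes:
    return decrypt_and_verify(token.get(rec["key_id"]), rec)

def run_scenario() -> dict:
    """One cartridge through write, read, a damaged block, and key destruction."""
    kms, token = KeyManagementStation(), KeyToken()
    key_id = kms.create_media_key()
    kms.export_to_token(token, [key_id])
    record = b"cust=0042;card=XXXX-XXXX-XXXX-1234"  # constructed sample, not real data
    block = drive_write(token, key_id, record)
    damaged = dict(block)  # simulate a single altered byte on the tape
    ct = bytearray(block["ct"]); ct[0] ^= 0x01; damaged["ct"] = bytes(ct)
    try:
        drive_read(token, damaged)
        tamper_detected = False
    except ValueError:
        tamper_detected = True
    silent = decrypt_unauthenticated(token.get(key_id), damaged)
    results = {"roundtrip_ok": drive_read(token, block) == record,
               "tamper_detected": tamper_detected, "encryption_alone_silently_wrong": silent != record}
    kms.destroy_key(key_id, token)
    try:
        drive_read(token, block)
        results["unreadable_after_destroy"] = False
    except KeyError:
        results["unreadable_after_destroy"] = True
    return results
```

Calling run_scenario() returns all four flags True: the block round-trips, the altered block is rejected by the tag check, the same altered block decrypts "successfully" to wrong data when only encryption is used, and after destroy_key the drive can no longer locate a key for the cartridge's key id. The design choice worth noting for a real deployment is the last one: crypto-erasure only works if the key is removed from every place it was copied (KMS database, tokens, any backup of either), which is why the key-management questions on slide 15 matter as much as the cipher.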

  20. Storage Encryption Roadmap • KMS management clusters • Continuous database mirroring within KMS clusters • Control of multiple KMS sites from a single KMS • KMS management from a console or remote GUI • Additional device support • API standardization

  21. Tape-Based Encryption Success • Retail: National grocery retailer needed to encrypt customer data and streamline backup processes while reducing cartridge count • Energy: Integrated electric and natural gas utility needed to secure sensitive customer data for off-site backup and disaster recovery • Government: Heavily involved in the development of encryption methodology; set our direction for ultimate security

  22. “The value provided by securing sensitive data with encryption, access controls, and audit functionality outweighs the cost of implementation. With regulations requiring security at varying levels, and non-compliance costs adding up quickly, can you afford not to secure your data?” Avivah Litan, Gartner Security Analyst, IT Security Summit, May 2006

  23. Questions? Jim Kaplan, Technical Sales Specialist, Sun Microsystems, james.kaplan@sun.com, 714-267-1426. SCCMG – November 2, 2007; NCCMG – November 6, 2007
