
DECRU


Presentation Transcript


  1. DECRU Data At Rest Security Opportunity Chris Gale Chris.gale@decru.com

  2. Storage Insecurity
     • Feb 2003 – Visa, Amex, MasterCard
       • Hacker breaches 8 million credit card accounts through a third-party processor
     • Feb, May 2004 – Microsoft and Cisco Source Code Stolen
     • Sept 2004 – Guilty plea in $50 million identity theft case
       • Helpdesk employee stole tens of thousands of identities from credit databases
     • Feb 2005 – Bank of America
       • 1.2 million user accounts, including U.S. Senators and Defense Department employees, are exposed when cleartext backup tape is lost
     • June 2004 – AOL software engineer arrested after stealing 92 million names, selling to spammers for $100,000

  3. Compliance Drivers: Visa CISP (Cardholder Information Security Program)
     • CISP information security program applies to vendors, merchants, and service providers who handle confidential cardholder data
     • Compliance is verified by third party auditors; fines and other sanctions for non-compliance or for data breaches caused by poor security
     Sec. 3 of 12: Protect Stored Data
     • Requirement to protect confidential cardholder data at rest
     • Encryption highly recommended
     • Need-to-know access controls
     • Strong algorithms, strong key management

  4. Perimeter Security is Insufficient: Insider Threat
     • 50-80% of electronic attacks originate inside the firewall
     • 67% of companies reported internal breaches
     • Average loss from breach of proprietary data was $2.7 million
     Source: FBI/Computer Security Institute

  5. Storage Trends
     Storage protocols have never evolved from cleartext…
     Consolidation, Replication, Outsourcing = Risk Multipliers

  6. Who has access to sensitive data?
     [Diagram labels, staff roles: Network Administrators, Outsourcing Vendors, Storage Administrators, DR Storage Administrators, Storage Repair/Service Staff, Tape Courier, System Administrators, Backup Administrators]
     [Diagram labels, data in Storage: CEO, Customer data, Earnings releases, CFO, Salaries and reviews, Litigation docs, General Counsel]

  7. Traditional Encryption Compromises
     • Performance degradation
     • Key management complexity & security
     • High availability issues
     • Application changes and downtime
     • Database changes required
     • Changes to desktops, servers, workflow
     The Decru solution addresses all of these concerns.

  8. About Decru
     • Founded 2001 to solve emerging storage security problems
       • Regulatory compliance
       • Privacy
       • Insider threat
     • Well funded by top tier investors, over $45m
       • NEA, Benchmark, Greylock, In-Q-Tel (CIA-funded)
     • Seasoned, proven management team
     • DataFort platform is shipping and deployed, with customers on three continents
     Awards shown on slide: “Top 10 Products of 2004”; Nominated: “Best Enterprise Security Product 2003”; “12 Hot Startups”; “Top 10.”

  9. Partner Ecosystem

  10. Decru DataFort™ Storage Security Appliances
     DataFort provides the first unified platform for securing data at rest across the entire enterprise. DataFort integrates transparently into NAS, DAS, SAN, iSCSI & tape environments, and protects stored data with wire-speed encryption, access controls, authentication, and tamper-proof auditing.
     • NAS/DAS: DataFort E-Series (1Gbit)
     • SAN/Tape: DataFort FC-Series (2Gbit)
     • Tape: DataFort S-Series (2Gbit)
     • Lifetime Key Management™ for automated, secure enterprise-wide key management
     Review ratings shown on slide: Rating: Deploy; Top 10 lab score: 8.4/10; Security: 10/10; Top 10 Products of 2004

  11. Decru: End-to-end storage security
     [Diagram labels: Clients/Hosts; Authentication/Storage VPN; DataFort (Authentication, Granular ACLs, Secure logging); Storage Network; Storage Encryption, AES-256 Encrypted (Cryptainer1, Cryptainer2, Cryptainer3)]
     DataFort protects the data path for applications and users, eliminating “back doors” and simplifying security

  12. Decru: Tape Encryption
     Unsecured Tape Backup (path labels: Cleartext, FC SWITCH, Cleartext). Sample records shown on the tape:
     CUSTOMER | SSN | AMT
     John Magnus | 544-89-3021 | $304.31
     Susan Wong | 522-35-1105 | $91.05
     Ken Hernandez | 670-32-1145 | $21.88
     Alicia Sparr | 435-98-0498 | $209.95
     M.J. Satyr | 594-22-9038 | $76.55
     Dan Spencer | 543-09-3451 | $413.03
     Mary Jones | 495-38-8971 | $90.74
     Jerome White | 613-98-8932 | $247.11
     Martin Ng | 339-77-9201 | $20.89
     Fay Dunlap | 784-29-6290 | $401.92
     Takeshi Doi | 544-09-3193 | $29.01
     Sarah Fisher | 432-92-7105 | $142.28
     Ingrid Parker | 595-29-7406 | $102.48
     Secured Tape Backup (path labels: Decru DataFort, Encrypted, FC SWITCH, Encrypted). [Figure: the same tape contents shown as unreadable ciphertext]

  13. Hardware-based security
     Hardware-based encryption provides crucial advantages over software-based solutions:
     • Wire-speed performance
     • All encryption and key management are processed by specialized encryption hardware: Decru Storage Encryption Processor (SEP)
     • Multi-gigabit throughput, sub-100 microsecond latency
     • Encryption and key management are maintained in secure hardware
     • Software encryption stores keys in… Windows.
     • DataFort provides military-grade hardened architecture (FIPS 140-2 Level 3 certified) with storage optimized AES-256
     • Encryption keys never exposed in an open operating system (e.g. Windows, Linux…)

  14. High Availability for Encrypted Data
     • DataFort cluster failover
     • DataFort cloning
     • Software recovery

  15. Decru Lifetime Key Management™: Automated, Secure, Enterprise-Wide Key Management
     1. Each DataFort appliance provides automated, self-contained key management.
     2. Keys are automatically and securely replicated to additional cluster nodes.
     3. All DataFort appliances across the enterprise replicate keys to Decru Lifetime Key Management™ (LKM) system, providing automated, secure enterprise-wide key management.
     Recovery smart cards enforce quorum approval for sensitive operations.
     [Diagram labels: Secure Key DB, LKM]

  16. Global Investment Bank: Secure Consolidation
     [Diagram labels: UNIX Development Environment; Developer A, Developer B, Developer C; DataFort E-Series; Shared storage with Cryptainer A, Cryptainer B, Cryptainer C]
     Features listed: Access Controls, Authentication, AES-256 Encryption, Cryptainer™ Vaults

  17. Fortune 5 Company: GLBA Compliance, Secure Offshoring
     [Diagram labels: Transaction Processing Servers; FC switches; DataFort FC-Series; SAN Storage; Secure Replication to DR]
     Features listed: Port Locking, SAN Host Authentication, AES-256 Encryption, Cryptainer™ Vaults

  18. UK National Health Service: Tape Encryption for Patient Privacy
     [Diagram labels: Backup Servers; Fibre Channel; FC switches; DataFort FC-Series; Encrypted; Backup Tape Libraries]
     Features listed: Port Locking, SAN Host Authentication, Data Compression, AES-256 Encryption, Cryptainer™ Vaults

  19. Secure DR: Multiple Copies of Data
     [Diagram labels: Headquarters and DR Site/Outsource, each with Server, FC switch, DataFort, Storage, and WAN link; Tape System; paths marked Clear text (Data Exposed) and Cipher Text (Data Secured)]

  20. Questions?
