Hot Technologies in Storage

Continued from page: 3

Manu Priyam

Tuesday, July 03, 2007

Security for Data-in-store: Can't Take It for Granted

Over the past few years we have seen instances that revealed an underlying need for securing data-in-store. It is not only data-in-transit that is vulnerable. Let's see how it is done.

Over the past few years, there's been a sizable increase in malicious attacks on corporate computer systems and electronic thefts of private information. To provide protection from these attacks, most companies have secured their systems and network from outsiders, implementing perimeter-based security strategies with firewalls and virtual private networks (VPNs) to ensure that external users can't access sensitive data without authorization. But that's not enough anymore. Today, you also have to secure data from unauthorized employees and erroneous or unwanted use by an authorized user.

What comprises storage security?
Typically, there are three parts to storage security: authentication, access control and encryption. Authentication ensures that only authorized people can access data. For authentication on a network we have several standards and protocols, such as Remote Access Dial-in User Security (RADIUS) and Challenge Handshake Authentication Protocol (CHAP). Meanwhile, new storage-specific methods and standards, such as Diffie-Hellman CHAP, are also emerging that enable organizations to add authentication to the storage infrastructure.

Access control maps a user or a system to a particular set of data and enforces that mapping. On a network, users can only view data allowed by router access control lists (ACLs) and by the directory services that control access. Within the storage infrastructure, which servers have access to what data is controlled by techniques like zoning and LUN (Logical Unit Number) masking (discussed in PCQuest, May 2007, pp. 76-77).

Encryption also forms a key part of an effective storage strategy. There are two key components in encryption, viz., the encryption algorithm and the key. There are several standards for implementing encryption. Most systems use specific algorithms for specific operations, such as 3DES for encrypting data at rest and AES for encrypting data in flight.

[Figure: Key lifecycle for data-in-store]

Additional considerations
Besides encryption, it is also necessary to ensure that the encrypted data remains unaltered until decryption. Message digests or secure hashes are fixed-length bit strings that can be used to verify the validity of data. There are various mechanisms to calculate a secure hash. The most common ones are MD5 and SHA1, but stronger hashes like SHA256, SHA384 and SHA512 are recommended. Alternatively, a keyed-hash message authentication code (HMAC) built on a stronger hash is also an advisable option. Key exchange should also involve an Internet-based Certificate Authority.

Key management
Encryption is not the end of it. In fact, it gives rise to another important aspect: key management. There are basically two kinds of encryption that one can have, symmetric-key encryption or asymmetric-key encryption. Symmetric-key encryption is preferred for data at rest. Two standards for symmetric-key encryption are being worked on by IEEE, namely P1619 (for disks) and P1619.1 (for tapes).

No matter what encryption standards you are following, you should always have a key hierarchy. The hierarchy must consist of at least two levels of keys: a data encryption key and a key encryption key (KEK). As the name suggests, the KEK is used to encrypt the data encryption key so that it can be stored safely. The deeper the hierarchy of keys, the more robust the key management system required to operate it.

A key management system is one that combines the devices, people and operations required to create, maintain and control keys. Some of the common components of a key management system are:

  • Key generators: Keys can be generated manually or, preferably, by a random number generator. Ideally, the random number generator should be non-deterministic. However, to date no certified or accepted Non-deterministic Random Bit Generator (NRBG) exists, because there is no standard verification process for one. Until one is developed, it is good practice to use a Deterministic Random Bit Generator (DRBG) certified by an appropriate agency or by the government of the country where the storage device is kept.
  • Transport of keys: This can again be done manually through smart cards or automatically.
  • Encryption devices: This defines the granularity of the key, that is, at which level (disk, directory or individual file level) to encrypt data. It depends on the sensitivity of data.
  • Key archive systems: This provides for easy recoverability of keys. These are maintained in some tamper-proof hardware to ensure key security.
  • Key backup files or devices: This is different from key archiving; it is the practice of securely backing up keys and restoring them in case of a disaster. Keeping control of the key backup system is extremely important to key security and integrity.

Conclusion
Data encryption is nothing new, but it becomes important in the case of high-volume storage, and it poses some formidable challenges as well. For example, encryption and decryption are processor-intensive activities that may slow down access to stored data. The situation becomes worse when organizations are storing and accessing massive amounts of information.

The management of the encryption keys should also be handled in an efficient, reliable and secure way. Moreover, the application should be completely abstracted from where and how the encryption is being done, and the whole process of storage security should be automated.

Next Page : Data Replication over WANs
