
Keep Your Data Secure: Fighting Back With Flash


Executive Summary

For enterprises of any size, protecting data at rest remains a critical concern. With growing corporate reliance on mobility and portable devices (laptops, tablets, etc.), a data storage endpoint is now far more than a traditional desktop. Such protection matters across the whole enterprise, from the laptops and portable devices employees use to the storage devices in the data center.

The situation is compounded by the fact that today's data center is built from recording media that were not traditionally considered removable: hard drives, SSDs, other storage devices, even whole servers. All are shrinking in physical size, which is good for space and power efficiency but also makes them portable, and portability is a key concern. It is now easier than ever to lose sensitive business data.

These are important reasons why encryption of both stationary data and data on the go should be part of the overall security strategy of any large company. In addition, the growing need to comply with federal and industry information security regulations cannot be overstated.


CONTENTS:

• Executive Summary

• Data Encryption: Ensuring Peace of Mind

• Enhanced Encryption and Device Decommission in the Enterprise

• Freeing Up IT Resources

• The Micron Approach


As corporate leaders adopt specific measures, they are benefiting from an important feature: moving the encryption workload from the host CPU to the storage device. Security built into the storage hardware, as in a fully encrypting SSD, means no performance loss compared with the same SSD without encryption, because the AES engine sits in the drive's own data path. In this white paper, we explore the benefits of hardware encryption for strengthening data security across the enterprise while freeing IT to take on other important data center tasks.

Data Encryption: Ensuring Peace of Mind

As today's corporate workforce moves from desktops to the flexibility of mobile computing, that very mobility threatens the safety of corporate data. Removable media and ever more portable computers and storage devices have made data more vulnerable than ever to loss or theft. Firewalls, antivirus, security protocols and software tools all offer key safeguards, but self-encrypting drives (SEDs) provide the last line of defense, protecting critical data stored at the endpoints. AES (Advanced Encryption Standard) 256-bit encryption built into the storage hardware is the accepted standard for keeping sensitive corporate data locked down. In an SED, data is automatically encrypted on write and decrypted on read by an AES engine built directly into the SSD.

Removing the encryption burden from the host computer and moving it to the storage device ensures that stored data receives 256-bit encryption with no performance penalty. Note, though, that the encryption alone does not make a lost drive unreadable: the drive must also be locked, so that it refuses to release data until a user or administrator authenticates. With locking enabled, a powered-off or locked SED is unreadable no matter what happens to the device, because the only key that can decrypt the media never leaves the drive.

It’s important to note the SED by itself is not the complete solution in protecting data at rest. Also necessary is encryption management software, which provides the interface to the device to enable encryption and allows only authenticated access to the device. These software packages enable strong authentication to protect against unauthorized access to a lost device. In addition, such encryption tools provide advanced capabilities to ensure data remains safe, no matter where a device is located.

Centralized password backup and corporate-level access and authentication represent two additional capabilities to protect data.

Bringing such advanced features to market requires well-designed and widely accepted protocols and standards. As a globally recognized, not-for-profit organization, the Trusted Computing Group (TCG) is the body that brings these standards to the world. The goal of the TCG is to enhance the security of the computing environment in disparate computer platforms. TCG protocols for data storage devices can bring verifiable security to any business that stores sensitive data. Business-based content of all sorts can benefit, from employee-focused data and protected health information to corporate tax and financial records and reports.


The TCG maintains specifications that cover encryption and data protection across the full spectrum of computing environments, from endpoints and data processing to data transmission. The ones that apply specifically to data storage are the Storage Subsystem Classes (SSCs):

• TCG Opal SSC: This specification targets mobile computing on laptops and tablets as well as aspects of desktop computing. It secures data at rest on devices that are powered off or authentication-locked. Opal provides for pre-boot authentication, in which the user authenticates before the operating system loads, so no OS-level application (malware included) is in a position to observe or intercept the password as it is entered.

• TCG Enterprise SSC: This specification targets storage devices used in servers, primary enterprise storage, data centers and other enterprise-class applications. It ensures that data at rest stays protected by encryption even if physical security in the data center fails and a drive or an entire system goes missing. As with Opal, the media encryption key is generated by the SSD and never leaves the drive; the host supplies only the authentication credential. This matters in enterprise-class computing because neither key generation nor key storage falls to the host, which relieves the IT team of a significant burden. Enterprise SSC drives are typically managed from a system console through a TCG Enterprise compliant RAID controller or host bus adapter (HBA).

Although the TCG Opal and Enterprise specifications were developed in parallel over the last several years, Enterprise SSC drives have reached the market more recently. Opal was considered more urgent because of the immediate need to protect mobile computers. Encryption in the enterprise has long been widespread, but much of it has been performed by the host computing system. The more recent arrival of SEDs in the enterprise represents a significant new storage security capability.

Enhanced Encryption and Device Decommission in the Enterprise

As more end users rely on mobile computing, and as storage devices grow ever smaller, the risk of physically losing control of important data is obvious. Less obvious is the growing risk of losing control of data when a storage device is decommissioned.

It’s unfortunately common for data on devices from high-profile companies and government agencies to be inadequately deleted before the devices are disposed of, redeployed or even donated to charities like the local grade school. This lack of effective media “sanitization” has led to sensitive data being inadvertently released into the public domain.


enable data to be purged in a much more efficient, fast, and inexpensive method.

Cryptographic erase of an SED simply replaces the drive's media encryption key. Once authenticated, the system administrator issues a single command; the drive's on-board random number generator produces a new 256-bit key and the old key is securely destroyed. The operation completes in seconds, and because every sector on the drive was written under the old key, all of that data is now unreadable: the ciphertext is still physically present in the flash, but no key that can decrypt it exists anywhere. This is what makes the erase trustworthy on an SED specifically, where encryption has been on since the drive was first used; a drive that held plaintext at any point before the key change would still need a conventional sanitize.

SSDs also provide a uniquely fast way to securely erase or sanitize the drive even when cryptographic erase is not available. Overwriting every sector of a spinning hard drive can take many hours; an SSD can block-erase its flash in minutes.

This element of speed represents a key advantage of SSDs compared to traditional rotating devices. Crypto erase and the fast and easy sanitize process provide an enterprise with efficient and verifiable means to ensure that retired or redeployed devices don’t take sensitive data with them.
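"Verifiable" means reading the drive back after the erase, not trusting the status code alone. The following is an added example written for this page, not a Micron tool: it samples random sectors from a block device or image file, looks for a marker that was written to the media before decommissioning, and measures per-sector entropy, so leftover plaintext shows up as a marker hit or a low-entropy sector. The marker, sample count and entropy threshold are assumptions, and the demo builds a throwaway image file rather than touching a real drive.

```python
"""Spot-check a drive or image after cryptographic erase or sanitize: sample
sectors, look for a marker planted before decommissioning, and measure per-sector
entropy. Added example, not a Micron tool; works on any path open() can read."""
import math
import os
import random
import tempfile
from collections import Counter

SECTOR = 512


def shannon_entropy(data):
    """Bits per byte of the sector's empirical byte distribution: 0.0 for an
    all-zero sector, roughly 7.6 for 512 random bytes, 4 to 5 for English text."""
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def verify_erase(path, marker, samples=256, seed=None, random_threshold=7.0):
    """Read `samples` randomly chosen sectors from `path` (block device or image)
    and classify each. A clean crypto erase leaves every sampled sector at
    near-maximum entropy; a block erase leaves zeros; leftover plaintext shows
    up as marker hits or low-entropy sectors."""
    rng = random.Random(seed)
    report = {"sampled": 0, "marker_hits": 0, "zero_sectors": 0,
              "low_entropy_sectors": 0, "first_hit_lba": None}
    with open(path, "rb") as f:
        f.seek(0, os.SEEK_END)
        total = f.tell() // SECTOR        # lseek(SEEK_END) sizes block devices too
        for _ in range(samples):
            lba = rng.randrange(total)
            f.seek(lba * SECTOR)
            sector = f.read(SECTOR)
            report["sampled"] += 1
            if marker in sector:
                report["marker_hits"] += 1
                if report["first_hit_lba"] is None:
                    report["first_hit_lba"] = lba
            if sector == bytes(len(sector)):
                report["zero_sectors"] += 1
            elif shannon_entropy(sector) < random_threshold:
                report["low_entropy_sectors"] += 1
    report["looks_erased"] = (report["marker_hits"] == 0
                              and report["low_entropy_sectors"] == 0)
    return report


def demo():
    """Constructed image, not a real drive: plant a marker in every sector, then
    simulate a crypto erase (random bytes) and a block erase (zeros)."""
    sectors, marker = 4096, b"DECOM-MARKER"
    fd, path = tempfile.mkstemp(suffix=".img")
    os.close(fd)
    try:
        with open(path, "wb") as f:
            for lba in range(sectors):
                f.write((marker + b" lba=%d" % lba).ljust(SECTOR, b"\0"))
        before = verify_erase(path, marker, samples=128, seed=1)
        with open(path, "wb") as f:
            f.write(os.urandom(sectors * SECTOR))
        after_crypto = verify_erase(path, marker, samples=128, seed=1)
        with open(path, "wb") as f:
            f.write(bytes(sectors * SECTOR))
        after_block = verify_erase(path, marker, samples=128, seed=1)
    finally:
        os.remove(path)
    return {"before": before, "after_crypto": after_crypto, "after_block": after_block}
```

Against a real device, write the marker to a few known sectors before the erase, then run `verify_erase` on the device path (a hypothetical `/dev/sdX`, opened with enough privilege to read the raw device) through the drive's normal read path while it is unlocked. Sectors that come back as zeros are consistent with a block erase or with deallocated flash; only uniformly high-entropy reads with no marker hits are what a cryptographic erase should look like.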

Freeing Up IT Resources

SEDs, especially solid state SEDs, offer other efficiencies in managing IT resources. On an SED the encryption engine is always on: all stored data is encrypted from the first write, whether or not authentication control has been enabled. So when the security features are switched on, there is no lengthy encryption pass over the data already on the device; enabling protection amounts to setting credentials on the drive, and the media key itself never changes. As a result, an IT department can rapidly image many devices, or quickly enable encryption on a few, and then move on to other tasks.
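The two claims above, that enabling protection on an SED is instant because the media was encrypted from the first write, and, from the decommissioning section, that cryptographic erase makes data unrecoverable by replacing one key, can be seen in a small model. The following is an added example written for this page, not Micron code and not a TCG Opal implementation: the class and method names are invented, PBKDF2 stands in for whatever credential derivation a real drive uses, and SHAKE-256 stands in for the drive's AES-256 engine so that the model runs with only the Python standard library. It also shows the failure mode noted earlier: an SED whose locking was never enabled hands its plaintext to whoever powers it up.

```python
"""Model of a self-encrypting drive: always-on media encryption, locking enabled
after the fact, and cryptographic erase. Added example, not Micron's code."""
import hashlib
import hmac
import os

SECTOR = 512             # assumed sector size for the model
PBKDF2_ROUNDS = 100_000


def _keystream(key, lba):
    # SHAKE-256 keyed with media key + LBA: a stdlib stand-in for the drive's
    # AES-256 engine (per-sector keystream under a key that stays on the drive).
    return hashlib.shake_256(key + lba.to_bytes(8, "big")).digest(SECTOR)


def _xor(a, b):
    return bytes(x ^ y for x, y in zip(a, b))


def _kek(pin, salt):                      # key-encryption key from the PIN
    return hashlib.pbkdf2_hmac("sha256", pin.encode(), salt, PBKDF2_ROUNDS)


class SelfEncryptingDrive:
    def __init__(self, sectors=8):
        self._mek = os.urandom(32)        # media key: made on-drive, never exported
        self._media = [self._crypt(i, bytes(SECTOR)) for i in range(sectors)]
        self._salt = self._wrapped = None # MEK wrapped under the PIN-derived key
        self._locking_enabled, self._unlocked = False, True

    def _crypt(self, lba, data):          # stream cipher: encrypt == decrypt
        return _xor(data, _keystream(self._mek, lba))

    def _wrap(self, pin):                 # XOR-wrapped MEK plus an HMAC tag
        kek = _kek(pin, self._salt)
        blob = _xor(self._mek, hmac.new(kek, b"wrap", hashlib.sha256).digest())
        return blob + hmac.new(kek, blob, hashlib.sha256).digest()

    def _authenticate(self, pin):         # the MEK, or None for a wrong PIN
        kek = _kek(pin, self._salt)
        blob, tag = self._wrapped[:32], self._wrapped[32:]
        if not hmac.compare_digest(tag, hmac.new(kek, blob, hashlib.sha256).digest()):
            return None
        return _xor(blob, hmac.new(kek, b"wrap", hashlib.sha256).digest())

    def write(self, lba, data):           # False while locked, like a drive status
        if not self._unlocked:
            return False
        self._media[lba] = self._crypt(lba, data.ljust(SECTOR, b"\0"))
        return True

    def read(self, lba):                  # None while locked
        return self._crypt(lba, self._media[lba]) if self._unlocked else None

    def raw_media(self, lba):             # what a chip-off reader sees
        return self._media[lba]

    def enable_locking(self, pin):        # instant: no sector is rewritten
        self._salt = os.urandom(16)
        self._wrapped = self._wrap(pin)
        self._locking_enabled = True

    def power_cycle(self):                # MEK leaves RAM; locked only if enabled
        if self._locking_enabled:
            self._unlocked, self._mek = False, None

    def unlock(self, pin):
        mek = self._authenticate(pin)
        if mek is not None:
            self._mek, self._unlocked = mek, True
        return mek is not None

    def crypto_erase(self, pin):
        # New MEK: every sector stays in place but decrypts to noise; no media pass.
        if self._authenticate(pin) is None:
            return False
        self._mek, self._salt = os.urandom(32), os.urandom(16)
        self._wrapped, self._unlocked = self._wrap(pin), True
        return True


def scenario():
    """Walk the states the white paper describes; report which protections held."""
    secret = b"payroll Q3: confidential".ljust(SECTOR, b"\0")   # constructed data
    drive = SelfEncryptingDrive()
    drive.write(0, secret)
    r = {"media_is_ciphertext": drive.raw_media(0) != secret}
    drive.power_cycle()                   # locking never enabled: a thief reads it
    r["stolen_unlocked_drive_readable"] = drive.read(0) == secret
    before = drive.raw_media(0)
    drive.enable_locking("correct horse battery")
    r["enable_rewrote_media"] = drive.raw_media(0) != before
    drive.power_cycle()                   # now the drive comes up locked
    r["locked_drive_readable"] = drive.read(0) is not None
    r["wrong_pin_accepted"] = drive.unlock("guess")
    r["right_pin_reads_data"] = drive.unlock("correct horse battery") and drive.read(0) == secret
    drive.crypto_erase("correct horse battery")
    r["media_unchanged_after_erase"] = drive.raw_media(0) == before
    r["data_recoverable_after_erase"] = drive.read(0) == secret
    return r
```

The `before` bytes captured ahead of `enable_locking` are identical after it and again after `crypto_erase`: the flash is never touched in either operation. What changes is only whether a key capable of decrypting those bytes exists, and who can obtain it.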

The encryption management software described earlier, layered on top of Opal SEDs, further lightens the IT burden by letting an administrator act on a lost machine from a console in the IT office. For example, when a lost notebook next reaches the network, the IT manager can cryptographically erase its drive to ensure the data stays protected, or lock the drive so that an intruder who holds the hardware still cannot authenticate to it. The Opal specification itself defines the drive-side locking and erase operations; locating and reaching the notebook is a function of the management software, not of the drive.

The Micron Approach

Micron Technology offers TCG Opal SSC and TCG Enterprise SSC compliant SEDs built to meet the data protection and security requirements of today's data-centric enterprise. Micron provides the ability to protect data in the event of hardware loss or theft, and guards against the intrusions that can follow from such a loss.

Micron’s SEDs implement verifiable data protection methods, following protocols that allow customers to know for certain that their data is protected, both at rest and after device decommissions.


The amount of data end users generate continues to grow rapidly, and Micron understands that a data storage endpoint is now far more than a traditional computer or storage array. Micron is positioned to offer comprehensive data at rest security with TCG-based encryption for both client and enterprise SEDs.

Conclusion

When it comes to mobility in the enterprise, it’s easy for a computer or storage device to move around, after hours or during business travel. More and more companies are recognizing the inherent risks of this mobility. The end users of data storage systems are searching for concrete steps they can take to secure their data storage and to gain peace of mind. These companies require assurance that their important, sensitive data moves through the world protected against loss or theft.

But mobile computing is not the end of the story. Today much more data is stored in the cloud, whether public or private, which has drawn far more attention to enterprise encryption. The advantage of moving the encryption workload to the storage device is becoming increasingly evident. C-level executives and IT professionals have a clear choice: SED adoption satisfies regulatory and standards compliance, lowers TCO, increases IT efficiency, and secures data against breach due to lost or stolen devices.
