ABC of Storage Security

M. Granata – NetApp System Engineer

Data Encryption Challenges

Ease of Installation · No Performance Impact · Meet Regulatory Requirements · Scalability

• Encrypt data at wire speeds
• No impact to existing applications
• Require no additional CPU overhead
• Plug seamlessly into current IT environment
• Realize zero downtime or disruption to workflow
• Make no modifications to hosts, servers, applications, or forklift upgrades to storage
• As data grows, scale cost-effectively
• Government and industry regulations mandate protection of data at rest; for example, FIPS 197, California SB 1386, PCI, HIPAA, Basel II and so on

NetApp Storage Security Value Proposition

NetApp Storage Security will help you to:

• Meet regulatory requirements
• Secure data at rest
• Enforce separation for multi-tenancy applications
• Enable data privacy

Pillars of Storage Security and Privacy

• Key Management – SafeNet
• NAS – SafeNet
• FDE – NetApp
• Multi-Tenancy – NetApp

SafeNet StorageSecure – Next Generation NAS Encryption

• Transparent network-based file and block encryption:
    • Windows®, UNIX®, Linux®, and Solaris
• Targeted at IP-SAN and NAS
• Industry standard protocols
• 1-GbE and 10-GbE interfaces
• Encryption keys managed through KeySecure
• Low latency, wire-speed encryption and decryption engine
• High reliability

SafeNet KeySecure k460

• Universal Enterprise Key Management:
    • NetApp DataFort (all models)
    • NetApp Lifetime Key Management appliance
    • NetApp Storage Encryption
    • Brocade Encryption Switch
    • SafeNet StorageSecure™

Compliance with OASIS Key Management Interoperability Protocol (KMIP) ensures broad compatibility with future encryption products across all participating vendors.

NSE: Full Disk Encryption (FDE)

• Always-on Protection
    • Simple set and forget, no configuration
    • Protects your data when returning spares, repurposing, upgrading, or moving
• Optimized Performance
    • Minimal performance impact (<1%)
    • Works with NetApp storage efficiency and AV scanning
• Standards Based Security
    • AES 128 or 256 bit encryption (drive specific)
    • FIPS 140-2 level 2 validated drives
    • Trusted Computing Group (TCG)
    • Standards-based KMIP server for key management
    • 600 GB SAS or 3 TB SATA

How Does NSE Work?

• The Authentication Key is backed up to the external KMIP Server and retrieved only during Data ONTAP startup
• Authentication Key wraps the Disk Key in order to “lock” the drive
• Disk Key resides on the drive and is used to encrypt/decrypt data

The Security Challenge

• Secure environments traditionally require dedicated resources
• Inefficient and inflexible
    • Costly to deploy and manage
    • Low utilization rates
    • Difficult to change
• How to gain efficiencies of virtualization – while maintaining security?

[Diagram labels: ERP, HR, CRM; ERP Apps, HR Apps, CRM Apps]

What is a “Tenant”?

– An organizational unit within a shared infrastructure used to group objects or entities with common requirements and administrative isolation

Examples include but are not limited to:

• Customers (A, B)
• Applications (App1, App2)
• Business Units (Finance, Sales)
• Departments (Dept A, Dept B)

[Diagram: the tenants above on one Shared Infrastructure]

Adding Security to Virtualized Infrastructure

No Compromise: Share, Control, and Improve Efficiency

• Secure Multi-tenancy
• End-to-end isolation
• Share more infrastructure across all your customers and applications
• Share more = save more
• Maintain the same control physical silos provided
• Increase infrastructure efficiency
• Reduce risks in deploying shared infrastructures

[Diagram labels: ERP, HR, CRM; Storage, Servers, Network, Apps]

NetApp MultiStore


Secure IP Space
• Discrete, private secure network partition
• Logical partitions within the NetApp array

Secure VLAN Interface
• Securely maps VLANs directly to IP spaces

Network VLAN
• Used to logically partition networks
• Separates broadcast domains

NetApp provides the industry’s only complete tool set for providing path isolation from the disk through the network. This level of security is mandatory for multi-tenant environments.

[Diagram labels: Virtual Storage Controller – Customer A, Customer B, Customer C, each with its own Data; LIF]

Multi-Tenancy
• Quality of service (QoS)
• Control operations or raw throughput used by tenants
• Control bully workloads
• Limit I/O to Vservers, flexible volumes, files, or LUNs

Example of Partnership Architecture - SMT

Solution Overview
• NetApp, Cisco, and VMware jointly developed end-to-end virtualized and secure Infrastructure as a Service (IaaS)
• End-to-end Secure Multi-Tenancy
• Defense in depth throughout the infrastructure

Customer Benefits
• Proven highly scalable infrastructure supporting all applications through one unified architecture
• Drive significantly higher economies of scale, increased utilization, and better SLAs

[Diagram labels: vSphere, vCenter, vShield Zones 2.0; Nexus 5000, 1000V, UCS, VLAN, 10GbE; MultiStore, NFS, FC/FCoE, SnapMirror; tenants HR, BU, APP]

NetApp Storage Security Summary

| | SafeNet StorageSecure (Ethernet based) | NetApp Storage Encryption (NSE) | Secure Multi-Tenancy |
|---|---|---|---|
| Encryption Device | External Appliance | Based on Hard Drive | OS Embedded |
| Protocols Supported | CIFS, NFS, iSCSI | Protocol Independent | FC/FCoE, CIFS, NFS, iSCSI |
| Encryption granularity | Share/volume/iSCSI LUN | Entire disk/HA pair (system level) | N/A |
| Key Management | SafeNet KeySecure | KMIP compatible (SafeNet KeySecure) | N/A |
| Performance | 1/10Gb Ethernet | 10k or 15k High Perf Drive or 7.2k Capacity Drive | No impact |
| Certifications | FIPS 140-2 level 3 | FIPS 140-2 level 2 | Joint Validated design |
| Primary Use Cases | Enhanced ACLs; Cryptographic separation; Heterogeneous storage; Cloud | Disk theft/misplaced; Non-returnable disk; Preserves storage efficiency | Shared Infrastructure; Cloud; Consistent QoS |