Around the Storage Block Blog : security

NPI Day Part 2

CalvinZ — Mon, 17 Nov 2008 23:00:00 GMT

By Calvin Zito

In my previous post, I talked a little bit about our New Product Introduction (NPI) process and gave some pointers to a number of things that came from the latest NPI. Here are a few more things to highlight:

We announced the HP StorageWorks SAN Virtualization Platform a couple of weeks ago - you can see the product page at www.hp.com/go/SVSP.
We also had publicly announced updates to the StorageWorks Secure Key Manager at SNW Dallas back in mid-October. You can learn more about the enhancements at www.hp.com/go/storagesecurity or on the product page.
We also announced new functionality on our XP24000 and XP20000 Disk Array family. You can learn about the XP enhancements on the XP Disk Array product page. Jim Hankins is writing a blog about External Storage Disaster Recovery with details so I won't spoil his fun. Also new with the XP is support for Solid State Storage Technology. One of our competitors predicted that we wouldn't have solid state storage technology until 2009. I think we beat that by a bit. Now we have solid state for both our BladeSystem and XP disk array with more to come. No hype, just keeping it real!
Utility Ready Storage is an interesting solution that we've offered for a while and I'm guessing will get more interesting for customers with the looming economic situation. There are some new services with Utility Ready Storage and a very good feature article describing it. Here's a link to the article: Aligning storage costs and usage with Utility Ready Storage.

I've only touched on some of the NPI enhancements today but hopefully I've given you a small glimpse into what is going on.

Calvin Zito

Storage Security at SNW

CalvinZ — Mon, 13 Oct 2008 16:36:00 GMT

This week is the fall Storage Networking World in Dallas. At the show, we made an announcement today focused on storage security - a topic growing in importance.

Threats to storage security are real and can be a significant liability. Seems as though not a week goes by in the press without another story of some data being lost, stolen or hacked. And there is a cost associated with these type of breaches. Here's an interesting web-based tool from Tech//404 that calculates the cost of data loss from security breaches and identity theft. The site also talks about a number of class action suits with class sizes ranging from a quarter of a million people to two million seeking damages in the range of $1,000 to $21,000 per person in the class. There could be some mind-boggling settlements.

Encryption is relatively easy - managing keys is the challenge. Multiple key management systems increases complexity and lowers the success of recovery. We believe that centralized key management trumps a disparate systems approach because it's more efficient and offers better data availability. Today's announcement has two components:

Enhancements to our HP StorageWorks Secure Key Manager - increasing the capacity to 2 million encryption keys per cluster and lowered entry price with a single client/node configuration.
Disk encryption for the XP24000 and XP20000 - encrypts data on disk drives so that data can not be read off a disk drive that is removed without having the key. Here's a short white paper that talks about the XP disk encryption.

We have a web page that has a number of white papers, including from a leading analyst firm Enterprise Strategy Group, and other information on today's announcement. While the announcement today focuses on storage, we have a broader security initiative called HP Secure Advantage Solutions. We're driving solutions that protect data, protect resources, and provide validation.

Here's hoping your data is secure and that we have a more secure week in the financial markets.

I've been personally impacted by lost tapes

jim hankins — Wed, 17 Sep 2008 17:55:00 GMT

Hi Folks,

Yesterday I received a letter in the mail at home that started off:

Dear Sir or Madam,

We are writing to let you know that computer tapes containing some of your personal information were lost while being transported to an off-site storage facility by our archive services vendor. While we have no reason to believe that this information has been accessed or used inappropriately, we deeply regret that this incident occurred....

So the first question I have is how does an archive vendor lose tapes? How hard can it be to take the tapes from your customer put them in a secure truck and drive them to the storage facility? Isn't that your whole business model - you will pick up, transport and store these tapes safely and securely 100% of the time?

Now I understand that any activity with humans involved cannot be guaranteed to work 100% of the time. So what really happened? A bit more of an explanation would have been helpful, such as the truck was in an inadvertent accident and the contents of the truck were spilled into a river or all over the highway and could not all be recovered. Without more details I'm left wondering did someone make off with the tapes by accident or on purpose? Or was this just sloppy work by the company?

Anyway, I hope this is a call to action for this company to do at least two things to prevent such an incident in the future.

1. Look into tape encryption such as the LTO-4 offers. I would have been more much pleased if that second sentence read "While the tapes were physically lost, the data they contained cannot be accessed or read by anyone because the data on the tapes is securely encrypted with sophisticated technology requiring encryption keys to make the data readable. Our security policy ensures that these keys are always stored in or transported to physically separate locations from the computer tapes."

2. Consider the use of replication and electronic vaulting for moving data off-site for archiving. With new technologies such as deduplication and low-bandwidth replication, this company would perhaps be able to reduce the amount of data that is stored on tapes and physically transported to archive storage. Again, I don't know the specifics here, but as an example let's say this company had four sites that they were backing up to data to tape and transporting those tapes to off-site archives. With replication and electronic vaulting, they could replicate data from three of their sites to just one site for backup to tapes and then only have to move tapes from the one site to archive storage thereby reducing their risk exposure by 75%.

If you're worried about how a similar incident could impact your company and what risks are involved HP is here to help. We can work with you to significantly reduce your data security exposure from the desktop to your data center. On the storage side, we offer a FREE storage security risk assessment. For more details on HP's other data security options beyond storage please check HP's Security web page.

How are you securing your unstructured data?

jim hankins — Thu, 03 Jul 2008 17:04:00 GMT

-by Jim Hankins

We've all being hearing about the difficulties of deploying enough storage to keep up with the growth of unstructured data (email, Microsoft Word, PowerPoint, audio, video, etc.).

I just saw this article over at Computerworld,

http://www.computerworld.com/action/article.do?command=viewArticleBasic&articleId=9105818

that says not only is storage growth a problem, but only 23% of IT professionals believe that unstructured data is being adequately secured in their companies. Have you been thinking about this issue at your company? Could you be putting your company at risk or perhaps even your job if one of these pieces of unstructured data gets into the wrong hands?

We have a FREE tool that allows you to assess the security of your storage and backup environment. Give it a try at: www.hp.com/storage/securityassessment.

Also, if you have a few minutes take a look at our Storage Security solutions at: www.hp.com/go/storagesecurity or if you are looking for security solutions across other areas of your IT infrastructure please take a look at our Secure Advantage portfolio www.hp.com/go/security.

And have a safe, secure and happy 4th of July!

RSA2008 Conference

BlogArchive — Tue, 08 Apr 2008 12:13:00 GMT

- by Carlos Martinez

With 17,000 attendees and over 350 exhibitors the RSA2008 Conference can be an intimidating experience for IT storage professionals who are investigating privacy solutions for data-at-rest. HP is a comforting and familiar face for these storage professionals because they know HP is committed to both storage and security with the power of our Secure Advantage portfolio. HP addresses security holistically from the desktop to the data center to protect resources, data and provide validation for audits.

HP StorageWorks has several new Secure Advantage proof points to display at the RSA show including:

A fabric switch designed to offer privacy for legacy tape data.
A simple encryption kit single tape autoloaders and small libraries.
Integration of the Secure Key Manager with the HP Compliance Log Warehouse to extend our value for compliance.
The new HP Storage Security Assessment tool enables customers to gauge their data protection privacy vulnerabilities online and free of charge.

Data-at-rest is a huge privacy risk but HP is definitely there to help with solutions, tools and services which you can see demonstrated here at the RSA Conference.

Unencrypted Tape Creates Security Vulnerabilities

BlogArchive — Tue, 11 Mar 2008 12:33:00 GMT

-by Carlos Martinez

One of the top storage security vulnerabilities for enterprises today is unencrypted tape. Most enterprises store tape cartridges off the premises as protection against site disaster. This is a good thing. But the unaccounted for cartridge vulnerability arises during transportation or at a 3rd party storage facility. Considering how much sensitive data can reside on a tape and the volume of cartridges handled, it is only a matter of time before some confidential data has unauthorized exposure. Regulations such as CA SB1386 require public disclosure when unencrypted data is lost or stolen. The majority of the states in the U.S. have similar laws. Even international companies doing business in the U.S. need to heed these laws.

In the 2007 the Ponemon Institute study found that only 11% were encrypting tape and it was single digit prior to that. One can assume that most of this tape encryption was software based. Tape encryption is a much more viable solution today because with embedded native hardware encryption, performance is not compromised and some suppliers including HP include encryption in the drive price. Actually the encryption is the easy part of the equation. What requires serious consideration is the key management system because the volume of the keys will multiple over time and data-at-rest keys can live for many years. Enterprise caliber key management systems addressing tape should integrate with LTO4 and be very automated, secure and redundant. Native tape encryption with solid key management will become standard practice in the enterprise in the not too distant future, and then we’ll see SMBs following right behind. Prevention of a breach is much less costly than addressing it after the fact.

EMC/RSA: Key Management? Nice try... (Part 2)

BlogArchive — Tue, 05 Feb 2008 19:07:00 GMT

Last time, I talked about how EMC’s key management product didn’t quite live up to ours hardened appliance. Here, I’ll go into the nitty-gritty details of why this is true.

The SKM is a preconfigured server and key management application with no other software loadable by the user or an attacker. Furthermore, unnecessary ports and services are disabled; it features built-in strong user authentication and is physically hardened.

No doubt, enterprises that are serious about privacy would consider the many practical security advantages of a hardened appliance. The SKM fits the bill in this regard because it’s complete and already locked down “out-of-the-box,” whereas the user would have to procure the HW and OS, and do all the installing and configuring with a software key management product and hope they didn't miss anything.

Their additional challenge would be to keep tight control over root access forever. HP is so adamant about striving for excellence in user confidence in the SKM that we’re undergoing the very rigorous FIPS 140-2 cryptographic validation process and subjecting it to review by an accredited independent laboratory (Check out the NIST website).

EMC/RSA does not have a key management product undergoing this process, though they do have limited toolkit and discrete components that have been validated.

Additional areas the SKM shines over EMC/RSA key management solutions are high availability, clustering and failover. The SKM boasts multiple layers of redundancy and DR: dual AC power, dual power supplies, dual network paths and mirrored disk – all in the appliance itself. The minimum 2-node SKM cluster automatically and transparently replicates keys and policy configuration across all cluster members.

Key management clients rotate across all available SKMs automatically by tier for geographic failover. The SKM features internal and external backup and provides the ability to recover a node or cluster from a backup and bare metal if needed.

Unencrypted tape is a privacy vulnerability enterprises are grappling with today. EMC/RSA needs to partner with 3^rd party vendors that must inject costly encryption appliances; conversely the SKM integrates seamlessly with the embedded hardware encryption capability on HP LTO-4 enterprise libraries.

HP allows flexibility in security policies such as a key/cartridge or a key/library partition. And practically, this allows incorporation of encryption at the customer’s pace as opposed to a forklift upgrade or being relegated to legacy tape solutions.

Carlos Martinez

EMC/RSA: Key Management? Nice try... (Part 1)

BlogArchive — Tue, 05 Feb 2008 02:27:00 GMT

Posted by Carlos Martinez

Storage security: Yet another area where EMC is playing catch up to HP StorageWorks.

EMC spent over $2 billion on the RSA acquisition in 2006 and still does not have an enterprise-caliber encryption key management solution.

We, on the other hand, quietly leveraged the HP Secure Advantage experts to develop the Secure Key Manager (SKM), which was announced last October.

HP Secure Advantage key management architecture is designed to accommodate future encrypting clients of various types and technologies across the infrastructure. HP is aggressively advocating key management standards that will maximize cross-portfolio and cross-vendor interoperability in the long run.

With HP’s breadth of storage, servers, applications, printing and mobile devices we have a vested interest in pursuing centralized key management. Storage pure-plays like EMC will be challenged to make this happen infrastructure wide.

To be honest, no one has “arrived” yet when it comes to “THE” secure key management solution, but HP is certainly leading EMC/RSA and others in proving the enterprise-caliber solution the industry is asking for.