2016 SNIA Data Storage Security Summit. © HyTrust Inc. All Rights Reserved.
Experiences of Deploying Encryption and Key Management in Private, Public and Hybrid Cloud Environments
Steve Pate, Chief Architect, HyTrust Inc, [email protected]
Who am I?
• Long background in OS / storage: ICL, SCO, VERITAS, several startups
• Vormetric CTO (*)
• HighCloud Security CTO and co-founder (*)
• HyTrust Chief Architect (*)
(*) Encryption and Key Management
2
Before the Cloud …
Why encrypt? Compliance drivers:
• PCI, HIPAA, IP, government
• Laptops and other devices (data leaving the building)
How hard was it? “IT don’t just say no. They say hell no!” – Fortune 500 CISO
• Physical key management
• Poor performance
• Multiple platforms
• Downtime for initial installation / encryption
3
And now, in a post-cloud world
• The data is leaving the building!
• Mistrust is an issue
• Encryption becoming more prevalent
• Cross cloud support is important
4
Data from SkyHigh Cloud Computing Trends 2016
Who encrypts where?
Plus now …
• Gateways / Proxies
• Cloud fabric (S3)
• API-driven Cloud encryption
5
Encryption Solutions – Example 1: VM Encryption
Pros:
• Encryption travels with the VM
• Works in physical, virtual and any IaaS platform
Cons:
• Agent running in each VM
• Usually done above dedup and compression (the storage layer then sees only high-entropy ciphertext, so it can neither dedupe nor compress it)
6
Encryption Solutions – Example 2: Hypervisor
Pros:
• OS guest agnostic
• No VM agent
Cons:
• Hypervisor-specific
• Doesn’t work across clouds
• Backups in the clear
7
Encryption Solutions – Example 3: Self Encrypting Drives
Pros:
• Application / OS / VM agnostic
• Best for performance
Cons:
• Data coming off the disk is in the clear (once the drive is unlocked every read returns plaintext, so SEDs protect against loss of the physical drive and nothing above it)
• Key management complex
8
Key Management
“Key Management is where encryption projects go to die” – Wall Street CIO
“Key management is the hardest part of cryptography and often the Achilles’ heel of an otherwise secure system.” – Bruce Schneier, preface to Practical Cryptography
9
Key Management Basics
IaaS with on-premise key management
10
Key Management Requirements
• Simple but secure!
• Highly-available
• Standards adoption (FIPS 140-2, CC, …)
• Support for open standards (e.g. KMIP)
• Flexibility:
  • Virtual and/or physical appliances
  • Integration with HSMs and external KMIP servers
  • On-premise and in the cloud
11
Simplicity vs Security
How registration looked just a few years ago:
• Download agent
• Create certificate for each install
• Install and register:
  • Provide certificate
  • Provide IP address(es) of Key Cluster node
  • Add one-time passphrase
• Authenticate on key server: repeat one-time passphrase
12
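The registration flow on this slide, worked through as an added example (it is not HyTrust's code or protocol): the key server mints a one-time passphrase for an agent, the installer presents its certificate, the configured key-cluster node addresses and the passphrase, and the server consumes the passphrase exactly once, binds the certificate to the agent and authenticates every later key request by that pinned certificate. The transport is a direct method call standing in for TLS, the certificates are constructed PEM-looking blobs, and the agent IDs, node addresses and 10-minute passphrase lifetime are assumptions.

```python
"""One-time-passphrase agent registration against a key server (added example)."""
import hashlib
import hmac
import secrets
import time


def cert_fingerprint(cert_pem):
    """Pin the whole certificate blob; a real server would parse it and hash the DER."""
    return hashlib.sha256(cert_pem).hexdigest()


class KeyServer:
    OTP_TTL_SECONDS = 600  # assumed lifetime of an issued passphrase

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}   # agent_id -> (sha256(passphrase), expires_at)
        self._enrolled = {}  # agent_id -> pinned certificate fingerprint

    def issue_one_time_passphrase(self, agent_id):
        """Admin step on the key server: mint the passphrase the installer will repeat.
        Only its hash and an expiry are stored, so a leaked table yields no usable passphrase."""
        passphrase = secrets.token_urlsafe(24)
        digest = hashlib.sha256(passphrase.encode()).digest()
        self._pending[agent_id] = (digest, self._now() + self.OTP_TTL_SECONDS)
        return passphrase

    def register(self, agent_id, cert_pem, passphrase):
        """Called by the agent at install time. Returns (ok, reason)."""
        entry = self._pending.get(agent_id)
        if entry is None:
            return False, "no pending registration (already used or never issued)"
        digest, expires_at = entry
        if self._now() > expires_at:
            del self._pending[agent_id]
            return False, "one-time passphrase expired"
        if not hmac.compare_digest(digest, hashlib.sha256(passphrase.encode()).digest()):
            return False, "passphrase mismatch"
        del self._pending[agent_id]  # single use: consumed on success
        self._enrolled[agent_id] = cert_fingerprint(cert_pem)
        return True, "registered"

    def authorize(self, agent_id, cert_pem):
        """Later key requests are authenticated by the pinned certificate, never the passphrase."""
        pinned = self._enrolled.get(agent_id)
        return pinned is not None and hmac.compare_digest(pinned, cert_fingerprint(cert_pem))


class Agent:
    def __init__(self, agent_id, cert_pem, key_cluster_nodes):
        self.agent_id = agent_id
        self.cert_pem = cert_pem
        self.key_cluster_nodes = key_cluster_nodes  # assumed e.g. ["10.0.0.11", "10.0.0.12"]

    def install(self, connect, passphrase):
        """Try each configured key-cluster node until one is reachable, then register."""
        for node in self.key_cluster_nodes:
            server = connect(node)
            if server is None:
                continue
            return server.register(self.agent_id, self.cert_pem, passphrase)
        return False, "no key cluster node reachable"


def run_scenario():
    """Constructed walk-through: good enrollment, replay, wrong passphrase, expiry."""
    clock = [1_700_000_000.0]
    server = KeyServer(now=lambda: clock[0])
    cluster = {"10.0.0.11": None, "10.0.0.12": server}  # first node down, second up
    cert_a = b"-----BEGIN CERTIFICATE-----\nconstructed-cert-A\n-----END CERTIFICATE-----\n"
    cert_b = b"-----BEGIN CERTIFICATE-----\nconstructed-cert-B\n-----END CERTIFICATE-----\n"
    agent = Agent("vm-0042", cert_a, list(cluster))
    results = {}
    otp = server.issue_one_time_passphrase("vm-0042")
    results["enrolled"] = agent.install(cluster.get, otp)[0]
    results["replay"] = agent.install(cluster.get, otp)[0]
    results["key_request_ok"] = server.authorize("vm-0042", cert_a)
    results["key_request_other_cert"] = server.authorize("vm-0042", cert_b)
    otp2 = server.issue_one_time_passphrase("vm-0043")
    results["wrong_passphrase"] = server.register("vm-0043", cert_b, "guess")[0]
    clock[0] += KeyServer.OTP_TTL_SECONDS + 1
    results["expired"] = server.register("vm-0043", cert_b, otp2)[0]
    return results


if __name__ == "__main__":
    for name, ok in run_scenario().items():
        print(f"{name:24s} {'accepted' if ok else 'rejected'}")
```

The passphrase does only one job, proving that whoever ran the installer was handed a secret by an administrator; after that the certificate carries identity, which is why the server drops the passphrase on first success and why a replay with the same passphrase is refused even from the same certificate.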
Simplicity vs Security
What’s changed since then:
• Zero-touch model
• Everything API-driven
• Support for many thousands of endpoints
• Support for templates / clones / snapshots
13
Performance
• Encryption used to carry a high overhead
• Intel introduced AES-NI in 2009
• Performance has improved dramatically
14
https://software.intel.com/en-us/articles/intel-aes-ni-performance-enhancements-hytrust-datacontrol-case-study
The Issues with Virtual Machines
What is a Virtual Machine? Essentially a set of files:
• Easy to copy
• Easy to backup
• Easy to migrate
15
The Issues with Virtual Machines
But …
• Snapshot / clone and you have a copy
• Exposes contents of memory on disk
• Easy to spin up anywhere
• Data sovereignty issues
• Sources of entropy for key generation (a snapshot restored with its memory resumes with the same in-memory RNG state as the original)
• One reason why people encrypt everything!
16
The Memory Problem!
Snapshot a VM and you expose data
17
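What "expose data" means for the keys themselves, as an added example that is not from the slides or from HyTrust: a snapshot taken with memory writes the guest's RAM to disk, and AES implementations keep the 176-byte expanded key schedule next to the 16-byte key for speed. A key followed by its own schedule is a pattern random memory essentially never matches, so it can be found without knowing where any process lives; this is the approach of the cold-boot research's aeskeyfind tool. The "snapshot" below is a constructed byte string with one schedule planted in it, and the S-box is generated from its definition rather than pasted as a table.

```python
"""Locate AES-128 keys in a guest memory snapshot by finding expanded key schedules (added example)."""
import random

SCHEDULE_LEN = 176  # 11 round keys x 16 bytes for AES-128


def _rotl8(x, n):
    return ((x << n) | (x >> (8 - n))) & 0xFF


def _make_sbox():
    """Generate the AES S-box: GF(2^8) multiplicative inverse followed by the affine map."""
    sbox = [0] * 256
    p = q = 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p = p * 3 (3 generates GF(2^8)*)
        q ^= q << 1
        q ^= q << 2
        q ^= q << 4
        q &= 0xFF
        if q & 0x80:
            q ^= 0x09                                          # q = q / 3, so q == 1/p
        sbox[p] = q ^ _rotl8(q, 1) ^ _rotl8(q, 2) ^ _rotl8(q, 3) ^ _rotl8(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return sbox


SBOX = _make_sbox()


def _sub_rot(word):
    """SubWord(RotWord(word)) from the FIPS-197 key expansion."""
    return bytes(SBOX[b] for b in word[1:] + word[:1])


def expand_key(key):
    """AES-128 key expansion (FIPS-197 section 5.2): 16-byte key -> 176-byte schedule."""
    if len(key) != 16:
        raise ValueError("AES-128 key must be 16 bytes")
    w = [bytes(key[i:i + 4]) for i in range(0, 16, 4)]
    rcon = 0x01
    for i in range(4, 44):
        t = w[i - 1]
        if i % 4 == 0:
            t = _sub_rot(t)
            t = bytes([t[0] ^ rcon]) + t[1:]
            rcon = (rcon << 1) ^ (0x11B if rcon & 0x80 else 0)  # next round constant in GF(2^8)
        w.append(bytes(a ^ b for a, b in zip(w[i - 4], t)))
    return b"".join(w)


def find_aes128_keys(dump):
    """Return [(offset, key)] for every AES-128 key schedule found in dump.

    Cheap filter first: the first word of round key 1 must equal
    w0 ^ SubWord(RotWord(w3)) ^ Rcon[1]. Only candidates that pass are fully
    expanded and compared over all 176 bytes.
    """
    hits = []
    for off in range(len(dump) - SCHEDULE_LEN + 1):
        w0, w3 = dump[off:off + 4], dump[off + 12:off + 16]
        t = _sub_rot(w3)
        w4 = bytes([w0[0] ^ t[0] ^ 0x01, w0[1] ^ t[1], w0[2] ^ t[2], w0[3] ^ t[3]])
        if dump[off + 16:off + 20] != w4:
            continue
        key = dump[off:off + 16]
        if dump[off:off + SCHEDULE_LEN] == expand_key(key):
            hits.append((off, key))
    return hits


def build_snapshot(key, size=32 * 1024, seed=7):
    """Constructed stand-in for a .vmem file: pseudo-random filler with one expanded
    schedule planted where a crypto library's cipher context would sit. Returns (dump, offset)."""
    rng = random.Random(seed)
    buf = bytearray(rng.getrandbits(8) for _ in range(size))
    offset = rng.randrange(0, size - SCHEDULE_LEN)
    buf[offset:offset + SCHEDULE_LEN] = expand_key(key)
    return bytes(buf), offset


if __name__ == "__main__":
    key = bytes.fromhex("2b7e151628aed2a6abf7158809cf4f3c")  # FIPS-197 Appendix A.1 key
    snapshot, planted_at = build_snapshot(key)
    for off, k in find_aes128_keys(snapshot):
        print(f"AES-128 key schedule at offset {off:#x}: key {k.hex()}")
```

Against a real .vmem the same scan works unchanged, only slower in pure Python; the practical consequence for the slide's point is that a snapshot, a clone made from a running VM, or a backup of either carries every data-encryption key that was in use at that instant, whatever disk-level encryption is in place.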
The Memory Problem!
Intel SGX partly solves this but …
• Only Ring 3 (enclaves protect user-mode code only; kernel and hypervisor data stay outside them)
18
What does the Future Hold?
• More encryption for sure
  • Recall only 15.8% of data in the cloud is sensitive
  • This will increase dramatically
  • Data breaches come with heavy penalties
• Flexible key management:
  • Some proprietary APIs
  • More KMIP
  • Better interoperability
• International standards
19
Thank you!
Download this presentation and others from SNIA’s Data Storage Security Summit at:
http://www.snia.org/dss-summit
20