Keep Data Storage Costs Contained While Meeting Security, Control and Governance Objectives
Highlights
Challenges
Solution Western Digital’s ActiveScale™ cloud object storage along with Storage Made Easy’s Enterprise File Fabric™ platform reduce costs, and improve availability and oversight, by moving end-user data off traditional filesystems. ActiveScale provides a cost-effective modern storage system that is scalable, durable and fast. The file fabric unifies ActiveScale along with other private and public data stores into a single, centrally managed virtual filesystem, with web, desktop and mobile entry points. A Powerful solution from Western Digital and Storage Made Easy The exponential growth of unstructured data has created huge challenges for enterprises and service providers. Storage and compliance costs take an ever-growing slice of the budget as companies manage petabytes and even exaabytes of data while also dealing with increased regulatory oversight. How can organizations keep data costs contained while tackling the regulatory requirements from GDPR and other new privacy regulations?
2017 was not an easy year to be a CIO or CISO, and 2018 isn’t showing any signs of being easier. With so many career-ending-level data breaches in 2017 (e.g.Equifax, Uber, Yahoo to name a few) and with the stronger regulatory requirements worldwide, CIOs / CISOs have a corporate responsibility to rethink their approach to data security. Regulatory compliance aside, companies have a responsibility to their customers and shareholders to protect data, and minimize its exposure not only to external attackers but also to employees. The most common method of data breach in 2017 was phishing Email sent to the company’s internal employees (See 2017 Data Breach Investigation Report), This makes the employees unwillingly complicit in the data breach. Over 80% of successful cyber attacks have a critical human element that enabled them. The average-employee who opens the innocent-looking attachment or link, unintentionally jeopardizing the company's data. While there is no 100% protection”, there are common sense rules to decrease the attack surface of any company.
A corporation that treats its data as the source of its business advantage, and understands how sensitive it is to its customers, how should it minimize the attack surface, and why are AFAs (All Flash Arrays) in the way of this? When the org-chart dictates the security method Conway’s law has long taught us that the organizational structure directly impacts the results / design more than anything else. In the context of security this is fairly simple: If the CISO and storage manager are highly coordinated in their work, you are going to find your data encrypted in the storage layer, and the “encryption” box will be checked. Storage is also the “path of least resistance” as storage arrays can instantly enable encryption without any performance penalty. However, is storage level encryption helping to reduce your attack surface? A little, yes. It still leaves ALL other layers unencrypted, and that data traverses the network unprotected.
Think of it this way - the higher up the encryption of personal / sensitive data happens, the more layers remain protect. Each row in the table below represents your attack surface if you choose a specific layer to encrypt the data in.
Noticed how little storage level encryption actually protects? And yet this is a commonly used data security method. Why Are All-Flash-Arrays Increasing Your Attack Surface? While most (if not all) AFAs offer disk level encryption, that is the only level of encryption they allow—data is encrypted anywhere else, the AFAs can’t perform data reduction and the entire economics of AFAs break. AFAs must rely on data reduction (1:3 and 1:6) to minimize the price premium to a point where the customers can afford it. This means customers choosing to base their production infrastructure on All-Flash-Arrays are effectively blocking themselves from implementing an end-to-end encryption policy, which all regulations of data privacy require (GDPR, SB-1386, HIPAA, PCI-DSS, NY-DFS and others). When “Optimal” Meets Feasible This optimal approach for data security is often limited by pre-existing realities: - The 10-year-old application that doesn’t offer encryption and is no longer support. The business critical app that takes a year to receive maintenance for. - The application owner who won’t invest the time to encrypt. When the rubber hits the road, compromises are often needed to accelerate your data security adoption. Many customers will opt to encrypt these environments in lower levels of the stack (DB/VM/OS) to be able to comply with corporate and regulatory requirements. This approach is often mandatory to meet compliance deadlines, however it’s worth limiting the number of separate approaches the company uses to avoid a high overhead. It’s worth noting (again) that all these alternatives have the same effect—limiting the data reduction of AFAs, and increasing their storage TCO.
There is no doubt that data security is an increasingly critical concern for organizations worldwide. Lack of effective technology and weak security policies can leave an organization open to liability. One of the drawbacks to improving security is the perceived administrative overhead associated with doing so. An organization must weigh new processes and technologies with all of the new complexity in securing and managing that data. Within the industry there is an expectation of friction between ease of administration and implementation of comprehensive data security, which can be a barrier organizations must overcome. Or, alternatively, they must find a way a better way to get the results they desire. Pure Storage believes that data needs to be secured to the highest possible standards, and that this level of security should be transparent to customers. By transparent, we mean invisible to the customer and requiring zero management. Pure Storage® accomplishes this by securing data at rest with AES-256 bit encryption. Moreover, our data encryption occurs without impact to performance and while maintaining full data reduction capabilities. Pure Storage FlashArray encryption is FIPS 140-2 certified, NIST compliant, NIAP/Common Criteria validated, and PCI-DSS compliant. The efficacy of our data encryption and data erasure have been validated by Kroll OnTrack, one of the industry’s leading security firms. With the increase in data protection and compliance regulations required by various industries, countries and regions, the high level of built-in security and encryption capability available in a FlashArray represents an effective way to help achieve data protection regulatory compliance. To see how FlashArray can contribute to the European Union’s General Data Protection Regulation, read our report, FlashArrays and GDPR Compliance. Achieving high levels of security does not equate to product complexity – Pure Storage FlashArray encryption at rest is protected by an internal process that removes key management from users. Not only does this allow our customers to focus on data storage, it also removes human error from the process. Our key management is sophisticated, including automatic key rotation, periodic key regeneration, and unreadable partitioned keys that are spread over FlashArray flash modules. In the event of total array loss, multiple steps are required to reconstruct the data, requiring physical access to a majority of the modules of the array, access to all secure keys that are partitioned across all flash modules, and a deep understanding of the hidden logical structure of the internal databases. To completely lock down the array, even in the event of total loss to a highly-skilled intruder with deep product-specific knowledge, Pure Storage also provides Rapid Data Locking through two optional external key technologies: - USB connected Spyrus Rosetta II Smartcards. A FlashArray can be completely locked (data rendered permanently unrecoverable) with the removal of the smart card and power loss to the array. - KMIP (Key Management Interoperability Protocol) remote key server. A FlashArray can be locked down by revoking a remote key and powering off the FlashArray.
The FlashArray encrypts data with the use of three dependent layers of internal keys:w an Array Key (figure 1), an SSD Key (figure 2), and a Data Encryption Key (figure 3). The array key is generated with a random secret and then broken up over a number of SSDs. This method assures that half of the array drives, plus two more, are required to recreate the current access keys. SSD keys are never exposed on any array interface, nor does any single SSD contain a full encryption key
When a flash module needs to be replaced, it is inserted into the array and initialized. At this point, a device-specific access key is created and sent to the device. The FlashArray must supply the access keys to unlock any flash module – and once the device key is written to the flash module, it cannot be read back. These various flash module access keys are only accessible with the Array key.
Finally, the array uses a data encryption key to encrypt data stored on flash modules. Like the SSD access key, the encryption key is also partitioned across all of the devices. An array’s data encryption key is constant for the life of the array, but it is re-encrypted each time the array creates new device access keys. Like SSD access keys, array data encryption keys cannot be exposed or read back.
The Array Key expires every 24 hours – this is required to unlock the flash modules, which have a unique ID that must match the FlashArray to device hash. Once a quorum of drives are unlocked (half of the drives plus two), only then can the Data Encrypting Key be read. This process runs continuously in the background, assuring that no single device, or even half of the devices, can allow data access.
Some environments require external key management for locking down an array that is forward deployed. There are two solutions:
With Smartcard RDL, customer-programmable Spyrus Rosetta II Smartcards act as security tokens that enhance SSD access keys and participate in key regeneration at power-on. Once unlocked, flash modules are accessible, but when smartcards are removed from the USB connected readers, the SSDs cannot be unlocked at power-on. For example, if an array is transported separately from its smartcards, data on its SSDs cannot be read or written, even with specific Pure Storage knowledge and the required skills in cryptography. The smart cards act as a secondary SSD key, and without access to them, none of the flash modules can be unlocked.
Conceptually, KMIP RDL works the same way – a secondary user-controllable key is introduced that allows for unlocking the array’s flash modules. Instead of being physically connected to the array through a USB card reader, KMIP keys are remotely accessed from a KMIP server. Without access to the server, the flash modules cannot be unlocked on power-on. RDL can be enabled during installation, or at any time thereafter. Once enabled, RDL is permanent. It applies to all of an array’s SSDs, including those added afterward.
COMPLIANCE AND CERTIFICATION The FlashArray is FIPS 140-2 certified, Common Criteria certified, and PCI-DSS compliant. The following are the NIST validations for the algorithms used for encryption. AES [FIPS 197 and SP 800-38A] AES: http://csrc.nist.gov/groups/STM/cavp/documents/aes/aesval.html Validation nr. 3181 [FIPS 198-1] HMAC: http://csrc.nist.gov/groups/STM/cavp/documents/mac/hmacval.html Validation nr. 2007 [FIPS 180-4] SHS: http://csrc.nist.gov/groups/STM/cavp/documents/shs/shaval.htm Validation nr. 2633 [FIPS 140-2 Certification] https://csrc.nist.gov/projects/cryptographic-module-validation-program/Certificate/2467\n NIAP Certification (with Purity 4.7+ ) https://www.niap-ccevs.org/st/Compliant.cfm?pid=10664 Common Criteria (CC) Information The Common Criteria Recognition Arrangement (CCRA) is an international agreement that defines criteria for specifying and evaluating security in information technology products. Strict CC compliance requires certain Pure Storage FlashArray capabilities – for example, PhoneHome and RemoteAssist – be restricted. These features can be enabled, but full relaxation of Common Criteria compliance would require Technical Support engagement. Payment Card Industry Data Security Standard (PCI-DSS) PCI-DSS is a standard for managing credit card information of customers. It defines rules of security for various data center devices. PCI-DSS specifies a number of requirements which are met or exceeded by criteria in the Pure FlashArray Common Criteria certification. Payment Card Industry Data Security Standard (PCI-DSS) PCI-DSS is a standard for managing credit card information of customers. It defines rules of security for various data center devices. PCI-DSS specifies a number of requirements which are met or exceeded by criteria in the Pure FlashArray Common Criteria certification.
Pure Storage, with a continuous emphasis on simplicity, has implemented rigorous security measures including AES256 bit encryption, data erasure, rapid data locking technologies, key management, and a robust encrypt/decrypt process. These features meet or exceed internationally recognized security standards such as FIPS 140-2, NIAP/ Common Criteria and PCI-DSS. Coupled with comprehensive organizational security measures, FlashArray can help customers meet security requirements and data compliance regulations around the world – including the recently updated GDPR. Pure Storage has achieved this without compromise in product serviceability, performance, or our industry leading data reduction capabilities