1 / 34

StorageSecure Appliance Overview

StorageSecure Appliance Overview. Module 1: Lesson 4 SafeNet StorageSecure Storage Security Course. Lesson Objectives. By the end of this lesson, you should be able to: Describe the various SafeNet StorageSecure models Describe SafeNet StorageSecure components and features.

marika
Download Presentation

StorageSecure Appliance Overview

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. StorageSecure Appliance Overview Module 1: Lesson 4 SafeNet StorageSecure Storage Security Course

  2. Lesson Objectives • By the end of this lesson, you should be able to: • Describe the various SafeNet StorageSecure models • Describe SafeNet StorageSecure components and features

  3. StorageSecure Models

  4. SafeNet StorageSecure Appliance Models All models are: • 19” depth, Rack mountable, 2U • Redundant and hot-swappable power modules • Redundant but not hot-swappable internal fans

  5. Chassis Features • Secure chassis with intrusion detection to protect against physical probing attacks • Field upgradeable Storage Encryption Processor (Firmware) • No hard drives or other magnetic media; internal compact flash stores configuration database and encrypted keys (16GB) • LEDs for local system status • Smart Card reader for system card • Zeroize button for battlefield deployment

  6. The SafeNet StorageSecure Appliance • Front panel for both models • Rear panel and connectors 10Gb SFP Ethernet ports: one for hosts, and one for storage ports Serial port Management ports 1Gb SFP Ethernet ports: one for hosts, and one for storage ports

  7. Cover Removed

  8. Cover Removed (Cont.)

  9. LED Indicators / Card Reader/ Zeroize Button

  10. Rear View

  11. Appliance Features

  12. SafeNet StorageSecure Appliance Features • Standards based • Ethernet, TCP/IP, iSCSI(Available in Release 1.1) • CIFS, NFS, HTTPS, FTP (HTTPS / FTP are Available in Release 1.1) • Plays well with others • Transparent deployment • No changes to systems, applications, or network • No change to user workflow • Transparent initial encryption and rekeying (Available in Release 1.1) • Ease of use • Can be installed with zero downtime • Secure Web-based management and robust command-line interface • Performance • Interface speeds : 1-Gb Ethernet, 10-Gb Ethernet • Less than 100-microsecond latency

  13. SafeNet StorageSecure Features • Tampering • Whenever the StorageSecure is tampered, all the keys and configuration will be deleted from the appliance and the ALM led will be turned on. • Zeroize • By deleting encryption keys, all copies of encrypted data are instantly and permanently rendered unreadable, regardless of location • Configurable security settings • Allows administrator to tune defense settings and security policy • Separate administrative roles • Full administrator • Specialty administrators • Read only administrators

  14. Secure Disaster Recovery

  15. SafeNet StorageSecure Appliance Components

  16. StorageSecure Components • StorageSecure Motherboard and CPU • Tile Mpower Motherboards and Tile64 Processor • Contains 64 Tiles (or Cores) • http://www.tilera.com • Storage Encryption Processor (SEP) • SafeNetOkemo SEP • Firmware upgradeable. • Hardware-based true random number generator (TRNG) enables high-entropy key generation • Clear text keys never leave the SEP module • Encryption boundary is physically protected by a FIPS 140-2 Level 3 chassis to prevent physical probing attacks

  17. The TILEMPower Main Board

  18. StorageSecureComponents – Cont. • StorageSecure OS • Hardened implementation of TileLinux • Not customer accessible, except through CLI commands • SafeNetStorageSecure Management Console • Management interface for KeySecure and SafeNetStorageSecure appliances • Setup Wizard: Initial configuration, recovery, and cluster configuration wizard • Smart Cards • SafeNet KeySecure • Automated backup of keys • Backup of SafeNet StorageSecure appliance configuration

  19. KeySecure Architecture • Each SafeNet StorageSecure appliance provides automated, self-contained key management. • Keys are automatically and securely replicated to additional cluster nodes. • All SafeNet StorageSecure appliances across the enterprise back up their keys to the KeySecure Appliance, providing automated, enterprise-wide key management.

  20. Key Sharing Methods Key Translation • Key translation is the process of sharing encryption keys from one SafeNet StorageSecure appliance with another SafeNet StorageSecure appliance using the KeySecure Appliance.

  21. Key Sharing Methods StorageSecure Recovery • Encryption keys and configuration information may be recovered to a replacement SafeNet StorageSecure appliance Cloning • Encryption keys and configuration information may be copied to another SafeNet StorageSecure appliance, creating a clone of the original

  22. Key Sharing Methods Cluster • The SafeNet StorageSecure appliance may be clustered, in which case all configuration data including encryption keys are shared with the SafeNet StorageSecure appliance joining the cluster (limited to 2 StorageSecures per cluster) Trustee • SafeNet StorageSecure appliances may also enter into a trust relationship with another SafeNet StorageSecure appliance. • SafeNet StorageSecure trust is a bidirectional, point-to- point link between appliances that allows encryption keys to be shared.

  23. Battery and Intrusion Detection • Battery life time is 7 years. • Different battery architecture than NetAppDataFort E-Series. • It is now possible to power off the appliance for a long period of time, power it back up and continue to work without having the “intrusion detected” activated. • In case of low battery do the following • Make sure that the StorageSecure is backed up. • RMA the existing appliance or obtain a new appliance. • Restore the configuration and keys to the newer appliance.

  24. Battery thresholds There are two battery low thresholds • First thresholdat or around 2.95V • Will light the front panel LED and create a log entry. • All other functions are available. • Second threshold at 2.5-2.6V • Will “Tamper” the box • No security functions can be performed. • The appliance will not load the configuration • The box needs to be RMA’ed to replace the low battery when the second threshold is tripped.

  25. SafeNet StorageSecure Smartcards • Authentication services • Establishes credentials • Privacy services • Encryption • Compromise resistant • Compromise of a single component will not compromise the system • Secure hardware • FIPS and Common Criteria certification

  26. Simplified Key Hierarchy

  27. System Card • Required: • Once initialized, each system card is unique to that SafeNet StorageSecure appliance • Secure communication channel between SEP and system card • Unlocks the master key • Required to start encryption services; can be removed • Card reader in the SafeNet StorageSecure appliance • No PIN is used

  28. Admin Card • Optional: • Provides two-factor authentication • Can be shared between SafeNet StorageSecure appliances • Card reader at management station • No PIN is used

  29. Recovery Cards • Required: • Secret to access the Recovery Policy Key is split and shared across Recovery Cards • Secret sharing ensures multiple people are required to access cryptographic functions • Card reader at management station and KeySecure server • PIN is required per Card.

  30. Recovery Policy Key

  31. Quorum of Recovery Cards • Required to perform critical operations • Quorum options: • 2 out of 5 (default) • 3 out of 5 • 2 out of 3

  32. Ignition

  33. Lesson Summary • In this lesson, you should have learned to: • Describe the various SafeNet StorageSecure models • Describe SafeNet StorageSecure components and features

  34. Module Summary • In this module, you should have learned to: • Describe data security standards and principles • Provide an overview of SafeNet StorageSecure • Describe SafeNet StorageSecure components and features

More Related