Data Encryption Challenges
Ease of Installation
• Plug seamlessly into the current IT environment
• Realize zero downtime or disruption to workflow
• Make no modifications to hosts, servers, or applications, and no forklift upgrades to storage
No Performance Impact
• Encrypt data at wire speeds
• No impact to existing applications
• Require no additional CPU overhead
Meet Regulatory Requirements
• Government and industry regulations mandate protection of data at rest; for example, FIPS 197, California SB 1386, PCI, HIPAA, Basel II and so on
Scalability
• As data grows, scale cost-effectively
NetApp Storage Security Value Proposition
NetApp Storage Security will help you to:
• Meet regulatory requirements
• Secure data at rest
• Enforce separation for multi-tenancy applications
• Enable data privacy
Pillars of Storage Security and Privacy
• Key Management (SafeNet)
• NAS encryption (SafeNet)
• FDE (NetApp)
• Multi-Tenancy (NetApp)
SafeNet StorageSecure: Next Generation NAS Encryption
• Transparent network-based file and block encryption:
    • Windows®, UNIX®, Linux®, and Solaris
• Targeted at IP-SAN and NAS
• Industry standard protocols
• 1-GbE and 10-GbE interfaces
• Encryption keys managed through KeySecure
• Low latency, wire-speed encryption and decryption engine
• High reliability
SafeNet KeySecure k460
• Universal Enterprise Key Management:
    • NetApp DataFort (all models)
    • NetApp Lifetime Key Management appliance
    • NetApp Storage Encryption
    • Brocade Encryption Switch
    • SafeNet StorageSecure™
Compliance with the OASIS Key Management Interoperability Protocol (KMIP) ensures broad compatibility with future encryption products across all participating vendors.
NSE: Full Disk Encryption (FDE)
• Always-on Protection
    • Simple set and forget, no configuration
    • Protects your data when returning spares, repurposing, upgrading, or moving
• Optimized Performance
    • Minimal performance impact (<1%)
    • Works with NetApp storage efficiency and AV scanning
• Standards Based Security
    • AES 128- or 256-bit encryption (drive specific)
    • FIPS 140-2 level 2 validated drives
    • Trusted Computing Group (TCG)
    • Standards-based KMIP server for key management
    • 600 GB SAS or 3 TB SATA
How Does NSE Work?
• The Authentication Key is backed up to the external KMIP server and retrieved only during Data ONTAP startup
• The Authentication Key wraps the Disk Key in order to “lock” the drive
• The Disk Key resides on the drive and is used to encrypt/decrypt data
The Security Challenge
• Secure environments traditionally require dedicated resources
• Inefficient and inflexible
    • Costly to deploy and manage
    • Low utilization rates
    • Difficult to change
• How to gain the efficiencies of virtualization while maintaining security?
(Figure: ERP, HR and CRM, each running its applications on its own dedicated resources)
What is a “Tenant”?
• An organizational unit within a shared infrastructure used to group objects or entities with common requirements and administrative isolation
Examples include but are not limited to:
• Customers (Customer A, Customer B)
• Applications (App1, App2)
• Business Units (Finance, Sales)
• Departments (Dept A, Dept B)
(Figure: tenants of each of these kinds hosted on one shared infrastructure)
Adding Security to Virtualized Infrastructure
No Compromise: Share, Control, and Improve Efficiency
• Secure Multi-tenancy
• End-to-end isolation
• Share more infrastructure across all your customers and applications
• Share more = save more
• Maintain the same control physical silos provided
• Increase infrastructure efficiency
• Reduce risks in deploying shared infrastructures
(Figure: ERP, HR and CRM sharing the Apps, Servers, Network and Storage layers)
NetApp MultiStore
Secure IP Space
• Discrete, private secure network partition
• Logical partitions within the NetApp array
Secure VLAN Interface
• Securely maps VLANs directly to IP spaces
Network VLAN
• Used to logically partition networks
• Separates broadcast domains
NetApp provides the industry’s only complete tool set for providing path isolation from the disk through the network. This level of security is mandatory for multi-tenant environments.
(Figure: one Virtual Storage Controller per customer (Customer A, Customer B, Customer C), each with its own data volumes)
Multi-Tenancy
• Quality of service (QoS)
• Control operations or raw throughput used by tenants
• Control bully workloads
• Limit I/O to Vservers, flexible volumes, files, or LUNs
Example of Partnership Architecture - SMT
Solution Overview
• NetApp, Cisco, and VMware jointly developed an end-to-end virtualized and secure Infrastructure as a Service (IaaS)
• End-to-end Secure Multi-Tenancy
• Defense in depth throughout the infrastructure
Customer Benefits
• Proven highly scalable infrastructure supporting all applications through one unified architecture
• Drive significantly higher economies of scale, increased utilization, and better SLAs
(Figure: stack of VMware vSphere, vCenter and vShield Zones 2.0; Cisco Nexus 5000, Nexus 1000V, UCS, VLAN and 10GbE; NetApp MultiStore, NFS, FC/FCoE and SnapMirror; tenants HR, BU and APP)
NetApp Storage Security Summary

| | SafeNet StorageSecure (Ethernet based) | NetApp Storage Encryption (NSE) | Secure Multi-Tenancy |
|---|---|---|---|
| Encryption Device | External Appliance | Based on Hard Drive | OS Embedded |
| Protocols Supported | CIFS, NFS, iSCSI | Protocol Independent | FC/FCoE, CIFS, NFS, iSCSI |
| Encryption granularity | Share/volume/iSCSI LUN | Entire disk/HA pair (system level) | N/A |
| Key Management | SafeNet KeySecure | KMIP compatible (SafeNet KeySecure) | N/A |
| Performance | 1/10Gb Ethernet | 10k or 15k High Perf Drive or 7.2k Capacity Drive | Non influential |
| Certifications | FIPS 140-2 level 3 | FIPS 140-2 level 2 | Joint Validated design |
| Primary Use Cases | Enhanced ACLs; Cryptographic separation; Heterogeneous storage; Cloud | Disk theft/misplaced; Non-returnable disk; Preserves storage efficiency | Shared Infrastructure; Cloud; Consistent QoS |