Encryption NAS Environments WP (En) v2 Web
Encryption NAS Environments WP (En) v2 Web
Encryption NAS Environments WP (En) v2 Web
Executive Summary
The very attributes that make network-attached storage environments invaluable to enterprisestheir accessibility, centralization of assets, and flexibilityalso make them valuable targets to malicious insiders and external criminals, and susceptible to accidental exposure. This paper details why encryption is vital in NAS environments that house sensitive assets, and offers some key considerations for picking the right NAS encryption platform.
1 Ponemon Institute, 2010 Annual Study: U.S. Cost of a Data Breach Report, March 2011, http://www.symantec. com/content/en/us/about/media/pdfs/symantec_ponemon_data_breach_costs_report.pdf
Distributed. The fact that most NAS environments are replicated, both on backups and onto offsite locations for disaster recovery purposes, can increase the risks and exposure of sensitive assets that are stored in that environment. Vague legal protections. For companies that manage their intellectual property digitally, the blurred legal definitions of illegal theft that have surfaced in a recent case further underscore the fact that companies have to protect the digital assets in their NAS environments, and cannot rely on the threat of arrest and jail time as a deterrent to keep employees from stealing those assets. In the case in question, a Goldman Sachs engineer who stole the source code of a proprietary trading application was found not guilty. The court opinion ruled, that in this case, because software code was stolen rather than physical goods, the theft was of purely intangible property embodied in a purely intangible format. 2
TechCrunch, Court Rules Software Not Protected By Fed Crime Laws, Overturns Conviction of Goldman Engineer, Daniel McKenzie, April 14th, 2012, http://techcrunch.com/2012/04/14/court-software-not-protected-by-federal-criminal-laws-overturns-convictionof-goldman-sachs-engineer/
3 PCI Security Standards Council, Payment Card Industry (PCI)Data Security Standard: Requirements and Security Assessment Procedures, Version 2.0, October 2010, https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
Ultimately, there are two ways to look at the incentives for complying with these types of mandates, the carrot and the stick. The stick is that failure to comply can result in fines and lost business. The carrot is that by complying with these types of guidelines, organizations can strengthen security and effectively guard against breaches. For example, the 2012 Data Breach Investigations Report indicated that 96 percent of data theft victims that were subject to PCI DSS had not achieved compliance.4 Ensuring Control in Outsourced Environments For the vendors that serve larger enterprises, these compliance mandates can also have a trickle-down effect as larger enterprises and government agencies are increasingly requiring vendors to comply with their mandates. This is especially critical for enterprises that look to cloud providers and outsource IT or developmentsituations in which NAS systems may need to be accessed or managed by third parties via the Internet. Encryption can play an integral role in gaining the control needed to safeguard assets and address policies in outsourced environments. For example, if a NAS environment is made accessible by external parties via the Internet, encryption provides an invaluable layer of security in the event access methods are compromised.
and have them propagated across all pertinent areas. Encryption efficiency. This also represents a more efficient model: As opposed to point encryption, where data on one platform would have to be decrypted and re-encrypted when it is transmitted to another platform. With this approach, a specific asset can be encrypted once and distributed to multiple systems, and only needs to be decrypted when an authorized user needs access to it. Unified auditing and remediation. Finally, having all keys centralized can also significantly streamline auditing and remediation by housing audit logs that encompass all key-related activities. Within this context, the Key Management Interoperability Protocol (KMIP) standard, which was ratified in 2010, represents a significant development. The KMIP standard was developed by the Organization for the Advancement of Structured Information Standards (OASIS). KMIP was developed in order to establish a single, comprehensive protocol for standard communication between key management servers and the enterprise-wide cryptographic clients that use these keys. By leveraging technologies that adhere to the KMIP standard, organizations can begin to centralize key management for a number of disparate encryption platforms that may currently be deployed in the enterprise. Encryption Platform Deployment When implementing encryption in NAS environments, security teams can choose from a broad range of platform types. Following are a few options and considerations: Full disk encryption. While the simplicity of having a drive that has its own encryption capabilities can sound appealing, the reality is that these alternatives do not give most organizations the kind of control needed to comply with regulations, or prevent employees from accessing sensitive information. For example, if the HR folder and the Finance folder are stored on the same disk or disk array, employees in Finance could have full access to HR files, and vice versa. Full disk encryption ensures that if the drive is physically removed from the data center, no one can access the information. On the other hand, this approach does nothing to protect credit card data, patient information, employee records, or other sensitive information from employees within the organization. Switch-based encryption. Alternatives that perform encryption within the switch itself can be highly effective. However, this approach is extremely expensive, and, in most cases, requires an extensive infrastructure overhaul to implement. Agent-based encryption. Many encryption solutions require an agent to be installed on every client that needs to access encrypted data. In larger enterprises, this can result in thousands of clients requiring the installation, administration, and updating of agents, which can pose a number of administrative challenges. Inline encryption. These encryption alternatives leverage a hardware appliance that is deployed on the network, either inline or connected to a switch, acting as a virtual proxy. The advantage of this approach is that it typically does not require any network changes. Further, it is an approach that can be completely transparent to end users and work with a heterogeneous collection of NAS servers. Consequently, in a number of organizations, inline encryption alternatives often make the most sense from a security, cost, and administrative perspective. Granular Data Isolation and Encryption Many alternatives only enable encryption at the volume level. However, it is important to have as much flexibility as possible when it comes to determining which assets will be encrypted. This is important because the more granular control, the more efficient the encryption
deployment. This is true for two key reasons: Performance. No matter which encryption platform is employed, theres always a computation hit associated with encrypting or decrypting assets. By having granular controls, for example, that enable encryption at the folder level, organizations can ensure that only sensitive assets are being encrypted, and thus minimize the performance cost associated with encryption. Storage efficiency. Encrypted data cannot be deduplicated or compressed. Consequently, encryption can negate some of the storage efficiencies that NAS platforms deliver. With solutions that enable more granular, folder-level encryption, organizations can encrypt only the folders that contain sensitive data and leave the other folders unencrypted, which helps optimize storage efficiency. In addition, granular encryption affords higher levels of security, helping ensure that only authorized people can access certain encrypted folders or files. The less granular the encryption, the greater the risk of private data accidentally being exposed to someone without the proper rights. (See the section on full disk encryption above.) To maximize control and efficiency, encryption platforms should offer the flexibility to assign different encryption keys and policies to an individual share, folder, or file. This is vital for enabling security administrators to provide segregation of encrypted storage between users, groups, and, in the case of service providers, clients and other entities. High Availability When encryption is employed, the importance of having encryption and decryption capabilities continuously available cannot be overstated. Quite simply, if the encryption platform goes down, users cannot access encrypted data, which is often comprised of some of the organizations most vital resources. Consequently, its important to leverage encryption platforms that ensure continuous availability of critical cryptographic processing and data. Toward that end, look for encryption offerings that provide the following capabilities: Clustering. Look for encryption platforms that offer capabilities for clustering multiple appliances, which helps organizations ensure vital encryption capabilities and encrypted data are always available when needed. With these capabilities, all keys, policies, and configuration information can be shared among appliances within a cluster, so that if a primary appliance goes offline, a secondary appliance in the cluster can take on the required workload. High throughput and minimal latency. It is important to leverage an encryption platform that is based on a dedicated, robust security appliance. This appliance should feature specialized hardware and parallel processing in order to deliver the scalability and responsiveness required. Further, look for solutions that offer support for 1 and 10 gigabit Ethernet networks, ensuring organizations can meet both their near- and long-term security and throughput needs. Support for Disaster Recovery. The ability to instantaneously access the necessary encryption keys at a remote site in order to access critical data after a disaster is vital. This means the encryption keys must be replicated to a remote location as soon as they are created, rather than as part of a daily backup cycle. With the above capabilities, organizations can enjoy the security benefits of encryption, while minimizing the implications encryption can have on network reliability and performance. Granular, Efficient Access Controls The extent to which an encryption platform integrates with and supports existing access control infrastructures and policies is a vital determinant to the ultimate success of the encryption deployment. Following are a few of the features to look for in supporting this
objective: Support for two-factor authentication. To maximize the security of an encryption deployment, it is vital to leverage encryption platforms that support two-factor authentication. This can be a vital line of defense, for example, if a client with NAS access is compromised. Integration with authentication frameworks. Depending on the specific objectives and infrastructures of a given organization, it can be highly advantageous if a security platform can be configured to leverage an existing authentication framework, such as Active Directory, LDAP, or NIS. This can help security teams more seamlessly leverage existing policies and administrative efforts within the domain of access to encrypted data, which helps ensure administrative efficiency and consistent policy adherence. Independent access control lists. In addition, it may be important to consider encryption platforms that can be configured to have their own access control listswhether run independently or to augment those of the existing authentication framework. By leveraging a platform that can work independent of any existing authorization scheme, organizations can implement safeguards that, for example, could offer protection against a rogue Active Directory administrator, preventing them from using their administrative privileges to decrypt sensitive data that they are not authorized to access.
Conclusion
Done correctly, deploying encryption in NAS environments can boost security and strengthen compliance. Done improperly, it can be a costly exercise that offers limited security and hampers business productivity. By leveraging the guidelines outlined aboveincluding deploying an encryption platform that centralizes cryptographic keys, delivers high availability, offers granular encryption and access controls, and moreorganizations can maximize the chances of success with their NAS encryption initiatives.
About SafeNet
Founded in 1983, SafeNet, Inc. is one of the largest information security companies in the world, and is trusted to protect the most sensitive data for market-leading organizations around the globe. SafeNets data-centric approach focuses on the protection of high-value information throughout its lifecycle, from the data center to the cloud. More than 25,000 customers across commercial enterprises and government agencies trust SafeNet to protect and control access to sensitive data, manage risk, ensure compliance, and secure virtual and cloud environments.
Contact Us: For all office locations and contact information, please visit www.safenet-inc.com Follow Us: www.safenet-inc.com/connected
2012 SafeNet, Inc. All rights reserved. SafeNet and SafeNet logo are registered trademarks of SafeNet. All other product names are trademarks of their respective owners. WP (EN)-04.24.12