It is difficult to pick up a newspaper these days without reading about another high-profile data security breach, whether it is the loss of a laptop or a tape. Stored data is finding its way outside the corporate perimeter and into the hands of malicious individuals. The implication is clear: Data is now mobile. No longer can IT assume that important data is only stored within the confines of the glass house. It is shared with business partners, replicated to multiple data centers, and copied onto different media types that may ultimately be transferred to a third party.
A slew of compliance regulations (e.g., SOX, HIPAA, PCI, etc.) at the state and local level have sprung up to regulate data security and protect an individual’s privacy. Meanwhile, the storage security vendors have responded with innovative approaches to securing data at rest. However, with innovation comes choice and confusion. Key management is the most important and least understood aspect of data security today, yet as storage security moves into the mainstream, the need for centralized and automated key management integrated with existing IT business processes will become a reality. Storage managers need to have a strong handle on what key management means and how it will affect traditional storage-related workflows such as backup and recovery, disaster recovery, and storage management.
Keys and data encryption basics
There are two parts to the data security conundrum: securing data in flight and securing data at rest. Data in flight refers to the secure transfer of data from point A to point B across either a corporate network (e.g., LAN or SAN) or over the Internet. Securing data at rest entails protecting data from tampering and access while it is stored on laptops, tapes, and disk systems.
This article focuses primarily on approaches that secure data at rest. However, several of these approaches partially address the issues of securing data in flight, too.
Keys are the linchpins of all data-at-rest security systems. Keys are strings of 1s and 0s that when used in concert with an encryption algorithm allow clear text to be made unreadable. There are two elements that in combination determine the overall strength of the encryption: the type of encryption algorithm and the key length.
First, there are two classes of encryption algorithms: public key algorithms (or asymmetric) and private key algorithms (symmetric). Public key algorithms use public and private key pairs that are mathematically related to encrypt and decrypt data. In public key algorithms, the private key is kept secret, while the public key may be widely distributed. Therefore, to send an encrypted message from point A to point B, point A would retrieve point B’s public key, encrypt the message with it, and send it to point B. Point B would decrypt the message using its own private key without having to share it. In a sense, the public key “locks” a lock, while the private key is required to unlock it. RSA is an example of a public key algorithm in use today.
In the case of private key algorithms, a single shared secret key (also referred to as a symmetric key) is used to encrypt and decrypt data. Each entity that needs to encrypt or decrypt data must have access to that key. Advanced Encryption Standard (AES) and its predecessor, Data Encryption Standard (DES), are examples of widely used symmetric key algorithms.
The second crucial element of any encryption scheme is the overall length of the key. The key length determines how many permutations or key combinations are possible to encrypt a piece of data. The more permutations, the harder the data is to decrypt using a brute-force method. However, key lengths can be deceiving and a user must make sure to compare apples to apples. Public key cryptography uses keys that are substantially longer than private key cryptography. For example, a 128-bit symmetric key (i.e., a private key algorithm) and a 3072-bit RSA key (i.e., a public key algorithm) are considered to be equivalent in terms of strength, while a 15,360-bit RSA key is equivalent to a 256-bit symmetric key. For a public key algorithm like RSA, both the public and private keys are the same length.
Keys and storage security
Since most storage security offerings are in the data path, these products use private key cryptography to deliver wire-speed performance for encrypting the actual stored data. Key lengths are directly related to how much processing power is required. Owing to their shorter key lengths, private or symmetric key systems have significant advantages over their public key brethren because the amount of processing power required to encrypt or decrypt data is much less. Moreover, private key algorithms, such as AES and Triple DES (TDES), can be performed with relatively low overhead in software and can be greatly accelerated in silicon. In fact, the primary advantage of AES over TDES is its even lower overhead. TDES actually requires almost twice as much overhead on general-purpose CPUs as AES does.
Most storage security vendors, such as Decru, Maxxan, NeoScale, and Vormetric, use 128-bit or 256-bit private keys and the AES algorithm to encrypt data. Any 128-bit symmetric key is considered strong encryption and not susceptible to an attack using current technology. AES is considered the gold standard in terms of encryption algorithms and has been approved by the National Institute of Standards and Technology (NIST), the governing body tasked with mandating security standards for federal computer systems.
However, public key approaches are also relevant to storage security. For storage security products, private key encryption (e.g., symmetric keys) is used to encrypt the actual data, while public key encryption (e.g., asymmetric keys) is typically used to exchange and distribute the private keys to trusted points throughout the enterprise. In addition to encryption, public key techniques allow for authentication (e.g., confirming a digital identity) and non-repudiation (e.g., proving that both parties received the data or completed the transaction)—two capabilities that private key techniques do not enable. In fact, public key encryption is used to safeguard the transfer of keys outside the physical boundaries of storage security devices. Key exchange and distribution is critical to storage workflows, such as backup and recovery, disaster recovery, and data exchanges with business partners. Most storage security vendors use IPSec and TLS/SSL to conduct secure key exchanges. Both the IPSec and TLS/SSL protocols depend on public key encryption techniques (e.g., public-private key pairs).
Owing to the nature of these public keys, the system must use keys that are substantially longer to guarantee the same level of encryption when communicating or exchanging symmetric keys and data over these links. Otherwise, the system is considered only as strong as its weakest link.
The importance of key management
Storage poses unique security challenges. Unlike networking, where a session is transitory, the keys must be stored and maintained for the life of the data. In some cases with new compliance regulations, data must be retained for up to 21 years or longer. Furthermore, given the mobility of data and third-party interactions present in storage workflows, keys need to be securely distributed so that they can follow the data. Therefore, key management becomes critical to not only protect the integrity of the system, but also to ensure a system that is flexible enough to conform to existing storage and IT procedures. This is the delicate balancing act of key management, and it is also a critical point on which to evaluate the different storage security vendors.
Key management combines the devices, people, and operations required to create, maintain, and control keys. The system contains operational practices that must be implemented to make it work effectively. The best way to think of key management is as an automated process that enforces security, but complies with existing IT procedures for storage. Traditionally, key management can be divided into six functions:
Key creation: The key management system must generate a unique key for each LUN, tape, or other data element that needs to be encrypted. Key management systems generate keys using standardized random and pseudo-random number generation algorithms. Private keys must be generated within the secure confines of a device and never be transferred outside the device unless encrypted.
Key deletion: The key management system must “zeroize” all instances of a key, no matter where that key has been transferred or replicated. Deleting a key is crucial to preventing a breach when a key has been exposed.
Key distribution: The key management system must be able to electronically transfer private keys to other trusted key repositories throughout the enterprise. In addition, most key systems support the distribution of keys on smart cards. However, many users complain that the proliferation of too many smart cards (each for different keys) can become an administrative burden.
Key backup and recovery: After keys are created, they must be archived to a secure storage environment where they can be kept for long periods of time. The key management system must be able to survive multiple hardware and site failures and still be able to retrieve the archived keys to unlock encrypted data. Key loss is tantamount to data loss.
Re-keying: Re-keying is the process of re-encrypting data with a new key and invalidating the old key. Re-keying occurs when a key or data has been exposed, or as part of the change-out of tape media that must be kept for many years.
Key logging: Key logging refers to the process of tracking when keys are created and deleted, who created and deleted them, who used what keys, and what was done with the key. Key logging is imperative for ensuring regulatory compliance and detecting when security may have been compromised.
Key management has become a major battleground in the storage security arena. Earlier this year, NeoScale fired the first salvo by announcing an open key vaulting and key management system designed to interoperate with third-party encryption devices or appliances. Decru quickly followed suit with a similar key vaulting and key management offering. These moves presage an industry movement to global key management systems that interact with a heterogeneous collection of encryption devices that are geographically scattered.
The wildcard is EMC. In June 2006, EMC purchased the leading vendor of public key cryptography: RSA Security. With RSA in the fold, it will be interesting to see how EMC chooses to leverage RSA’s key management facilities to blunt the competitive moves by Decru and NeoScale. Although the dust is still settling from the RSA acquisition, we suspect that EMC will position RSA’s key management capabilities as directly competitive to NeoScale and Decru’s global key management offerings and leverage RSA’s encryption facilities in its storage systems.
Clearly, this is a crucial chokepoint for the storage infrastructure. We foresee a major battle brewing among the major security vendors for control and leadership of this strategic product area. Ultimately, we believe that global key management will be the crucial differentiation point among the major security vendors and that a standard will emerge for exchanging keys securely among heterogeneous devices. However, it will take awhile for that to become a reality.
Key hierarchies and domains
A critical planning consideration in any storage security deployment is how to map the key hierarchy and key domains to the organization’s processes and security requirements. A key domain refers to the set of data to be encrypted by a single key. Key domains can usually be configured to encrypt all data from a given host, LUN, file, file system, directory, tape, or tape loader using a given key. Typically, users want to define key domains that are granular enough that re-keying data does not mean that all stored data must be re-encrypted (a time-consuming and potentially offline process), but not so granular that they result in undue administrative burden in terms of keeping track of keys and smart cards.
Furthermore, best practice calls for companies to create a hierarchy of keys for security purposes. The hierarchy must consist of at least two levels of keys, but usually consists of many more. At the lowest level of any storage security scheme are the data encryption keys, each of which is used to encrypt a specific key domain.
Above the data encryption keys are one or more further key levels in the hierarchy. For example, an organization may be divided into multiple regional data centers, each of which may merit its own regional master key. A regional master key is used to encrypt and sign all the data encryption keys in the region. A good key management system allows administrators to define multiple levels of key hierarchy to map to their businesses. At the highest level in the hierarchy, the master—or Key Encryption Key (KEK)—is used to encrypt all the keys at the top of the hierarchy.
The deeper the hierarchy, the more robust the key management system required for operations. When planning a storage security deployment, you need to give careful consideration to planning the granularity of the key domains and the depth of the hierarchy. Determining how these concepts map to your storage environment is crucial to deploying a workable key management system.
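To make the six key management functions listed earlier and the key hierarchy described here concrete, the following is an added Python example (not from the article or any vendor's product): a master KEK wraps one data encryption key (DEK) per key domain, so a single tape or LUN can be re-keyed or its key zeroized without touching the other domains, and every key event is logged. The cipher is an HMAC-SHA256 stand-in for AES, labelled as such, because the point is the key handling rather than the algorithm.

```python
import hashlib, hmac, secrets

# Toy stand-in for AES: HMAC-SHA256 keystream (counter mode) plus an HMAC tag,
# encrypt-then-MAC with domain separation. Illustrative only; real products use AES.
def _stream(key, nonce, n):
    blocks = (hmac.new(key, b"enc" + nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
              for i in range((n + 31) // 32))
    return b"".join(blocks)[:n]

def seal(key, plaintext):
    nonce = secrets.token_bytes(16)
    body = bytes(a ^ b for a, b in zip(plaintext, _stream(key, nonce, len(plaintext))))
    return nonce + body + hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest()

def unseal(key, blob):
    nonce, body, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(hmac.new(key, b"mac" + nonce + body, hashlib.sha256).digest(), tag):
        raise ValueError("wrong key or tampered ciphertext")
    return bytes(a ^ b for a, b in zip(body, _stream(key, nonce, len(body))))

class KeyManager:
    """Two-level hierarchy: a master KEK wraps one data encryption key (DEK) per key domain."""
    def __init__(self):
        self._kek = secrets.token_bytes(32)  # master key; never leaves the "device" in clear
        self._wrapped = {}                   # domain (tape, LUN, ...) -> DEK wrapped under KEK
        self.log = []                        # key logging: (event, domain)

    def create_key(self, domain):
        self._wrapped[domain] = seal(self._kek, secrets.token_bytes(32))  # fresh random DEK
        self.log.append(("create", domain))

    def encrypt(self, domain, data):
        self.log.append(("use", domain))
        return seal(unseal(self._kek, self._wrapped[domain]), data)

    def decrypt(self, domain, blob):
        self.log.append(("use", domain))
        return unseal(unseal(self._kek, self._wrapped[domain]), blob)

    def rekey(self, domain, blob):
        """Re-encrypt one domain under a fresh DEK; all other domains stay untouched."""
        plaintext = self.decrypt(domain, blob)
        self.create_key(domain)              # old wrapped DEK is overwritten (invalidated)
        return self.encrypt(domain, plaintext)

    def delete_key(self, domain):
        del self._wrapped[domain]            # zeroize: data in this domain is now unrecoverable
        self.log.append(("delete", domain))
```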
In the next installment of this article, we will cover the key players and various approaches to key management.
Steve Norall is senior analyst and consultant at the Taneja Group consulting firm (www.tanejagroup.com).