Tape Encryption Solutions

IBM System Storage™
IBM Tape Encryption and TKLM v2.0.1
© 2012 IBM Corporation
IBM System Storage®
Agenda
• Tape Encryption Overview
• TKLM – Tivoli Key Lifecycle Manager
• TKLM v2.0.1 Enhancements
• Implementation Considerations
• Demo
Page 2
IBM Tape Data Encryption
• LTO6 / LTO5 / LTO4 Tape Drive
– Standard feature on all FC & SAS LTO6/5/4 Tape Drives
– Supports “traditional” and “encrypted” modes of operation
• TS1140 / TS1130 / TS1120 Tape Drive
– Standard feature on all new TS11xx Tape Drives
– Supports “traditional” and “encrypted” modes of operation
• TKLM – Tivoli Key Lifecycle Manager
– Runs on AIX, Sun (Solaris), Linux, Windows and z/OS
– Serves keys to the drives
• ISKLM – IBM Security Key Lifecycle Manager
– z/OS
FIPS 140-2 Certification
• FIPS – Federal Information Processing Standard
• Cryptographic Service Providers – certified
– CE2 Card
– IBM Java Cryptographic Extensions (JCE)
• Tape Drives
– TS1120 – Certified
– TS1130 – Certified
– TS1140 – In process
– LTO4 – Certified
– LTO5 – Certified
• The status above is as of this 2012 deck. A FIPS 140-2 certificate covers specific firmware or software versions, so before citing it in an audit confirm the current certificate number and validated version on the CMVP list:
http://csrc.nist.gov/groups/STM/cmvp/validation.html
Tivoli Key Lifecycle Manager
Encryption Methods
• Library-Managed (encryption policy held in the library): TS3500, TS3400, TS3310, TS3200, TS3100, 3494
• System-Managed (encryption policy held in the operating system): z/OS, AIX, Solaris, Windows & Linux
• Application-Managed (encryption policy held in the application): TSM, NBU, et al.
Library Managed Encryption Components
Figure: an open-systems host (z/OS, AIX, Linux, Windows, Solaris) attached to the library over Fibre; TKLM, with its key store and crypto services, is reached over TCP/IP either directly or through a proxy.
• TKLM/drive key exchange occurs over the LDI (library-drive interface) and TCP/IP paths
AME / LME Comparison
LME (Library-Managed Encryption)
– Transparent to the backup application: no TSM admin required, no TSM upgrade required
– Will work with other end points: tape, disk, SAN, HBAs
– FIPS 140-2 certified
– Keys encrypted in transit to tape drives
– Not limited to TSM Backup/Archive only
AME (Application-Managed Encryption)
– Allows TSM control (Device Class)
– 3584 Transparent Encryption feature code not required
– TKLM not required
– Keystore is encrypted
– Allows for separation of duties
System Managed Encryption Components – zOS
Figure: on z/OS, ISKLM runs in a Java Virtual Machine with its own key store and crypto services; an open-systems host (AIX, Linux, Windows, Sun) can run TKLM instead, reached over TCP/IP and/or through a FICON/ESCON proxy. The tape control unit attaches over FICON/ESCON or Fibre, and DFSMS supplies the SMS policy through the Data Class.
• TKLM/drive key exchange occurs over the fibre and FICON/ESCON paths
• Encryption policy is defined by SMS policy and DD statement
System Managed Encryption – TS7700
Figure: hosts (z/OS, AIX, Linux, Windows, Sun) attach to the TS7700 over FICON; TKLM, with its key store and crypto services, sits on the network. The proxy in the TS7700 provides the bridge between the drive FC and the network for TKLM exchanges.
• Encryption policy is based on the Storage Pool, which is controlled through Advanced Policy Management (APM): Storage Group and Management Class
Symmetric Encryption
One key (called the private key, secret key or data key) both encrypts and decrypts. It is used for:
• User Data Encryption
• Keystore Encryption
• TKLM Backup Encryption
Asymmetric Encryption
A public/private key pair; the public key acts as a Key Encrypting Key. It is used for:
• Drive authentication
• Session security
• Encrypting Data Keys
• SSL between TKLM and device
• SSL between TKLMs
• TKLM web GUI communications
TS11xx and LTO Encryption
• Built-in AES 256-bit data encryption engine
• <1% performance and capacity impact
• Authentication: TKLM queries the drive certificate and uses the drive's public key to authenticate exchanges
• Look-aside decryption & decompression help assure data integrity
Figure: drive data path from FC Port 0 through host interface DMA, compression, AES encryption, the Application Specific Integrated Circuit buffer, ECC and format encoding, read/write electronics and read/write head to the tape media. Host records are clear on the host side and ciphertext on the media; a look-aside AES decryption and decompression path checks the written data. The drive holds a certificate carrying its public key, and the matching private key stays inside the drive.
LTO Consortium based format
• Standard LTO media
• Entire volume is encrypted or non-encrypted
• Common scratch pool with full re-format between encrypted and non-encrypted
• A “KeyIdentifier”, generated from the Key Label/Alias or provided by the application, is encoded in each Host Data Record and format recording element per the LTO specification. The cartridge carries only this identifier, not a wrapped copy of the data key, so the DK itself must still be available from the TKLM (or application) keystore when the volume is read.
Figure: cartridge layout from BOT to EOT: control structures, volume label, encrypted host records and/or file marks, end of data; cartridge memory. Data area: symmetric encryption, AES-256 with the DK.
TS11xx Media Format Elements
• Standard 3592 media
• Entire volume is encrypted or non-encrypted
• Common scratch pool with full re-format between encrypted and non-encrypted
• Full support for wrapping keys
– Simplifies key management and DR/BP (disaster recovery / business partner) scenarios
• Two Wrapped Key Structures (EEDKs) may be active on a cartridge
Figure: cartridge layout from BOT to EOT: control structures, volume label, EEDK1/2, encrypted host records and/or file marks, end of data, EEDK1/2; cartridge memory. The EEDKs are “wrapped keys”, KEK[DK]: asymmetric encryption, RSA-2048 with the KEK. Data area: symmetric encryption, AES-256 with the DK.
Agenda
• Tape Encryption Overview
• TKLM – Tivoli Key Lifecycle Manager
• TKLM v2.0.1
• Implementation Considerations
• Demo
Tivoli Key Lifecycle Manager (TKLM)
• IBM Licensed Program
• Serves data keys to drives and devices
– TS11xx
– LTO
– DS8000
• Runs on the same or a different server than the tape application
Figure: a TKLM on AIX (or another OS) serving devices over IP, Fibre Channel, SAS and FICON attachments.
TKLM OS Support
• AIX 5.3 or later
• AIX 6.1 or later
• Red Hat Enterprise Linux 4.0 (32-bit)
• Red Hat Enterprise Linux 5.0 (32-bit and 64-bit)
• SuSE Linux 9 (32-bit)
• SuSE Linux 10 (32-bit and 64-bit)
• Solaris 9 SPARC
• Solaris 10 SPARC
• Windows Server 2003 (32-bit and 64-bit)
• Windows Server 2008 (32-bit and 64-bit)
• z/OS 1.9, 1.10, 1.11 (TKLM v1 only)
Release History
• EKM (z/OS and Open) – Sept 2006
– Bundled with IBM Java
• TKLM 1.0 (z/OS and Open) – Nov 2008
– DB2 and browser-based GUI
• TKLM 2.0 (Open only) – Aug 2010
– RBAC
– KMIP 1.0
• ISKLM 1.1 (z/OS only) – Apr 2011
– Built on EKM for z/OS
– No DB2 or WebSphere
– New device support
– Service path for EKM for z/OS
• TKLM 2.0.1 – Oct 2012
– Automatic cloning
– KMIP 1.1
– HSM support
Automated clone replication
• Up to 5 clones
• Replicated to each clone:
– Keystore
– DB2 tables
– Config file
• Replication is encrypted
• Master and clone systems must be identical
KMIP v1.1 support
Device Credentials – how does a consumer of keys identify itself?
• Serial number identifying the client or device
• Network address
• Instance or volume identifier
• Group
• Shared secret
Device Credentials are used:
• To help with PCI-DSS compliance: only serve keys to known devices
• Ease of use for deployment: a certificate can be used as a right to connect rather than managing a certificate per device
A serial number or network address identifies a device but does not by itself prove who is asking; a spoofed identifier on an otherwise anonymous connection would still be a known device. Pair the credential with the connection's certificate or a shared secret so that the identity is authenticated before a key is served.
Improved asymmetric key support
• Major contributions from PGP and RSA
• Will be the basis for managing the key material in certificates
Grouping of keys
• Default and fresh attributes now supported
• Useful for pools of shared media
• Useful for key rotation
TKLM Resources
• TKLM Website: www.ibm.com/software/tivoli/products/key-lifecycle-mgr
– TKLM Info Center
– TKLM Installation and Configuration Guide
– Flash Demos: Information Infrastructure Security with IBM; TKLM GUI demo
• TKLM Data Sheet
ftp://ftp.software.ibm.com/common/ssi/pm/sp/n/tid14031usen/TID14031USEN.PDF
• White Paper: Simplifying Key Management with Tivoli Key Lifecycle Manager
ftp://ftp.software.ibm.com/common/ssi/sa/wh/n/tiw14026usen/TIW14026USEN.PDF
• Red Book: IBM System Storage Tape Encryption Solutions
http://www.redbooks.ibm.com/abstracts/sg247320.html?Open
• Red Paper: ISKLM for z/OS
http://www.redbooks.ibm.com/redpapers/abstracts/redp4646.html?Open
Today’s Cryptographic Environment
Figure: enterprise cryptographic environments today, with a separate Key Management System for each silo: collaboration & content management systems, portals, production database, disk arrays, enterprise applications and CRM, backup system and backup tape, replica, file server, backup disk, eCommerce applications, business analytics, staging, dev/test (obfuscation) and email, connected over WAN, LAN and VPN.
KMIP Overview
• Key Management Interoperability Protocol (KMIP)
• Key-management server to encryption-client protocol
• Enables key lifecycle management
– Generation, submission, retrieval, and deletion
• Supports
– Symmetric keys
– Asymmetric keys
– Digital certificates
• http://www.oasis-open.org/committees/tc_home.php?wg_abbrev=kmip
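The Device credential from the KMIP v1.1 slide and the protocol outlined above, as one added worked example (not TKLM, IBM or OASIS code): it encodes a KMIP Get request carrying a Device credential in TTLV, parses it back with bounds checks, and applies the slide's server-side rule of serving keys only to known devices. Tag and type numbers are taken from the KMIP 1.x tag tables; the two Device-credential tags are KMIP 1.1 additions and should be checked against the published specification before use. The serial number, network identifier and key identifier are constructed values.

```python
"""Added example: minimal KMIP 1.1 TTLV codec for a Get request with a
Device credential, plus the 'known devices only' check.  Not TKLM code."""
import struct

# Item types in the TTLV encoding
STRUCTURE, INTEGER, ENUMERATION, TEXT_STRING = 0x01, 0x02, 0x05, 0x07

TAG = {
    "RequestMessage": 0x420078, "RequestHeader": 0x420077,
    "ProtocolVersion": 0x420069, "ProtocolVersionMajor": 0x42006A,
    "ProtocolVersionMinor": 0x42006B, "BatchCount": 0x42000D,
    "Authentication": 0x42000C, "Credential": 0x420023,
    "CredentialType": 0x420024, "CredentialValue": 0x420025,
    "DeviceSerialNumber": 0x4200B0,  # KMIP 1.1 addition; verify against spec
    "NetworkIdentifier": 0x4200AB,   # KMIP 1.1 addition; verify against spec
    "BatchItem": 0x42000F, "Operation": 0x42005C,
    "RequestPayload": 0x420079, "UniqueIdentifier": 0x420094,
}
NAME = {v: k for k, v in TAG.items()}
OPERATION_GET = 0x0000000A
CREDENTIAL_DEVICE = 0x00000002


def _pad8(b: bytes) -> bytes:
    return b + b"\0" * (-len(b) % 8)


def ttlv(tag: str, typ: int, value) -> bytes:
    """One item: 3-byte tag, 1-byte type, 4-byte big-endian length of the
    unpadded value, then the value padded to a multiple of 8 bytes."""
    if typ == STRUCTURE:
        body = b"".join(value)            # children are already padded
    elif typ in (INTEGER, ENUMERATION):
        body = struct.pack(">I", value)   # 4 bytes on the wire, padded to 8
    elif typ == TEXT_STRING:
        body = value.encode("utf-8")
    else:
        raise ValueError(f"type {typ:#x} not handled in this example")
    return (struct.pack(">I", TAG[tag])[1:] + bytes([typ])
            + struct.pack(">I", len(body)) + _pad8(body))


def get_request(unique_id: str, serial: str, network_id: str) -> bytes:
    """Get <unique_id>, with the caller identified by a Device credential."""
    return ttlv("RequestMessage", STRUCTURE, [
        ttlv("RequestHeader", STRUCTURE, [
            ttlv("ProtocolVersion", STRUCTURE, [
                ttlv("ProtocolVersionMajor", INTEGER, 1),
                ttlv("ProtocolVersionMinor", INTEGER, 1)]),
            ttlv("Authentication", STRUCTURE, [
                ttlv("Credential", STRUCTURE, [
                    ttlv("CredentialType", ENUMERATION, CREDENTIAL_DEVICE),
                    ttlv("CredentialValue", STRUCTURE, [
                        ttlv("DeviceSerialNumber", TEXT_STRING, serial),
                        ttlv("NetworkIdentifier", TEXT_STRING, network_id)])])]),
            ttlv("BatchCount", INTEGER, 1)]),
        ttlv("BatchItem", STRUCTURE, [
            ttlv("Operation", ENUMERATION, OPERATION_GET),
            ttlv("RequestPayload", STRUCTURE, [
                ttlv("UniqueIdentifier", TEXT_STRING, unique_id)])])])


def parse(buf: bytes, start: int = 0, end: int = None) -> list:
    """Decode TTLV into (name, value) pairs; structures nest as lists.  Every
    length is checked against the enclosing item so a truncated or hostile
    message raises instead of being read past its end."""
    end = len(buf) if end is None else end
    items, pos = [], start
    while pos < end:
        if end - pos < 8:
            raise ValueError("truncated TTLV header")
        tag = int.from_bytes(buf[pos:pos + 3], "big")
        typ = buf[pos + 3]
        length = struct.unpack(">I", buf[pos + 4:pos + 8])[0]
        vstart, vend = pos + 8, pos + 8 + length
        if vend > end:
            raise ValueError("TTLV length exceeds enclosing structure")
        if typ == STRUCTURE:
            value = parse(buf, vstart, vend)
        elif typ in (INTEGER, ENUMERATION):
            value = struct.unpack(">I", buf[vstart:vend])[0]
        elif typ == TEXT_STRING:
            value = buf[vstart:vend].decode("utf-8")
        else:
            value = buf[vstart:vend]
        items.append((NAME.get(tag, f"{tag:#08x}"), value))
        pos = vend + (-length % 8)
    return items


def is_well_formed(buf: bytes) -> bool:
    try:
        parse(buf)
        return True
    except (ValueError, struct.error, UnicodeDecodeError):
        return False


def find(items: list, name: str):
    """First value with the given tag name, searching nested structures."""
    for n, v in items:
        if n == name:
            return v
        if isinstance(v, list):
            hit = find(v, name)
            if hit is not None:
                return hit
    return None


def authorize(tree: list, known_serials: set) -> bool:
    """The PCI-DSS point from the slide: serve keys only to registered devices.
    A serial number is an identifier, not a secret, so a real server applies
    this only after the connection itself has been authenticated."""
    return (find(tree, "CredentialType") == CREDENTIAL_DEVICE
            and find(tree, "DeviceSerialNumber") in known_serials)
```

`get_request` produces the bytes a drive-side client would send to TKLM's KMIP listener after the TLS handshake; `parse` plus `authorize` is the server's side of the "known devices" policy, and the explicit length checks in `parse` are what keeps a malformed length field from turning into an out-of-bounds read.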
TKLM v2 Supported Devices
• IBM Tape Drives
– LTO4 / LTO5 / LTO6
– TS1120 / TS1130 / TS1140
• IBM Tape Libraries
– 3494, TS2900, TS3100, TS3200, TS3310, TS3400, TS3500
• Non-IBM Tape Libraries
– Quantum (ADIC) i2000
– Quantum (ADIC) i500
• IBM Disk
– DS8000
– DS5000, DS3000 (IBM OEM)
• KMIP Supported Devices
– Emulex OneSecure HBAs
– Brocade: IBM SAN32B-E4 (2498-E32), FC 3895 Encryption Blade
– NetApp FAS2040, FAS3200, FAS6200
Agenda
• Tape Encryption Overview
• TKLM – Tivoli Key Lifecycle Manager
• Implementation Considerations
– Design Considerations
– TS3500 (3584) Implementation
• Demo
TKLM Design Considerations
• What Operating System?
• Server sizing?
• Dedicated Server or LPAR?
– Dedicated LPAR or Shared LPAR?
• TKLM – Local or Remote?
• How to implement HA?
• Moving keys offsite
• What to Encrypt?
• Key rotation?
• Number of Keys?
What Operating System?
• AIX
• Linux
• Solaris
• Windows
• z/OS
Figure: whatever the OS, a TKLM server consists of the keystore and crypto services, the drive table, and the configuration.
What Size Server?
• CPU
• Memory
• Disk
High Availability
Figure: two TKLM instances, each with its own keystore and crypto services, drive table and configuration, kept in step so that either can serve keys.
Dedicated Server or LPAR?
Figure: four placement options, from TKLM alone on a dedicated server or LPAR, through TKLM sharing a server with other applications, to TKLM co-hosted with the tape application.
TKLM – Local or Remote?
Figure: Option 1 places a TKLM next to each tape application; Option 2 has the tape applications reach remote TKLMs over the network.
TKLM Deployment – DR Site
Main site, disaster recovery site, second production site. The ratios below are TKLM instances at the main site : TKLM instances at the DR site.
• Cold DR site: 2:0, going to 0:2 after a disaster (the DR instances are built from the TKLM backup)
• Hot DR site: 1:1 or 1:2 if you have high network availability; 2:1 or 2:2 if you have concerns about network outages
Moving Keys Offsite
• DR site: the keystore is carried to the DR site using TKLM Backup/Restore (TS11xx and LTO)
• Business Partner: the partner supplies its public key; TS11xx cartridges are written with an EEDK wrapped under that public key and tagged with the hashed key label, so the partner unwraps the data key with its own private key and no private key changes hands. The local keystore is still protected with TKLM Backup/Restore, and individual keys can be exported with tklmkeyexport.
What to Encrypt?
• Selective Encryption
• Encrypt All
• Recovery
Key Rotation
• Yearly key labels: My_2012_Key, My_2013_Key, My_2014_Key
• Quarterly key labels: My_1Q-2012_Key, My-2Q-2012-Key, My-3Q-2012-Key
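The wrapped-key structure from the TS11xx media slide, the business-partner exchange from Moving Keys Offsite, and the key labels above, as one added worked example (not IBM's code or on-media format; requires the cryptography package). It assumes SHA-256 for the hashed key label, RSA-OAEP as the wrapping algorithm and AES-256-GCM for the data area, since the slides say only "RSA-2048 with KEK" and "AES-256 with DK"; the key labels and host records are constructed values.

```python
"""Added example: EEDK-style key wrapping as the TS11xx slides describe it.
An AES-256 data key (DK) encrypts the host records; the DK is stored on the
cartridge wrapped under up to two RSA-2048 key-encrypting keys (KEKs), each
tagged with a hash of its key label.  Not IBM's code or media format; the
hash, padding and AEAD mode are assumptions.  Requires 'cryptography'."""
import hashlib
import os
from dataclasses import dataclass

from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import padding, rsa
from cryptography.hazmat.primitives.ciphers.aead import AESGCM

# Assumed wrapping scheme; the slide only says "RSA-2048 with KEK".
OAEP = padding.OAEP(mgf=padding.MGF1(hashes.SHA256()),
                    algorithm=hashes.SHA256(), label=None)


@dataclass
class EEDK:
    """Externally Encrypted Data Key: KEK[DK] plus the hashed key label that
    tells a reader which private key to use without revealing the label."""
    label_hash: bytes
    wrapped_dk: bytes


@dataclass
class Cartridge:
    eedks: list        # one or two active EEDK structures
    nonce: bytes
    ciphertext: bytes  # data area: AES-256 with the DK


def hash_label(label: str) -> bytes:
    return hashlib.sha256(label.encode("utf-8")).digest()  # assumed hash


def wrap_dk(dk: bytes, kek_label: str, kek_public) -> EEDK:
    return EEDK(hash_label(kek_label), kek_public.encrypt(dk, OAEP))


def write_cartridge(records: bytes, keks: dict) -> Cartridge:
    """keks maps KEK label -> RSA public key.  A fresh DK is generated per
    cartridge and leaves the 'drive' only in wrapped form."""
    if not 1 <= len(keks) <= 2:
        raise ValueError("a cartridge carries one or two EEDKs")
    dk = AESGCM.generate_key(bit_length=256)
    nonce = os.urandom(12)
    ciphertext = AESGCM(dk).encrypt(nonce, records, None)
    eedks = [wrap_dk(dk, label, pub) for label, pub in keks.items()]
    return Cartridge(eedks, nonce, ciphertext)


def has_eedk_for(cart: Cartridge, kek_label: str) -> bool:
    return any(e.label_hash == hash_label(kek_label) for e in cart.eedks)


def recover_dk(cart: Cartridge, kek_label: str, kek_private) -> bytes:
    """Whoever holds the private half of a KEK named on the cartridge can
    unwrap the DK: the local site with its key or the business partner with
    theirs, with neither side ever handing over a private key."""
    wanted = hash_label(kek_label)
    for e in cart.eedks:
        if e.label_hash == wanted:
            return kek_private.decrypt(e.wrapped_dk, OAEP)
    raise KeyError(f"no EEDK on this cartridge for KEK label {kek_label!r}")


def read_cartridge(cart: Cartridge, kek_label: str, kek_private) -> bytes:
    dk = recover_dk(cart, kek_label, kek_private)
    return AESGCM(dk).decrypt(cart.nonce, cart.ciphertext, None)


def rewrap_cartridge(cart, old_label, old_private, new_label, new_public):
    """KEK rotation (My_2012_Key -> My_2013_Key): unwrap the DK with the old
    KEK, wrap it under the new one, leave the data area untouched.  Only the
    EEDK changes, so rotating the KEK needs no bulk re-encryption of tape."""
    dk = recover_dk(cart, old_label, old_private)
    kept = [e for e in cart.eedks if e.label_hash != hash_label(old_label)]
    return Cartridge(kept + [wrap_dk(dk, new_label, new_public)],
                     cart.nonce, cart.ciphertext)


def new_kek():
    return rsa.generate_private_key(public_exponent=65537, key_size=2048)


def demo() -> dict:
    """Constructed scenario: write with the 2012 site KEK plus a partner KEK,
    then rotate the site KEK to 2013."""
    site_2012, site_2013, partner = new_kek(), new_kek(), new_kek()
    records = b"constructed host records: month-end backup"
    cart = write_cartridge(records, {"My_2012_Key": site_2012.public_key(),
                                     "Partner_DR_Key": partner.public_key()})
    rotated = rewrap_cartridge(cart, "My_2012_Key", site_2012,
                               "My_2013_Key", site_2013.public_key())
    return {"records": records, "original": cart, "rotated": rotated,
            "site_2013": site_2013, "partner": partner}


if __name__ == "__main__":
    d = demo()
    print(read_cartridge(d["rotated"], "My_2013_Key", d["site_2013"]) == d["records"])
```

The point the code makes about the yearly and quarterly labels is that each label names a KEK, not the data key: retiring My_2012_Key means re-wrapping the EEDK on affected cartridges (or keeping the old private key available for reads), while the AES-256 data area written under the DK is never touched. The second EEDK slot is what lets a partner or DR site read the cartridge with a key it generated itself.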
Internal or External Perform Resource?
• IBM Implementation Services for tape systems – tape encryption and key management
• Tasks Performed
– Planning session meeting
– Architecture and Design
– Implementation Procedure
– Skills Development transfer
• IBM Benefits
– Proven methodology
– Support from IBM’s dedicated storage specialists
– Basic skills instruction for client staff
– Accelerated implementation
Agenda
• Tape Encryption Overview
• Tape Encryption Process
• Tape Encryption Implementation
– Design Considerations
– TS3500 (3584) Implementation
• Demo
TS3500 Library Implementation
• Install or upgrade tape drives
• Upgrade drive firmware
• Update TS3500 firmware
• Enable drives for encryption (LME)
– Set up the TKLM IP address
– Update the drive encryption method
– Set up a Barcode Encryption Policy (optional)
– Run the Key Path Diagnostic Test
• Enable drives for encryption (SME)
– Update the drive encryption method
Questions?
Demo