The promise of painless storage security
New specs from a standards group could bring easy-to-manage, built-in security to storage devices.
Lately, it seems like the whole world has been drawn into information security. Whether it's consumers, government agencies or technology vendors, everyone now realizes that information security is the price we pay for pervasive global communications.
Storage professionals and vendors are part of this mix, but a quandary exists. Storage devices are at the back of the technology stack, relatively blind to the software logic above. Protecting storage devices is a worthy goal, but what users truly want are information safeguards, not just spinning disks and magnetic media. Leading storage vendors have noticed this trend and are preparing strategies for information-centric security, a concept similar to secure information lifecycle management (ILM). The goal is to classify data based on business rules; protect data based on value; and enforce security, privacy and usage policies regardless of information location.
Secure ILM is a great idea, but how will it evolve? The Enterprise Strategy Group (ESG) believes the industry will receive a major push from an unfamiliar source, the Trusted Computing Group (TCG).
TCG describes itself as "an industry standards body, composed of computer and device manufacturers, software vendors and others with a stake in enhancing the security of the computing environment across multiple platforms and devices." It's best known for the PC-based Trusted Platform Module (TPM) and TPM Software Stack (TSS). TPM/TSS is implemented in integrated circuits, systems and apps, and is available on new PCs and laptops because it's built into microprocessors from AMD and Intel, and systems from companies like Acer, Dell, Fujitsu, Hewlett-Packard and IBM. At the beginning of 2006, approximately 50 million TPM-based PCs were deployed worldwide; the resident TPM chips can be used for device authentication, rogue software detection and secure credential storage.
Coming to disk drives in 2007
A trust-based architecture depends on a chain where multiple systems, apps and devices are bound by formal and tamperproof trust relationships. To that end, TCG will publish its Storage Work Group specs in early 2007, which can be viewed as an extension of the existing TPM model.
The Storage Work Group specifications provide three main security/operational benefits:
- Introduce the concept of trust relationships between storage devices and hosts. Through mutual identification and authentication of hosts and storage devices, and the trust established between them, the trust environment is extended beyond the TPM into the storage devices themselves. This limits which hosts can read from or write to a device.
- Enable secure control over storage device features. TCG-enabled storage can place storage devices in a "trusted state," enabling specific configurations or security features. In this way, TCG-enabled storage provides protected storage for specific users, systems or apps, and also allows exclusive control over data-at-rest encryption on storage devices.
- Create secure communications between storage devices and hosts. Secure storage provides session-oriented security commands on top of general host-to-storage communications through security extensions of SCSI (ANSI/INCITS T10) and ATA (ANSI/INCITS T13).
Like the PC implementation, TCG-enabled storage hard-codes security functionality into device-resident security processors and firmware, and thus can't be moved or altered. TCG-enabled storage devices contain cryptographic engines and enable different trust-based apps for protected storage. Security services are called through specific APIs, which isolate storage functions behind a "trust boundary." Only trusted entities with access and authorization to the API can see and use the TCG trusted storage functionality.
ESG believes storage providers should actively embrace TCG-enabled storage because it can help them deliver:
Granular storage security configuration enforcement. TCG-enabled storage provides a framework for granular, role-based configuration management and change controls. For example, individual storage functionality "containers" (TCG calls them service providers or SPs) on the storage device are "sandboxed" and exclusively controlled by a designated owner. This provides tight control over storage assets and functionality where access control is based on credentials.
Improved storage access controls. To protect storage from rogue apps and systems, admins use zoning, LUN masking and access control lists. TCG-enabled storage takes access control methods a step further with the concepts of enrollment and connection. This process can map specific hosts to specific storage devices and/or specific storage devices to specific hosts. The TCG-enabled storage provides more granular mapping and defines what protected storage locations can be allocated to specific users, systems or apps.
Scalable, device-level encryption. TCG-enabled storage provides an onboard encryption engine for high-speed encryption at the device level. This can help overcome the performance and scalability problems often associated with encryption. Cryptographic operations are handled by a dedicated processor in the drive. And because encryption is done on a drive-by-drive basis, encryption capacity scales with the addition of new drives. The TCG storage model complements encryption with read- and write-locking.
Automated backup. TCG-enabled storage can allow backup from one secure "service provider" (i.e., storage sandbox) to another. In this scenario, the SP owner must have access to another SP with registry capabilities on another storage device. With this permission in place, TCG-enabled storage can mirror SPs on one or multiple devices.
TCG-enabled storage helps to lock down storage infrastructure and the data residing on it. Access controls are based on establishing trust relationships that are authenticated at run time with credential checks. These tight controls reduce the possibility of an accidental or intentional breach of storage infrastructure or valuable data.
TCG and information lifecycle security
When the ILM concept was introduced in 2003, the lack of security protection built into the model was striking. Three years later, ILM has been enhanced with security features, but implementation remains an issue. TCG-enabled storage could overcome these problems through its support of the following:
Distributed cryptographic and key management services. ILM will require critical data to be copied, verified, distributed and encrypted. Managing multiple copies of documents and their associated encryption operations could mean managing multiple, redundant encryption systems. And if encryption keys are lost, critical data might be unrecoverable. TCG-enabled storage promises to ease ILM key management by baking cryptographic services such as signing, hashing, verification and encryption into the storage infrastructure. ILM vendors can use the storage device's base-level cryptographic services to focus on key and policy management rather than on storage layer encryption services.
Pervasive logging. Similar to cryptographic services, trusted storage will also support logging and clocking capabilities. With this infrastructure in place, ILM vendors can focus on log aggregation and analysis rather than on basic data collection.
Operationally efficient data deletion. When users want to retire or move storage devices, there are a number of choices for data deletion, from physical device destruction to full compliance with the Department of Defense (DoD) 5220.22-M process. However, these choices may not be ideal for everyday moves, adds and changes. Physical destruction means demolishing potentially usable assets, while DoD 5220.22-M requires costly certification and validation. TCG-enabled storage provides a more pragmatic and cost-effective option: guaranteed destruction of the encryption keys, which leaves the encrypted data on the device unrecoverable.
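A simplified model of the device-level encryption with read/write locking described above, and of erasure by key destruction, added here as an illustration; it is not code from the TCG specifications or from any drive vendor. The class and method names (LockingRange, unlock, crypto_erase) are assumptions, and a SHA-256 counter-mode keystream stands in for the drive's hardware AES engine:

```python
import hashlib
import hmac
import os


class LockedError(PermissionError):
    pass


class LockingRange:
    """Toy model of one locking range on a self-encrypting drive.
    Constructed for illustration only; not the TCG Storage API."""

    def __init__(self, credential: bytes, size: int):
        self.cred_hash = hashlib.sha256(credential).digest()
        self.mek = os.urandom(32)     # media encryption key; never leaves the drive
        self.media = bytearray(size)  # ciphertext exactly as it sits on the platters
        self.locked = True            # read- and write-locked until a credential is shown

    def _keystream(self, offset: int, length: int) -> bytes:
        # SHA-256 in counter mode stands in for the drive's AES engine.
        out, block = bytearray(), offset // 32
        while len(out) < offset % 32 + length:
            out += hashlib.sha256(self.mek + block.to_bytes(8, "big")).digest()
            block += 1
        return bytes(out[offset % 32: offset % 32 + length])

    def unlock(self, credential: bytes) -> bool:
        # Run-time credential check; a wrong credential changes nothing.
        ok = hmac.compare_digest(hashlib.sha256(credential).digest(), self.cred_hash)
        if ok:
            self.locked = False
        return ok

    def lock(self) -> None:
        self.locked = True

    def write(self, offset: int, data: bytes) -> None:
        if self.locked:
            raise LockedError("range is write-locked")
        ks = self._keystream(offset, len(data))
        self.media[offset:offset + len(data)] = bytes(a ^ b for a, b in zip(data, ks))

    def read(self, offset: int, length: int) -> bytes:
        if self.locked:
            raise LockedError("range is read-locked")
        ks = self._keystream(offset, length)
        return bytes(a ^ b for a, b in zip(self.media[offset:offset + length], ks))

    def crypto_erase(self, credential: bytes) -> None:
        # Retire the range by replacing the MEK: the old ciphertext stays on
        # the media, but no key capable of decrypting it exists any more.
        if not self.unlock(credential):
            raise LockedError("credential rejected; erase refused")
        self.mek = os.urandom(32)
        self.lock()
```

The point of the last method is that nothing has to be overwritten: the bytes on the media are unchanged, yet after the key is replaced they decrypt to noise.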
Ultimately, ILM vendors and users will benefit from TCG-enabled storage devices. ILM vendors can accelerate security enhancements by building management functionality on top of the TCG API and utilizing the TCG security plumbing. For users, TCG-enabled storage should ease the inevitable interoperability problems posed by multiple ILM implementations because products will call the same APIs, use the same commands and harvest the same device-resident data.
The bottom line
When it comes to security, the storage industry went from a state of denial to a state of confusion. This isn't unusual with information security because there are often more questions than answers.
In this perpetual enigma, the TCG storage specification may be a breath of fresh air. By baking security and software functionality into the disk drives themselves, TCG is providing a secure storage foundation that can be taken advantage of by storage management software vendors and users. This functionality goes beyond securing the storage infrastructure, as it can be extended to become part of secure ILM.