When a security breach occurs, especially in a large organization, identifying where and how it occurred is the immediate first reaction. Next steps include determining how far it has penetrated, what is at risk and, ultimately, how to correct the situation. For certain external data covered by legislation such as the Sarbanes-Oxley Act (SOX), the Health Insurance Portability and Accountability Act (HIPAA), the Personal Information Protection and Electronic Documents Act (PIPEDA), and more, corrective action is well defined and extremely costly. Enterprises wishing to avoid finding out how costly have a number of approaches for proactively taking control of the access that outsiders have to sensitive information.
Among the first hardware targets for protection are the computer and the network. However, a complete enterprise solution should also cover any hardware that stores the data. Sensitive information on a hard drive or other storage media such as an optical disc is easily accessed once the media is separated from the computer, even a computer with built-in protection. Software tools have been developed to provide integral protection in storage systems. In addition, compatible hardware is available now for some drive applications and is expected to become more widely available in 2008, so several choices will exist. Understanding the recently developed standards is essential to taking advantage of this new protection capability.
Protecting Stored Files
The Trusted Computing Group (TCG) addresses storage, and essentially every other security aspect of an enterprise, through specific work groups staffed with experts from the target area. An industry-based organization, TCG consists of several companies developing open specifications to help prevent data loss and theft. Supported by over 170 leading hardware, component, software, service, computing, networking, and mobile phone suppliers, TCG develops open industry standards to provide users with products and services that carry a higher level of trust. TCG approved its pioneering Trusted Platform Module (TPM) in 2000. Today, this hardware element provides the foundation for trust in over 70 million desktop and portable PCs. With Microsoft's use of the TPM as part of BitLocker Drive Encryption in its Windows Vista operating system, the number of computers with TPMs is expected to increase to over 200 million in 2008.
The TPM is a microcontroller, manufactured by several companies, that securely stores passwords, digital keys and certificates to provide unique identification. As a separate integrated circuit (IC) or as an embedded portion of another IC, such as an Ethernet controller, the TPM uses standard software interfaces with other security methodologies to ensure deployment of secure applications. A co-processor in the TPM handles cryptographic operations such as asymmetric key generation (RSA), asymmetric encryption/decryption (RSA), hashing (Secure Hash Algorithm, SHA-1), and random number generation (RNG).
In addition to computers, the TPM provides privacy protection and interoperability across multiple platforms, including cell phones, PDAs, networks and storage systems. In storage systems, the TPM in the computer can be used to enhance full disk encryption (FDE) for trusted drives.
In 2007, the TCG Storage WorkGroup (SWG) published its draft specification, TCG Storage Specification Overview and Core Architecture Specification, Version 1.0, Revision 0.9, for broad industry review. Because managing the cryptographic and authentication keys for storage devices is essential to the draft specification, the work group created the Key Management Services Subgroup (KMSS) to develop specific methods based on it. This subgroup is investigating the full life cycle management of keys.
Secure Storage Solutions
To establish the draft specification, TCG's SWG developed use cases for common problems experienced by the storage industry. Seven categories were identified. A brief description of them provides essential background for understanding the development and application of the specification.
The mating process between a specific storage device and a specific host can be separated into enrollment and connection. Storage device-to-host and host-to-storage device mating each involve separate considerations. Enrollment establishes authorization for a storage device and host that will be physically connected later. Initially, an administrator may be involved in enrollment. Once enrollment is established, however, secrets exchanged directly and transparently between the host and storage device automatically control the connection.
The use case dictates that the secrets needed for connection are not available to any other host process or to a physical attack across the interface. In addition, communications regarding the enrollment/connection secrets must be kept confidential.
Storage devices with embedded processors have protected storage locations where system data, outside the normally addressable user space, remains intact even after the user space is repartitioned or reformatted. A host application's ability to create and delete exclusive access to a protected storage area is a useful tool for many applications.
While nearly identical to the storage device-to-host connection, the locking and encryption use cases require separate read-locking and write-locking. These use cases also identify read/write locking and encryption for different logical partitions of the storage device. A storage device with full encryption is protected against loss or theft. In addition, encryption enables re-purposing or end-of-life disposal by simply deleting the encryption key, which immediately "sanitizes" the drive. FDE drives, with the cryptography implemented directly on the drive in hardware, are available today. Given a means of establishing clock time so that log entries can be automatically time stamped, logging services for host applications can take advantage of protected storage. Trusted logging is most useful for forensic purposes.
Storage device access control mechanisms must be versatile enough to support different types of authentication, such as pass code, symmetric key, Hash Message Authentication Code (HMAC), biometrics, or public key authentication, as well as multi-factor combinations. However, this is not the complete requirement. Cryptographic services from other organizations, such as NIST or IETF, that standardize the basic cryptographic algorithms also enter into the mix. AES-128 is recommended for symmetric encryption, SHA-1 and SHA-256 for hashing, and RSA and elliptic curve for public key ciphers.
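The read/write locking, pass-code authentication and key-deletion "sanitize" behavior described in the two paragraphs above, modelled as an added example (this is not code from the specification or from any drive vendor). A keystream built from HMAC-SHA256 stands in for the AES-128 the text recommends so that the example runs on the Python standard library alone; the class name, method names and pass-code derivation are assumptions of this example.

```python
import hashlib
import hmac
import os

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    # Toy counter-mode stream cipher with HMAC-SHA256 as the PRF; stands in for the
    # AES-128 the specification recommends so only the stdlib is needed. Not a real cipher.
    out = bytearray()
    for off in range(0, len(data), 32):
        ks = hmac.new(key, nonce + off.to_bytes(4, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[off:off + 32], ks))
    return bytes(out)

class SelfEncryptingDrive:
    """Constructed model of an FDE drive: the media encryption key (MEK) never leaves the
    drive except wrapped under a KEK derived from the host pass code; the user area is
    read/write locked until the host authenticates; crypto-erase just replaces the MEK."""
    def __init__(self, passcode: bytes):
        self.media = {}   # LBA -> ciphertext, i.e. what is physically on the platter
        self.mek = None   # plaintext MEK is held only while the drive is unlocked
        self._provision(os.urandom(32), passcode)
    def _kek(self, passcode: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", passcode, self.salt, 100_000)
    def _provision(self, mek: bytes, passcode: bytes) -> None:
        self.salt = os.urandom(16)
        kek = self._kek(passcode)
        self.wrapped_mek = keystream_xor(kek, b"wrap", mek)
        # Authentication tag: a wrong pass code is rejected instead of unwrapping garbage.
        self.tag = hmac.new(kek, self.wrapped_mek, hashlib.sha256).digest()
    def unlock(self, passcode: bytes) -> bool:
        kek = self._kek(passcode)
        expected = hmac.new(kek, self.wrapped_mek, hashlib.sha256).digest()
        if not hmac.compare_digest(self.tag, expected):
            return False
        self.mek = keystream_xor(kek, b"wrap", self.wrapped_mek)
        return True
    def lock(self) -> None:
        self.mek = None   # power loss or explicit lock: key material leaves RAM
    def write(self, lba: int, data: bytes) -> None:
        if self.mek is None:
            raise PermissionError("write-locked")
        self.media[lba] = keystream_xor(self.mek, lba.to_bytes(8, "big"), data)
    def read(self, lba: int) -> bytes:
        if self.mek is None:
            raise PermissionError("read-locked")
        return keystream_xor(self.mek, lba.to_bytes(8, "big"), self.media[lba])
    def crypto_erase(self, new_passcode: bytes) -> None:
        # Sanitize by discarding the old MEK: sectors stay on the platter but are unreadable.
        self._provision(os.urandom(32), new_passcode)
        self.mek = None
```

After `crypto_erase`, the old ciphertext is still present in `media`, but no pass code, old or new, can turn it back into the original sector contents, which is the point of key-deletion sanitization.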
As noted for enrollment and connection, the cryptographic services may need to hide keys and keep one set of keys secret between host applications, so these services must allow partitioning of hidden storage space into security providers (SPs) that can be authorized for use by host applications. Exclusive access to storage device feature sets (in SPs) for specific host applications can be assigned by setting access controls.
Manufacturer-authorized firmware downloads to storage devices must be properly authorized using strong authentication methods. The preferred approach is signed downloads, where the storage device verifies the signer and publishes to the trusted platform those entities that are permitted to offer acceptable downloads.
Industry interest in the availability of the Storage Specification Overview and Core Architecture Specification was apparent at the Storage Visions 2008 Conference in January. During the Q&A in the Storage Intelligence and Content Protection session, Dr. Robert Thibadeau from Seagate projected that security in hard disk drives will be commonly available within 18 months. Those interested in the details are encouraged to review the draft specification.
Managing Keys
Among the more recent TCG SWG efforts is the work of the Key Management Services Subgroup (KMSS). Focusing specifically on keys in an enterprise environment, the recently released TCG Storage WorkGroup Application Note 1: Encrypting Drives in an Array Controller is a work in progress that addresses the historical issues and challenges in key usage, such as incompatibility. The application note gives developers a detailed method and uniform approach for managing the locking and encryption of one or more storage devices, including hard drives.
The life cycle of cryptographic keys has nine distinct stages, from policy establishment to the end of life of keys. After requesting key generation, the subsequent activities are: usage, storage, retrieval, modification, searches, access rights, disabling, and, finally, destruction. Today, handling all of these aspects requires more than one product, and compatibility between different vendors' products cannot be expected.
By addressing the operations between the host platform, an application and trusted devices, the KMSS application note provides secure communication and authentication between the storage device and the host. In addition, the specification allows discovery of the storage device's capabilities while establishing compliance with existing security regulations and retaining the flexibility to meet future state and federal legislation.
To handle the compatibility issue, KMSS took a bottom-up approach to the secure storage hierarchy. Implementation of the storage specification starts at the lowest level, the storage device itself. Immediately above this level, a common key management service interfaces directly with the storage device. With this tiered approach, proprietary or customized applications can still be installed that communicate at the system management to network management level as required for a specific business. Below the proprietary level, users are guaranteed that standardized key management servers can communicate directly with the storage devices. This approach provides additional system benefits by eliminating two levels of complexity: one for the device itself, since it has built-in, standardized security, and the first level of proprietary key management communication to the storage device. To implement the process, the application note provides detailed byte-by-byte information describing how to authenticate and exchange keys with a device using actual command strings.
For the data center, this bottom-up approach avoids proprietary solutions across the whole hierarchy. Users can standardize the bottom two layers: both the storage devices themselves and the key management of storage directly on the drive. Simplifying the requirements and the cost for these levels opens sourcing to many suppliers. When all hard drive makers supply a storage device with the same interface, the multi-source business model drives competition to improve products, simplifying implementation and easing migration.
While laptop drives that meet the initial SWG storage specification already exist, server-class drives for the data center based on the newest application specifications are expected in the near future. Since the subcommittee members who drafted the KMSS specification represent the leading companies that want to sell storage devices with key management services to banks, hospitals, and government agencies, drives with standardized key management are expected to proliferate over the next year.
Optical Disc Security
The hard disk drive is only one piece of the sensitive data storage puzzle. Critical and highly portable data is frequently stored on removable media such as optical discs. As the capacity of such media grows, the risk of losing sensitive data grows with it. As with other lost, stolen or simply missing files, recent horror stories are easy to find. Both compromised privacy and a major threat of identity theft befell 2.9 million Georgia residents after a company lost a CD that contained the full names, addresses, birth dates, social security numbers and member identification for recipients of Medicaid and other medical programs. The article "raises serious doubts about the measures private companies and public officials take to safeguard individuals from identity theft." In another recent incident, two missing discs with the names, dates of birth, bank and address details of 25 million child benefit records could have a similar impact.
In a TCG survey on data security concerns, respondents ranked CD-ROM and USB key storage devices almost equal to hard copy (paper and microfilm), and well above departmental and enterprise servers or transmission over the internet or other unsecured networks, for vulnerability to unauthorized access. These identified threats and concerns prompted TCG's Storage WorkGroup to form the Optical Security Subsystem Class (OSSC). OSSC's efforts extend the Storage Architecture Core Specification to an increasingly popular storage medium. In contrast to copy protection for optical storage, TCG's activity focuses on unauthorized access to the data on the disc rather than on unauthorized copying.
While still in development, OSSC's specification provides the ability to encrypt data on standard optical discs. The Trusted Optical Disc standard provides access control in support of organizational security policies, with strong, n-factor authentication as well as Full Disc Encryption (FDE) using the Advanced Encryption Standard (AES). The approach does not require a change to the physical format.
The use cases for optical storage include simple, personal password protection for a single user physically carrying files between computers; plural passwords for physically distributing data to different people with selected access; role-based access control for electronic health records; and a secure network endpoint for need-to-know users in a disaster response. With the requirements for encryption and access in these instances in mind, as well as the behavior of legacy drives, the OSSC team has started drafting a specification.
The TCG optical disc protection is an application layer that resides above standard disc formats and is compliant with all consumer optical disc standards. The address space is partitioned into three separate areas: (1) Common Volume, (2) Protected Storage, and (3) User Data. The Common Volume provides predictable behavior when a TCG disc is inserted into a legacy drive. TCG tables are stored in the Protected Storage area. Encrypted user data is written to the User Data area. Only the last two provide secure address space.
Similar to the Advanced Access Content System (AACS) for content distribution and digital rights management, and to the DVD Copy Control Association (DVDCCA), a Trusted Optical Disc Authority could provide the certificate authority for drives, application software, server software and security tokens, as well as enforcement and compliance authority.
The Optical SSC provides the capability to meet government requirements, including the presidential mandate and NSA guidelines, as well as satisfying the security needs of electronic health records for personal use, archiving, and disaster response. In addition, enterprise archiving and distribution will derive additional protection benefits.
Safe Storage?
TCG's Storage Work Group has made substantial progress within the last year in defining the methodologies necessary to secure data in storage devices. Future application notes from KMSS will address key management for tape systems as well as for consumer devices, including electronic memory. The ongoing efforts of KMSS will extend security to essentially every storage mechanism in the enterprise. Combined with other TCG spec-compliant components such as cell phones, PDAs, servers, desktop and portable computers, and the network itself, those concerned with data security in the enterprise will have the necessary tools to prevent the breaches that are commonplace today.
The short answer to the question posed in the title can be yes, if the enterprise uses the protective measures established by the TCG Storage WorkGroup, implemented in all of its data storage devices and/or storage media. Otherwise, don't be too quick to say yes.
Dr. Michael Willett received his bachelor's degree from the United States Air Force Academy and master's and doctoral degrees in mathematics from North Carolina State University. Currently, Michael is on the research staff of Seagate Technology, exploring future projects in security and privacy as well as serving on several external standards bodies, including the Trusted Computing Group (TCG). Within TCG, he is co-chairman of the Storage Work Group.