Basel II Overview - PowerPoint PPT Presentation

1
Secure Data Storage
Thanes Bordeesorn, Network Appliance (Thailand) Ltd.
CIO16
2
  • Are you at risk of becoming a headline for a data compromise?
  • A security breach is not the type of publicity any company wants.
  • The secure storage challenge

3
Topics
  • News and risks → why secure data storage
  • Data at rest: risk exposure
  • Generic secure storage architecture
  • How to avoid becoming one of these cases?

4
Storage Insecurity: Aggregation and Replication Expose Terabytes
  • TriWest Healthcare: stolen disks contained medical records on 500,000 military personnel.
  • IBM Global Services: IBM notifies its customer Co-operators Life Insurance that a disk containing personal and financial information on up to 180,000 customers is missing, presumed stolen.
  • Visa, Amex, MasterCard: a hacker breaches 8 million credit card accounts through a third-party processor.
  • Canadian Customs Revenue Agency: CCRA loses unencrypted data on 120,000 Canadians in a server theft from a regional office. "Leads to literally millions of calls and checks within our system."

July 2003: Ricoh executives bow in apology for losing a backup tape with customer data.
5
On the NEWS
6
Sample Incidents
  • http://www.privacyrights.org/ar/ChronDataBreaches.htm
  • http://attrition.org/dataloss/

7
Security Principles
  • Availability
    • System failure
    • Human error
    • Natural or man-made disaster
  • Integrity
    • Data, file and e-mail modification
    • Audit log modification
    • Electronic data that is required to be protected
    • Using electronic records as evidence
  • Confidentiality

8
All factors are dynamic and related!
[Chart: investment in availability plotted against the SLA]
9
Worst scenario
[Chart: the SLA curve alone]
10
Worst scenario
[Chart: confidentiality, integrity and availability plotted against the SLA and the investment in confidentiality/integrity]
11
Holistic thinking / Phased implementation
[Chart: availability, confidentiality, integrity and SLA together]
Plan for all security dimensions; phase the implementation based on the value of the information.
12
Data at Rest: Risk Exposure
13
Technology Implications
  • Can your existing infrastructure provide adequate:
    • Controls
    • Protection
    • Disaster recovery
  • Protection from:
    • Accidental errors
    • Intentional errors
  • Support for the processes and procedures generated by scenario analysis of your exposure

14
Traditional Layered Network Security
Layered network perimeter security: firewalls, VPN, SSL, IDS and security audits, all focused on external intrusion.
Weak storage security behind that perimeter:
  • LUN masking and file system permissions are the only controls
  • Administrators have full access to storage data
  • Storage is in clear text
  • Backups are in clear text
  • Disks go offsite for repair and disposal
  • Data mirroring and DR data are in clear text
15
Storage Security Drivers
  • Best practices
  • Compliance/law
  • Consolidation
  • Insider threat
  • Replication
  • Brand protection
  • Outsourcing
Gartner: "By year-end 2006, failure to encrypt credit card numbers stored in a database will be considered legal negligence in civil cases of unauthorized disclosures."
16
Who has access to sensitive data?
50-80% of attacks originate behind the firewall (source: FBI)
[Diagram: the CEO's customer data and earnings releases, the CFO's salaries and reviews, and the General Counsel's litigation documents all land on the same shared storage]
17
Type of Data
  • Structured data
    • Database
    • ECM
  • Semi-structured
    • E-mail
  • Unstructured
    • MS Office
    • Home-grown applications
    • Etc.
  • Unstructured data constitutes >80% of archived data: MS Office documents, web pages, digital images, A/V files, etc.

18
Data Service Elements
  • Data protection: need to ensure protection from natural and un-natural disasters
  • Data permanence: need to ensure immutability to allow for reproduction in a lawsuit scenario
  • Data security: privacy of information for protection from misuse
  • Data classification: understanding exposure by understanding what you have
  • Data discovery: finding information when required

19
Generic Secure Storage Architecture
20
Storage Compliance Architecture
21
Data Protection
  • In the event of a disaster, the ability to reproduce lost information
  • Backup and disaster recovery are the key components
  • Shorter backup intervals (the time/frequency definitions) lower the risk profile
  • Distance and location of the copy are another factor
  • Metrics to measure by:
    • RPO (recovery point objective): how much data loss can you afford?
    • RTO (recovery time objective): how fast does the system need to be back online?

22
Disaster Protection Scenarios
[Diagram: concentric scopes of protection around the primary data center]
  • Site failure
    • Terrorist attacks
    • Human error
    • HVAC failures
    • Power failures
    • Building fire
    • Architectural failures
    • Planned maintenance downtime
  • Regional disasters
    • Electric grid failures
    • Natural disasters: floods, hurricanes, earthquakes
  • Local high availability
    • Component failures
    • Single system failures

23
Data Permanence
  • Immutable storage is critical to ensure that the original data and its intent are preserved
  • In the case of an audit by a regulatory body or during a lawsuit
  • Day-to-day business practice might also require an unedited copy of data
  • Write Once Read Many (WORM) functionality provides a level of comfort and guarantee
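The contract behind "WORM functionality" on this slide, written out as an added Go example. This is the editor's illustration, not code from the presentation and not NetApp's SnapLock: Store, Record, Commit, ExtendRetention, Read and Delete are names assumed here, the store is in memory, and the clock is injected so the retention period can be advanced without waiting. The sample object committed in main is constructed.

```go
package main

import (
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"time"
)

// Added example (the editor's illustration, not NetApp's SnapLock) of the contract a
// write-once-read-many store has to enforce: an object is committed exactly once, its
// retention clock can be extended but never shortened, deletion waits for that clock,
// and every read is checked against the digest recorded at commit time.

var (
	ErrExists   = errors.New("worm: object already committed, overwrite refused")
	ErrRetained = errors.New("worm: retention period has not expired")
	ErrShorten  = errors.New("worm: retention can be extended, never shortened")
	ErrNotFound = errors.New("worm: no such object")
	ErrTampered = errors.New("worm: stored bytes no longer match the committed digest")
)

type Record struct {
	Data        []byte
	Digest      string // hex SHA-256 of Data, fixed at commit time
	RetainUntil time.Time
}

// Store is an in-memory WORM volume. The clock is injected so a caller (or a test)
// can move time forward instead of waiting out a seven-year retention period.
type Store struct {
	records map[string]*Record
	clock   func() time.Time
}

func NewStore(clock func() time.Time) *Store {
	return &Store{records: map[string]*Record{}, clock: clock}
}
func digest(b []byte) string {
	sum := sha256.Sum256(b)
	return hex.EncodeToString(sum[:])
}

// Commit writes an object exactly once and returns its digest. A second Commit under
// the same name is refused even after retention expires: WORM never overwrites in place.
func (s *Store) Commit(name string, data []byte, retention time.Duration) (string, error) {
	if _, ok := s.records[name]; ok {
		return "", ErrExists
	}
	copied := append([]byte(nil), data...) // never alias the caller's buffer
	rec := &Record{Data: copied, Digest: digest(copied), RetainUntil: s.clock().Add(retention)}
	s.records[name] = rec
	return rec.Digest, nil
}

// ExtendRetention moves the retention date forward only, e.g. for a legal hold.
func (s *Store) ExtendRetention(name string, until time.Time) error {
	rec, ok := s.records[name]
	if !ok {
		return ErrNotFound
	}
	if until.Before(rec.RetainUntil) {
		return ErrShorten
	}
	rec.RetainUntil = until
	return nil
}

// Read re-verifies the committed digest before returning a copy, so silent corruption
// or an administrator editing the backing file is reported, not produced as the original.
func (s *Store) Read(name string) ([]byte, error) {
	rec, ok := s.records[name]
	if !ok {
		return nil, ErrNotFound
	}
	if digest(rec.Data) != rec.Digest {
		return nil, ErrTampered
	}
	return append([]byte(nil), rec.Data...), nil
}

// Delete is the only mutation allowed, and only once retention has expired.
func (s *Store) Delete(name string) error {
	rec, ok := s.records[name]
	if !ok {
		return ErrNotFound
	}
	if s.clock().Before(rec.RetainUntil) {
		return ErrRetained
	}
	delete(s.records, name)
	return nil
}

func main() {
	now := time.Date(2006, 1, 1, 0, 0, 0, 0, time.UTC)
	s := NewStore(func() time.Time { return now })
	_, _ = s.Commit("mail/2006-01-01.eml", []byte("constructed sample message"), 7*365*24*time.Hour)
	_, err := s.Commit("mail/2006-01-01.eml", []byte("edited"), 0)
	fmt.Println("overwrite:", err, "| early delete:", s.Delete("mail/2006-01-01.eml"))
}
```

The digest returned by Commit is what you file with the record: producing the bytes later is only evidence if you can also show they are the bytes that were committed, which is why Read refuses to return anything that no longer matches. A real appliance enforces the same three rules below the file system, where an administrator cannot reach around them.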

24
Data Privacy
  • Malfeasance is often a big concern, from both an internal and an external perspective
  • Loss of data is inevitable
  • Exposure can be minimized via data encryption
  • Record management can involve end customers, should that be a valued service; it will also lower the risk profile
  • Encryption key management helps to reduce risks

25
Analogy of encryption/decryption and keys
  • When leaving a house, using a key to lock up: encryption
  • When entering a house, using a key to open it: decryption
  • To sneak into the house:
    • Crack the lock: brute-force attack
    • Steal the key: hacking keys
    • Key duplication: copying keys (taking a key to copy and returning it silently)
    • Hijacking electronic keys, e.g. a car remote control
  • How many keys do you have today? How many keys do you handle: 10 keys? 100 keys? Or 1,000 keys?
  • Can you cope if all of those keys have to be changed from time to time?
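The last two slides raise two points at once: encrypt the data at rest, and keep the keys manageable when they must change. Envelope encryption is the standard answer to the "1,000 keys that all need rotating" question, shown here as an added Go example. It is the editor's illustration, not NetApp's Lifetime Key Management or any other code from the presentation: KeyManager, EncryptedVolume, RotateKEK, RetireKEK and RewrapVolume are names assumed for the example, and the in-memory map stands in for the HSM or key server that would hold the key-encryption keys.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"fmt"
)

// Added example (the editor's illustration, not NetApp's product) of envelope encryption:
// each volume gets its own data-encryption key (DEK), stored only wrapped under a versioned
// key-encryption key (KEK). Rotating the KEK re-wraps 32 bytes per volume and never touches
// the ciphertext; retiring a KEK makes every DEK still wrapped under it unrecoverable.

type EncryptedVolume struct {
	Name       string
	KEKVersion int    // which KEK wraps the DEK
	WrappedDEK []byte // nonce || AES-256-GCM(KEK, DEK), AAD = Name
	Data       []byte // nonce || AES-256-GCM(DEK, plaintext), AAD = Name
}

// KeyManager stands in for an HSM or KMS: KEKs never leave it.
type KeyManager struct {
	keks    map[int][]byte // version -> KEK
	current int
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no usable randomness: never fall back to a weak key
	}
	return b
}
func newGCM(key []byte) cipher.AEAD {
	block, err := aes.NewCipher(key)
	if err != nil {
		panic(err) // bad key length only; every key here is 32 bytes
	}
	g, _ := cipher.NewGCM(block) // cannot fail for an AES block
	return g
}

// seal returns nonce || ciphertext || tag; the AAD binds the blob to its volume.
func seal(key, plaintext, aad []byte) []byte {
	g := newGCM(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}
func open(key, blob, aad []byte) ([]byte, error) {
	g := newGCM(key)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, fmt.Errorf("blob too short")
}

// RotateKEK makes a fresh KEK current; older versions stay usable until RetireKEK deletes them.
func (km *KeyManager) RotateKEK() int {
	if km.keks == nil {
		km.keks = map[int][]byte{}
	}
	km.current++
	km.keks[km.current] = randomBytes(32)
	return km.current
}
func (km *KeyManager) RetireKEK(version int) { delete(km.keks, version) }

func (km *KeyManager) unwrapDEK(v *EncryptedVolume) ([]byte, error) {
	kek, ok := km.keks[v.KEKVersion]
	if !ok {
		return nil, fmt.Errorf("KEK version %d has been retired", v.KEKVersion)
	}
	return open(kek, v.WrappedDEK, []byte(v.Name))
}

func (km *KeyManager) EncryptVolume(name string, plaintext []byte) *EncryptedVolume {
	dek := randomBytes(32) // in the clear only in memory, never written to disk
	v := &EncryptedVolume{Name: name, Data: seal(dek, plaintext, []byte(name))}
	v.KEKVersion, v.WrappedDEK = km.current, seal(km.keks[km.current], dek, []byte(name))
	return v
}
func (km *KeyManager) DecryptVolume(v *EncryptedVolume) ([]byte, error) {
	dek, err := km.unwrapDEK(v)
	if err != nil {
		return nil, err
	}
	return open(dek, v.Data, []byte(v.Name))
}

// RewrapVolume moves the DEK under the current KEK; v.Data is left untouched.
func (km *KeyManager) RewrapVolume(v *EncryptedVolume) error {
	dek, err := km.unwrapDEK(v)
	if err != nil {
		return err
	}
	v.KEKVersion, v.WrappedDEK = km.current, seal(km.keks[km.current], dek, []byte(v.Name))
	return nil
}
```

The answer to the slide's question is that the thousand per-volume keys never rotate at all; only the one KEK does, and rotating it is a metadata update per volume, not a re-encryption of terabytes. The ordering is the operational trap: rewrap every volume under the new KEK, then retire the old one. Retiring first makes the volumes unrecoverable, which is exactly the effect you want when a disk leaves the building for repair or disposal (destroy its key and the clear-text problem from the earlier slide is gone), and exactly what you do not want for live data. Binding the wrapped DEK to the volume name through the AEAD's associated data stops a wrapped key copied from one volume's metadata being replayed on another.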

26
Data Classification/Awareness
  • Knowing what you have and where it's located
  • Under audit or legal proceedings, producing the right information minimizes exposure to penalties
  • Classification results in proper treatment of each information set
  • Minimize exposure by moving sensitive information behind encryption systems
  • Protect information by WORMing it

27
NetApp Overview
28
How to Avoid All These Cases? NetApp's Unified, Complete Approach
29
DR Solutions Portfolio
[Diagram: protection options by distance from the primary data center]
  • Within the data center
    • Clustered Failover (CFO): high system protection
    • MetroCluster (Stretch): cost-effective zero-RPO protection
  • Campus
    • MetroCluster (Fabric): cost-effective zero-RPO protection
  • Wide area
    • Async SnapMirror: most cost-effective, with RPO from 10 minutes to 1 day
    • Sync SnapMirror: most robust zero-RPO protection

30
Maximum Flexibility
  • Data classification / migration
    • Appliance-based
    • Selectively apply to specific volumes, classes and LUNs
    • New migration module
  • Data security / privacy
    • Selectively encrypt specific volumes, classes and LUNs
    • New Lifetime Key Management system
  • Data permanence
    • Selectively apply to specific volumes and LUNs
    • Revised integration with classification
  • Data discovery
    • Search against entire arrays or selectively against specific volumes, classes and LUNs
All on NetApp FAS or NearStore systems
31
NetApp Differentiators
  • The industry's most comprehensive compliance solution
    • Cost-effective solution for all data types and all regulatory requirements
    • Broad range of platforms spanning branch office to data center
    • Open protocol design means true future-proofing and fast data access
  • Respond quickly to regulatory audits or electronic discovery with the industry's fastest WORM solution
    • Native file formats and open protocols provide the best assurance against obsolescence or vendor lock-in for long-term archives
  • Flexibility and high ROI of a unified architecture
    • One NetApp architecture protects existing investments and means no silos, no new management tools, no additional training
    • Meets multiple business needs, including compliance, backup and DR

32
THANK YOU