Security and EMC EMC Proven™ Professional Knowledge Sharing September, 2007 Jenny Beazley Senior Project Manager EMC Corporation [email protected] Page 1 of 9
Welcome message from author
This document is posted to help you gain knowledge. Please leave a comment to let me know what you think about it! Share it to your friends and learn new things together.
Transcript
-
Security and EMC
EMC Proven Professional Knowledge Sharing September, 2007
Jenny Beazley Senior Project Manager
EMC Corporation [email protected]
Page 1 of 9
-
Page 2 of 9
Table of Contents
1 Security Concepts.................................................................................................................................................. 3 2 Current Security Initiatives..................................................................................................................................... 4 2.1 Certified Data Erasure ......................................................................................................................................... 4 2.2 EMC Secure Remote Support (ESRS) Gateway ................................................................................................ 4 2.2.1 Encryption......................................................................................................................................................... 5 2.2.2 Authentication................................................................................................................................................... 5 2.2.3 Access .............................................................................................................................................................. 5 2.2.4 Audit.................................................................................................................................................................. 6 2.3 Symmetrix Service Credential, secured by RSA................................................................................................. 6 2.3.1 Authentication................................................................................................................................................... 7 2.3.2 Access .............................................................................................................................................................. 7 2.3.3 Audit.................................................................................................................................................................. 7 2.2.4 in addition: Certified Data Erasure............................................................................................................... 7 3 Security Best Practices........................................................................................................................................... 7 3.1 Setting Secure Passwords .................................................................................................................................. 7 3.2 Access Control..................................................................................................................................................... 8 3.3 Encryption............................................................................................................................................................ 8 3.4 Confidential Information....................................................................................................................................... 8 3.5 Social Engineering............................................................................................................................................... 9 4 Where can I find out more? .................................................................................................................................... 9 5 Author Biography.................................................................................................................................................... 9
Disclaimer: The views, processes or methodologies published in this compilation are those of the author. They do not necessarily reflect EMC Corporations views, processes, or methodologies.
-
Page 3 of 9
Security and EMC
A recent RSA survey revealed that EMCs customers fear auditors more than hackers. In the wake of Enron, the Sarbanes Oxley law imposes severe penalties on publicly traded companies for exposure or tainting of financial data. Companies must adhere to are a growing number of regulations and standards, including the California Senate Bill 1386, Gramm-Leach-Bliley Act and the EUs Directive 95/46/EC. Security compliance is now a market discriminator. In 2005, EMC conducted a product security assessment and subsequently initiated several projects to enhance its offerings to meet customer needs. These projects include introducing two-factor or two-pass authentication to storage arrays and connectivity devices, removing static passwords from array management software and creating tamper-proof audit trails. With such a complex product range, changes will not occur overnight. However, all EMC employees can and must take steps to promote storage management security for EMC and our customers. It is the EMC Proven Professionals responsibility to blaze the trail and encourage their colleagues to follow best practices to ensure a more secure environment for both EMC and its customers.
1 Security Concepts
Information Security revolves around a simple AAA concept:
Access Control: controlling entry and resource action; Authentication: verifying users; and Auditing: tracking users
The CIA concept is also important:
Confidentiality: information is not revealed to unauthorized users; Integrity: data is intact and unmodified; and Availability: data is accessible if access is allowed
These two concepts apply at both a product and user/process level. EMC has dedicated departments and personnel to create awareness of all aspects of Information Security, from product engineering & development, procedural, educational and customer perspectives.
-
Page 4 of 9
2 Current Security Initiatives
There are a number of ongoing security initiatives that combine to give EMC a competitive advantage in the world of Information Security. Some highlights are listed below.
2.1 Certified Data Erasure
Organizations are facing growing demands to comply with regulations that either mandate the erasure of, or provide guidelines for the protection of, information. The penalties for non-compliance range from multi-million dollar fines to 10 years of incarceration! EMC has a suite of Certified Data Erasure offerings to ensure that disks can be securely erased to a variety of different standards varying from 1 to 35 overwrites. This enables the complete removal of information and allows assets to be repurposed without compromising information security or regulation compliance.
An audit log tracks successful erasures and a validation certificate can be printed to indicate the overwrite procedure was completely properly.
2.2 EMC Secure Remote Support (ESRS) Gateway
The EMC Secure Remote Support Gateway enables fast, secure remote support. ESRS (1.0) was generally available in January, 2006. Security features include encryption, authentication, and access and audit, allowing customers to meet corporate and industry security compliance regulations.
-
2.2.1 Encryption All communication between the connected devices and EMC is sent securely in encrypted format (128-bit Advanced Encryption Standard, or AES) over the IP-based infrastructure.
2.2.2 Authentication Similar to the SymmIP Remote Connection Console, EMC personnel providing remote support to customers over the ESRS Gateway must first be authenticated against EMCs internal network (either directly or via the Virtual Private Network (VPN).
2.2.3 Access The ESRS Gateway Policy Manager on the Gateway Server allows the customer device and application level control of access to each installed EMC product. The customer is able to specify the timeframes that remote connections are automatically allowed (e.g. during normal business hours from Monday to Friday) or whether EMC support personnel must always ask before connecting.
Page 5 of 9
-
2.2.4 Audit Audit logging provides a detailed record of remote access sessions, which will be maintained at the customer site.
2.3 Symmetrix Service Credential, secured by RSAThe Symmetrix Service Credential (SSC), secured by RSA, is a simple, scaleable security approach for EMCs Symmetrix DMX-3 product that meets our customers security policies. The solution includes a suite of applications that work together to improve user authentication, authorization and auditing on the platform.
This is achieved primarily by introducing RSA technology into the Symmetrix through new software components on the Service Processor. These components will generate a customer-viewable audit log and ensure authorized user access at both a Windows and SymmWin level. SSC is available with Enginuity 5772 code, which became generally available in March, 2007.
Audit Log
Service Processor Symmetrix Service Credential, secured by RSA
Disk Erasure
Access Control
Page 6 of 9
-
Page 7 of 9
2.3.1 Authentication Enginuity 5772 prevents unauthorized service actions by authenticating valid identities on the Service Processor. The level of authentication is strong, using industry-leading RSA technology. The encrypted credential is coupled with a user password and varies by user, action, system and time.
2.3.2 Access Actions are authorized via role-based access controls, meaning a Customer Engineer attending a site to replace a disk does not have access to perform more complex procedures, such as upgrading. This complements the Symmetrix Access Control authorization of server actions on devices.
2.3.3 Audit Enginuity 5772 provides a tamper-proof view of management and support actions. It records all major activities on the Symmetrix, including host-initiated actions, physical component changes, actions on the Service Processor and attempts blocked by security controls. The log is secure and tamper-proof, meaning event contents cannot be altered and only authorized users can access logs.
2.2.4 in addition: Certified Data Erasure An optional software package in Enginuity 5772 provides compliance to Department of Defense specifications to securely replace disks. This eliminates exposure and prevents data from leaving the premises. An auditable record of the data erasure is provided, complying with key components of Sarbanes-Oxley, PCI, HIPAA and other regulations.
3 Security Best Practices While these initiatives detail some of the contributions EMC is making at a product level to help customers comply with security, there are actions every individual can take to work to ensure a more secure environment.
3.1 Setting Secure Passwords Simple passwords can be guessed (e.g. default passwords, names relating to the user) or cracked with simple scripts that test the username against a complete list of dictionary words.
Secure passwords should:
Be 8-13 characters for medium security; 14+ for high security Include a mixture of upper & lower case characters Contain numerical and other non-alphabetical characters
-
Page 8 of 9
Passwords should NOT:
Be dictionary words Contain the username Be written down and stored near the PC/laptop (e.g. post-it note under the keyboard!!)
The most secure passwords appear random. A good tip for generating a secure password is to convert a sentence into a character string. For example, I love to work at EMC, Hopkinton, Massachusetts could translate to the 10 character password: I
-
Page 9 of 9
There can also be a risk in customer log files. These can potentially contain IP addresses, host names and other information that could cause problems for the customer if it fell into the wrong hands.
3.5 Social Engineering Social Engineering is a collection of techniques used to manipulate people into performing actions or divulging confidential information. It can be used to gain access to any system, irrespective of platform. It is the hardest form of attack to defend against, because hardware and software alone cannot stop it. Employees should be familiar with the concept of Social Engineering and ensure they verify the identity of other employees, visitors and maintenance staff, whether in person, by telephone or electronically.
4 Where can I find out more? This article has barely touched the tip of the information security iceberg. For EMC employees, there are a number of Security classes listed in the Education Services and Development learning catalog.
5 Author Biography Jenny Beazley joined EMC Australia in November 2003 as a CLARiiON Technical Support Engineer and became the first CLARiiON SSE globally to achieve EMC Proven Professional status. Ms. Beazley returned to her native UK in June 2006 as an EMC Senior Project Manager, specializing in Security. Previous roles include Database Performance Tuning Engineer for the UniData and UniVerse database suites at IBM and Technical Consultant/Programmer for one of IBMs customers. She is currently studying for an MBA.
Disclaimer: The views, processes or methodologies published in this compilation are those of the author. They do not necessarily reflect EMC Corporations views, processes, or methodologies. Security and EMC1 Security Concepts 2 Current Security Initiatives2.1 Certified Data Erasure2.2 EMC Secure Remote Support (ESRS) Gateway 2.2.1 Encryption2.2.2 Authentication2.2.3 Access 2.2.4 Audit2.3 Symmetrix Service Credential, secured by RSA2.3.1 Authentication2.3.2 Access2.3.3 Audit2.2.4 in addition: Certified Data Erasure3 Security Best Practices3.1 Setting Secure Passwords3.2 Access Control3.3 Encryption3.4 Confidential Information3.5 Social Engineering4 Where can I find out more?5 Author Biography
Related Documents
