HP StorageWorks Secure Key Manager -
Questions & Answers

HP StorageWorks Secure Key Manager

Business Value

Reduce your risk of a costly data breach and reputation damage while improving regulatory compliance with centralized secure encryption key management for HP LTO-4 enterprise tape libraries.

Q&A

Questions

1. How does the HP StorageWorks Secure Key Manager provide business value?
2. How can the HP StorageWorks Secure Key Manager minimize the effort of integrating and managing encrypted tapes?
3. Are keys on HP StorageWorks Secure Key Manager protected from unauthorized access?
4. How long do keys need to be kept?
5. What happens if keys are destroyed or lost?
6. How can the HP StorageWorks Secure Key Manager help with regulatory compliance and audits?
7. How is the HP StorageWorks Secure Key Manager positioned with other HP storage key management solutions in the portfolio?
8. Why HP for key management?
9. Can I decrypt my data on a non-HP library or drive after it has been encrypted by an ESL library using an HP StorageWorks Secure Key Manager generated key? What’s the cross-vendor interoperability?

Answers

Q1. How does the HP StorageWorks Secure Key Manager provide business value?
A1. The Secure Key Manager helps reduce the risk of a costly data breach while improving privacy compliance. High-profile cases of lost laptops or tape cartridges are increasingly common, especially in the financial, healthcare and retail industries. Many regulations require public disclosure if unencrypted private information is lost or stolen. Depending on the number of breached records, the cost can reach millions of dollars, especially when reputation damage and customer defection are factored in. Major corporations and government institutions need to abide by regulations wherever they operate, and they want to reduce their breach vulnerability and financial liability. There is no doubt that tape encryption with effective key management will become a best practice.
Q2. How can the HP StorageWorks Secure Key Manager minimize the effort of integrating and managing encrypted tapes?
A2. Keys are required to encrypt and decrypt information. HP StorageWorks LTO-4 tape drives and tape libraries now support embedded hardware encryption and decryption but require a method to manage the keys. Management complexity rises as the number of keys generated and the number of encrypting devices increase. Secure Key Manager automates key generation and management based on security policies for multiple libraries, transparently to ISV backup applications. The ongoing effort decreases with the centralized single point of management that Secure Key Manager provides.
Q3. Are keys on HP StorageWorks Secure Key Manager protected from unauthorized access?
A3. Yes. The Secure Key Manager is a hardened server appliance delivering secure identity-based access, administration and logging, with strong auditable security designed to meet the rigorous U.S. Federal Information Processing Standards (FIPS) 140-2 security requirements. Secure Key Manager v1.0 has achieved FIPS 140-2 Level 2 validation, and v1.1 is in process for re-validation. The Secure Key Manager, in concert with security officers and strictly followed information security policies, can protect keys from unauthorized access.
Q4. How long do keys need to be kept?
A4. Keys must be stored and maintained for the life of the data, and depending on the regulations, that could be for years or even decades. The key management requirement for data-at-rest is much more challenging than for data-in-flight keys, which are transitory.
Q5. What happens if keys are destroyed or lost?
A5. Without another copy of the encryption keys elsewhere, the actual data is also lost, because data cannot be decrypted without the key. The Secure Key Manager architecture provides multiple methods to keep keys highly available, including reliable lifetime key archival with automatic multi-site key replication and failover. In addition to the clustering capability, the Secure Key Manager provides comprehensive backup and restore functionality for keys, as well as redundant device components and active alerts.
Q6. How can the HP StorageWorks Secure Key Manager help with regulatory compliance and audits?
A6. Besides enabling protection and recovery of sensitive data, the Secure Key Manager provides a trusted infrastructure for enforcement of internal security policies and controls, and a trusted audit trail of insider, encryption and key management activities as evidence for compliance. Auditors look for this kind of proof that data is encrypted and keys are managed properly. For additional compliance reporting capability, consider the HP Compliance Log Warehouse (www.hp.com/go/clw) to transform security and compliance log event data into actionable information. The following are examples of regulations that address the responsibility of handling private information: SOX, HIPAA, CA SB1386, GLB, EU Data Protection Directive, Japan PIP Act and PCI.
Q7. How is the HP StorageWorks Secure Key Manager positioned with other HP storage key management solutions in the portfolio?
A7. Secure Key Manager is integrated with the HP ESL/EML LTO-4 library encryption and provides automation, tamper evidence and high key availability, in addition to facilitating the separation of roles between a storage administrator and a security officer. HP Data Protector Software basic encryption and key management is a good fit when the scale is not extensive and manual operations via a command line interface are acceptable. HP MDS 9000 Storage Media Encryption (SME) Software FC switch encryption is an excellent choice for hardware encryption of legacy tape, non-LTO-4 drives and HP StorageWorks Virtual Library Systems.
Q8. Why HP for key management?
A8. Secure Key Manager is an integral part of the HP Secure Advantage portfolio. Security is a key enabler for the HP Adaptive Infrastructure of the future whereby integrated security with end-to-end encryption, federated identity management and comprehensive key management proactively protect businesses against internal and external threats. HP is in a unique position to deliver the breadth of products and global services. With an architecture extensible to emerging open standards, the list of encrypting clients for Secure Key Manager can grow while keeping confidential data secure yet highly available with an automated single point of management.
Q9. Can I decrypt my data on a non-HP library or drive after it has been encrypted by an ESL library using an HP StorageWorks Secure Key Manager generated key? What’s the cross-vendor interoperability?
A9. The LTO-4 specification provides for read/write interchange of encrypted cartridges across drive vendors, provided the correct key is supplied. That said, key management interchange standards are still under development. Consequently, a custom tool would be needed on behalf of the non-HP library to query the Secure Key Manager for the key and then pass it to the non-client drive for decryption. Cross-vendor interoperability can expand quickly after key management standards coalesce, and HP is actively working toward defining these standards.
© 2008 Hewlett-Packard Development Company, L.P.