
HP StorageWorks Encryption SAN Switch - Questions and Answers

HP StorageWorks Encryption SAN Switch

Business Value

Manage operational risk by protecting valuable digital assets, achieve compliance with regulatory mandates, and meet industry standards for data confidentiality.
 

Questions

1. What is encryption?
2. Why is there a need to encrypt data-at-rest?
3. What type of data needs to be encrypted?
4. How do you measure the return on investment from storage security?
5. What industry mandates and regulations are relevant to data encryption?
6. What is the difference between encryption algorithms?
7. What are the key hardware characteristics of the HP Encryption SAN Switch?
8. What security features are available on the HP encryption products?
9. Can the HP encryption products be clustered and, if so, how?
10. How do keys get archived and synchronized?
11. How will the HP Encryption SAN Switch integrate with B-Series SAN?
12. What is key management?
13. How is the HP Encryption SAN Switch managed?
14. What advantages does HP offer compared to other inline encryption appliances?

Answers

Q1. What is encryption?
A1. Encryption is the process of obscuring information to make it unreadable without special knowledge. Modern encryption methods use a cipher, a method of encrypting data that uses a standard algorithm for performing encryption/decryption processes.
Q2. Why is there a need to encrypt data-at-rest?
A2. An increased awareness of vulnerabilities to network-accessible data and a skyrocketing rate of identity theft (stemming from the unlawful use of non-public personal information) have resulted in an emerging market for security products that distinctly address the need to protect stored data, or “data-at-rest.” The cost to an organization that experiences a loss of personal data—in terms of penalties, notification costs, damage to reputation, and lost customers—averages in the millions of dollars. Moreover, the theft of intellectual property can be devastating to a company’s ability to compete.
Q3. What type of data needs to be encrypted?
A3. Organizations typically undertake a data classification project to identify the most sensitive data requiring the additional layer of security provided by encryption. This often involves regulated data such as personal information, financial documentation, entrusted partner information, intellectual property, vendor data, customer lists, and personnel data. Increasingly, organizations are encrypting all sensitive company information, particularly if it is expected to ever leave the control of their facilities.
Q4. How do you measure the return on investment from storage security?
A4. Like a form of insurance, typical ROI arguments for security products use estimates of potential asset losses that would likely occur in the event of a security breach. Increasingly, users of storage security gain other financial benefits that can be more easily identified, such as increased business gained (or lost business avoided) by providing customers with data security assurance, an enhanced ability to demonstrate compliance with confidentiality regulations, and avoidance of penalties assessed for a failure to comply with regulations and industry standards for personal data protection.
Q5. What industry mandates and regulations are relevant to data encryption?
A5. Relevant mandates and regulations include:
  • California SB1386 and other security breach disclosure legislation provide an exception for data that was obtained while in “ciphertext” form. The California Office of Privacy Protection recommends in its Recommended Practices on Notification of Security Breach Involving Personal Information the use of data encryption, wherever feasible, to protect higher-risk personal information.
  • California AB 1950 specifies that holders of personal information about a California resident implement and maintain reasonable security procedures and practices to prevent unauthorized access, destruction, use, modification, or disclosure, when held in unencrypted form.
  • The Gramm-Leach-Bliley Act of 1999 requires financial institutions to have a security plan to protect the confidentiality and integrity of Non-Public Personal Information (NPI). The Interagency Guidelines Establishing Standards for Safeguarding Customer Information published by GLBA’s enforcing government agencies provides guidelines and standards for safeguarding customer information. Under the section “Manage and Control Risk,” recommended procedures include “encryption of electronic customer/member information, including while in transit or in storage on networks or systems to which unauthorized individuals may have access.”
  • The Payment Card Industry Data Security Standard (PCI DSS) adopted by leading credit and debit card vendors requires under Section 3.4 that merchants store account numbers (in databases, logs, files, and backup media) securely by means of encryption or truncation. Large merchants must additionally submit to an annual onsite PCI data security assessment that is validated by a Qualified Data Security Company or Internal Audit if signed by an Officer of the company.
Q6. What is the difference between encryption algorithms?
A6. Encryption algorithms are not generally considered to be well vetted until the security community has had several years to test them and discover any hidden vulnerabilities. For this reason, new and proprietary algorithms are generally not accepted for critical applications. Algorithms that have been extensively tested and that utilize long key lengths (suggested as greater than 128 bits for symmetric keys) are considered “strong” and trusted for use. The Advanced Encryption Standard (AES) describes the algorithm approved by the Federal Information Processing Standard (FIPS) for use by U.S. government organizations to protect sensitive, unclassified information. The AES is available in 128-, 192-, and 256-bit key lengths. Assuming that one could build a machine that could recover a DES key in a second (for example, attempt 2^55 keys per second), it would take that machine approximately 149 trillion years to crack a 128-bit AES key.
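The 149 trillion year figure can be reproduced as follows (a worked derivation added here, not part of the original HP text). It assumes the machine tests $2^{55}$ keys per second, which is half of the $2^{56}$ DES key space, and that an exhaustive search succeeds on average after trying half of the keys. The symbols $n$, $r$ and $T$ are introduced for this derivation only.

$$
T(n) = \frac{2^{\,n-1}}{r}, \qquad r = 2^{55}\ \text{keys/s}
$$

$$
T(56) = \frac{2^{55}}{2^{55}} = 1\ \text{s (DES)}, \qquad
T(128) = \frac{2^{127}}{2^{55}} = 2^{72}\ \text{s} \approx 4.72 \times 10^{21}\ \text{s}
$$

$$
\frac{4.72 \times 10^{21}\ \text{s}}{3.156 \times 10^{7}\ \text{s/year}} \approx 1.5 \times 10^{14}\ \text{years} \approx 149\ \text{trillion years}
$$

Each additional key bit doubles $T(n)$, so the same machine would need $2^{64}$ times longer for a 192-bit key and $2^{128}$ times longer for a 256-bit key than for a 128-bit key.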
Q7. What are the key hardware characteristics of the HP Encryption SAN Switch?
A7. The HP Encryption SAN Switch is a full-feature 32-port 8 Gbit/sec Fibre Channel switch that supports up to 96 Gbit/sec of encryption.
Q8. What security features are available on the HP encryption products?
A8. In addition to line-speed encryption, the HP encryption products provide storage access control and administrative audit logging. The systems also provide secure management connections and Smart Card support for quorum-based authorization of sensitive operations. Both products are FIPS 140-2 Level 3-compliant.
Q9. Can the HP encryption products be clustered and, if so, how?
A9. HP encryption products can be clustered into pairs. Two redundant Gigabit Ethernet ports enable clustering and synchronization of I/O activity during re-keying operations to ensure data integrity and recoverability.
Q10. How do keys get archived and synchronized?
A10. After their creation, keys are archived and synchronized automatically to the HP Secure Key Manager. Best practices dictate the use of two or more clustered HP Secure Key Manager devices for high availability.
Q11. How will the HP Encryption SAN Switch integrate with B-Series SAN?
A11. The HP Encryption SAN Switch integrates fabric-based security services into an existing core switch fabric. Whether used as an edge fabric switch, an attached service to the core switch, or a standalone switch with integrated services, the HP Encryption SAN Switch provides comprehensive security capabilities for enterprise data center storage.
Q12. What is key management?
A12. In cryptography, digital “keys” (pieces of information that control the operation of a cryptographic algorithm) are required for encryption and decryption of secured data. Key management describes the process of creating, distributing, authenticating, and storing encryption keys to ensure proper use. Because these procedures provide no security when the keys are handled incorrectly, the ability to obtain keys without permission must be considered equivalent to obtaining “cleartext” data. Integration with HP's Secure Key Manager enables the enforcement of rigorous key management policies, including restricting key creation to authenticated security administrators; providing secure key distribution among clustered HP Encryption SAN switches; and exporting keys only in “ciphertext” form.
Q13. How is the HP Encryption SAN Switch managed?
A13. The HP Encryption SAN Switch can be managed via the FOS command line interface or the HP Data Center Fabric Manager (DCFM) application software.
Q14. What advantages does HP offer compared to other inline encryption appliances?
A14. The HP Encryption SAN Switch provides multiple advantages over other inline encryption appliances:
  • HP cryptographic functions run on multiple dedicated hardware engines, providing a level of performance many times that of inline encryption appliances.
  • By integrating into a scalable encryption module-based platform, HP products enable performance scaling.
  • HP encryption products provide a central point of management that simplifies deployment and configuration changes.
  • HP supports seamless deployment using Frame Redirection technology.
  • The multipurpose switching functionality provides flexible deployment options, enabling the installation of 16 or 32 ports, universal (F/FL/E/EX/M) auto-sensing, and programmable 1, 2, 4, and 8 Gbit/sec speeds.
  • HP encryption products provide the lowest Total Cost of Ownership (TCO) of any currently available enterprise-class solution based on initial investment, deployment costs, management costs, environmental costs, and the opportunity to support additional applications.
© 2009 Hewlett-Packard Development Company, L.P.