Can Your Storage Be Trusted?
Let's face it; do you really know what your storage is up to once you walk out the building at 5 p.m. each day? When you are provisioning storage in one array, how do you know what is going on in the other arrays? And with backups now being staged to disk to reduce the length of backup windows, how can you be sure that your storage isn't out partying all weekend?
Those may seem like some of the issues being confronted by the Trusted Computing Group (TCG) via its Trusted Storage initiative. But in fact, the challenges the group faces are much more critical to everyday operations.
"Trusted Storage is crucial, as storage devices are where the data and programs reside," says Robert Thibadeau, chief technologist at Seagate Technology and chair of the Trusted Computing Group's Storage Work Group. "They constitute a last bastion of defense against identity theft, stolen corporate secrets, stolen laptops and misplaced enterprise disks, and many other all too common problems in today's society."
He makes the point that no trusted computing platform can possibly exist without trusted storage. Thus the trust boundary must be extended to all the peripheral devices that are connected within any environment. Just like a chain is no stronger than its weakest link, so any storage network is as secure as the individual drives.
The Storage Work Group is building upon existing TCG technologies, focusing on standards for security services on dedicated storage systems. One objective is to develop standards and practices for defining the same security services across dedicated storage controller interfaces. This includes ATA, SATA, SCSI, Fibre Channel, USB Storage, IEEE 1394, NAS (TCP/IP), and iSCSI.
The organization is also acting as TCG liaison to other storage industry standards groups that have jurisdiction over interface standards. Interestingly, TSG member companies include all major storage industry vendors working to create an industry specification for trusted storage that protects data at rest.
A total of 39 of the 115 TCG member companies are participating in the development of the storage specifications. These vendors run the gamut: As well as flash storage and major hard drive manufactures, there are storage management players and storage integration specialists. A complete list of members is online at the Trusted Computing Group website.
A Spec Is On Its Way
Why not just leave it up to the individual vendors to sort out their own security issues?
"We are operating to develop a specification precisely to allow all vendors who want to have a voice to have a voice," says Thibadeau. "Since trusted storage means changes to the hardware and firmware in disk drives and other storage devices, a standards group is the appropriate place to let everyone sort out the details."
The spec itself, according to Thibadeau, is scheduled to appear in the spring, and is said to be relatively complete. The Trusted Storage Group lays out three areas where the spec will have broad applicability: the trusted attachment of storage devices to their hosts; more general policy-driven secure control over features of storage devices such as storage locations and storage encryption; and secure, session-oriented messaging of such controls to storage devices.
One example of the value of the spec is when storage devices get repurposed at end-of-life. Ideally, any and all data on the device would be protected against the possibility of it ending up in the wrong hands. But that isn't always the case. There are plenty of scandals around about the exposure of health records, social security numbers and other confidential data. That's why the Storage Workgroup has focused on access controls.
A major feature, for instance, will be full disk encrypting drives.
"Its main feature is the ability to lock a particular disk drive to a particular platform in a fashion that if someone steals or otherwise moves the drive in an unauthorized way, the drive literally becomes unusable without proper authorization," says Thibadeau. "It will not read or write data as everything is fully encrypted. This encryption function allows an authorized user to effectively erase and repurpose a drive in a matter of milliseconds, not hours as it is today."
But putting out a spec is one thing, and seeing the benefits in the real world quite another. So how long before the spec finds its way into actual products? Thibadeau says the advantages will be apparent as soon as drive makers introduce encrypting drives.
"Seagate has announced a family of such drives already," he says. "Hitachi, Fujitsu and Toshiba have also indicated similar plans."
Article courtesy of Enterprise IT Planet