DECRU

1
DECRU
Data At Rest Security Opportunity Chris Gale
Chris.gale_at_decru.com
2
Storage Insecurity

• Feb 2003 Visa, Amex, MasterCard
• Hacker breaches 8 million credit card accounts
  through a third-party processor
• Feb, May 2004 Microsoft and Cisco Source Code
  Stolen
• Sept 2004 Guilty plea in 50 million identity
  theft case
• Helpdesk employee stole tens of thousands of
  identities from credit databases
• Feb 2005 Bank of America
• 1.2 million user accounts, including U.S.
  Senators and Defense Department employees, are
  exposed when cleartext backup tape is lost

June, 2004 AOL software engineer arrested after
stealing 92 million names, selling to spammers
for 100,000
3
Compliance Drivers Visa CISPCardholder
Information Security Program

• CISP information security program applies to
  vendors, merchants, and service providers who
  handle confidential cardholder data
• Compliance is verified by third party auditors
  fines and other sanctions for non-compliance or
  for data breaches caused by poor security
• Sec. 3 of 12 Protect Stored Data
• Requirement to protect confidential cardholder
  data at rest
• Encryption highly recommended
• Need-to-know access controls
• Strong algorithms, strong key management

4
Perimeter Security is Insufficient

• Insider Threat
• 50-80 of electronic attacks
• originate inside the firewall
• 67 of companies reported internal
  breaches
• Average loss from breach of proprietary data was
  2.7 million
• Source FBI/Computer Security Institute

5
Storage TrendsStorage protocols have never
evolved from cleartext
Risk Multipliers
Consolidation
Replication
Outsourcing
6
Who has access to sensitive data?
CEO
Customer data
Storage
Earnings releases
CFO
Salaries and reviews
Litigation docs
General Counsel
7
Traditional Encryption Compromises

• Performance degradation
• Key management complexity security
• High availability issues
• Application changes and downtime
• Database changes required
• Changes to desktops, servers, workflow

The Decru solution addresses all of these
concerns.
8
About Decru

• Founded 2001 to solve emerging storage security
  problems
• Regulatory compliance
• Privacy
• Insider threat
• Well funded by top tier investors over 45m
• NEA, Benchmark, Greylock,
• In-Q-Tel (CIA-funded)
• Seasoned, proven management team
• DataFort platform is shipping and deployed, with
  customers on three continents

Top 10 Products of 2004
Nominated Best Enterprise Security Product
2003
12 Hot Startups
Top 10.
9
Partner Ecosystem
10
Decru DataFortStorage Security Appliances

• DataFort provides the first unified platform
  for securing data at rest across the entire
  enterprise.
• DataFort integrates transparently into NAS,
  DAS, SAN, iSCSI tape environments, and protects
  stored data with wire-speed encryption, access
  controls, authentication, and tamper-proof
  auditing.
• NAS/DAS DataFort E-Series (1Gbit)
• SAN/Tape DataFort FC-Series (2Gbit)
• Tape DataFort S-Series (2Gbit)
• Lifetime Key Management for automated, secure
• enterprise-wide key management

Rating Deploy Top 10 lab score 8.4/10 Security
10/10
Top 10 Products of 2004
11
Decru End-to-end storage security
Authentication Granular ACLs Secure logging

Storage
Network
DataFort
Clients/ Hosts
DataFort protect the data path for applications
and users, eliminating back doors and
simplifying security
12
Decru Tape Encryption
Unsecured Tape Backup
CUSTOMER SSN AMT John Magnus
544-89-3021 304.31 Susan Wong 522-35-1105
91.05 Ken Hernandez 670-32-1145
21.88 Alicia Sparr 435-98-0498 209.95 M.J.
Satyr 594-22-9038 76.55 Dan Spencer
543-09-3451 413.03 Mary Jones 495-38-8971
90.74 Jerome White 613-98-8932
247.11 Martin Ng 339-77-9201 20.89 Fay
Dunlap 784-29-6290 401.92 Takeshi Doi
544-09-3193 29.01 Sarah Fisher 432-92-7105
142.28 Ingrid Parker 595-29-7406 102.48
Cleartext
FC SWITCH
Cleartext
Secured Tape Backup
DYHYC_at__at__at_ltF2gt? zltB2gt0 NltE4gtqlt91gtltCDgtxlltCBgt
A_at__at__at_ \lt84gt1 lt92gtltF6gtCqlt89gtlt90gtltCFgtlt9Cgt ltD9gt1
ltF6gtlt8EgtltC1gtltCFgtlt86gtltDAgtBltEBgt ltF7gtA.\ltADgtltCFgtltF0gtlt
D2gt-ltCAgtltC3gtltDAgt lt8EgtltF1gtltB7gtCLltEEgtltE5gtlt9EgtltA4gtlt
9Egt _WltCEgtltADgtltBBgt2lt95gtltD3gtETllt8Dgt ltA7gtltCDgtlt93
gtltA6gt/ltF5gtltACgtltDFgtslt88gt lt87gt,ltF3gt"ltF2gtPltF3gtltB1gt
lt9Fgtlt82gt lt97gtQltBAgtltEDgtoltAFgtltC5gtltDFgtu"6,QD ltA7gtltB
9gtollt87gt\8ltD3gtltB6gtlt8Dgtklt9DgtltA8gt )9AQ)ltF0gtltFEgt-lt
C0gtltFBgtLIlt82gtltDBgt ltE0gtltC8gtltD9gtalt8EgtWltBBgtlt88gtqltCCgt
ltC0gt B\LltFAgtltDAgtltDDgtltE3gtltA5gtOOltD7gtT7lt9
Decru DataFort
Encrypted
FC SWITCH
Encrypted
13
Hardware-based security

• Hardware-based encryption provides crucial
  advantages over software-based solutions
• Wire-speed performance
• All encryption and key management are processed
  by specialized encryption hardware Decru
  Storage Encryption Processor (SEP)
• Multi-gigabit throughput, sub-100 microsecond
  latency
• Encryption and key management are maintained in
  secure hardware
• Software encryption stores keys in. Windows.
• DataFort provides military-grade hardened
  architecture (FIPS 140-2 Level 3 certified) with
  storage optimized AES-256
• Encryption keys never exposed in an open
  operating system (e.g. Windows, Linux)

14
High Availability for Encrypted Data

• DataFort cluster failover
• DataFort cloning
• Software recovery

15
Decru Lifetime Key ManagementAutomated, Secure,
Enterprise-Wide Key Management
1
1. Each DataFort appliance provides automated,
self- contained key management.
2
Secure Key DB
Secure
2. Keys are automatically and securely replicated
to additional cluster nodes.
LKM
3
3. All DataFort appliances across the enterprise
replicate keys to Decru Lifetime Key Management
(LKM) system, providing automated, secure
enterprise-wide key management. Recovery smart
cards enforce quorum approval for sensitive
operations.
16
Global Investment BankSecure Consolidation
Shared storage
DataFort E-Series
UNIX Development Environment
Developer A
Cryptainer A
Cryptainer B
Developer B
Cryptainer C
Developer C
Access Controls Authentication
AES-256 Encryption Cryptainer Vaults
17
Fortune 5 CompanyGLBA Compliance, Secure
Offshoring
Transaction Processing Servers
SAN Storage
DataFort FC-Series
Secure Replication to DR
FC switches
Port Locking SAN Host Authentication
AES-256 Encryption Cryptainer Vaults
18
UK National Health ServiceTape Encryption for
Patient Privacy
Backup Servers
Backup Tape Libraries
DataFort FC-Series
Fibre Channel
Fibre Channel
Encrypted
FC switches
Encrypted
Encrypted
Port Locking SAN Host Authentication
Data Compression AES-256 Encryption Cryptainer
Vaults
19
Secure DR Multiple Copies of Data
Headquarters
DR Site/Outsource
Server
Server
WAN
WAN
FC switch
FC switch
DataFort
Data Exposed
DataFort
Data Secured
Data Exposed
Data Secured
Clear text
Clear text
Data Exposed
Cipher Text
Cipher Text
Data Exposed
Data Secured
Data Secured
Clear
Cipher Text
Storage
Tape System
Storage
20
Questions ????