Saturday, May 7, 2011

Storage encryption technologies

All confidential data/information residing on Direct Attached Storage (DAS), Network Attached Storage (NAS) and Storage Area Network (SAN) devices, and on all portable devices, shall be encrypted, and the encryption shall be compatible with the communications and security protocols identified in Statewide Standard P700-S710, Network Infrastructure, and Statewide Standard P800-S830, Network Security. Encryption technologies shall also be compatible with state platform operating systems. Each Budget Unit shall determine its encryption requirements and deploy one or more of the encryption methods listed below for the protection of confidential data/information:

Full-Disk Encryption – encrypts all data on the hard drive of a client device: the entire operating system, all applications, and all data/information. Full-disk encryption software contains components that are independent of the operating system and execute before it is loaded, including pre-boot authentication. In the event of cyber crime or terrorism, the system is rendered unintelligible and unusable to anyone who cannot authenticate.

Full-Disk Encryption should have the following capabilities: pre-boot authentication for laptops and tablet PCs; file- and folder-based encryption capabilities built into the operating system; support for Single Sign-On; remote install capability; support for multiple algorithms, with the ability to disable supported and unsupported algorithms in the event of a conflict.

File (Folder) Encryption – provides encryption for specific files or folders. File-encryption solutions depend on the user, since encryption must be manually turned on or off for each new file or folder.

File (Folder) Encryption should have the following capabilities: support for all state operating systems, all applications and related software programs, and the state's productivity software; support for a wide range of servers and file systems; simple recovery mechanisms for lost keys of encrypted files/folders; seamless integration with mobile email; support for the security concepts and methods of separation of duties.

Back-up and Archive Media Encryption – provides benefits not only for protecting data in storage but also for the disposal of backup media. Many privacy regulations require disposal of back-up and archive media, while disclosure regulations generally dictate a retention period for back-up and archive data. Without encryption, secure media disposal is difficult; therefore many entities keep back-up and archive media longer than needed or legally prudent. By deleting the encryption key, the media is rendered unreadable. With a rotating key sequence, a regular pattern of retention and disposal can be enforced automatically.

Back-up and Archive Media Encryption should have the following capabilities: integrates seamlessly into the backup process and devices; offers flexible options for data restoration and disaster recovery; supports the various backup media types used by the state.
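The rotating-key disposal pattern described above, written out as an added Go example (an illustration for this post, not code from the Arizona standard): each backup period gets its own AES-256 key, every backup image is sealed under the key of its period with the period number authenticated in the header, and enforcing retention means deleting the keys of expired periods rather than locating and physically destroying the media. The period numbering, the in-memory keyring, the three-period window and the backup contents are constructed for the example; a deployment would hold the keys in a key manager under the separation of duties the standard calls for.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"io"
)

const hdrLen, nonceLen = 4, 12 // big-endian period number || standard GCM nonce

// ErrDisposed: the period's key was destroyed; the media is intact but unreadable.
var ErrDisposed = errors.New("key for this period was disposed of")

// Keyring maps each retention period (constructed here as a counter; a real
// scheme would derive it from the backup date) to its AES-256 data key. A
// deployment would hold the keys in a key manager, not an in-memory map.
type Keyring map[uint32][]byte

// Expire enforces the retention pattern: every period more than `retain`
// periods behind `current` has its key wiped and deleted.
func (k Keyring) Expire(current, retain uint32) {
	for p, key := range k {
		if p+retain <= current {
			for i := range key {
				key[i] = 0 // wipe before dropping the reference
			}
			delete(k, p)
		}
	}
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one backup image under period p's key, laid out as
// period || nonce || AES-GCM ciphertext+tag. The period header is bound as
// associated data, so it cannot be rewritten to point the blob at another key.
func (k Keyring) Seal(p uint32, plaintext []byte) ([]byte, error) {
	key, ok := k[p]
	if !ok { // first backup of this period: mint its key
		key = make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			return nil, err
		}
		k[p] = key
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	hdr := make([]byte, hdrLen+nonceLen)
	binary.BigEndian.PutUint32(hdr, p)
	if _, err := io.ReadFull(rand.Reader, hdr[hdrLen:]); err != nil {
		return nil, err
	}
	return gcm.Seal(hdr, hdr[hdrLen:], plaintext, hdr[:hdrLen]), nil
}

// Open decrypts a sealed backup. It never mints a missing key: once a period's
// key is gone nothing may recreate it, which is what makes disposal final.
func (k Keyring) Open(blob []byte) ([]byte, error) {
	if len(blob) < hdrLen+nonceLen {
		return nil, errors.New("truncated backup")
	}
	key, ok := k[binary.BigEndian.Uint32(blob)]
	if !ok {
		return nil, ErrDisposed
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[hdrLen:hdrLen+nonceLen], blob[hdrLen+nonceLen:], blob[:hdrLen])
}

// RetentionDemo seals one backup per period 1..5, enforces a three-period
// window at period 5, and returns which periods remain readable or disposed.
func RetentionDemo() (readable, disposed []uint32, err error) {
	kr, blobs := Keyring{}, map[uint32][]byte{}
	for p := uint32(1); p <= 5; p++ { // constructed backup contents
		if blobs[p], err = kr.Seal(p, append([]byte("backup image "), '0'+byte(p))); err != nil {
			return nil, nil, err
		}
	}
	kr.Expire(5, 3) // keep periods 3, 4, 5; dispose of 1 and 2
	for p := uint32(1); p <= 5; p++ {
		switch _, e := kr.Open(blobs[p]); {
		case errors.Is(e, ErrDisposed):
			disposed = append(disposed, p)
		case e != nil:
			return nil, nil, e
		default:
			readable = append(readable, p)
		}
	}
	return readable, disposed, nil
}
```

Open looks a key up but never creates one, so a backup whose period has been expired fails with ErrDisposed even though the media itself is untouched; that is the property the standard relies on when it says deleting the key renders the media unreadable. Because the period header is GCM associated data, rewriting it to aim an old blob at a still-live key is detected as tampering rather than silently decrypting garbage.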

Mass Storage (SAN/NAS) Encryption – encrypts large volumes of active data/information. Mass storage devices here means storage area network (SAN) and network-attached storage (NAS) data management solutions. Recently the boundary between NAS and SAN systems has blurred, with some products providing both file-level protocols (NAS) and block-level protocols (SAN).

Mass Storage (SAN/NAS) Encryption should have the following capabilities: supports encryption throughout the lifecycle of all data/information, whether in storage or in transit; encryption and decryption methods support both logical and physical segmentation; provides efficient encryption/decryption across multiple mass storage device types, including Fibre Channel disks within an IP-based network environment.

Database Encryption – encrypts the physical data held in a database, either by encrypting the entire database, by calling encryption functions from stored procedures and database triggers, or by natively using Database Management System (DBMS) encryption features to encrypt all or part of the data (column, row, or field level). Database encryption can also be implemented at the application level.

Database Encryption should have the following capabilities: supports symmetric and asymmetric encryption; can perform column/row-level encryption instead of full database encryption for greater flexibility; supports multiple database platforms and operating systems; can encrypt and decrypt at the application and/or field level; supports separation of duties between Database Administrators (DBAs) and the Key Administrator.

Encryption for Removable Storage Drives and Devices – provides encryption for smaller portable devices and existing data sets. A USB flash drive is a flash-memory device that plugs into a computer's USB port and functions as a portable hard drive with no moving parts. USB flash drives are also known as thumb drives, pen drives, keychain drives, key drives, USB keys, USB sticks and memory keys.

Encryption for Removable Storage Drives and Devices should have the following capabilities: USB flash drives must have password/security capabilities built into the device. USB flash drives and removable storage devices can be bought with encryption software installed on the device hardware, or file-encryption software can be purchased separately for installation.

Encryption Technologies
STATE of ARIZONA, May 7, 2008