HP StorageWorks Secure Key Manager

What would happen if your backup tapes and disposed disk drives were lost or stolen? When data at rest encryption keys are secure, the threats of financial loss and damage to your company's reputation are significantly lowered.

The HP StorageWorks Secure Key Manager reduces your risk of a costly data breach and reputation damage while improving regulatory compliance with a secure centralized encryption key management solution for HP LTO-4 enterprise tape libraries and Encryption SAN Switches. The Secure Key Manager automates key management based on security policies for multiple encryption clients. This occurs transparent to ISV backup applications. The Secure Key Manager is a hardened server appliance delivering secure identity-based access, administration and logging with strong auditable security meeting the rigorous FIPS 140-2 security standards. Additionally, the Secure Key Manager provides reliable lifetime key archival with automatic multi-site key replication, and high availability clustering. Encryption clients can access the cluster using flexible path and node failover capabilities.

The HP StorageWorks Secure Key Manager provides centralized key management for HP StorageWorks Enterprise Storage Libraries (ESL) E-series Tape Libraries, HP StorageWorks Enterprise Modular Library (EML) E-series Tape Libraries and the HP StorageWorks Encryption SAN Switch. In addition to the clustering capability, the Secure Key Manager provides comprehensive backup and restore functionality for keys, as well as redundant device components and active alerts. The Secure Key Manager supports policy granularity such as a key per library partition to a key per tape cartridge and allows for additional client types in the future needing key management services. Keep your confidential data secure yet highly available with automated management for your encryption keys using the HP Secure Key Manager, a member of the "HP Secure Advantage" portfolio.

• Solution integration with HP StorageWorks Encryption SAN Switch. The Secure Key Manager acts as a key repository and key manager for the Encryption SAN switch to deliver data at rest privacy in the SAN.

• Enables effective privacy of data
• Reduced complexity and effort to manage encryption keys
• Verification for compliance and audit
• High availability of archived keys for long term rapid access

• Centralized encryption key management
  • Automatic policy-based key generation and management supporting key/cartridge granularity for HP LTO-4 enterprise tape libraries
  • ISV transparent key archival and retrieval
  • Key repository and key manager for the Encryption SAN switch to deliver data at rest privacy in the SAN. Key/LUN, key/tape pool and key/tape granularity
  • Capacity of 2 million keys per cluster
• Strong auditable security for encryption keys
• Security hardened Linux-based server appliance with pick resistant locks
• Secure identity-based access, administration and logging
• FIPS 140-2 Level 2 validated, Certificate #1102
• Reliable lifetime key archival
• Automatic multi-site clustering and key replication
• Flexible path and node failover options (client configurable)
• Comprehensive backup and restore functionality for keys
• Redundant device components and active alerts

Mitigate your risk of data exposure. Keep your tape encrypted data private and protect the company reputation with Secure Key Manager while improving regulatory compliance and avoiding financial consequences of a breach. Proactively avoid situations requiring disclosure of unauthorized access to unencrypted private information.

The Secure Key Manager reduces the complexity of managing encryption keys across a distributed infrastructure with a single point of management. Independent of tape drive count in a library, Secure Key Manager supports multiple encryption clients per node further boosting investment protection. Secure Key Manager cluster nodes and key management clients may be deployed at different geographic sites; only network connectivity is required.

Reduce impact to existing backup and recovery processes. Secure Key Manager key management operations occur transparent to backup application. The data can be decrypted on any Secure Key Manager library client that has permission to access the key. Note that the LTO-4 Utrium 1840 drives require backup application ISV support. Check the Enterprise Backup Solutions (EBS) matrix and/or go-connect for support information for the LTO-4 drive.
http://www.hp.com/go/EBS
http://www.hp.com/go/connect

• One HP StorageWorks Secure Key Manager node or appliance
• One Client License Entitlement Certificate AN584A
• HP Secure Key Manager Documentation CD

NOTE: Requires quantity 2 of this SKU to configure a 2 node cluster for high availability of the keys. The capacity is 2,000,000 keys.
NOTE: This SKU includes one client license per node, however, it is possible to scale up to five client licenses per node. Additional licenses must be purchased to scale beyond one client per node. Each ESL or EML consumes only one license independent of number of drives. Each Encryption SAN Switch consumes only one license on the SKM.

• One Client License Entitlement Certificate

NOTE: This SKU entitles one encryption client for the AJ087B. Each ESL/EML only consumes one license independent of the number of drives. Each Encryption SAN Switch or Blade consumes only one license on the SKM.

By understanding the detailed event data that IT systems already produce, organizations can better manage, investigate, and protect these systems. HP CLW collects and analyzes data such as system and application log files, database event records, and operating system event logs. With powerful compliance reporting tools, it turns this data into actionable intelligence, providing rapid time-to-value at a fraction of the cost of traditional data warehousing and security solutions.

Visit: http://www.hp.com/go/clw to verify log adaptor support options for HP Secure Key Manager

• Add additional HP Enterprise Tape Library LTO-4 clients that require key management
• See the Enterprise Tape Library QuickSpecs at: http://h18006.www1.hp.com/storage/tapestorage/enterprise_class/index.html
• Add additional HP Encryption SAN Switch clients that require key management http://h18006.www1.hp.com/storage/networking/b_switches/index.html
  

NOTE: New or exiting tape library must be at the current supported level including the latest ETLA firmware, patches and software updates etc to support HP Secure Key Manager. Consult: http://www.hp.com/go/ebs for the minimum revision numbers required
NOTE: Each ESL/EML E-series Tape Library in the solution requires at least one LTO-4 encrypting tape drive, LTO-4 media and an ETLA Secure Manager License (343376-B21 or T3664A).

• Choose required Installation and Startup service. This service requires a FAN override approval for removal. (More information on Installation and startup Service in service section.)
• Choose support uplift type. There are different service uplifts uplifting years of service, hours of availability and response time. HP recommends the three year HP Support Plus 24 support uplift. (Details of specific part numbers in service section.)
• Consider Consulting and Integration enterprise security services: http://www.hp.com/hps/security

Application Overview (tape library encryption client example)

• Define your security policies and the roles for those who will administer the devices. For example, the security policies on the Secure Key Manager may be administered by a Security Officer. This role might direct security policy across all your storage products, not just tape. It is not necessary that this role overlap with existing roles, such as the Tape Library Administrator. The Secure Key Manager and the ETLA libraries that use it, both support the separation of roles, with each having separate logins and credentials.
• Determine which tape libraries and drives will be used for encryption. You can configure keys to be shared among all libraries or restrict keys to one library. Configure the key generation policies that best fit your business needs (key per cartridge or key per library/partition).
• Setup the Secure Key Manager cluster. The cluster can span multiple sites if necessary.
• Configure the ETLA tape libraries that will use the Secure Key Manager. The supported clients are HP ESL and EML E-series tape libraries (confirm at: http://www.hp.com/go/ebs). The configuration process is guided by a wizard in the tape library CommandView GUI. You can also use this wizard to modify the configuration later.
  NOTE: An Advanced Secure Manager license is required for each ETLA library that will use the Secure Key Manager.
  

• Each partition of each library may have a separate key generation policy. The library will automatically retrieve keys to the HP LTO-4 Ultrium 1840 Tape Drives.
• These operations are transparent to the backup software and therefore do not affect your existing backup/restore processes.
• When a tape is written for the first time, the library obtains a key based on the key generation policy you established for it. The keys are assigned unique names, based on a media ID, the barcode value, and a timestamp.
• When a tape is read, the library retrieves the key from the Secure Key Manager. If the tape is moved to a different library before it is read, the two libraries must be part of the same security group so the key can be shared. Security groups are easily configured at the Secure Key Manager GUI.
• Keys are passed between the library and the Secure Key Manager via an SSL connection. This is more secure than using a backup application and the SAN where keys are passed in the clear. The path is secure between the library and the Secure Key Manager.
• Encrypted media may be re-used or overwritten again at a later time using a different key. Tape cartridge re-cycling is common in backup applications.

• All the nodes of a Secure Key Manager cluster will continuously replicate, so all keys are stored on and available from each node. If a node fails, the other nodes continue to operate, and will serve keys to the tape libraries without interruption.
• You can also periodically backup all the keys, logs and node configurations on each node. These backups are typically stored on a server in your network. These backup files are encrypted and can only be restored to a Secure Key Manager.
• The Secure Key Manager will support multiple libraries. Each node in the cluster can support 5 HP ESL or EML tape libraries, so a 2-node cluster will support 10 libraries. The Secure Key Manager has capacity to support the largest ESL configuration (44 drives). Each library requires a valid license: AN584A - HP Secure Key Manager Storage License.

• The Secure Key Manager maintains an audit log of all key creation and usage. This can be used to support your auditing and security validation policies. This log is digitally signed, which facilitates non-repudiation.

• The Secure Key Manager supports manual key deletion, through the Secure Key Manager GUI. This operation can be used if a tape is lost or if the data on the tape is no longer needed. Key deletion is only possible as a manual process by an administrator with the proper authority. The tape library clients cannot delete keys.

© Copyright 2009 Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.