contents
 Overview      Standard Features      Product Highlights      Service and Support, HP Care Pack, and Warranty Information      Kit Contents      Related Options      Configuration Information      Technical Specifications

Overview

HP StorageWorks Secure Key Manager

 

The HP StorageWorks Secure Key Manager reduces your risk of a costly data breach and reputation damage while improving regulatory compliance with a secure, centralized encryption key management solution for HP LTO4 enterprise tape libraries. The Secure Key Manager automates key generation and management based on security policies for multiple libraries. This occurs transparently to ISV backup applications. The Secure Key Manager is a hardened server appliance delivering secure identity-based access, administration and logging with strong auditable security designed to meet the rigorous FIPS 140-2 security standards. Additionally, the Secure Key Manager provides reliable lifetime key archival with automatic multi-site key replication, high availability clustering and failover capabilities.

The HP StorageWorks Secure Key Manager provides centralized key management for HP StorageWorks Enterprise Storage Libraries (ESL) E-Series Tape Libraries and HP StorageWorks Enterprise Modular Library (EML) E-Series Tape Libraries. In addition to the clustering capability, the Secure Key Manager provides comprehensive backup and restore functionality for keys, as well as redundant device components and active alerts. The Secure Key Manager supports policy granularity ranging from a key per library partition to a key per tape cartridge, while featuring an open, extensible architecture for emerging standards that allows additional client types needing key management services to be added in the future. These clients may include other storage devices, switches, operating systems and applications. Keep your confidential data secure yet highly available with an automated single point of management for your encryption keys using the HP Secure Key Manager, a member of the "HP Secure Advantage" portfolio.

 
HP StorageWorks Secure Key Manager node

Models
HP StorageWorks Secure Key Manager Models
HP StorageWorks Secure Key Manager System              AJ086A
HP StorageWorks Secure Key Manager Expansion Module    AJ087A
NOTE: ETLA tape libraries are purchased separately (ESL and EML)
NOTE: To verify EML support timing on Secure Key Manager please check http://www.hp.com/go/ebs.
 

Standard Features

Secure Key Manager Customer benefits
  • Enables effective privacy of data
  • Reduced complexity and effort to manage encrypted data
  • Verification for compliance and audit
  • High availability of archived keys for long term rapid access

Key Features
  • Centralized encryption key management for HP LTO4 enterprise tape libraries
    • Automatic policy-based key generation and management supporting key/cartridge granularity
    • ISV transparent key archival and retrieval for multiple libraries
    • Extensible to emerging open standards
  • Strong auditable security for encryption keys
    • Hardened server appliance
    • Secure identity-based access, administration and logging
    • Designed for FIPS 140-2 validation
  • Reliable lifetime key archival
    • Automatic multi-site clustering, key replication and failover
    • Comprehensive backup and restore functionality for keys
    • Redundant device components and active alerts

Product Highlights

Mitigate data breach risk

Mitigate your risk of data exposure. Keep your tape encrypted data private and protect the company reputation with Secure Key Manager while improving regulatory compliance and avoiding financial consequences of a breach. Proactively avoid situations requiring disclosure of unauthorized access to unencrypted private information.


Centralized automated key management

The Secure Key Manager reduces the complexity of managing encryption keys across a distributed infrastructure with a single point of management. Independent of tape drive count, Secure Key Manager supports multiple ESL/EML LTO4 tape libraries per node further boosting investment protection. Secure Key Manager cluster nodes and key management clients may be deployed at different geographic sites; only network connectivity is required.


Extensible to emerging open standards

The Secure Key Manager architecture and plans support future encryption clients beyond HP ESL and EML tape libraries. It is the platform HP is using to build infrastructure-wide centralized key management for information protection across the enterprise.


Strong auditable security

The Secure Key Manager features a closed Linux kernel, dual locking bezel with durable pick-resistant locks and tamper-evident enclosure seals to provide platform security substantially beyond a general-purpose server key repository.
The Secure Key Manager also provides a trusted infrastructure for enforcement of internal security policies/controls and a trusted audit trail of encryption and key management activities as evidence for compliance and audit verifications. This product is appropriate for stringent cryptographic installations and supports AES-256 key generation. FIPS 140-2 Level 2 security validation is pending. The Federal Information Processing Standard (FIPS) Publication 140-2 is a U.S. government standard used to validate cryptographic modules.

Reliable lifetime key archival

High availability and reliability are paramount because keys must be retained for the life of the data, which may be for decades. The Secure Key Manager delivers high availability of archived keys for same or multi-site coverage. Key replication and failover occur automatically in a clustered configuration.
For improved overall hardware reliability, the Secure Key Manager has redundant dual fans, power supplies and disk drives with RAID 1 (mirroring). It also features active alerts and health checks to maximize uptime.

OS Support

The Secure Key Manager is a dedicated, hardened server with a closed Linux kernel supporting the key management operations. The Secure Key Manager interfaces with its clients via secure Ethernet communications.

Backup Software Support and Compatibility

Minimize impact to existing backup and recovery processes. With Secure Key Manager, LTO-4 library key management and data encryption operations occur transparently to the backup application. The data can be decrypted on any Secure Key Manager library client that has permission to access the key. Note that the LTO-4 drives require backup application ISV support. Check the EBS matrix and/or go-connect for support information for the LTO-4 drive.
http://www.hp.com/go/EBS
http://www.hp.com/go/connect


Service and Support, HP Care Pack, and Warranty Information

Warranty

HP Care Pack Services offer upgraded service levels to extend and expand your standard product warranty with easy to buy, easy to use support packages that help you make the most of your hardware and software investments. They let you choose the support levels that meet your business requirements, from basic to mission-critical. They help you contain total cost of ownership.

HP Care Pack warranty extensions can be purchased along with HP products to cost-effectively upgrade or extend your warranty. For many products, post-warranty HP Care Pack Services are available when your original warranty has expired.

Why purchase an HP Care Pack service?

Your standard warranty protects against product defects. HP Care Pack Services help you guard against unplanned downtime, which can reduce your productivity and profitability. These convenient service packages:

  • Protect your investment in HP products
  • Provide consistent, predictable levels of support across your entire department or business
  • Ease budget planning with fixed-cost support that includes parts and labor
  • Give you direct access to proven technical and problem-solving expertise
  • Offer a choice of response-time and repair-time commitments
  • Deliver prompt, measurable results
  • Are available whenever and wherever you do business

HP Care Pack availability may vary by country and product.

Supporting your Adaptive Enterprise journey

HP Services helps you make the Adaptive Enterprise real for your organization. The breadth, depth, and quality of HP hardware and software support services can help you improve the performance of your IT support processes and resolve the complex software and hardware problems that tax user productivity. HP Care Pack services help you increase IT environment stability, efficiency, and agility from the desktop to the data center, and improve the productivity of your employees.


Warranty and Services Included with the Product

Hewlett-Packard provides a 1-year, next-day, on-site, limited warranty for the HP StorageWorks Secure Key Manager hardware, plus 9x5 phone support for the duration of the warranty.
For more information about HP's Global Limited Warranty and Technical Support, visit: http://h18006.www1.hp.com/products/storageworks/warranty.html

Recommended Services

In order to maximize ROI and product uptime, and minimize the cost of ownership, Hewlett Packard recommends:

3 years 24 x 7 Hardware Support

  • Guards against downtime, which reduces productivity and profitability
  • Eases budget planning with fixed-cost support that includes parts and labor
  • Direct access to proven technical and problem-solving expertise

Installation Services via HP Direct

Description                                                      Band    Care Pack
HP StorageWorks Secure Key Manager System (AJ086A)
  HP Custom Storage deployment SVC (SOW)                         None    HA546A1
HP StorageWorks Secure Key Manager Expansion Module (AJ087A)
  HP Custom Storage deployment SVC (SOW)                         None    HA546A1
NOTE: If the additional system is to be configured at a different site, the customer must purchase an additional instance of HA546A1.
NOTE: New system node must include HP Custom Storage deployment SVC (SOW) (HA546A1).
NOTE: Tape library must be at the current supported level, including the latest ETLA firmware, patches and software updates, etc., to support HP Secure Key Manager. Consult http://www.hp.com/go/EBS for the minimum revision numbers required.

Description                                          Care Pack
HW, "3-year", "next-day", "13x5", "on-site"          HA101A3
HW, "3-year", "4-hour", "13x5", "on-site"            HA103A3
HW, "3-year", "4-hour", "24x7", "on-site"            HA104A3
HW, "3-year", "6hr CTR", "24x7", "on-site"*          HA105A3
HW Only, Support Plus, "3-year", "13x5"**            HA109A3
HW Only Support Plus 24, "3-year", "24x7"**          HA110A3
HW Only, Proactive 24, "3-year", "24x7"***           HA111A3
HW Only, Critical Service, "3-year", "24x7"***       HA112A3

* 6hr CTR 'standalone' service is not offered in Latin or North America.
** Support Plus covers 4hr Hardware response (Software support is not applicable).
*** Both Proactive 24 & Critical Service only relate to 'reactive elements', work is ongoing to offer the 'proactive elements' in the near future (Software support is not applicable).

The HP Care Pack information quoted above relates to 3-year offerings only; 1yr, 4yr and 5yr packs are available for each offering (replace A3 with A1, A4, A5 respectively).

In order to maximize ROI and product uptime, and minimize the cost of ownership, Hewlett Packard recommends the 3-year, 24x7 service options. These offerings will ensure that any product issue can be tackled when it occurs (most backup issues will occur outside standard business hours) and that the service coverage period covers the minimum expected life of the host system.

To find HP Care Pack Services available via HP authorized commercial resellers, visit http://h30125.www3.hp.com/csn/salesmktg/elfpack/elf_nonlkup_ctrylang.asp?code=ELNL


Kit Contents

Model: HP StorageWorks Secure Key Manager System
Description: HP StorageWorks Secure Key Manager Two Node Cluster
Part Number: AJ086A
Supplied with each Secure Key Manager Two Node Cluster  
  • Two HP StorageWorks Secure Key Manager nodes
  • Pick-resistant dual-locking bezel
  • Redundant power supplies per node
  • 10 total client licenses
  • HP Secure Key Manager Documentation CD

NOTE: This SKU is used to configure a 2 node cluster for high availability of the keys. The capacity is 100,000 keys.

 
Model: HP StorageWorks Secure Key Manager Expansion Module
Description: HP StorageWorks Secure Key Manager Expansion Module
Part Number: AJ087A
Supplied with each Secure Key Manager Expansion Module
 
  • One HP StorageWorks Secure Key Manager node
  • Pick-resistant dual-locking bezel
  • Redundant power supplies
  • 5 additional client licenses
  • HP Secure Key Manager Documentation CD

NOTE: This SKU is used to expand a cluster with 5 more licenses. The maximum key count will not increase with additional expansion modules because the cluster nodes share the keys. This SKU can be used to expand a single-site cluster into a multi-site cluster.

 

Related Options

HP StorageWorks Enterprise Class Libraries
ESL and EML tape libraries
For details please visit http://www.hp.com/go/tape

LTO-4 Encryption
HP StorageWorks LTO-4 Ultrium 1840 tape drives
For details please visit http://h18006.www1.hp.com/products/storageworks/lto4Encryp/index.html

HP Compliance Log Warehouse (Optional)
For additional compliance reporting capability, consider the HP Compliance Log Warehouse (CLW) to transform security and compliance log event data into information.

By understanding the detailed event data that IT systems already produce, organizations can better manage, investigate, and protect these systems. HP CLW collects and analyzes data such as system and application log files, database event records, and operating system event logs. With powerful compliance reporting tools, it turns this data into actionable intelligence, providing rapid time-to-value at a fraction of the cost of traditional data warehousing and security solutions.

Visit http://www.hp.com/go/clw to verify log adaptor support options for HP Secure Key Manager


Power Cords
(for connection to standard wall outlets)

Power Cord, C13-Nema 5-15P
AF556A
NOTE: Each Secure Key Manager node ships with redundant power supplies and two (2) IEC-IEC power cords intended for rack mounting with Power Distribution Units (PDUs) and/or Uninterruptible Power Systems (UPS) for highest availability. Alternatively, each Secure Key Manager node may be powered using two (2) optional power cords connecting to two separate wall receptacles provided on separate branch circuits and mains for highest availability. Two (2) such optional power cords must be ordered for each Secure Key Manager node.

Configuration Information

NOTE: Only rack-mount units are available
Step 1 – Select a Configuration
  HP StorageWorks Secure Key Manager System
AJ086A

Step 2 – Add additional cluster nodes to enable additional licenses (optional)
  HP StorageWorks Secure Key Manager Expansion Module
AJ087A

Step 3 - Select appropriate clients -- HP Enterprise Tape Library (optional)

NOTE: New or existing tape library must be at the current supported level, including the latest ETLA firmware, patches and software updates, etc., to support HP Secure Key Manager. Consult http://www.hp.com/go/ebs for the minimum revision numbers required.
NOTE: Each ESL/EML E-Series Tape Library in the solution requires at least one LTO4 encrypting tape drive, LTO4 media and an ETLA Secure Manager License (343376-B21 or T3664A).


Step 4 - Select appropriate Services/Support
  • Choose required Installation and Startup service. This Statement of Work service requires a FAN override for removal. (More information on SOW in service section.)
  • Choose support uplift type. Different service uplifts are available, varying in years of service, hours of availability and response time. HP recommends three-year 24x7 support uplifts. (Details of specific part numbers in service section.)
  • Consider Consulting and Integration enterprise security services http://www.hp.com/hps/security

Application Overview

 
Using the HP StorageWorks Secure Key Manager

This section summarizes the usage and applications of the HP StorageWorks Secure Key Manager.

1. Installing and configuring the Secure Key Manager
  • Define your security policies and the roles for those who will administer the devices. For example, the security policies on the Secure Key Manager may be administered by a Security Officer. This role might direct security policy across all your storage products, not just tape. It is not necessary that this role overlap with existing roles, such as the Tape Library Administrator. The Secure Key Manager and the ETLA libraries that use it both support the separation of roles, with each having separate logins and credentials.
  • Determine which tape libraries and drives will be used for encryption. You can configure keys to be shared among all libraries or restricted. Configure the key generation policies that best fit your business needs (key per cartridge or key per library/partition).
  • Set up the Secure Key Manager cluster. The cluster can span multiple sites if necessary.
  • Configure the ETLA tape libraries that will use the Secure Key Manager. The supported HP tape libraries are ESL and EML (confirm at http://www.hp.com/go/ebs). The configuration process is guided by a wizard in the tape library CommandView GUI. You can also use this wizard to modify the configuration later. NOTE: An Advanced Secure Manager license is required for each ETLA library that will use the Secure Key Manager.
2. Encrypting your data backups and decrypting your restored data
  • Each partition of each library may have a separate key generation policy. The library will automatically retrieve keys from the Secure Key Manager and transmit these keys to the HP LTO4 drives.
  • These operations are transparent to the backup software and therefore do not affect your existing backup / restore processes.
  • When a tape is written for the first time, the library obtains a key based on the key generation policy you established for it. The keys are assigned unique names, based on a media ID, the barcode value, and a timestamp.
  • When a tape is read, the library retrieves the key from the Secure Key Manager. If the tape is moved to a different library before it is read, the two libraries must be part of the same security group so the key can be shared. Security groups are easily configured in the Secure Key Manager GUI.
  • Keys are passed between the library and the Secure Key Manager via an SSL connection. This is more secure than using a backup application and the SAN, where keys are passed in the clear.
  • Encrypted media may be re-used using a different key.
3. Backing up keys, logs, and configuration data
  • All the nodes of a Secure Key Manager cluster will continuously replicate, so all keys are stored on and available from each node. If a node fails, the other nodes continue to operate, and will serve keys to the tape libraries without interruption.
  • You can also periodically back up all the keys, logs and node configurations on each node. These backups are typically stored on a server in your network. These backup files are encrypted and can only be restored to a Secure Key Manager.
  • The Secure Key Manager will support multiple libraries. Each node in the cluster can support 5 HP ETLA tape libraries, so a 2-node cluster will support 10 ETLA libraries. The Secure Key Manager has capacity to support even the largest ETLA libraries (44 drives).
4. Auditing and Validation Features
  • The Secure Key Manager maintains an audit log of all key creation and usage. This can be used to support your auditing and security validation policies. This log is digitally signed, which provides non-repudiation.
5. Key Deletion
  • The Secure Key Manager supports manual key deletion, through the Secure Key Manager GUI. This operation can be used if a tape is lost or if the data on the tape is no longer needed. Key deletion is only possible as a manual process by an administrator with the proper authority. The tape library clients cannot delete keys.

Technical Specifications

HP StorageWorks Secure Key Manager
Security
Key Generation
AES-256 (Advanced Encryption Standard with 256-bit keys)
Security Standards
FIPS 140-2 Level 2 (validation pending)
Operating System
Hardened Embedded Linux OS
Authentication/Quorum Control
2-factor client device authentication, multiple credentials administration
Configurable Security Policies
Customizable security settings for device and key generation
Physical Security
Dual locking bezel with high-security pick-resistant locks and tamper-evident enclosure seals
Secure Audit Logs
Digitally signed logs
Scalability
Number of Clients Supported
5 EML/ESL tape library licenses included per node
Number of Keys Stored
100,000 (> 1 million pending)
Key Granularity
Key per cartridge or Key per library partition
Client IOP
Extensible to emerging key management standards
Management
System Administration
Secure simple to use Web-GUI (HTTPS communications) and SSH/Serial CLI
Certificate Management
Local and external certificate authorities. Create and sign client and server certificates
Key Management
Centralized, automated key generation, archival and retrieval
Network Management
SNMP, NTP, health checks, automatic log rotation, backups, upgrades and statistics
Redundancy and Failover
Hardware Redundancy
Dual fans, power supplies and disk drives (RAID 1 mirroring)
Clustering and Failover
Multi-node multi-site clustering, automatic key and policy synchronization, failover and recovery; > 20 nodes supported
Data Protection
Secure encrypted and integrity checked backups of the keys, logs and all key manager configurations

Dimensions and Physical Characteristics
HP StorageWorks Secure Key Manager System
Form Factor
2U (total installed form factor - system unit)
Physical Dimensions (HxWXD):
NOTE: 2 nodes in each system configuration
Node
1.7 x 19.0 x 29.1 in (4.3 x 48.2 x 74.0 cm)
Shipping
41.0 x 28.5 x 38.0 x 41.0 in
(104.1 x 72.4 x 96.5 x 104.1 cm)
Out of Box Weight
Node (both)
74 lb (33.6 kg)
Shipping Weight
137 lb (62.3 kg)

HP StorageWorks Secure Key Manager Expansion Module
Form Factor
   
Physical Dimensions (HxWXD):
NOTE: 1 node in each expansion module configuration
Node
1.7 x 19.0 x 29.1 in (4.3 x 48.2 x 74.0 cm)
Shipping
11.5 x 23.8 x 36.0 in (29.2 x 60.3 x 91.4 cm)
Out of Box Weight
Node
37 lb (16.78 kg)
Shipping Weight
54 lb (24.5 kg)  

Environmental
Operating temperature range
10°C to 35°C (50°F to 95°F)
Shipping temperature range
-40°C to 66°C (-40°F to 150°F)
Operating Humidity (non-condensing)
10 - 90 % RH

 

© Copyright 2007 Hewlett-Packard Development Company, L.P.

The information contained herein is subject to change without notice.

The only warranties for HP products and services are set forth in the express warranty statements accompanying such products and services. Nothing herein should be construed as constituting an additional warranty. HP shall not be liable for technical or editorial errors or omissions contained herein.


   DA-12814 1 - Version 1 - October 29, 2007