Best Practices OpenManage Secure Enterprise Key ManagerBest Practices Guide This whitepaper outlines some recommended best practice guidelines for the use of Secure Enterprise Key Manager in Dell EMC PowerEdge servers.
Revisions Revisions Date Description March 2019 Initial release Acknowledgements This paper was produced by the following: Author: Caroline Covington, Lisa Scheuplein and Michael Linane The information in this publication is provided “as is.” Dell Inc. makes no representations or warranties of any kind with respect to the information in this publication, and specifically disclaims implied warranties of merchantability or fitness for a particular purpose.
Table of contents Table of contents Revisions.............................................................................................................................................................................2 Acknowledgements .............................................................................................................................................................2 Table of contents .................................................................................................
Executive summary Executive summary The purpose of this document is to provide information about Dell PowerEdge Data At Rest Encryption offerings and guidance on the Best Practices for using Secure Enterprise Key Manager.
Overview 1 Overview The Dell Technologies whitepaper “Cyber Resilient Security in 14th generation of Dell EMC PowerEdge servers” describes the numerous threats and the Dell Technologies design and tools that are used to address them. Table 1 describes how Dell Technologies addresses common threat vectors.
Overview Server Environment Layers Security layer Data Threat vector Data breach Counterfeit components Dell Technologies Solution SED (Self-Encrypting Drives) – FIPS or Opal/TCG ISE-only (Instant Secure Erase) drives Secure Key Management Secure User Authentication ISO9001 certification for all global server manufacturing sites Supply Chain Integrity Malware Threats Security measures implemented as part of Secure Development Lifecycle (SDL) process Physical security in Manufacturing s
Reference Architecture 2 Reference Architecture Secure Enterprise Key Manager 2.
Reference Architecture 8 HDD – Hard Disk Drive SSD – Solid State Drive HA – High Availability (cluster) OpenManage Secure Enterprise Key Manager- Best Practices Guide | Document ID
Dell PowerEdge D@RE Offerings 3 Dell PowerEdge D@RE Offerings Keys to lock and unlock drives must be managed. PowerEdge provides two optional mechanisms for this: 3.
Dell PowerEdge D@RE Offerings 3.2 Compliance Compliance and governance requirements, whether they be government mandated, industry standards, or corporate policy, contain multiple requirements regarding encrypting data at rest and protection of the corresponding cryptographic keys. Evaluation of compliance requirements should always be done to determine if LKM is sufficient or if the features (high assurance key protection, centralize audit and reporting, robust access control, etc.
Components of Secure Enterprise Key Manager 4 Components of Secure Enterprise Key Manager 4.1 Secure Enterprise Key Manager Server The Secure Enterprise Key Manager server acts as the key store and resides on the management network. Initial release of Secure Enterprise Key Manager was validated with Gemalto and SafeNet AT KeySecure.
Components of Secure Enterprise Key Manager 4.4 Storage devices (HDD/SSD) Dell Technologies supports industry-standard storage devices in PowerEdge Data At Rest applications. – Storage Devices Supported by Secure Enterprise Key Manager Storage Device Type Supported by Secure Enterprise Key Manager Supported by LKM ISE No Yes SED Yes Yes FIPS Yes Yes ISE All Dell drives are ISE enabled and have an encryption engine. All data is automatically encrypted on write and decrypted on read.
Components of Secure Enterprise Key Manager 13 OpenManage Secure Enterprise Key Manager- Best Practices Guide | Document ID
Best Practices for Secure Enterprise Key Manager Implementation 5 Best Practices for Secure Enterprise Key Manager Implementation 5.1 Protect and Ensure your Key Availability Without associated lock/unlock key(s), data is protected and will not be accessible. Therefore, use of a highavailability, redundant KMIP server configuration is strongly recommended.
Best Practices for Secure Enterprise Key Manager Implementation Key rotation is initiated by iDRAC. Scripting can be also used to schedule the rotation. 5.2.3 Secure Enterprise Key Manager to iDRAC Authentication iDRAC and Gemalto/SafeNet AT KeySecure. Secure Enterprise Key Manager servers support varying levels of authentication for communication. None User ID PW Certificates IP The more authentication that is utilized, the more trustworthy the communication and resistance to spoofing. 5.2.
Other References 6 Other References 6.1.1 NIST Guidelines for Media Sanitization (Cryptographic Erase) https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf 6.1.2 SafeNet Best Practices for Cryptographic Key Management white paper www.safenetat.