
Security and EMC

EMC Proven Professional Knowledge Sharing


September, 2007

Jenny Beazley
Senior Project Manager
EMC Corporation
Beazley_Jenny@emc.com


Table of Contents

1 Security Concepts
2 Current Security Initiatives
2.1 Certified Data Erasure
2.2 EMC Secure Remote Support (ESRS) Gateway
2.2.1 Encryption
2.2.2 Authentication
2.2.3 Access
2.2.4 Audit
2.3 Symmetrix Service Credential, secured by RSA
2.3.1 Authentication
2.3.2 Access
2.3.3 Audit
2.2.4 in addition: Certified Data Erasure
3 Security Best Practices
3.1 Setting Secure Passwords
3.2 Access Control
3.3 Encryption
3.4 Confidential Information
3.5 Social Engineering
4 Where can I find out more?
5 Author Biography

Disclaimer: The views, processes or methodologies published in this compilation are those of the author. They do
not necessarily reflect EMC Corporation's views, processes, or methodologies.


Security and EMC


A recent RSA survey revealed that EMC's customers fear auditors more than hackers. In the wake of
Enron, the Sarbanes-Oxley law imposes severe penalties on publicly traded companies for exposure or
tainting of financial data. Companies must adhere to a growing number of regulations and
standards, including the California Senate Bill 1386, Gramm-Leach-Bliley Act and the EU's Directive
95/46/EC.

Security compliance is now a market discriminator. In 2005, EMC conducted a product security
assessment and subsequently initiated several projects to enhance its offerings to meet customer
needs. These projects include introducing two-factor or two-pass authentication to storage arrays and
connectivity devices, removing static passwords from array management software and creating tamper-proof audit trails.

With such a complex product range, changes will not occur overnight. However, all EMC employees
can and must take steps to promote storage management security for EMC and our customers. It is
the EMC Proven Professional's responsibility to blaze the trail and encourage their colleagues to follow
best practices to ensure a more secure environment for both EMC and its customers.

1 Security Concepts
Information Security revolves around a simple AAA concept:

Access Control: controlling entry and resource action;
Authentication: verifying users; and
Auditing: tracking users

The CIA concept is also important:

Confidentiality: information is not revealed to unauthorized users;
Integrity: data is intact and unmodified; and
Availability: data is accessible if access is allowed

These two concepts apply at both a product and user/process level. EMC has dedicated departments
and personnel to create awareness of all aspects of Information Security, from product engineering &
development, procedural, educational and customer perspectives.


2 Current Security Initiatives


There are a number of ongoing security initiatives that combine to give EMC a competitive advantage in
the world of Information Security. Some highlights are listed below.

2.1 Certified Data Erasure


Organizations are facing growing demands to comply with regulations that either mandate the erasure
of, or provide guidelines for the protection of, information. The penalties for non-compliance range from
multi-million dollar fines to 10 years of incarceration!
EMC has a suite of Certified Data Erasure offerings to ensure that disks can be securely erased to a
variety of different standards varying from 1 to 35 overwrites. This enables the complete removal of
information and allows assets to be repurposed without compromising information security or regulation
compliance.

An audit log tracks successful erasures and a validation certificate can be printed to indicate the
overwrite procedure was completed properly.

2.2 EMC Secure Remote Support (ESRS) Gateway


The EMC Secure Remote Support Gateway enables fast, secure remote support. ESRS (1.0) was
generally available in January, 2006. Security features include encryption, authentication, and access
and audit, allowing customers to meet corporate and industry security compliance regulations.


2.2.1 Encryption
All communication between the connected devices and EMC is sent securely in encrypted format (128-bit Advanced Encryption Standard, or AES) over the IP-based infrastructure.

2.2.2 Authentication
Similar to the SymmIP Remote Connection Console, EMC personnel providing remote support to
customers over the ESRS Gateway must first be authenticated against EMC's internal network (either
directly or via the Virtual Private Network (VPN)).

2.2.3 Access
The ESRS Gateway Policy Manager on the Gateway Server gives the customer device- and
application-level control of access to each installed EMC product. The customer can specify the
timeframes in which remote connections are automatically allowed (e.g. during normal business hours from
Monday to Friday) or whether EMC support personnel must always ask before connecting.


2.2.4 Audit
Audit logging provides a detailed record of remote access sessions, which will be maintained at the
customer site.

2.3 Symmetrix Service Credential, secured by RSA


The Symmetrix Service Credential (SSC), secured by RSA, is a simple, scalable security approach
for EMC's Symmetrix DMX-3 product that meets our customers' security policies. The solution includes
a suite of applications that work together to improve user authentication, authorization and auditing on
the platform.
This is achieved primarily by introducing RSA technology into the Symmetrix through new software
components on the Service Processor. These components will generate a customer-viewable audit log
and ensure authorized user access at both a Windows and SymmWin level. SSC is available with
Enginuity 5772 code, which became generally available in March, 2007.

[Figure: Service Processor with Symmetrix Service Credential, secured by RSA. Labels: Access Control, Audit Log, Disk Erasure]


2.3.1 Authentication
Enginuity 5772 prevents unauthorized service actions by authenticating valid identities on the Service
Processor. The level of authentication is strong, using industry-leading RSA technology. The
encrypted credential is coupled with a user password and varies by user, action, system and time.

2.3.2 Access
Actions are authorized via role-based access controls, meaning a Customer Engineer attending a site
to replace a disk does not have access to perform more complex procedures, such as upgrading. This
complements the Symmetrix Access Control authorization of server actions on devices.

2.3.3 Audit
Enginuity 5772 provides a tamper-proof view of management and support actions. It records all major
activities on the Symmetrix, including host-initiated actions, physical component changes, actions on
the Service Processor and attempts blocked by security controls. The log is secure and tamper-proof,
meaning event contents cannot be altered and only authorized users can access logs.

2.2.4 in addition: Certified Data Erasure


An optional software package in Enginuity 5772 provides compliance to Department of Defense
specifications to securely replace disks. This eliminates exposure and prevents data from leaving the
premises. An auditable record of the data erasure is provided, complying with key components of
Sarbanes-Oxley, PCI, HIPAA and other regulations.

3 Security Best Practices


While these initiatives detail some of the contributions EMC is making at a product level to help
customers comply with security, there are actions every individual can take to work to ensure a more
secure environment.

3.1 Setting Secure Passwords


Simple passwords can be guessed (e.g. default passwords, names relating to the user) or cracked with
simple scripts that test the username against a complete list of dictionary words.

Secure passwords should:
Be 8-13 characters for medium security; 14+ for high security
Include a mixture of upper & lower case characters
Contain numerical and other non-alphabetical characters


Passwords should NOT:
Be dictionary words
Contain the username
Be written down and stored near the PC/laptop (e.g. post-it note under the keyboard!!)

The most secure passwords appear random. A good tip for generating a secure password is to
convert a sentence into a character string. For example, "I love to work at EMC, Hopkinton,
Massachusetts" could translate to the 10-character password: I<32w@EHMa (using the text-based
graphic heart-shape <3 to denote the word "love").
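
The rules in this section expressed as a check, as an added example that is not part of the original paper. `check_password` and `SAMPLE_WORDS` are hypothetical names, the word list and passwords are constructed, and two choices are assumptions: a digit and a symbol are both required, and the letters-only core of the password is also compared against the dictionary.

```python
import re

# Constructed stand-in for a real word list (assumption for this example).
SAMPLE_WORDS = {"password", "welcome", "storage", "hopkinton", "letmein"}


def check_password(password, username, words=SAMPLE_WORDS):
    """Return (level, problems) for the rules listed in section 3.1."""
    problems = []
    if len(password) >= 14:
        level = "high"
    elif len(password) >= 8:
        level = "medium"
    else:
        level = "rejected"
        problems.append("shorter than 8 characters")

    if not (re.search(r"[a-z]", password) and re.search(r"[A-Z]", password)):
        problems.append("no mixture of upper and lower case")
    if not re.search(r"[0-9]", password):
        problems.append("no numerical character")
    if not re.search(r"[^A-Za-z0-9]", password):
        problems.append("no other non-alphabetical character")

    lowered = password.lower()
    # Compare the letters-only core too, so "Welcome2007!" is still caught
    # as the dictionary word "welcome" with decoration added.
    letters_only = re.sub(r"[^a-z]", "", lowered)
    if lowered in words or letters_only in words:
        problems.append("is a dictionary word")
    if username and username.lower() in lowered:
        problems.append("contains the username")

    if problems:
        level = "rejected"
    return level, problems


if __name__ == "__main__":
    # Constructed sample account and passwords.
    for user, pw in [("jsmith", "Welcome2007!"), ("jsmith", "Jsmith#4471"),
                     ("jsmith", "tG7#qLm2vX"), ("jsmith", "r9$Kw2!pZq7&Lm4x")]:
        print(pw, check_password(pw, user))
```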

3.2 Access Control


It is essential that users do NOT share logins to accounts. If something goes wrong, the administrator
or auditor will trace back through the log files to determine what happened. When multiple users share
a username, the owner of the username is ultimately liable.

In addition, when staff members share passwords, they are rarely changed. An employee
moving to a different department may access the shared system, unaware that procedures around that
data access may have changed.

Access control can be as simple as locking your laptop/workstation if you're stepping away from your
desk, even for a few seconds.

3.3 Encryption

Physical security on laptops is impossible. If a laptop is stolen, Windows security is ineffective.
Everything is visible: e-mails, spreadsheets, documents, etc. Data encryption is the best defense!

3.4 Confidential Information

Security breaches are not necessarily malicious. Confidential information could be unwittingly leaked.

Forwarding e-mails is probably the most common example of a visible content security leak. An e-mail
forwarded externally could contain direct e-mail addresses or telephone numbers in a signature
that should not be shared with a customer. Historical information in a forwarded e-mail trail may
contain confidential information or offline discussions that were never intended to be seen by the
eventual recipient.

Sending additional, confidential information in documents is another example. You might e-mail a
spreadsheet as an attachment that contains additional or hidden worksheets that may be confidential.
Unless the hidden worksheets are (securely) password protected, this could result in a security breach,
especially in relation to financial or personal contact information. Tracked changes retained in a
document could be undone to reveal the original information.
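
A pre-send check for the two document leaks described above, as an added example that is not part of the original paper. It assumes the attachments are Office Open XML files (.xlsx, .docx), which are ZIP packages of XML parts; the function names and both sample packages are constructed for illustration.

```python
import io
import zipfile
import xml.etree.ElementTree as ET

SML = "{http://schemas.openxmlformats.org/spreadsheetml/2006/main}"
WML = "{http://schemas.openxmlformats.org/wordprocessingml/2006/main}"


def hidden_sheets(xlsx_bytes):
    """Names of worksheets whose state is 'hidden' or 'veryHidden'."""
    with zipfile.ZipFile(io.BytesIO(xlsx_bytes)) as z:
        # For files from untrusted senders, use a hardened XML parser instead.
        root = ET.fromstring(z.read("xl/workbook.xml"))
    return [s.get("name") for s in root.iter(SML + "sheet")
            if s.get("state", "visible") != "visible"]


def tracked_changes(docx_bytes):
    """Count retained insertions and deletions in the main document body."""
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        root = ET.fromstring(z.read("word/document.xml"))
    return {"insertions": sum(1 for _ in root.iter(WML + "ins")),
            "deletions": sum(1 for _ in root.iter(WML + "del"))}


def build_package(path, xml_text):
    """Build a constructed, minimal OOXML-style package for the demo."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr(path, xml_text)
    return buf.getvalue()


# Constructed samples: a workbook with two concealed sheets, and a document
# that still carries one tracked deletion and one tracked insertion.
SAMPLE_XLSX = build_package("xl/workbook.xml", (
    '<workbook xmlns="http://schemas.openxmlformats.org/spreadsheetml/2006/main">'
    '<sheets><sheet name="Quote" sheetId="1"/>'
    '<sheet name="Cost basis" sheetId="2" state="hidden"/>'
    '<sheet name="Contacts" sheetId="3" state="veryHidden"/></sheets></workbook>'))
SAMPLE_DOCX = build_package("word/document.xml", (
    '<w:document xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main">'
    '<w:body><w:p><w:del><w:r><w:delText>old price</w:delText></w:r></w:del>'
    '<w:ins><w:r><w:t>new price</w:t></w:r></w:ins></w:p></w:body></w:document>'))

if __name__ == "__main__":
    print(hidden_sheets(SAMPLE_XLSX))
    print(tracked_changes(SAMPLE_DOCX))
```

Older binary .xls and .doc files are not ZIP packages and are outside what this check reads.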


There can also be a risk in customer log files. These can potentially contain IP addresses, host names
and other information that could cause problems for the customer if it fell into the wrong hands.

3.5 Social Engineering


Social Engineering is a collection of techniques used to manipulate people into performing actions or
divulging confidential information. It can be used to gain access to any system, irrespective of platform.
It is the hardest form of attack to defend against, because hardware and software alone cannot stop it.
Employees should be familiar with the concept of Social Engineering and ensure they verify the identity
of other employees, visitors and maintenance staff, whether in person, by telephone or electronically.

4 Where can I find out more?


This article has barely touched the tip of the information security iceberg. For EMC employees, there
are a number of Security classes listed in the Education Services and Development learning catalog.

5 Author Biography
Jenny Beazley joined EMC Australia in November 2003 as a CLARiiON Technical Support Engineer
and became the first CLARiiON SSE globally to achieve EMC Proven Professional status. Ms. Beazley
returned to her native UK in June 2006 as an EMC Senior Project Manager, specializing in Security.
Previous roles include Database Performance Tuning Engineer for the UniData and UniVerse database
suites at IBM and Technical Consultant/Programmer for one of IBM's customers. She is currently
studying for an MBA.
