M09res01-Data Security

In this module, you learn about security and protecting your data with a Data Domain

system.

Copyright © 2014 EMC Corporation. All rights reserved Module 9: Data Security 1
As data ages and becomes seldom used, EMC recommends moving this data to archive
storage where it can still be accessed, but no longer occupies valuable storage space.

Unlike backup data, which is a secondary copy of data for shorter-term recovery purposes,
archive data is a primary copy of data and is often retained for several years. In many
environments, corporate governance and/or compliance regulatory standards can mandate
that some or all of this data be retained “as-is.” In other words, the integrity of the archive
data must be maintained for specific time periods before it can be deleted.

The EMC Data Domain Retention Lock (DD Retention Lock) feature provides immutable file
locking and secure data retention capabilities to meet both governance and compliance
standards of secure data retention. DD Retention Lock ensures that archive data is retained
for the length of the policy with data integrity and security.

This lesson presents an overview of Data Domain Retention Lock, its configuration and use.

EMC Data Domain Retention Lock is an optional, licensed software feature that allows
storage administrators and compliance officers to meet data retention requirements for
archive data stored on an EMC Data Domain system. For files committed to be retained, DD
Retention Lock software works in conjunction with the application’s retention policy to
prevent these files from being modified or deleted during the application’s defined retention
period, for up to 70 years. It protects against data management accidents, user errors and
any malicious activity that might compromise the integrity of the retained data. The
retention period of a retention-locked file can be extended, but not reduced.

After the retention period expires, files can be deleted, but cannot be modified. Files that are
written to an EMC Data Domain system, but not committed to be retained, can be modified
or deleted at any time.

DD Retention Lock comes in two, separately licensed, editions:
• DD Retention Lock Governance edition maintains the integrity of the archive data
with the assumption that the system administrator is generally trusted, and thus any
actions taken by the system administrator are valid as far as the data integrity of the
archive data is concerned.
• DD Retention Lock Compliance edition is designed to meet strict regulatory
compliance standards such as those of the United States Securities and Exchange
Commission. When DD Retention Lock Compliance is installed and deployed on an
EMC Data Domain system, it requires additional authorization by a Security Officer for
system functions to safeguard against any actions that could compromise data
integrity.

The capabilities built into Data Domain Retention Lock are based on governance and
compliance archive data requirements.

Governance archive data requirements:


Governance standards are considered to be lenient in nature – allowing for flexible control of
retention policies, but not at the expense of maintaining the integrity of the data during the
retention period. These standards apply to environments where the system administrator is
trusted in his or her administrative actions.

The storage system has to securely retain archive data per corporate governance standards
and must meet the following requirements:
• Allow archive files to be committed for a specific period of time during which the
contents of the secured file cannot be deleted or modified.
• Allow for deletion of the retained data after the retention period expires.
• Allow for ease of integration with existing archiving application infrastructure through
CIFS and NFS.
• Provide flexible policies, such as extending the retention period of a secured file or
reverting the locked state of an archived file.
• Ability to replicate both the retained archive files and retention period attribute to a
destination site to meet the disaster recovery (DR) needs for archived data.

Compliance archive data requirements:
Securities and Exchange Commission (“SEC”) rules define compliance standards for archive
storage to be retained on electronic storage media, which must meet certain conditions:
• Preserve the records exclusively in a non-writeable, non-erasable format.
• Verify automatically the quality and accuracy of the storage media recording process.
• Serialize the original, and any duplicate units of storage media, and the time-date for
the required retention period for information placed on the storage media.
• Store, separately from the original, a duplicate copy of the record on an SEC-approved
medium for the time required.

Data Domain Retention Lock Governance edition maintains the integrity of the archive data
with the assumption that the system administrator is trusted, and that any actions they take
are valid to maintain the integrity of the archive data.

Data Domain Retention Lock Compliance edition is designed to meet the regulatory
compliance standards such as those set by the SEC standards, for records (SEC 17a-4(f)).
Additional security authorization is required to manage the manipulation of retention
periods, as well as renaming MTrees designated for retention lock.

Note: DD Retention Lock software cannot be used with EMC Data Domain GDA models or
with the DD Boost protocol. Attempts to apply retention lock to MTrees containing files
created by DD Boost will fail.

As discussed in the Basic Administration module, a security privilege can be assigned to user
accounts:
• In the Enterprise Manager when user accounts are created.
• In the CLI when user accounts are added.
This security privilege is in addition to the user and admin privileges.

A user assigned the security privilege is called a security officer.


The security officer can run a command via the CLI called the runtime authorization policy.

Updating or extending retention periods, and renaming MTrees, requires the use of the
runtime authorization policy. When enabled, runtime authorization policy is invoked on the
system for the length of time the security officer is logged in to the current session.

Runtime authorization policy, when enabled, authorizes the security officer to provide
credentials, as part of a dual authorization with the admin role, to set-up and modify both
retention lock compliance features, and data encryption features as you will learn later in
this module.

• Enable DD Retention Lock Governance, Compliance, or both on the Data Domain
system. (You must have a valid license for DD Retention lock Governance and/or
Compliance.)
• Enable MTrees for governance or compliance retention locking using the System
Manager or CLI commands.
• Commit files to be retention locked on the Data Domain system using client-side
commands issued by an appropriately configured archiving or backup application,
manually, or using scripts.
• (Optional) Extend file retention times or delete files with expired retention periods
using client-side commands.

After an archive file has been migrated onto a Data Domain system, it is the responsibility of
the archiving application to set and communicate the retention period attribute to the Data
Domain system. The archiving application sends the retention period attribute over standard
industry protocols.

The retention period attribute used by the archiving application is the last access time, the
atime. DD Retention Lock software allows granular management of retention periods on a
file-by-file basis. As part of the configuration and administrative setup process of the DD
Retention Lock software, a minimum and maximum time-based retention period for each
MTree is established. This ensures that the atime retention expiration date for an archive file
is not set below the minimum, or above the maximum, retention period.

The archiving application must set the atime value, and DD Retention Lock must enforce it, to
prevent any modification or deletion of files under retention on the Data Domain
system. For example, Symantec Enterprise Vault retains records for a user-specified amount
of time. When Enterprise Vault retention is in effect, these documents cannot be modified or
deleted on the Data Domain system. When that time expires, Enterprise Vault can be set to
automatically dispose of those records.

Locked files cannot be modified on the Data Domain system even after the retention period
for the file expires. Files can be copied to another system and then be modified. Archive data
retained on the Data Domain system after the retention period expires is not deleted
automatically. An archiving application must delete the remaining files, or they must be
removed manually.
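The rules above (commit by setting the atime, enforce the MTree's minimum and maximum retention window, extend but never reduce, delete only after expiry, never modify a locked file, revert only in the Governance edition) can be modelled in a few dozen lines. The following is an added example, not Data Domain code: the 12-hour minimum, 5-year maximum and the file name are constructed values, and the model does not touch a real file system.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import Callable, Dict, Optional


class RetentionError(Exception):
    """Raised when an operation would violate the retention policy."""


@dataclass
class ArchiveFile:
    name: str
    content: bytes
    atime: Optional[datetime] = None  # retention expiry once committed, else None

    @property
    def locked(self) -> bool:
        return self.atime is not None


@dataclass
class MTree:
    """An MTree with retention lock enabled; min/max defaults are assumed values."""
    compliance: bool = False            # Compliance edition: locks can never be reverted
    min_retention: timedelta = timedelta(hours=12)
    max_retention: timedelta = timedelta(days=5 * 365)
    files: Dict[str, ArchiveFile] = field(default_factory=dict)

    def write(self, name: str, content: bytes) -> None:
        """Write or overwrite a file; refused for a locked file, even after expiry."""
        existing = self.files.get(name)
        if existing is not None and existing.locked:
            raise RetentionError(f"{name} is retention locked and immutable")
        self.files[name] = ArchiveFile(name, content)

    def commit(self, name: str, expiry: datetime, now: datetime) -> None:
        """Commit (or extend) a file by setting its atime to the retention expiry."""
        f = self.files[name]
        period = expiry - now
        if not self.min_retention <= period <= self.max_retention:
            raise RetentionError("expiry outside the MTree min/max retention window")
        if f.locked and expiry < f.atime:
            raise RetentionError("retention period can be extended but not reduced")
        f.atime = expiry

    def delete(self, name: str, now: datetime) -> None:
        """Delete a file; allowed only once its retention period has expired."""
        f = self.files[name]
        if f.locked and now < f.atime:
            raise RetentionError(f"{name} is retained until {f.atime.isoformat()}")
        del self.files[name]

    def revert(self, name: str) -> None:
        """Remove the lock (Governance edition only)."""
        if self.compliance:
            raise RetentionError("Compliance edition does not allow revert")
        self.files[name].atime = None


def simulate(compliance: bool = False) -> Dict[str, str]:
    """Run a constructed file through the lifecycle and report each outcome."""
    now = datetime(2014, 6, 1, 9, 0)
    tree = MTree(compliance=compliance)
    out: Dict[str, str] = {}

    def attempt(label: str, action: Callable[[], None]) -> None:
        try:
            action()
            out[label] = "allowed"
        except RetentionError as err:
            out[label] = f"denied: {err}"

    day = timedelta(days=1)
    tree.write("invoice.pdf", b"constructed archive record")   # written, not yet committed
    attempt("commit_below_min", lambda: tree.commit("invoice.pdf", now + timedelta(hours=1), now))
    attempt("commit_1y", lambda: tree.commit("invoice.pdf", now + 365 * day, now))
    attempt("modify_locked", lambda: tree.write("invoice.pdf", b"tampered"))
    attempt("delete_early", lambda: tree.delete("invoice.pdf", now + 30 * day))
    attempt("shorten_to_6m", lambda: tree.commit("invoice.pdf", now + 180 * day, now))
    attempt("extend_to_2y", lambda: tree.commit("invoice.pdf", now + 730 * day, now))
    attempt("revert", lambda: tree.revert("invoice.pdf"))
    attempt("modify_after_revert", lambda: tree.write("invoice.pdf", b"edited"))
    attempt("delete_after_expiry", lambda: tree.delete("invoice.pdf", now + 731 * day))
    return out
```

Running `simulate()` and `simulate(compliance=True)` side by side shows the one difference between the editions: only the Governance run allows the revert, and with it the later modification.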

You can configure DD Retention Lock Governance using the Enterprise Manager or by using
CLI commands. Enterprise Manager provides the capability to modify the minimum and
maximum retention period for selected MTrees. In the example above, the Modify dialog is
for the MTree /data/col1/IT.

To configure retention lock:


1. Select the system in the navigation pane.
2. Select Data Management > MTree.
3. Select the MTree you want to edit with DD Retention Lock.
4. Go to the Retention Lock pane at the bottom of the window.
5. Click Edit.
6. Check the box to enable retention lock.
7. Enter the retention period or select Default.
8. Click OK.

Related CLI commands:
# mtree retention-lock disable mtree
Disables the retention-lock feature for the specified MTree.

# mtree retention-lock enable mtree


Enables the retention-lock feature for the specified MTree.
Note: You cannot rename non-empty folders or directories within a retention-locked
MTree; however, you can rename empty folders or directories and create new ones.

# mtree retention-lock reset


Resets the minimum or maximum retention period for the specified MTree to its
default value.

# mtree retention-lock revert


Reverts the retention lock for all files on a specified path.

# mtree retention-lock set


Sets the minimum or maximum retention period for the specified MTree.

# mtree retention-lock show


Shows the minimum or maximum retention period for the specified MTree.

# mtree retention-lock status mtree


Shows the retention-lock status for the specified MTree. Possible values are enabled,
disabled, and previously enabled.

The DD Retention Lock Compliance edition meets the strict requirements of regulatory
standards for electronic records, such as SEC 17a-4(f), and other standards that are practiced
worldwide.

DD Retention Lock Compliance, when enabled on an MTree, ensures that all files locked by
an archiving application, for a time-based retention period, cannot be deleted or overwritten
under any circumstances until the retention period expires. This is achieved using multiple
hardening procedures:
• Requiring dual sign-on for certain administrative actions. Before engaging DD
Retention Lock Compliance edition, the System Administrator must create a Security
Officer role. The System Administrator can create the first Security Officer, but only
the Security Officer can create other Security Officers on the system.
Some of the actions requiring dual sign-on are:
• Extending the retention periods for an MTree.
• Renaming the MTree.
• Deleting the Retention Lock Compliance license from the Data Domain system.
• Securing the system clock from illegal updates.
If the system clock is skewed more than 15 minutes, or more than 2 weeks in a year,
the file system will shut down and can be resumed only by providing Security Officer
credentials.

• Completely disallowing operations that could lead to a compromise in the state of
locked and retained archive data.

Note: Retention lock is not currently supported with DD Boost and VTL Pool MTrees.

Removing retention lock compliance requires a fresh installation of the DD OS using a USB
key installation. Contact Data Domain Support for assistance in performing this operation as
it is not covered in this course.

In this lesson, you learn the function of data sanitization and how to run a command from
the CLI to sanitize data on a Data Domain system.

Data sanitization is sometimes referred to as electronic shredding.

With the data sanitization function, deleted files are overwritten using a DoD/NIST-compliant
algorithm and procedures. No complex setup or system process disruption is required.
Current, existing data is available during the sanitization process, with limited disruption to
daily operations. Sanitization is the electronic equivalent of data shredding. Normal file
deletion provides residual data that allows recovery. Sanitization removes any trace of
deleted files with no residual remains.

Sanitization supports organizations (typically government organizations) that:


• Are required to delete data that is no longer needed.
• Need to resolve (remove and destroy) classified message incidents. Classified
message incident (CMI) is a government term that describes an event where data of a
certain classification is inadvertently copied into another system that is not certified
for data of that classification.

The system sanitize command erases content in the following locations:
• Segments of deleted files not used by other files
• Contaminated metadata
• All unused storage space in the file system
• All segments used by deleted files that cannot be globally erased, because some
segments might be used by other files

Sanitization can be run only by using the CLI.

When you issue the system sanitize start command, you are prompted to consider the length
of time required to perform this task. The system advises that it can take longer than the
time it takes to reclaim space holding expired data on the system (filesys clean). This can be
several hours or longer, if there is a high percentage of space to be sanitized.

During sanitization, the system runs through five phases: merge, analysis, enumeration, copy,
and zero.
• Merge: Performs an index merge to flush all index data to disk.
• Analysis: Reviews all data to be sanitized. This includes all stored data.
• Enumeration: Reviews all of the files in the logical space and remembers what data is
active.
• Copy: Copies live data forward and frees the space it used to occupy.
• Zero: Writes zeroes to the disks in the system.

You can view the progress of these five phases by running the system sanitize
watch command.

Related CLI commands:
# system sanitize abort
Aborts the sanitization process

# system sanitize start


Starts sanitization process immediately

# system sanitize status


Shows current sanitization status

# system sanitize watch


Monitors sanitization progress

In this lesson, you learn about the features, benefits, and function of the encryption of data
at rest feature.

You also learn about the purpose of other security features, such as file system locking, and
when and how to use this feature.

Data encryption protects user data if the Data Domain system is stolen, or if the physical
storage media is lost during transit, and eliminates accidental exposure of a failed drive if it is
replaced. In addition, if an intruder ever gains access to encrypted data, the data is
unreadable and unusable without the proper cryptographic keys.

Encryption of data at rest:


• Enables data on the Data Domain system to be encrypted, while being saved and
locked, before being moved to another location.
• Is also called inline data encryption.
• Protects data on a Data Domain system from unauthorized access or accidental
exposure.
• Requires an encryption software license.
• Encrypts all ingested data.
• Does not automatically encrypt data that was in the system before encryption was
enabled. Such data can be encrypted by enabling an option to encrypt existing data.

Furthermore, you can use all of the currently supported backup applications described in the
Backup Application Matrix on the Support Portal with the Encryption of Data at Rest feature.

There are two available key management options:
• Starting with DD OS 5.2, an optional external encryption key management capability
has been added, the RSA Data Protection Manager (DPM) Key Manager. The
preexisting local encryption key administration method is still in place. You can
choose either method to manage the Data Domain encryption key.
• The Local Key Manager provides a single encryption key per Data Domain system.

A single internal Data Domain encryption key is available on all Data Domain systems.

The first time Encryption of Data at Rest is enabled, the Data Domain system randomly
generates an internal system encryption key. After the key is generated, the system
encryption key cannot be changed and is not accessible to a user.

The encryption key is further protected by a passphrase, which is used to encrypt the
encryption key before it is stored in multiple locations on disk. The passphrase is user-
generated and requires both an administrator and a security officer to change it.

• The RSA DPM Key Manager enables the use of multiple, rotating keys on a Data
Domain system.

• The RSA DPM Key Manager consists of a centralized RSA DPM Key Manager Server
and the embedded DPM client on each Data Domain system.

• The RSA DPM Key Manager is in charge of the generation, distribution, and lifecycle
management of multiple encryption keys. Keys can be rotated on a regular basis,
depending on the policy. A maximum number of 254 keys is supported.

• If the RSA DPM Key Manager is configured and enabled, the Data Domain system
uses keys provided by the RSA DPM Key Manager Server.

Note: Only one encryption key can be active on a Data Domain system. The DPM Key
Manager provides the active key. If the same DPM Key Manager manages multiple Data
Domain systems, all will have the same active key—if they are synced, and the Data Domain
file system has been restarted.

With the encryption software option licensed and enabled, all incoming data is encrypted
inline before it is written to disk. This is a software-based approach, and it requires no
additional hardware. It includes:
• Configurable 128-bit or 256-bit Advanced Encryption Standard (AES) algorithm with
either:
  • Confidentiality with cipher-block chaining (CBC) mode, or
  • Both confidentiality and message authenticity with Galois/Counter (GCM) mode.

• Encryption and decryption to and from the disk is transparent to all access protocols:
DD Boost, NFS, CIFS, NDMP tape server, and VTL (no administrative action is required
for decryption).

When data is backed up, data enters via NFS, CIFS, VTL, DD Boost, and NDMP tape server
protocols. It is then:
• Segmented
• Fingerprinted
• Deduplicated (or globally compressed)
• Grouped
• Locally compressed
• Encrypted

Note: When enabled, the encryption at rest feature encrypts all data entering the Data
Domain system. You cannot enable encryption at a more granular level.

Procedures requiring authorization must be dual-authenticated by the security officer and
the user in the admin role.

For example, to set encryption, the admin enables the feature, and the security officer
enables runtime authorization.

A user in the administrator role interacts with the security officer to perform a command
that requires security officer sign off.

In a typical scenario, the admin issues the command, and the system displays a message that
security officer authorizations must be enabled. To proceed with the sign-off, the security
officer must enter his or her credentials on the same console at which the command option
was run. If the system recognizes the credentials, the procedure is authorized. If not, a
Security alert is generated. The authorization log records the details of each transaction.
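The dual-authorization flow described above can be modelled as a small policy object: the security officer enables the runtime authorization policy for a console session, a privileged admin command on that console is authorized only when valid security officer credentials are supplied, every transaction is written to an authorization log, and a failed sign-off raises a security alert. This is an added example, not Data Domain code; the set of privileged commands, the user names and the passwords are constructed for the illustration.

```python
import hashlib
import hmac
import os
from typing import Dict, List, Optional, Tuple

# Commands that need security officer sign-off in this model (assumed set,
# drawn from the operations the module says require dual authorization).
PRIVILEGED = {
    "filesys encryption enable",
    "filesys encryption disable",
    "filesys encryption passphrase change",
    "mtree retention-lock set",
}

NOT_ENABLED = "security officer authorization must be enabled"


def _pw_hash(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


class RuntimeAuthorization:
    """Models the runtime authorization policy: a security officer enables it
    for a console session, and privileged admin commands issued on that console
    are authorized only with valid security officer credentials."""

    def __init__(self) -> None:
        self.users: Dict[str, Tuple[str, bytes, bytes]] = {}  # name -> (role, salt, hash)
        self.enabled_on: Optional[str] = None  # console where the policy is active
        self.log: List[str] = []       # authorization log: every transaction
        self.alerts: List[str] = []    # security alerts raised on failed sign-off

    def add_user(self, name: str, role: str, password: str) -> None:
        salt = os.urandom(16)
        self.users[name] = (role, salt, _pw_hash(password, salt))

    def _valid(self, name: Optional[str], password: Optional[str], role: str) -> bool:
        """Constant-time credential check that also enforces the required role."""
        rec = self.users.get(name or "")
        if rec is None or rec[0] != role:
            return False
        return hmac.compare_digest(rec[2], _pw_hash(password or "", rec[1]))

    def enable(self, so_name: str, so_password: str, console: str) -> bool:
        """Security officer turns the policy on for the current console session."""
        ok = self._valid(so_name, so_password, "security")
        if ok:
            self.enabled_on = console
        self.log.append(f"enable by {so_name} on {console}: {'ok' if ok else 'denied'}")
        return ok

    def run(self, admin: str, command: str, console: str,
            so_name: Optional[str] = None, so_password: Optional[str] = None) -> str:
        """Admin (already logged in) issues a command; privileged ones need sign-off."""
        entry = f"{admin}@{console}: {command}"
        if command not in PRIVILEGED:
            self.log.append(f"{entry}: executed")
            return "executed"
        if self.enabled_on is None:
            self.log.append(f"{entry}: {NOT_ENABLED}")
            return NOT_ENABLED
        # Sign-off must come from a security officer on the same console.
        if console != self.enabled_on or not self._valid(so_name, so_password, "security"):
            self.alerts.append(f"security alert: unauthorized {entry}")
            self.log.append(f"{entry}: denied")
            return "denied"
        self.log.append(f"{entry}: authorized by {so_name}")
        return "authorized"
```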

With encryption active in the Data Domain system, the Encryption tab within the File System
section of the Data Domain Enterprise Manager shows the current status of system
encryption of data at rest.
The status indicates Enabled, Disabled, or Not configured. In the slide, the encryption status
is Not configured.

(continued on the next slide)

To configure encryption:
1. Click Configure. You are prompted for a passphrase. The system generates an
encryption key and uses the passphrase to encrypt the key. One key is used to
encrypt all data written to the system. After encryption is enabled, the passphrase is
used by system administrators only when locking or unlocking the file system, or
when disabling encryption. The current passphrase size for DD OS 5.4 is 256
characters.
Caution: Unless you can reenter the correct passphrase, you cannot unlock the file system
and access the data. The data will be irretrievably lost.
2. Enter a passphrase and then click Next.
3. Choose the encryption algorithm:
  • Configurable 128-bit or 256-bit Advanced Encryption Standard (AES) algorithm
with either:
    • Confidentiality with Cipher Block Chaining (CBC) mode
    • Both confidentiality and message authenticity with Galois/Counter (GCM)
mode
  • In this configuration window, you can optionally apply encryption to data that
existed on the system before encryption was enabled.
4. Select whether you will obtain the encryption key from the Data Domain system or an
external RSA Key Manager.

5. Once configured, click Next.
6. Verify the settings in the Summary dialog, and restart the file system to enable
encryption. If you do not select to restart the file system at this time, you need to
disable and re-enable the file system before encryption will begin.
7. Click OK.
8. Click Close to finish the configuration.

Related CLI commands:


# filesys disable
Disables the file system

# filesys encryption enable


Enables encryption. Enter a passphrase when prompted

# filesys encryption algorithm set algorithm


Sets an alternative cryptographic algorithm (optional). Default algorithm is
aes_256_cbc. Other options are: aes_128_cbc, aes_128_gcm, or aes_256_gcm

# filesys enable
Enables the file system

Only administrative users with security officer credentials can change the encryption
passphrase.

To change the existing encryption passphrase:


1. Disable the file system by clicking the disable button on the State line of the File
System section.
The slide shows the file system state as disabled and shut down after the disable
button is clicked.
2. Click Change Passphrase.
3. Enter the security officer credentials to authorize the passphrase change.
4. Enter the current passphrase.
5. Enter the new passphrase twice.
6. Click Enable file system now if you want to reinstate services with the new
passphrase; otherwise the passphrase does not go into effect until the file system is
re-enabled.
7. Click OK to proceed with the passphrase change.

Only administrative users with security officer credentials can disable encryption.
To disable encryption on a Data Domain system:
1. Click Disable on the Encryption status line of the Encryption tab.
2. Enter the security officer credentials.
3. Click Restart file system now in order to stop any further encryption of data at rest.
Note: Restarting the file system will interrupt any processes currently running on the
Data Domain system.
4. Click OK to continue.

Related CLI commands:


# filesys encryption disable
Disables encryption. You are prompted for a security officer username and password
in order to disable encryption from the command line.

# filesys disable
Disables the file system.

# filesys enable
Enables the file system. The file system must be disabled and re-enabled for
encryption changes to take effect.

Use file system locking when an encryption-enabled Data Domain system and its external
storage devices (if any) are being transported. Without the encryption provided in file system
locking, user data could possibly be recovered by a thief with forensic tools (especially if local
compression is turned off). This action requires two-user authentication – a sysadmin and a
security officer – to confirm the lock-down action.

File system locking:


• Requires the user name and password of a security officer account to lock the file
system.
• Protects the Data Domain system from unauthorized data access.
• Is run only with the file system encryption feature enabled. File system locking
encrypts all user data, and the data cannot be decrypted without the key.
• A passphrase protects the encryption key, which is stored on disk, and is encrypted by
the passphrase. With the system locked, this passphrase cannot be retrieved.
• Allows only an admin, who knows the set passphrase, to unlock an encrypted file
system.

Before you can lock the file system, the file system must be stopped, disabled, and shut
down.

To lock the file system:


1. In the passphrase area, enter the current passphrase (if one existed before) followed
by a new passphrase that locks the file system for transport. Repeat the passphrase
in the Confirm New Passphrase field.
2. Click OK to continue.
After the new passphrase is entered, the system destroys the cached copy of the
current passphrase. Therefore, anyone who does not possess the new passphrase
cannot decrypt the data.
Caution: Be sure to take care of the passphrase. If the passphrase is lost, you will
never be able to unlock the file system and access the data. There is no backdoor
access to the file system. The data is irretrievably lost.
3. Shut down the system using the system poweroff command from the command line
interface (CLI).

Caution: Do not use the chassis power switch to power off the system. There is no
other method for shutting down the system to invoke file system locking.

To unlock the file system:
1. Power on the Data Domain system.
2. Return to the Encryption view in the Data Domain Enterprise Manager and click the
Unlock File System button.
3. Enter the current lock file system passphrase. The file system re-enables itself.

Related CLI commands:


# filesys encryption lock
Locks the system by creating a new passphrase and destroying the cached copy of the
current passphrase. Before you run this command, you must run filesys disable and
enter security officer credentials.

# filesys encryption passphrase change


Changes the passphrase for system encryption keys. Before running this command,
you must run filesys disable and enter security officer credentials.

# filesys encryption show


Checks the status of the encryption feature.

# filesys encryption unlock


Prepares the encrypted file system for use after it has arrived at its destination.
