SAN design reference guide Vol. 1-5 785350-001
the use of dial-in modems). Access control is the set of controls that enforce confidentiality, integrity,
and availability by limiting access to network resources. All of these depend on successfully preventing
unauthorized access to services or information.
Important elements of access control include:
• Identification—Establishes a claimed identity for an entity (a user, a process, or a role shared by multiple users)
• Authentication—Verifies that claimed identity, to a defined level of assurance, before any access is granted
• Authorization—Determines the access rights of the authenticated entity
• Enforcement—Applies the access-control decision at every access point; without enforcement the other elements provide no protection
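The four elements above in working form, as an added example that is not from the HP guide: a hypothetical SAN host login in which the initiator is identified by its WWPN, authenticated with a CHAP-style HMAC challenge-response (an illustrative mechanism chosen here, not a description of any specific FC-SP protocol), authorized against a LUN-masking table, and finally allowed or denied with a log entry. The WWPNs, secrets and masking table are constructed sample data; only the Python standard library is used.

```python
"""Added example (not from the HP guide): identification, authentication,
authorization and enforcement applied to a hypothetical SAN host login.
WWPNs, secrets and the masking table below are constructed sample data.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field

# Constructed identity registry: initiator WWPN -> shared secret
SHARED_SECRETS = {
    "10:00:00:05:1e:aa:bb:01": b"initiator-one-secret",
    "10:00:00:05:1e:aa:bb:02": b"initiator-two-secret",
}
# Constructed authorization table: initiator WWPN -> {target WWPN: permitted LUNs}
LUN_MASKING = {
    "10:00:00:05:1e:aa:bb:01": {"50:00:00:00:00:00:00:01": {0, 1}},
    "10:00:00:05:1e:aa:bb:02": {"50:00:00:00:00:00:00:02": {0}},
}


@dataclass
class Decision:
    allowed: bool
    reason: str
    log: list = field(default_factory=list)


def identify(wwpn: str) -> bool:
    """Identification: is the presented WWPN a registered entity at all?"""
    return wwpn in SHARED_SECRETS


def challenge() -> bytes:
    """A fresh 16-byte nonce per login, so a captured response cannot be replayed."""
    return secrets.token_bytes(16)


def respond(secret: bytes, nonce: bytes) -> bytes:
    """Initiator side: prove possession of `secret` without transmitting it."""
    return hmac.new(secret, nonce, hashlib.sha256).digest()


def authenticate(wwpn: str, nonce: bytes, response: bytes) -> bool:
    """Authentication: recompute the expected response and compare in constant time."""
    expected = respond(SHARED_SECRETS[wwpn], nonce)
    return hmac.compare_digest(expected, response)


def authorize(wwpn: str, target: str, lun: int) -> bool:
    """Authorization: consult the masking table for the authenticated identity."""
    return lun in LUN_MASKING.get(wwpn, {}).get(target, set())


def enforce(wwpn: str, target: str, lun: int, responder) -> Decision:
    """Enforcement: run the chain in order and deny unless every step passes.

    `responder` is a callable nonce -> response supplied by the initiator, so
    the same path models a legitimate host or an attacker replaying a response.
    """
    log = []
    if not identify(wwpn):
        log.append(f"DENY identification: unknown WWPN {wwpn}")
        return Decision(False, "unknown entity", log)
    nonce = challenge()
    if not authenticate(wwpn, nonce, responder(nonce)):
        log.append(f"DENY authentication: bad response from {wwpn}")
        return Decision(False, "authentication failed", log)
    if not authorize(wwpn, target, lun):
        log.append(f"DENY authorization: {wwpn} -> {target} LUN {lun}")
        return Decision(False, "not authorized", log)
    log.append(f"ALLOW {wwpn} -> {target} LUN {lun}")
    return Decision(True, "ok", log)


if __name__ == "__main__":
    host = "10:00:00:05:1e:aa:bb:01"
    target = "50:00:00:00:00:00:00:01"
    for d in (
        enforce(host, target, 1, lambda n: respond(SHARED_SECRETS[host], n)),
        enforce(host, target, 7, lambda n: respond(SHARED_SECRETS[host], n)),
        enforce(host, target, 0, lambda n: respond(b"guessed-secret", n)),
    ):
        print(d.allowed, d.reason, d.log)
```

Note the ordering: authorization is only consulted after authentication succeeds, so the masking table is never a substitute for proving identity, and every denial is logged with the step that rejected it, which is what a detection pipeline needs to distinguish a misconfigured host from a credential-guessing attempt.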
Data protection
Data protection is required for data in all three states: at rest, in transit, and in use. Use encryption and
identity management together with other proactive controls, such as security event management and
information management.
Data protection consists of the following:
• Confidentiality
• Data integrity
• Data availability
• Nonrepudiation
Confidentiality
Confidentiality prevents unauthorized disclosure of data in any state (at rest, in transit, or in use).
Confidentiality requirements vary with the amount and type of data, where it is transmitted and stored,
and how sensitive the identity of the end user is.
Important elements of confidentiality include:
• Data encryption—Applies cryptographic protection selected according to the characteristics of the
data (its classification and sensitivity), not in reaction to a specific threat.
• Data separation—Provides separate paths for data or for processing. The strength of separation
required depends on the trust level of the system. Data separation ensures confidentiality by
preventing data from reaching unauthorized users.
• Traffic separation—Conceals traffic patterns by adding meaningless random (padding or dummy)
traffic and by hiding network-layer addresses. Traffic separation ensures confidentiality by making it
difficult to infer data characteristics, such as message frequency and traffic-flow destinations.
Data integrity
Data integrity prevents unauthorized modification or destruction of data and supports nonrepudiation
and authenticity. Recording all changes to data enables detection of, and notification about,
unauthorized modifications.
Integrity protection is applied at two granularities:
• Single-unit data—Applied to a single piece of data (for example, one frame, record, or file), detecting modification of that unit alone
• Data stream—Applied to a whole sequence of PDUs, so that reordering, insertion, deletion, or replay of individually valid PDUs is also detected
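The difference between the two granularities, as an added example that is not from the HP guide: a per-unit HMAC protects one piece of data, while the stream form additionally binds each PDU to its sequence number and marks the terminal PDU, so that a stream of individually valid PDUs that has been reordered, replayed, truncated or thinned out is rejected. The key and the PDU contents are constructed; only the Python standard library is used.

```python
"""Added example (not from the HP guide): single-unit integrity versus
data-stream integrity for a sequence of PDUs. Key and PDUs are constructed.
"""
import hashlib
import hmac

KEY = b"constructed-demo-key"  # shared integrity key (constructed sample)


def mac(data: bytes) -> bytes:
    return hmac.new(KEY, data, hashlib.sha256).digest()


# ---- single-unit integrity: one tag protects one piece of data ----------
def protect_unit(payload: bytes) -> bytes:
    return mac(payload)


def verify_unit(payload: bytes, tag: bytes) -> bool:
    return hmac.compare_digest(mac(payload), tag)


# ---- data-stream integrity: tags also cover position and end-of-stream --
def _stream_input(seq: int, last: bool, payload: bytes) -> bytes:
    # 4-byte sequence number, 1-byte terminal flag, then the payload
    return seq.to_bytes(4, "big") + bytes([1 if last else 0]) + payload


def protect_stream(pdus: list) -> list:
    """Return frames (seq, last, payload, tag); `last` marks the terminal PDU."""
    frames = []
    for seq, payload in enumerate(pdus):
        last = seq == len(pdus) - 1
        frames.append((seq, last, payload, mac(_stream_input(seq, last, payload))))
    return frames


def verify_units(frames: list) -> bool:
    """Per-frame check only: every tag is valid, regardless of order or count."""
    return all(hmac.compare_digest(mac(_stream_input(s, l, p)), t) for s, l, p, t in frames)


def verify_stream(frames: list) -> tuple:
    """Stream check: contiguous sequence numbers, valid tags, proper termination."""
    expected = 0
    for seq, last, payload, tag in frames:
        if seq != expected:
            return False, f"sequence break at position {expected}: got seq {seq}"
        if not hmac.compare_digest(mac(_stream_input(seq, last, payload)), tag):
            return False, f"MAC mismatch at seq {seq}"
        expected += 1
        if last:
            if expected != len(frames):
                return False, "data after terminal PDU"
            return True, "ok"
    return False, f"stream truncated after {expected} PDUs"


if __name__ == "__main__":
    stream = protect_stream([b"WRITE lun0 blk10", b"WRITE lun0 blk11", b"WRITE lun0 blk12"])
    reordered = [stream[1], stream[0], stream[2]]
    print("reordered, per-unit check:", verify_units(reordered))   # True
    print("reordered, stream check:  ", verify_stream(reordered))  # (False, ...)
    print("truncated, stream check:  ", verify_stream(stream[:2]))
```

The terminal flag is what turns truncation into a detectable event: without it, an attacker who drops the tail of a stream leaves a prefix in which every remaining PDU still verifies. Flipping the flag on an earlier PDU does not help the attacker either, because the flag is part of the MAC input.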
Data availability
Data availability ensures reliable, timely access to data and information services for authorized users of
the SAN. Protect availability against deliberate attacks, unauthorized use, and routine failures alike.
HP security strategy 373