DS8870 and NIST SP 800-131a security compliance
Bert_Dufrasne 1200009T35 Visits (5819)
I admit, it's not a very appealing title for a blog post. But it's serious matter that pertains to data security and national regulations.
The National Institute of Standards and Technology (NIST) SP 800-131A is a United States standard that defines which cryptographic algorithms are valid and which cryptographic algorithm parameter values are required to achieve a specific security strength in a specific time period.
Starting in 2014, a minimum security strength of 112 bits is required when new data is processed or created.
The DS8870 with firmware Release 7.2 (License Machine Code 7.7.20.xx) enables NIST SP 800-131a compliance with other entities in its network environment by supporting Transport Layer Security (TLS) v1.2 connections (112 bit security strength). Also digital certificates set by manufacturing for each Storage Facility now have 112 bit security strength; This is referred to as a Gen-2 certificate.
As shipped the DS8870 is not in NIST SP 800-131a compliant mode, and access to the DS8870 is little changed from previous releases. This is intentional and necessary to avoid breaking scripts that some clients may have developed for their environment.
The customer is responsible for enforcing NIST compliance on the various interfaces that access their DS8870. Enforcing NIST compliance on the DS8870 can be done incrementally (that is, one interface at a time), using various DSCLI controls. However, before activating controls on the DS8870 and disabling other protocols, make sure that all other external systems (hardware and software) communicating with the DS8870 in your environment can support the TLS 1.2 protocol. Otherwise, those systems will not be able to access the DS8870.
Examples of hardware and software for all external systems that directly or indirectly attach to the DS8870, include key management servers, DS Graphical User Interface (DS GUI) and DS Command Line Interface (DS CLI) clients, monitoring servers, such as Tivoli Productivity Center (TPC) or the Performance Analyzer Utility, Storage Management Initiative Specification (SMI-S) clients and listeners, the IP network and so on as depicted in the figure below.
For detailed information and configuration instructions, refer to the Redpaper, DS8870 and NIST SP 800-131a Compliance, REDP-5069