NIST SP 800-131A Security Conformance - IBM DS8900F Introduction and Planning Manual

Before installation of the storage system, your IBM service representative consults with you about the
types of remote service access available. IBM recommends Assist On-site (AOS) as a secure remote
service method. AOS provides a mechanism to establish a secure network connection to IBM over the
internet with SSL encryption. It can be configured so that the service administrator must approve
remote service access and can monitor remote service activity.
Planning for NIST SP 800-131A security conformance
The National Institute of Standards and Technology (NIST) SP 800-131A is a United States standard that
provides guidance for protecting data by using cryptographic algorithms that have key strengths of 112
bits.
NIST SP 800-131A defines which cryptographic algorithms are valid and which cryptographic algorithm
parameter values are required to achieve a specific security strength in a specific time period. Starting in
2014, a minimum security strength of 112 bits is required when new data is processed or created.
Existing data processed with a security strength of 80 bits should remain secure until around 2031,
subject to additional NIST standards with guidelines for managing secure data.
In general, storage systems allow the use of 112-bit security strengths if the other unit that is attached to
the network connection supports 112-bit security strength. If security levels are set to conform with NIST
SP 800-131A guidelines, the storage system requires 112-bit security strength on all SSL/TLS
connections, other than remote support network connections.
On network connections that use SSL/TLS protocols, 112-bit security has the following requirements:
• The client and server must negotiate the use of TLS 1.2.
• The client and server must negotiate an approved cipher suite that uses cryptographic algorithms with
at least 112-bit security strength.
• The client or server must limit hash and signature algorithms to provide at least 112-bit security
strength; for example, the client must prevent the use of SHA-1 hashes.
• Certificates that are used by the client or server must have public keys and digital signatures with at
least 112-bit security strength, such as RSA-2048 keys with SHA-256 digital signatures.
• Deterministic random bit generators (DRBGs) must use approved algorithms with at least 112-bit
security strength and must be provided with entropy sources that have at least 112 bits of entropy.
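As an added example that is not part of the IBM manual, the following Python scores a described TLS session against the requirements above and builds a client-side context that refuses anything older than TLS 1.2; the `check_session` function, its session dictionary and the two sample sessions are constructed for illustration, and the strength figures follow NIST SP 800-57 Part 1 (RSA/DH by modulus size, ECC by curve size, hashes by collision resistance).

```python
"""Score a negotiated TLS session against the NIST SP 800-131A 112-bit floor (added example)."""
import ssl

# Security strengths per NIST SP 800-57 Part 1: RSA/DH/DSA by modulus size, ECC by curve size.
_ASYMMETRIC = {"rsa": [(15360, 256), (7680, 192), (3072, 128), (2048, 112), (1024, 80)],
               "ec": [(512, 256), (384, 192), (256, 128), (224, 112), (160, 80)]}
_HASH = {"md5": 0, "sha1": 80, "sha224": 112, "sha256": 128, "sha384": 192, "sha512": 256}
_BULK = {"rc4": 0, "des": 56, "3des": 112, "aes128": 128, "aes256": 256}  # 3-key 3DES is 112 bits


def asymmetric_strength(key_type, bits):
    """Bits of security for an RSA/finite-field ('rsa') or elliptic-curve ('ec') key of the given size."""
    return next((s for size, s in _ASYMMETRIC[key_type] if bits >= size), 0)


def check_session(session, minimum=112):
    """Return a list of findings; an empty list means the session meets the 112-bit floor.
    `session` is a hypothetical dict of what was negotiated (normally read from a handshake trace)."""
    f = []
    if session["protocol"] != "TLSv1.2":  # the manual requires that TLS 1.2 be negotiated
        f.append(f"protocol {session['protocol']} is not TLS 1.2")
    if _BULK[session["bulk"]] < minimum:
        f.append(f"bulk cipher {session['bulk']} gives only {_BULK[session['bulk']]}-bit strength")
    for label, key in (("key exchange", session["kex"]), ("certificate key", session["cert_key"])):
        s = asymmetric_strength(*key)
        if s < minimum:
            f.append(f"{label} {key[0]}-{key[1]} gives only {s}-bit strength")
    for label, h in (("certificate signature", session["cert_hash"]), ("handshake signature", session["sig_hash"])):
        if _HASH[h] < minimum:
            f.append(f"{label} uses {h} ({_HASH[h]}-bit strength); SHA-224 or stronger is required")
    return f


def tls12_client_context():
    """Client SSLContext that will not negotiate below TLS 1.2 nor NULL, MD5 or RC4 suites."""
    ctx = ssl.create_default_context()
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.set_ciphers("ECDHE+AESGCM:DHE+AESGCM:ECDHE+AES:DHE+AES:!aNULL:!eNULL:!MD5:!RC4")
    return ctx


# Constructed sample sessions; the first matches the manual's example (RSA-2048, SHA-256, TLS 1.2).
CONFORMANT = {"protocol": "TLSv1.2", "bulk": "aes128", "kex": ("ec", 256),
              "cert_key": ("rsa", 2048), "cert_hash": "sha256", "sig_hash": "sha256"}
LEGACY = {"protocol": "TLSv1.0", "bulk": "3des", "kex": ("rsa", 1024),
          "cert_key": ("rsa", 1024), "cert_hash": "sha1", "sig_hash": "sha1"}
```

Running `check_session(LEGACY)` reports five findings (protocol, both 1024-bit RSA keys and both SHA-1 signatures) while the 3DES bulk cipher passes at exactly 112 bits; the DRBG requirement is not observable from a handshake and has to be verified on the endpoint itself.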
To enable NIST SP 800-131A security conformance in your environment, update the following entities. It
might not be feasible to update all of these entities at the same time because of various dependencies.
Therefore, you can upgrade them for NIST SP 800-131A security conformance independently of each
other.
• Encryption key servers
• Remote authentication servers
• DS Network Interface clients
• DS Network Interface server
• DS8000 Storage Management GUI and DS Service GUI servers
• SMI-S agents
Attention: Before you disable earlier SSL/TLS protocols on the storage systems, you must ensure
that all external system networks connected to the storage systems are enabled for TLS 1.2 and
are NIST SP 800-131A compliant. Otherwise, network connection to these systems will be
prohibited.
For information about configuring your environment for NIST SP 800-131A conformance, see security
best practices in the IBM DS8000 series online product documentation
(http://www.ibm.com/support/knowledgecenter/ST5GLJ_8.1.0/com.ibm.storage.ssic.help.doc/f2c_securitybp.html).
118 IBM DS8900F: DS8900F Introduction and Planning Guide