Locking Up Storage Security

By Micky Baca

IT program manager Steve Doherty (l.) and project architect Sean Ward test the log-in procedure controlling service access to a Symmetrix V-Max. Photograph by Monya Keane

 

A few years ago, EMC created a better way for people to obtain temporary service access to a Symmetrix system. The tool, called the Secure Service Credential (SSC), Secured by RSA, prevents someone from performing any unauthorized actions on a Symmetrix system’s service processor.

By integrating RSA SecurID authentication technology, customized to control and track activity by EMC and partner technicians, SSC became another proof point that Symmetrix is the most secure enterprise storage platform on the market.

At EMC, a server receives the access requests and generates a distinct credential per user, per hour, per unit, controlling which personnel can access which Symmetrix systems, for what duration, and for what operation.

Sharpening an edge

SSC was the outcome of the first collaboration between EMC IT and RSA Security, a company acquired by EMC during SSC’s development. It was an early manifestation of the desire to build product security in rather than “bolting it on.”

All Symmetrix systems built since 2007 boast SSC capability, and two to three credentials are issued every minute of every day.

SSC addresses customers’ data security concerns and helps them comply with regulatory requirements. SSC also gives EMC an edge over competitors who still rely on more rudimentary password-based access for their high-end arrays.

“SSC tells customers that we’re serious about security,” says Dan Reddy, product manager in the EMC Product Security Office. He adds that SSC has become a selling point in customers’ decisions to upgrade their Symmetrix systems. The technology can be adopted by platforms across EMC so they, too, can differentiate their products in this security-sensitive market.

Failure not an option

EMC organizations—including IT, Global Services, Symmetrix Engineering, Product Security, the Global Security Organization, and RSA—collaborated to develop SSC.

EMC was expanding its focus on helping customers secure their data, and in fact, EMC’s Product Security Office was responding to customers’ urgently communicated requests that EMC improve service-personnel authentication.

Previously, service professionals had used a uniform set of static passwords for access, and their subsequent actions were not restricted or tracked.

Kathie Lyons, VP, EMC Global Services Operations, led the 30-person team that created the secure system, as mandated by executives including EMC Chairman and CEO Joe Tucci.

The team had eight months to create SSC “starting from something akin to a napkin sketch,” recalls IT Program Manager Steve Doherty. SSC would launch with Enginuity operating system release 5772 for Symmetrix DMX-3 in Q107, so it had to be done on time.

“Our mantra was ‘failure is not an option,’” recalls team member Steve Thompson, program manager in Global Services Security. The project was even nicknamed FINAO by Brian Gallagher, SVP and GM of the Symmetrix Product Group.

Not only could SSC development problems have delayed the release of Enginuity 5772, but bugs could have meant disaster, too. “If SSC didn’t work,” says Doherty, “our guys would be standing in front of boxes, at customer sites, unable to get in. Nor would remote access work. We’d even be halting Manufacturing, Customer Service, and some parts of Engineering and QA.”

As the SSC team thought more and more about how the solution would benefit customers, Lyons says, “they really were energized.” Team members extensively analyzed business processes, says Matt MacNeil, Platform Security Support Manager in Global Services, calling the result “a fantastic example of user-centered design.”

Only EMC has it

Some installed Symmetrix units are deliberately not phone-home connected and thus would never be able to access a central system to confirm authorization, notes Arnie Adelman, security consultant for EMC’s Global Security Office. Therefore, SSC would have to operate separately. RSA technology enabled the team to develop this authentication system totally independent of any network.

“No one else in the market has this capability,” says Project Architect Sean Ward, an application development consultant in EMC IT. “Credentials are bound to the proper target at a specific point in time, for a specific task, with a password for a specific user.”

Users request a credential and then use it, plus their own SSC password, to log in for service. Sixteen levels of access conform to various job descriptions. For example, a service partner who handles routine drive replacements is allowed to perform only that function, while a diagnostic engineer has more extensive access.
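
The binding described above (one user, one unit, one hour, one access level, checked on the unit without any network) can be sketched as follows. This is an added illustration, not EMC's or RSA's implementation: the per-unit shared secret, the HMAC construction, the function names and the sample values are all assumptions, and the check of the user's own SSC password is left out.

```python
import hashlib
import hmac
import json

# Constructed demo secrets: one per unit, assumed to be held by both the
# issuing server and that unit's service processor (an assumption of this sketch).
UNIT_KEYS = {"UNIT-0001": b"constructed-key-one", "UNIT-0002": b"constructed-key-two"}
ACCESS_LEVELS = range(1, 17)   # the article mentions sixteen levels of access
DIGITS = 8                     # length of the typed credential (assumed)


def hour_index(epoch_seconds):
    """UTC hours since the epoch; unaffected by local time-zone rules."""
    return int(epoch_seconds) // 3600


def _derive(key, user, unit, level, hour):
    # JSON list encoding keeps field boundaries unambiguous.
    msg = json.dumps([user, unit, level, hour]).encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return str(int.from_bytes(digest[:8], "big") % 10**DIGITS).zfill(DIGITS)


def issue(user, unit, level, epoch_seconds):
    """Server side: one credential per user, per unit, per level, per hour."""
    if level not in ACCESS_LEVELS:
        raise ValueError("unknown access level")
    return _derive(UNIT_KEYS[unit], user, unit, level, hour_index(epoch_seconds))


def verify(unit, unit_key, user, level, credential, now):
    """Unit side: recompute from the local key and clock, no network needed."""
    if level not in ACCESS_LEVELS:
        return False
    expected = _derive(unit_key, user, unit, level, hour_index(now))
    return hmac.compare_digest(expected, credential)


if __name__ == "__main__":
    t = 1_700_000_000  # constructed timestamp
    cred = issue("tech42", "UNIT-0001", 3, t)
    key = UNIT_KEYS["UNIT-0001"]
    print(verify("UNIT-0001", key, "tech42", 3, cred, t + 600))    # same hour
    print(verify("UNIT-0001", key, "tech42", 3, cred, t + 3600))   # next hour
    print(verify("UNIT-0001", key, "tech42", 9, cred, t + 600))    # other level
```

Because verification depends on the unit's own clock, a real design has to decide how much clock drift to tolerate at hour boundaries.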

More than 100 employees were beta testers. Pre-release training also was extensive.

Everyone vividly recalls the go-live. “This was a big shift,” says Christopher Grondin, Global Services senior manager, Security Operations. “You can’t turn it off or work around it.”

SSC launched on time with just a handful of hiccups, including a very brief disruption due to the shift to Daylight Saving Time.

This technology addresses an important customer need beyond service-centric security. Many customers are legally required to track who accesses their storage systems. With thousands of EMCers and partners performing onsite and remote service, Adelman says, keeping such logs “can become a horrendous burden.” SSC lets customers automatically audit access. “In a way, we’ve offloaded a customer responsibility,” he says.

EMC is now integrating SSC into other products, extending its commitment to provide information-centric, not perimeter-centric, security to customers.
