Processor
July 17, 2009 • Vol.31 Issue 19
Page(s) 10 in print issue

Storage Encryption Strategies
Encrypting Your Enterprise’s Data Is Crucial To Preventing Costly Data Breaches

Key Points

• Storage encryption is a must for data leaving the data center.

• Stored data leaves the data center in three ways: via users, when transported offsite for disaster recovery or archival, and when drive arrays are decommissioned. All three must be addressed.

• Authorized access is done by keys; managing those keys is critical to maintaining access and security.

When it comes to storage encryption, the primary concern is protecting data as it leaves the trusted environment of your data center. There are three primary cases when this occurs: users taking data out of the environment on USB memory sticks, external hard drives, and laptops; data being moved offsite for long-term storage or protection from disaster; and storage systems being decommissioned. There is also the case of storage being encrypted as an extra level of security within the trusted environment. In all cases, encryption needs to be applied in a way that is effective yet unobtrusive to business operations.

User Storage

Today’s workforce is becoming more and more mobile, with employees working from home or on the road via laptops and USB drives. Given the risk of the devices being lost or stolen, there must be safeguards put in place to make sure that the data can’t be read.

“At the device level, companies and government agencies are requiring that users utilize portable storage devices that utilize encryption,” says Gary Streuter, vice president of marketing at CMS Products (www.cmsproducts.com). “These devices basically work by setting a password for the device so that when it is plugged in to a USB port, the user is prompted for the password, [and] after so many—typically five—failed attempts, access to the device is denied, and in some cases it will erase itself.”

For laptops, there is the typical security of logging in to the system, but Streuter advises that may not be enough. “Often users will either have their systems set for auto-login or create very simple passwords that are easy to defeat,” he says. For laptops, shared computers at home, and even shared drives on a corporate file server, Streuter recommends the use of a software application that can encrypt the data on laptop drives or in folders on shared systems to provide a second challenge for access.

These systems can also be set for a time-out value that will require reauthentication after a period of inactivity, putting the system to sleep or shutting it down. Such software protects highly sensitive data from an internal breach as well as a user walking away from a machine and forgetting to log out.

Data Center Storage

The primary focus for encrypting data center storage should be as it leaves the trusted environment either for long-term storage or when it is decommissioned. Encryption often is not effective against internal threats such as those from internal IT staff or external maintenance providers because they have been authorized and placed in the trusted environment.

Jose Carreon, product marketing manager for security technologies at Brocade (www.brocade.com), suggests that primary storage should be the critical focal point for storage managers. “Primary storage is always the most important to encrypt [because] it is the storage layer where most of the dynamic sensitive data resides,” he says. “For example, assume credit card information that gets accessed and processed every second of the IT working day . . . has to be protected while in transit and at rest.”

According to Kevin Bocek, director of product marketing for Thales Information Systems Security (iss.thalesgroup.com), there are four primary ways that users can encrypt data center storage in transit or at rest: application-based encryption, which encrypts data as the application writes it to storage; host bus adapter-based encryption via a storage card, which encrypts data as it leaves the host on its way to storage; SAN-based encryption, which encrypts data as it enters the storage fabric; and encryption at the array or drive level.

“Each of these methods has its advantages,” says Bocek. “Encrypting at the application level makes sure that data is encrypted as it is written to the storage system, but applications need to be rewritten to take advantage of that; additionally, it is sometimes difficult to determine what data should and should not be encrypted. In similar fashion, HBA-based encryption is ideal if just a few applications on a few servers need encryption, but in today’s environment, with server virtualization, it may be hard to isolate the application. Additionally, the cost of replacing cards could be expensive if many servers need encryption. Encrypting in the storage fabric provides [broader] encryption without having to change the application or the HBA cards. Finally, storage again can encrypt everything broadly, but it requires replacing the current tape or storage solution.”

Bocek believes that for many customers, encrypting at the fabric through either a specific appliance or switch provides the right balance of broad encryption without disruption or replacement of key components in the environment.

Brocade’s Carreon agrees that fabric-based encryption may be the most suitable location for most customers. “Encryption technologies typically have a serious impact on systems when deployed in software. When encryption is implemented in hardware, the scenario is very different in that you deploy dedicated and highly optimized encryption devices that can deliver from 48 up to 96Gbps of encryption processing, enabling customers to choose to encrypt all data if they desire to do so.”

Archive Storage

Another key area for encryption strategy is archiving data that needs to be maintained for adherence to specific industry regulations or for disaster recovery purposes. According to Jered Floyd, CTO of Permabit Technologies (www.permabit.com), this creates an unusual dichotomy. “On one hand, the data has to be retained for years and be readily accessible. On the other, it is often data that needs to be encrypted in case of loss.” Floyd suggests that the encryption in this case needs to be handled exclusively by the device because it potentially will outlive any primary storage encryption strategy put in place.

Decommissioning of older storage is another situation where data leaves the building, which can be of concern if the data is replicated to an untrusted environment. “Most disk archive customers will replicate their archive storage to another facility, [but] some of those customers may put that into a hosting facility that is outside of the organization’s trusted environment.”

In either case, Floyd suggests the strategy of having the encryption intelligence stay with the archive. A storage shelf pulled from the archive is no longer able to see the encryption keys, and as a result, data cannot be read. In the situation where replication is to an untrusted remote site, there should be the option to not replicate the keys, and as a result, data cannot be read by the hosting company’s staff.

What To Encrypt?

Beyond protecting data that is leaving the environment, the key decision that most customers need to make is what data to encrypt. According to Brocade’s Carreon, “The simplest approach may be to encrypt all the data. Otherwise, any company with requirements for compliance to federal and industry mandates needs an assessment of their data that is typically accomplished through a data classification exercise.”

He continues, “Once you identify sensitive data, where it lives, and who owns it, you have to then define the relevant policies for enforcing the encryption and data center security requirements. Products that enable customers to have the flexibility and choice to encrypt all data without any impact to the day-to-day operational environment may be a safer and a simpler approach.”

by George Crump


Top Tip: Manage Encryption Keys Wisely

Access to encrypted data is done through software keys. These keys must be managed and protected separately from the overall data protection process. Sending a storage array or set of tape media with these keys is the equivalent of locking the doors to your house but leaving the key in the lock.

According to Kevin Bocek, director of product marketing for Thales Information Systems Security (iss.thalesgroup.com), encryption management includes managing the keys used for encryption and using logging and reporting for compliance. “Key management will ensure that data is recoverable and useable today, next month, next year, or seven years from now,” he says. “Key management also ensures that your backup data centers are always ready.”

With key management standards such as IEEE 1619.3, storage managers will have the opportunity to select their encryption and key management independently and reuse key management across storage systems. All of this means storage teams will save time and money.



Copyright © by Sandhills Publishing Company 2010. All rights reserved.