Risk

10/1/2008
06:45 PM
50%
50%

Data Center Encryption Is Key To Security

And key management is crucial for your encryption plan to succeed.

Why bring encryption into the glass house? To paraphrase bank robber Willie Sutton, because that's where the data is.

To date, most data center security efforts have been focused on protecting against Internet threats. However, IT can no longer ignore physical security: Thieves recently broke into the Chicago data center of managed Web hosting provider C I Host and stole server hardware--for the fourth time. Meanwhile, backup tapes are frequent targets for theft because they're often out of IT's direct possession. The Privacy Rights Clearinghouse Web site documents more than 40 cases of tape theft since 2005, and it's likely that far more were never reported. In our 2008 Strategic Security Survey, the theft of computers or storage systems was among the top five breaches seen as most likely to occur in the coming year.

Clearly, encrypting hard drives and tapes is vital to protect data. So why aren't organizations rushing to sign on? The complexity of managing keys is a top deterrent to ubiquitous encryption. After all, there are many ways to encrypt, but key management is where all these projects succeed or fail. And failure is most likely to occur several years out, after the hole has been dug quite deep. Some information must be kept for decades, after all, and storing the keys needed to access that data securely for 10 or 20 years is a challenge.

InformationWeek Reports

Fortunately, advances in managing keys as well as new options for encrypting data at each step within the backup process make it much less likely lost keys will come back to haunt you. Most of the vendors we spoke with understand the problem and are working to solve it. RSA's Key Management Suite, for example, works with encryption products from RSA partners to give IT a single management point for all encryption keys.

Encryption vendors also have started to build key management into their products or offer these capabilities as options for companies with modest requirements.

TALES OF THE TAPES
Security analysts love the idea of encrypting all data on the host before it's even sent to a backup server. This guarantees end-to-end privacy and minimizes the number of places where mistakes can be made. And plenty of products provide this capability. Symantec's NetBackup is a good example--just generate a key and click a box within the user interface to enable encryption of any data set. The backup server instructs the client to encrypt on the fly.

This approach has downsides, however. By encrypting data at the host, deduplication has to happen at the server. And encryption adds load to the server, lengthening the backup window and perhaps affecting performance. Moreover, encrypted data is supposed to be indistinguishable from random data, so it tends to render tape-drive compression completely ineffective. Since most tape drives claim a hardware compression rate of at least 2-to-1, server-side encryption can easily double your tape consumption.

But key management may well be the worst problem. Backup vendors are only now starting to add key management capabilities to their software; most still rely on the backup admin to handle management tasks. You'd think someone would take this off our hands.

AUTOMATION, ANYONE?
Moving encryption closer to tape drives are appliances that encrypt data as it heads to the tape library. These devices can be inserted into the Fibre Channel fabric of the SAN, the SCSI connections to the tape drives, or iSCSI networks, providing a tremendous amount of flexibility. Appliances take the processing load off servers and are popular choices in environments with a variety of backup software and hardware, or when speed of installation and ease of setup are priorities. NetApp's Decru division and nCipher's NeoScale CryptoStor Tape even perform compression on the box, and a separate key management appliance or software system provides the key archiving and security needed to trust the system over many years.

DIG DEEPER
SECURE THE PREMISES
Where does encryption fit into the plans for next-generation data centers?
As good as this sounds, do your due diligence before investing in an encryption appliance. Cisco released its Storage Media Encryption blade for its director-class Fibre Channel switches amid turmoil in the field. Customers of one vendor, Kasten Chase, were left holding encrypted tapes with no upgrade cycle or support. Similar woes faced some customers of NeoScale when nCipher bought its tape encryption business but left out the company's disk encryption customers.

Perhaps the most exciting innovation for tape encryption has been the addition of encryption capabilities to the drives themselves. Sun's StorageTek 10000B and LTO4 Ultrium drives from IBM, HP, and Quantum have encryption hardware built in. This adds minimal cost and should have very little impact on performance. Compression can be performed just before encryption, minimizing storage space, and most importantly, encrypted data can be read just after it's written, decrypted, and compared with the original to ensure that there are no errors.

IBM's tape encryption works with RSA's Key Management Suite, and IBM also ships its own simplified Enterprise Key Manager (EKM), which supports a novel twist useful to companies that must ship data to partners. IBM EKM uses public key cryptography to encrypt data on the tape to the partner's public key. The partner can then use its private key to read the data. In this way, no secret key exchange has to happen between the partners, but the tapes remain secure.

Impact Assessment chart: Data Center Encryption

(click image for larger view)

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Want Your Daughter to Succeed in Cyber? Call Her John
John De Santis, CEO, HyTrust,  5/16/2018
Don't Roll the Dice When Prioritizing Vulnerability Fixes
Ericka Chickowski, Contributing Writer, Dark Reading,  5/15/2018
New Mexico Man Sentenced on DDoS, Gun Charges
Dark Reading Staff 5/18/2018
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: "Security through obscurity"
Current Issue
Flash Poll
[Strategic Security Report] Navigating the Threat Intelligence Maze
[Strategic Security Report] Navigating the Threat Intelligence Maze
Most enterprises are using threat intel services, but many are still figuring out how to use the data they're collecting. In this Dark Reading survey we give you a look at what they're doing today - and where they hope to go.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2018-8142
PUBLISHED: 2018-05-21
A security feature bypass exists when Windows incorrectly validates kernel driver signatures, aka "Windows Security Feature Bypass Vulnerability." This affects Windows Server 2016, Windows 10, Windows 10 Servers. This CVE ID is unique from CVE-2018-1035.
CVE-2018-11311
PUBLISHED: 2018-05-20
A hardcoded FTP username of myscada and password of Vikuk63 in 'myscadagate.exe' in mySCADA myPRO 7 allows remote attackers to access the FTP server on port 2121, and upload files or list directories, by entering these credentials.
CVE-2018-11319
PUBLISHED: 2018-05-20
Syntastic (aka vim-syntastic) through 3.9.0 does not properly handle searches for configuration files (it searches the current directory up to potentially the root). This improper handling might be exploited for arbitrary code execution via a malicious gcc plugin, if an attacker has write access to ...
CVE-2018-11242
PUBLISHED: 2018-05-20
An issue was discovered in the MakeMyTrip application 7.2.4 for Android. The databases (locally stored) are not encrypted and have cleartext that might lead to sensitive information disclosure, as demonstrated by data/com.makemytrip/databases and data/com.makemytrip/Cache SQLite database files.
CVE-2018-11315
PUBLISHED: 2018-05-20
The Local HTTP API in Radio Thermostat CT50 and CT80 1.04.84 and below products allows unauthorized access via a DNS rebinding attack. This can result in remote device temperature control, as demonstrated by a tstat t_heat request that accesses a device purchased in the Spring of 2018, and sets a ho...