06:45 PM

Data Center Encryption Is Key To Security

And key management is crucial for your encryption plan to succeed.

Why bring encryption into the glass house? To paraphrase bank robber Willie Sutton, because that's where the data is.

To date, most data center security efforts have been focused on protecting against Internet threats. However, IT can no longer ignore physical security: Thieves recently broke into the Chicago data center of managed Web hosting provider C I Host and stole server hardware--for the fourth time. Meanwhile, backup tapes are frequent targets for theft because they're often out of IT's direct possession. The Privacy Rights Clearinghouse Web site documents more than 40 cases of tape theft since 2005, and it's likely that far more were never reported. In our 2008 Strategic Security Survey, the theft of computers or storage systems was among the top five breaches seen as most likely to occur in the coming year.

Clearly, encrypting hard drives and tapes is vital to protect data. So why aren't organizations rushing to sign on? The complexity of managing keys is a top deterrent to ubiquitous encryption. After all, there are many ways to encrypt, but key management is where all these projects succeed or fail. And failure is most likely to occur several years out, after the hole has been dug quite deep. Some information must be kept for decades, after all, and storing the keys needed to access that data securely for 10 or 20 years is a challenge.

InformationWeek Reports

Fortunately, advances in managing keys as well as new options for encrypting data at each step within the backup process make it much less likely lost keys will come back to haunt you. Most of the vendors we spoke with understand the problem and are working to solve it. RSA's Key Management Suite, for example, works with encryption products from RSA partners to give IT a single management point for all encryption keys.

Encryption vendors also have started to build key management into their products or offer these capabilities as options for companies with modest requirements.

Security analysts love the idea of encrypting all data on the host before it's even sent to a backup server. This guarantees end-to-end privacy and minimizes the number of places where mistakes can be made. And plenty of products provide this capability. Symantec's NetBackup is a good example--just generate a key and click a box within the user interface to enable encryption of any data set. The backup server instructs the client to encrypt on the fly.

This approach has downsides, however. By encrypting data at the host, deduplication has to happen at the server. And encryption adds load to the server, lengthening the backup window and perhaps affecting performance. Moreover, encrypted data is supposed to be indistinguishable from random data, so it tends to render tape-drive compression completely ineffective. Since most tape drives claim a hardware compression rate of at least 2-to-1, server-side encryption can easily double your tape consumption.

But key management may well be the worst problem. Backup vendors are only now starting to add key management capabilities to their software; most still rely on the backup admin to handle management tasks. You'd think someone would take this off our hands.

Moving encryption closer to tape drives are appliances that encrypt data as it heads to the tape library. These devices can be inserted into the Fibre Channel fabric of the SAN, the SCSI connections to the tape drives, or iSCSI networks, providing a tremendous amount of flexibility. Appliances take the processing load off servers and are popular choices in environments with a variety of backup software and hardware, or when speed of installation and ease of setup are priorities. NetApp's Decru division and nCipher's NeoScale CryptoStor Tape even perform compression on the box, and a separate key management appliance or software system provides the key archiving and security needed to trust the system over many years.

Where does encryption fit into the plans for next-generation data centers?
As good as this sounds, do your due diligence before investing in an encryption appliance. Cisco released its Storage Media Encryption blade for its director-class Fibre Channel switches amid turmoil in the field. Customers of one vendor, Kasten Chase, were left holding encrypted tapes with no upgrade cycle or support. Similar woes faced some customers of NeoScale when nCipher bought its tape encryption business but left out the company's disk encryption customers.

Perhaps the most exciting innovation for tape encryption has been the addition of encryption capabilities to the drives themselves. Sun's StorageTek 10000B and LTO4 Ultrium drives from IBM, HP, and Quantum have encryption hardware built in. This adds minimal cost and should have very little impact on performance. Compression can be performed just before encryption, minimizing storage space, and most importantly, encrypted data can be read just after it's written, decrypted, and compared with the original to ensure that there are no errors.

IBM's tape encryption works with RSA's Key Management Suite, and IBM also ships its own simplified Enterprise Key Manager (EKM), which supports a novel twist useful to companies that must ship data to partners. IBM EKM uses public key cryptography to encrypt data on the tape to the partner's public key. The partner can then use its private key to read the data. In this way, no secret key exchange has to happen between the partners, but the tapes remain secure.

Impact Assessment chart: Data Center Encryption

(click image for larger view)

1 of 2
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Current Issue
Dark Reading Tech Digest September 7, 2015
Some security flaws go beyond simple app vulnerabilities. Have you checked for these?
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
Published: 2015-10-09
Simple Streams (simplestreams) does not properly verify the GPG signatures of disk image files, which allows remote mirror servers to spoof disk images and have unspecified other impact via a 403 (aka Forbidden) response.

Published: 2015-10-09
The Telephony component in Apple OS X before 10.11, when the Continuity feature is enabled, allows local users to bypass intended telephone-call restrictions via unspecified vectors.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly sanitize applet URLs, which allows remote attackers to inject applets into the .appletTrustSettings configuration file and bypass user approval to execute the applet via a crafted web page, possibly related to line breaks.

Published: 2015-10-09
IcedTea-Web before 1.5.3 and 1.6.x before 1.6.1 does not properly determine the origin of unsigned applets, which allows remote attackers to bypass the approval process or trick users into approving applet execution via a crafted web page.

Published: 2015-10-09
The Safari Extensions implementation in Apple Safari before 9 does not require user confirmation before replacing an installed extension, which has unspecified impact and attack vectors.

Dark Reading Radio
Archived Dark Reading Radio
What can the information security industry do to solve the IoT security problem? Learn more and join the conversation on the next episode of Dark Reading Radio.