Risk
10/1/2008
06:45 PM
Connect Directly
RSS
E-Mail
50%
50%

Data Center Encryption Is Key To Security

And key management is crucial for your encryption plan to succeed.

Why bring encryption into the glass house? To paraphrase bank robber Willie Sutton, because that's where the data is.

To date, most data center security efforts have been focused on protecting against Internet threats. However, IT can no longer ignore physical security: Thieves recently broke into the Chicago data center of managed Web hosting provider C I Host and stole server hardware--for the fourth time. Meanwhile, backup tapes are frequent targets for theft because they're often out of IT's direct possession. The Privacy Rights Clearinghouse Web site documents more than 40 cases of tape theft since 2005, and it's likely that far more were never reported. In our 2008 Strategic Security Survey, the theft of computers or storage systems was among the top five breaches seen as most likely to occur in the coming year.

Clearly, encrypting hard drives and tapes is vital to protect data. So why aren't organizations rushing to sign on? The complexity of managing keys is a top deterrent to ubiquitous encryption. After all, there are many ways to encrypt, but key management is where all these projects succeed or fail. And failure is most likely to occur several years out, after the hole has been dug quite deep. Some information must be kept for decades, after all, and storing the keys needed to access that data securely for 10 or 20 years is a challenge.

InformationWeek Reports

Fortunately, advances in managing keys as well as new options for encrypting data at each step within the backup process make it much less likely lost keys will come back to haunt you. Most of the vendors we spoke with understand the problem and are working to solve it. RSA's Key Management Suite, for example, works with encryption products from RSA partners to give IT a single management point for all encryption keys.

Encryption vendors also have started to build key management into their products or offer these capabilities as options for companies with modest requirements.

TALES OF THE TAPES
Security analysts love the idea of encrypting all data on the host before it's even sent to a backup server. This guarantees end-to-end privacy and minimizes the number of places where mistakes can be made. And plenty of products provide this capability. Symantec's NetBackup is a good example--just generate a key and click a box within the user interface to enable encryption of any data set. The backup server instructs the client to encrypt on the fly.

This approach has downsides, however. By encrypting data at the host, deduplication has to happen at the server. And encryption adds load to the server, lengthening the backup window and perhaps affecting performance. Moreover, encrypted data is supposed to be indistinguishable from random data, so it tends to render tape-drive compression completely ineffective. Since most tape drives claim a hardware compression rate of at least 2-to-1, server-side encryption can easily double your tape consumption.

But key management may well be the worst problem. Backup vendors are only now starting to add key management capabilities to their software; most still rely on the backup admin to handle management tasks. You'd think someone would take this off our hands.

AUTOMATION, ANYONE?
Moving encryption closer to tape drives are appliances that encrypt data as it heads to the tape library. These devices can be inserted into the Fibre Channel fabric of the SAN, the SCSI connections to the tape drives, or iSCSI networks, providing a tremendous amount of flexibility. Appliances take the processing load off servers and are popular choices in environments with a variety of backup software and hardware, or when speed of installation and ease of setup are priorities. NetApp's Decru division and nCipher's NeoScale CryptoStor Tape even perform compression on the box, and a separate key management appliance or software system provides the key archiving and security needed to trust the system over many years.

DIG DEEPER
SECURE THE PREMISES
Where does encryption fit into the plans for next-generation data centers?
As good as this sounds, do your due diligence before investing in an encryption appliance. Cisco released its Storage Media Encryption blade for its director-class Fibre Channel switches amid turmoil in the field. Customers of one vendor, Kasten Chase, were left holding encrypted tapes with no upgrade cycle or support. Similar woes faced some customers of NeoScale when nCipher bought its tape encryption business but left out the company's disk encryption customers.

Perhaps the most exciting innovation for tape encryption has been the addition of encryption capabilities to the drives themselves. Sun's StorageTek 10000B and LTO4 Ultrium drives from IBM, HP, and Quantum have encryption hardware built in. This adds minimal cost and should have very little impact on performance. Compression can be performed just before encryption, minimizing storage space, and most importantly, encrypted data can be read just after it's written, decrypted, and compared with the original to ensure that there are no errors.

IBM's tape encryption works with RSA's Key Management Suite, and IBM also ships its own simplified Enterprise Key Manager (EKM), which supports a novel twist useful to companies that must ship data to partners. IBM EKM uses public key cryptography to encrypt data on the tape to the partner's public key. The partner can then use its private key to read the data. In this way, no secret key exchange has to happen between the partners, but the tapes remain secure.

Impact Assessment chart: Data Center Encryption

(click image for larger view)

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Flash Poll
Current Issue
Cartoon
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-3341
Published: 2014-08-19
The SNMP module in Cisco NX-OS 7.0(3)N1(1) and earlier on Nexus 5000 and 6000 devices provides different error messages for invalid requests depending on whether the VLAN ID exists, which allows remote attackers to enumerate VLANs via a series of requests, aka Bug ID CSCup85616.

CVE-2014-3464
Published: 2014-08-19
The EJB invocation handler implementation in Red Hat JBossWS, as used in JBoss Enterprise Application Platform (EAP) 6.2.0 and 6.3.0, does not properly enforce the method level restrictions for outbound messages, which allows remote authenticated users to access otherwise restricted JAX-WS handlers ...

CVE-2014-3472
Published: 2014-08-19
The isCallerInRole function in SimpleSecurityManager in JBoss Application Server (AS) 7, as used in Red Hat JBoss Enterprise Application Platform (JBEAP) 6.3.0, does not properly check caller roles, which allows remote authenticated users to bypass access restrictions via unspecified vectors.

CVE-2014-3490
Published: 2014-08-19
RESTEasy 2.3.1 before 2.3.8.SP2 and 3.x before 3.0.9, as used in Red Hat JBoss Enterprise Application Platform (EAP) 6.3.0, does not disable external entities when the resteasy.document.expand.entity.references parameter is set to false, which allows remote attackers to read arbitrary files and have...

CVE-2014-3504
Published: 2014-08-19
The (1) serf_ssl_cert_issuer, (2) serf_ssl_cert_subject, and (3) serf_ssl_cert_certificate functions in Serf 0.2.0 through 1.3.x before 1.3.7 does not properly handle a NUL byte in a domain name in the subject's Common Name (CN) field of an X.509 certificate, which allows man-in-the-middle attackers...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Dark Reading continuing coverage of the Black Hat 2014 conference brings interviews and commentary to Dark Reading listeners.