Risk
10/1/2008
06:45 PM
50%
50%

Data Center Encryption Is Key To Security

And key management is crucial for your encryption plan to succeed.

Why bring encryption into the glass house? To paraphrase bank robber Willie Sutton, because that's where the data is.

To date, most data center security efforts have been focused on protecting against Internet threats. However, IT can no longer ignore physical security: Thieves recently broke into the Chicago data center of managed Web hosting provider C I Host and stole server hardware--for the fourth time. Meanwhile, backup tapes are frequent targets for theft because they're often out of IT's direct possession. The Privacy Rights Clearinghouse Web site documents more than 40 cases of tape theft since 2005, and it's likely that far more were never reported. In our 2008 Strategic Security Survey, the theft of computers or storage systems was among the top five breaches seen as most likely to occur in the coming year.

Clearly, encrypting hard drives and tapes is vital to protect data. So why aren't organizations rushing to sign on? The complexity of managing keys is a top deterrent to ubiquitous encryption. After all, there are many ways to encrypt, but key management is where all these projects succeed or fail. And failure is most likely to occur several years out, after the hole has been dug quite deep. Some information must be kept for decades, after all, and storing the keys needed to access that data securely for 10 or 20 years is a challenge.

InformationWeek Reports

Fortunately, advances in managing keys as well as new options for encrypting data at each step within the backup process make it much less likely lost keys will come back to haunt you. Most of the vendors we spoke with understand the problem and are working to solve it. RSA's Key Management Suite, for example, works with encryption products from RSA partners to give IT a single management point for all encryption keys.

Encryption vendors also have started to build key management into their products or offer these capabilities as options for companies with modest requirements.

TALES OF THE TAPES
Security analysts love the idea of encrypting all data on the host before it's even sent to a backup server. This guarantees end-to-end privacy and minimizes the number of places where mistakes can be made. And plenty of products provide this capability. Symantec's NetBackup is a good example--just generate a key and click a box within the user interface to enable encryption of any data set. The backup server instructs the client to encrypt on the fly.

This approach has downsides, however. By encrypting data at the host, deduplication has to happen at the server. And encryption adds load to the server, lengthening the backup window and perhaps affecting performance. Moreover, encrypted data is supposed to be indistinguishable from random data, so it tends to render tape-drive compression completely ineffective. Since most tape drives claim a hardware compression rate of at least 2-to-1, server-side encryption can easily double your tape consumption.

But key management may well be the worst problem. Backup vendors are only now starting to add key management capabilities to their software; most still rely on the backup admin to handle management tasks. You'd think someone would take this off our hands.

AUTOMATION, ANYONE?
Moving encryption closer to tape drives are appliances that encrypt data as it heads to the tape library. These devices can be inserted into the Fibre Channel fabric of the SAN, the SCSI connections to the tape drives, or iSCSI networks, providing a tremendous amount of flexibility. Appliances take the processing load off servers and are popular choices in environments with a variety of backup software and hardware, or when speed of installation and ease of setup are priorities. NetApp's Decru division and nCipher's NeoScale CryptoStor Tape even perform compression on the box, and a separate key management appliance or software system provides the key archiving and security needed to trust the system over many years.

DIG DEEPER
SECURE THE PREMISES
Where does encryption fit into the plans for next-generation data centers?
As good as this sounds, do your due diligence before investing in an encryption appliance. Cisco released its Storage Media Encryption blade for its director-class Fibre Channel switches amid turmoil in the field. Customers of one vendor, Kasten Chase, were left holding encrypted tapes with no upgrade cycle or support. Similar woes faced some customers of NeoScale when nCipher bought its tape encryption business but left out the company's disk encryption customers.

Perhaps the most exciting innovation for tape encryption has been the addition of encryption capabilities to the drives themselves. Sun's StorageTek 10000B and LTO4 Ultrium drives from IBM, HP, and Quantum have encryption hardware built in. This adds minimal cost and should have very little impact on performance. Compression can be performed just before encryption, minimizing storage space, and most importantly, encrypted data can be read just after it's written, decrypted, and compared with the original to ensure that there are no errors.

IBM's tape encryption works with RSA's Key Management Suite, and IBM also ships its own simplified Enterprise Key Manager (EKM), which supports a novel twist useful to companies that must ship data to partners. IBM EKM uses public key cryptography to encrypt data on the tape to the partner's public key. The partner can then use its private key to read the data. In this way, no secret key exchange has to happen between the partners, but the tapes remain secure.

Impact Assessment chart: Data Center Encryption

(click image for larger view)

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading December Tech Digest
Experts weigh in on the pros and cons of end-user security training.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2014-4807
Published: 2014-11-22
Sterling Order Management in IBM Sterling Selling and Fulfillment Suite 9.3.0 before FP8 allows remote authenticated users to cause a denial of service (CPU consumption) via a '\0' character.

CVE-2014-6183
Published: 2014-11-22
IBM Security Network Protection 5.1 before 5.1.0.0 FP13, 5.1.1 before 5.1.1.0 FP8, 5.1.2 before 5.1.2.0 FP9, 5.1.2.1 before FP5, 5.2 before 5.2.0.0 FP5, and 5.3 before 5.3.0.0 FP1 on XGS devices allows remote authenticated users to execute arbitrary commands via unspecified vectors.

CVE-2014-8626
Published: 2014-11-22
Stack-based buffer overflow in the date_from_ISO8601 function in ext/xmlrpc/libxmlrpc/xmlrpc.c in PHP before 5.2.7 allows remote attackers to cause a denial of service (application crash) or possibly execute arbitrary code by including a timezone field in a date, leading to improper XML-RPC encoding...

CVE-2014-8710
Published: 2014-11-22
The decompress_sigcomp_message function in epan/sigcomp-udvm.c in the SigComp UDVM dissector in Wireshark 1.10.x before 1.10.11 allows remote attackers to cause a denial of service (buffer over-read and application crash) via a crafted packet.

CVE-2014-8711
Published: 2014-11-22
Multiple integer overflows in epan/dissectors/packet-amqp.c in the AMQP dissector in Wireshark 1.10.x before 1.10.11 and 1.12.x before 1.12.2 allow remote attackers to cause a denial of service (application crash) via a crafted amqp_0_10 PDU in a packet.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Now that the holiday season is about to begin both online and in stores, will this be yet another season of nonstop gifting to cybercriminals?