Risk
10/1/2008
06:45 PM
50%
50%

Data Center Encryption Is Key To Security

And key management is crucial for your encryption plan to succeed.

DON'T FORGET YOUR DISKS
Encrypting disk arrays and SAN storage seems at first like an unnecessary step. Aside from a few spectacular cases, theft of servers from data centers is still rare. What happens to disks as they are retired from the data center is a more frequent concern. Ideally, companies should have a strong program in place to ensure that disks are wiped or destroyed as they leave the premises. But this process is subject to human failings and relies on cooperation with vendors when drives under maintenance need to be replaced.

Ubiquitous disk encryption can delete these concerns.

As with tapes, there are choices and trade-offs in disk storage encryption. While not strictly limited to the data center, PGP's NetShare is an elegant option for companies that can easily wrap their arms around users with sensitive data--for instance, a research group or credit department. These users' computers can be equipped with NetShare, and any time content is written to an encrypted folder or by a specified application, the files are encrypted with the public keys of the authorized users.

This sounds similar to Microsoft's Encrypting File System, but it takes the concept further. Rather than only remaining encrypted while on the intended file system, NetShare-encrypted files can be copied to other folders, servers, or even portable media, and still retain their encryption. This is especially helpful for companies with a diverse server environment or where files are frequently transferred.

Another option is exemplified by SAN company EMC's PowerPath storage management software, which runs on servers and provides full access to the virtualization and redundancy capabilities of EMC's storage systems. By adding data encryption to PowerPath, EMC enables all SAN clients to encrypt data at the server level; encryption is limited to Windows, Solaris, and Linux, although other platform support is expected.

EMC's approach lets storage admins decide which virtual volumes to encrypt and, of course, it's integrated with its RSA division's Key Management Suite. Because encryption is incorporated directly into the storage management software, this method avoids conflicts with storage optimization techniques within the SAN.

Seagate recently introduced enterprise-grade disk drives with hardware encryption. By populating an array with these drives, a storage vendor can offer media encryption with no additional overhead. Key management is still an issue, but vendors such as IBM are integrating these devices into their key management software.

This approach requires the least changes to a company's server or storage architecture, because it occurs after all other storage optimization, such as RAID, virtualization, compression, and deduplication.

Finally, encrypting Ethernet link-layer traffic may seem like overkill, but that's exactly what the IEEE 802.1AE specification does (see story, p. 46). Cisco's TrustSec initiative uses 802.1AE as the basis for a sophisticated role-based access control system in which the network can tag data packets with user identity information that it can use to make access control decisions.

Know Your Encryption Options
  Software Appliance Storage Hardware
Cost Lowest (already included in most software) Highest In the middle
Upsides Quickest, cheapest route--already included in most drives, backup software, some disk software Maximum flexibility for heterogeneous environments Built into recent tape doesn't inhibit deduplication or compression
Downsides Simplistic key management could interfere with deduplication and compression Highest cost, additional hardware to manage New tape drives or disk arrays probably needed
Tape encryption products, vendors Symantec NetBackup and Backup Exec, Tivoli Storage Manager, Vormetric Backup Encryption Expert nCipher NeoScale CryptoStor, NetApp Decru DataFort, Cisco Storage Media Encryption, Hifn Sypher, Hifn Sypher, Bossanova's Q3 LTO4 Ultrium IBM TS1120/ 130, Sun StorageTek TS10000B
Disk encryption products, vendors EMC PowerPath, PGP NetShare, Vormetric File Encryption Expert NetApp Decru DataFort Hifn Swarm, upcoming arrays from IBM and LSI

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2015-1637
Published: 2015-03-06
Schannel (aka Secure Channel) in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1 does not properly restrict TLS state transitions, which makes it easier for r...

CVE-2014-2130
Published: 2015-03-05
Cisco Secure Access Control Server (ACS) provides an unintentional administration web interface based on Apache Tomcat, which allows remote authenticated users to modify application files and configuration files, and consequently execute arbitrary code, by leveraging administrative privileges, aka B...

CVE-2014-9688
Published: 2015-03-05
Unspecified vulnerability in the Ninja Forms plugin before 2.8.10 for WordPress has unknown impact and remote attack vectors related to admin users.

CVE-2015-0598
Published: 2015-03-05
The RADIUS implementation in Cisco IOS and IOS XE allows remote attackers to cause a denial of service (device reload) via crafted IPv6 Attributes in Access-Accept packets, aka Bug IDs CSCur84322 and CSCur27693.

CVE-2015-0607
Published: 2015-03-05
The Authentication Proxy feature in Cisco IOS does not properly handle invalid AAA return codes from RADIUS and TACACS+ servers, which allows remote attackers to bypass authentication in opportunistic circumstances via a connection attempt that triggers an invalid code, as demonstrated by a connecti...

Dark Reading Radio
Archived Dark Reading Radio
How can security professionals better engage with their peers, both in person and online? In this Dark Reading Radio show, we will talk to leaders at some of the security industry’s professional organizations about how security pros can get more involved – with their colleagues in the same industry, with their peers in other industries, and with the IT security community as a whole.