Risk
10/1/2008
06:45 PM
50%
50%

Data Center Encryption Is Key To Security

And key management is crucial for your encryption plan to succeed.

DON'T FORGET YOUR DISKS
Encrypting disk arrays and SAN storage seems at first like an unnecessary step. Aside from a few spectacular cases, theft of servers from data centers is still rare. What happens to disks as they are retired from the data center is a more frequent concern. Ideally, companies should have a strong program in place to ensure that disks are wiped or destroyed as they leave the premises. But this process is subject to human failings and relies on cooperation with vendors when drives under maintenance need to be replaced.

Ubiquitous disk encryption can delete these concerns.

As with tapes, there are choices and trade-offs in disk storage encryption. While not strictly limited to the data center, PGP's NetShare is an elegant option for companies that can easily wrap their arms around users with sensitive data--for instance, a research group or credit department. These users' computers can be equipped with NetShare, and any time content is written to an encrypted folder or by a specified application, the files are encrypted with the public keys of the authorized users.

This sounds similar to Microsoft's Encrypting File System, but it takes the concept further. Rather than only remaining encrypted while on the intended file system, NetShare-encrypted files can be copied to other folders, servers, or even portable media, and still retain their encryption. This is especially helpful for companies with a diverse server environment or where files are frequently transferred.

Another option is exemplified by SAN company EMC's PowerPath storage management software, which runs on servers and provides full access to the virtualization and redundancy capabilities of EMC's storage systems. By adding data encryption to PowerPath, EMC enables all SAN clients to encrypt data at the server level; encryption is limited to Windows, Solaris, and Linux, although other platform support is expected.

EMC's approach lets storage admins decide which virtual volumes to encrypt and, of course, it's integrated with its RSA division's Key Management Suite. Because encryption is incorporated directly into the storage management software, this method avoids conflicts with storage optimization techniques within the SAN.

Seagate recently introduced enterprise-grade disk drives with hardware encryption. By populating an array with these drives, a storage vendor can offer media encryption with no additional overhead. Key management is still an issue, but vendors such as IBM are integrating these devices into their key management software.

This approach requires the least changes to a company's server or storage architecture, because it occurs after all other storage optimization, such as RAID, virtualization, compression, and deduplication.

Finally, encrypting Ethernet link-layer traffic may seem like overkill, but that's exactly what the IEEE 802.1AE specification does (see story, p. 46). Cisco's TrustSec initiative uses 802.1AE as the basis for a sophisticated role-based access control system in which the network can tag data packets with user identity information that it can use to make access control decisions.

Know Your Encryption Options
  Software Appliance Storage Hardware
Cost Lowest (already included in most software) Highest In the middle
Upsides Quickest, cheapest route--already included in most drives, backup software, some disk software Maximum flexibility for heterogeneous environments Built into recent tape doesn't inhibit deduplication or compression
Downsides Simplistic key management could interfere with deduplication and compression Highest cost, additional hardware to manage New tape drives or disk arrays probably needed
Tape encryption products, vendors Symantec NetBackup and Backup Exec, Tivoli Storage Manager, Vormetric Backup Encryption Expert nCipher NeoScale CryptoStor, NetApp Decru DataFort, Cisco Storage Media Encryption, Hifn Sypher, Hifn Sypher, Bossanova's Q3 LTO4 Ultrium IBM TS1120/ 130, Sun StorageTek TS10000B
Disk encryption products, vendors EMC PowerPath, PGP NetShare, Vormetric File Encryption Expert NetApp Decru DataFort Hifn Swarm, upcoming arrays from IBM and LSI

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Dark Reading, January 2015
To find and fix exploits aimed directly at your business, stop waiting for alerts and become a proactive hunter.
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-7402
Published: 2014-12-17
Multiple unspecified vulnerabilities in request.c in c-icap 0.2.x allow remote attackers to cause a denial of service (crash) via a crafted ICAP request.

CVE-2014-5437
Published: 2014-12-17
Multiple cross-site request forgery (CSRF) vulnerabilities in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allow remote attackers to hijack the authentication of administrators for requests that (1) enable remote management via a request to remote_management.php,...

CVE-2014-5438
Published: 2014-12-17
Cross-site scripting (XSS) vulnerability in ARRIS Touchstone TG862G/CT Telephony Gateway with firmware 7.6.59S.CT and earlier allows remote authenticated users to inject arbitrary web script or HTML via the computer_name parameter to connected_devices_computers_edit.php.

CVE-2014-7170
Published: 2014-12-17
Race condition in Puppet Server 0.2.0 allows local users to obtain sensitive information by accessing it in between package installation or upgrade and the start of the service.

CVE-2014-7285
Published: 2014-12-17
The management console on the Symantec Web Gateway (SWG) appliance before 5.2.2 allows remote authenticated users to execute arbitrary OS commands by injecting command strings into unspecified PHP scripts.

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
Join us Wednesday, Dec. 17 at 1 p.m. Eastern Time to hear what employers are really looking for in a chief information security officer -- it may not be what you think.