Risk
10/1/2008
06:45 PM

Data Center Encryption Is Key To Security

And key management is crucial for your encryption plan to succeed.

DON'T FORGET YOUR DISKS
Encrypting disk arrays and SAN storage seems at first like an unnecessary step. Aside from a few spectacular cases, theft of servers from data centers is still rare. What happens to disks as they are retired from the data center is a more frequent concern. Ideally, companies should have a strong program in place to ensure that disks are wiped or destroyed as they leave the premises. But this process is subject to human failings and relies on cooperation with vendors when drives under maintenance need to be replaced.

Ubiquitous disk encryption can eliminate these concerns.

As with tapes, there are choices and trade-offs in disk storage encryption. While not strictly limited to the data center, PGP's NetShare is an elegant option for companies that can easily wrap their arms around users with sensitive data--for instance, a research group or credit department. These users' computers can be equipped with NetShare, and any time content is written to an encrypted folder or by a specified application, the files are encrypted with the public keys of the authorized users.

This sounds similar to Microsoft's Encrypting File System, but it takes the concept further. Rather than only remaining encrypted while on the intended file system, NetShare-encrypted files can be copied to other folders, servers, or even portable media, and still retain their encryption. This is especially helpful for companies with a diverse server environment or where files are frequently transferred.
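The property described above, a file that carries its own protection wherever it is copied because it was encrypted to the public keys of the authorized users, is easiest to see in a small envelope-encryption routine. The following is an added example written for this article, not PGP's NetShare code or its file format: the file body is sealed once with a random AES-256-GCM data key, that key is wrapped separately with RSA-OAEP for each authorized user, and the whole envelope is serialised to stand in for a copy to another server or removable medium. The user names, the plaintext and the `file-dek` label are constructed for the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/json"
	"errors"
	"fmt"
)

// Envelope is the self-contained encrypted file: the body is sealed once with a
// random data key (DEK), and the DEK is wrapped for every authorized user's RSA
// public key. Everything needed to decrypt travels inside the envelope, so the
// file stays protected no matter which folder, server or USB stick it lands on.
type Envelope struct {
	Nonce       []byte            `json:"nonce"`
	Ciphertext  []byte            `json:"ciphertext"`
	WrappedKeys map[string][]byte `json:"wrapped_keys"` // user name -> RSA-OAEP(DEK)
}

var oaepLabel = []byte("file-dek") // constructed label binding the wrapped key to this purpose

// Seal encrypts plaintext once and wraps the data key for every recipient.
func Seal(plaintext []byte, recipients map[string]*rsa.PublicKey) (*Envelope, error) {
	if len(recipients) == 0 {
		return nil, errors.New("no authorized recipients")
	}
	dek := make([]byte, 32) // AES-256 data key; only ever stored wrapped
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	env := &Envelope{Nonce: nonce, Ciphertext: gcm.Seal(nil, nonce, plaintext, nil),
		WrappedKeys: make(map[string][]byte, len(recipients))}
	for name, pub := range recipients {
		wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dek, oaepLabel)
		if err != nil {
			return nil, err
		}
		env.WrappedKeys[name] = wrapped
	}
	return env, nil
}

// Open recovers the plaintext for one named user with that user's private key.
func Open(env *Envelope, name string, priv *rsa.PrivateKey) ([]byte, error) {
	wrapped, ok := env.WrappedKeys[name]
	if !ok {
		return nil, fmt.Errorf("%s is not an authorized recipient", name)
	}
	dek, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, oaepLabel)
	if err != nil {
		return nil, err // wrong private key, or the wrapped key was altered
	}
	block, err := aes.NewCipher(dek)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, env.Nonce, env.Ciphertext, nil) // fails on any change to the body
}

// Demo seals a file for two users, "moves" it by serialising and re-parsing it,
// and returns the text an authorized user recovers, whether a third party holding
// the same copy was rejected, and any error.
func Demo() (string, bool, error) {
	keys := make([]*rsa.PrivateKey, 3) // research, credit, outsider
	for i := range keys {
		k, err := rsa.GenerateKey(rand.Reader, 2048)
		if err != nil {
			return "", false, err
		}
		keys[i] = k
	}
	research, credit, outsider := keys[0], keys[1], keys[2]
	env, err := Seal([]byte("Q3 credit model, internal only"), map[string]*rsa.PublicKey{
		"research": &research.PublicKey, "credit": &credit.PublicKey})
	if err != nil {
		return "", false, err
	}
	moved, err := json.Marshal(env) // the file as it sits on the other volume
	if err != nil {
		return "", false, err
	}
	var received Envelope
	if err := json.Unmarshal(moved, &received); err != nil {
		return "", false, err
	}
	text, err := Open(&received, "credit", credit)
	if err != nil {
		return "", false, err
	}
	_, outsiderErr := Open(&received, "credit", outsider) // has the copy, not the key
	return string(text), outsiderErr != nil, nil
}

func main() {
	text, rejected, err := Demo()
	fmt.Printf("recovered=%q outsider_rejected=%v err=%v\n", text, rejected, err)
}
```

The point the text makes is visible in `Demo`: after the envelope has been marshalled and unmarshalled (the copy), `credit` still opens it, the outsider with a different private key cannot, and any edit to the body is caught by GCM's tag. Adding or revoking a user means rewrapping the data key, which is the key-management step the article's subtitle is about.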

Another option is exemplified by SAN company EMC's PowerPath storage management software, which runs on servers and provides full access to the virtualization and redundancy capabilities of EMC's storage systems. By adding data encryption to PowerPath, EMC enables all SAN clients to encrypt data at the server level; encryption is limited to Windows, Solaris, and Linux, although other platform support is expected.

EMC's approach lets storage admins decide which virtual volumes to encrypt and, of course, it's integrated with its RSA division's Key Management Suite. Because encryption is incorporated directly into the storage management software, this method avoids conflicts with storage optimization techniques within the SAN.

Seagate recently introduced enterprise-grade disk drives with hardware encryption. By populating an array with these drives, a storage vendor can offer media encryption with no additional overhead. Key management is still an issue, but vendors such as IBM are integrating these devices into their key management software.

This approach requires the fewest changes to a company's server or storage architecture, because it occurs after all other storage optimization, such as RAID, virtualization, compression, and deduplication.
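Why the ordering in the stack matters, for both this paragraph and the "could interfere with deduplication and compression" downside listed for software encryption in the table below, can be shown with a few blocks of data. The following is an added example, not vendor code: a constructed eight-block "file" made of two distinct log blocks is run through a content-addressed deduplication count and gzip twice, once on the plaintext (what a self-encrypting drive or array sees, because it encrypts after those stages) and once after host-level encryption with a fresh random IV per block (what a storage optimizer sees when encryption happens above it). AES-CTR and the 4096-byte chunk size are the example's own choices; any sound block cipher mode varies the IV or tweak per block, which is exactly what defeats the optimizer.

```go
package main

import (
	"bytes"
	"compress/gzip"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
	"strings"
)

const chunkSize = 4096 // constructed block size for dedup and compression

// buildChunks returns a constructed file: six copies of one log block and two
// copies of another, so a content-addressed store should only keep two blocks.
func buildChunks() [][]byte {
	a := []byte(strings.Repeat("2008-10-01T18:45:00Z backup job 42 volume vol7 OK\n", 100))[:chunkSize]
	b := []byte(strings.Repeat("2008-10-01T18:46:00Z backup job 43 volume vol9 OK\n", 100))[:chunkSize]
	return [][]byte{a, a, a, b, a, a, b, a}
}

// UniqueChunks counts the distinct blocks a deduplicating store must keep.
func UniqueChunks(chunks [][]byte) int {
	seen := make(map[[32]byte]struct{})
	for _, c := range chunks {
		seen[sha256.Sum256(c)] = struct{}{}
	}
	return len(seen)
}

// EncryptChunks encrypts each block under one key with a fresh random IV
// (AES-CTR, IV prepended). Equal plaintext blocks now yield unequal ciphertext.
func EncryptChunks(key []byte, chunks [][]byte) ([][]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	out := make([][]byte, 0, len(chunks))
	for _, c := range chunks {
		buf := make([]byte, aes.BlockSize+len(c))
		iv := buf[:aes.BlockSize]
		if _, err := rand.Read(iv); err != nil {
			return nil, err
		}
		cipher.NewCTR(block, iv).XORKeyStream(buf[aes.BlockSize:], c)
		out = append(out, buf)
	}
	return out, nil
}

// GzipSize stands in for the storage system's compression stage.
func GzipSize(chunks [][]byte) (int, error) {
	var buf bytes.Buffer
	w := gzip.NewWriter(&buf)
	for _, c := range chunks {
		if _, err := w.Write(c); err != nil {
			return 0, err
		}
	}
	if err := w.Close(); err != nil {
		return 0, err
	}
	return buf.Len(), nil
}

// Result holds the optimizer's view of the same file in both orderings.
type Result struct {
	PlainUnique, CipherUnique int // blocks a dedup store must keep
	PlainGzip, CipherGzip     int // bytes left after compression
	RawBytes                  int
}

// Demo measures dedup and compression on the plaintext (encryption below them,
// at drive or array level) and on host-encrypted blocks (encryption above them).
func Demo() (Result, error) {
	chunks := buildChunks()
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return Result{}, err
	}
	enc, err := EncryptChunks(key, chunks)
	if err != nil {
		return Result{}, err
	}
	pg, err := GzipSize(chunks)
	if err != nil {
		return Result{}, err
	}
	cg, err := GzipSize(enc)
	if err != nil {
		return Result{}, err
	}
	return Result{PlainUnique: UniqueChunks(chunks), CipherUnique: UniqueChunks(enc),
		PlainGzip: pg, CipherGzip: cg, RawBytes: len(chunks) * chunkSize}, nil
}

func main() {
	r, err := Demo()
	fmt.Printf("%+v err=%v\n", r, err)
}
```

On the plaintext path the store keeps two blocks and gzip shrinks 32 KB of logs to a few hundred bytes; on the host-encrypted path all eight blocks look distinct and the compressed output is larger than the input, because random-looking ciphertext has nothing left to compress. That is the cost the table attributes to software encryption and the reason drive- or array-level encryption, applied last, keeps the savings.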

Finally, encrypting Ethernet link-layer traffic may seem like overkill, but that's exactly what the IEEE 802.1AE specification does (see story, p. 46). Cisco's TrustSec initiative uses 802.1AE as the basis for a sophisticated role-based access control system in which the network can tag data packets with user identity information that it can use to make access control decisions.

Know Your Encryption Options

|                                   | Software | Appliance | Storage Hardware |
|-----------------------------------|----------|-----------|------------------|
| Cost | Lowest (already included in most software) | Highest | In the middle |
| Upsides | Quickest, cheapest route--already included in most drives, backup software, some disk software | Maximum flexibility for heterogeneous environments | Built into recent tape drives; doesn't inhibit deduplication or compression |
| Downsides | Simplistic key management; could interfere with deduplication and compression | Highest cost, additional hardware to manage | New tape drives or disk arrays probably needed |
| Tape encryption products, vendors | Symantec NetBackup and Backup Exec, Tivoli Storage Manager, Vormetric Backup Encryption Expert | nCipher NeoScale CryptoStor, NetApp Decru DataFort, Cisco Storage Media Encryption, Hifn Sypher, Bossanova's Q3 | LTO4 Ultrium, IBM TS1120/130, Sun StorageTek TS10000B |
| Disk encryption products, vendors | EMC PowerPath, PGP NetShare, Vormetric File Encryption Expert | NetApp Decru DataFort | Hifn Swarm, upcoming arrays from IBM and LSI |
