Risk
10/1/2008
06:45 PM
Connect Directly
RSS
E-Mail
50%
50%

Data Center Encryption Is Key To Security

And key management is crucial for your encryption plan to succeed.

DON'T FORGET YOUR DISKS
Encrypting disk arrays and SAN storage seems at first like an unnecessary step. Aside from a few spectacular cases, theft of servers from data centers is still rare. What happens to disks as they are retired from the data center is a more frequent concern. Ideally, companies should have a strong program in place to ensure that disks are wiped or destroyed as they leave the premises. But this process is subject to human failings and relies on cooperation with vendors when drives under maintenance need to be replaced.

Ubiquitous disk encryption can delete these concerns.

As with tapes, there are choices and trade-offs in disk storage encryption. While not strictly limited to the data center, PGP's NetShare is an elegant option for companies that can easily wrap their arms around users with sensitive data--for instance, a research group or credit department. These users' computers can be equipped with NetShare, and any time content is written to an encrypted folder or by a specified application, the files are encrypted with the public keys of the authorized users.

This sounds similar to Microsoft's Encrypting File System, but it takes the concept further. Rather than only remaining encrypted while on the intended file system, NetShare-encrypted files can be copied to other folders, servers, or even portable media, and still retain their encryption. This is especially helpful for companies with a diverse server environment or where files are frequently transferred.

Another option is exemplified by SAN company EMC's PowerPath storage management software, which runs on servers and provides full access to the virtualization and redundancy capabilities of EMC's storage systems. By adding data encryption to PowerPath, EMC enables all SAN clients to encrypt data at the server level; encryption is limited to Windows, Solaris, and Linux, although other platform support is expected.

EMC's approach lets storage admins decide which virtual volumes to encrypt and, of course, it's integrated with its RSA division's Key Management Suite. Because encryption is incorporated directly into the storage management software, this method avoids conflicts with storage optimization techniques within the SAN.

Seagate recently introduced enterprise-grade disk drives with hardware encryption. By populating an array with these drives, a storage vendor can offer media encryption with no additional overhead. Key management is still an issue, but vendors such as IBM are integrating these devices into their key management software.

This approach requires the least changes to a company's server or storage architecture, because it occurs after all other storage optimization, such as RAID, virtualization, compression, and deduplication.

Finally, encrypting Ethernet link-layer traffic may seem like overkill, but that's exactly what the IEEE 802.1AE specification does (see story, p. 46). Cisco's TrustSec initiative uses 802.1AE as the basis for a sophisticated role-based access control system in which the network can tag data packets with user identity information that it can use to make access control decisions.

Know Your Encryption Options
  Software Appliance Storage Hardware
Cost Lowest (already included in most software) Highest In the middle
Upsides Quickest, cheapest route--already included in most drives, backup software, some disk software Maximum flexibility for heterogeneous environments Built into recent tape doesn't inhibit deduplication or compression
Downsides Simplistic key management could interfere with deduplication and compression Highest cost, additional hardware to manage New tape drives or disk arrays probably needed
Tape encryption products, vendors Symantec NetBackup and Backup Exec, Tivoli Storage Manager, Vormetric Backup Encryption Expert nCipher NeoScale CryptoStor, NetApp Decru DataFort, Cisco Storage Media Encryption, Hifn Sypher, Hifn Sypher, Bossanova's Q3 LTO4 Ultrium IBM TS1120/ 130, Sun StorageTek TS10000B
Disk encryption products, vendors EMC PowerPath, PGP NetShare, Vormetric File Encryption Expert NetApp Decru DataFort Hifn Swarm, upcoming arrays from IBM and LSI

Previous
2 of 2
Next
Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Flash Poll
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-2595
Published: 2014-08-31
The device-initialization functionality in the MSM camera driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, enables MSM_CAM_IOCTL_SET_MEM_MAP_INFO ioctl calls for an unrestricted mmap interface, which all...

CVE-2013-2597
Published: 2014-08-31
Stack-based buffer overflow in the acdb_ioctl function in audio_acdb.c in the acdb audio driver for the Linux kernel 2.6.x and 3.x, as used in Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to gain privileges via an application that lever...

CVE-2013-2598
Published: 2014-08-31
app/aboot/aboot.c in the Little Kernel (LK) bootloader, as distributed with Qualcomm Innovation Center (QuIC) Android contributions for MSM devices and other products, allows attackers to overwrite signature-verification code via crafted boot-image load-destination header values that specify memory ...

CVE-2013-2599
Published: 2014-08-31
A certain Qualcomm Innovation Center (QuIC) patch to the NativeDaemonConnector class in services/java/com/android/server/NativeDaemonConnector.java in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.3.x enables debug logging, which allows attackers to obtain sensitive disk-encryption pas...

CVE-2013-6124
Published: 2014-08-31
The Qualcomm Innovation Center (QuIC) init scripts in Code Aurora Forum (CAF) releases of Android 4.1.x through 4.4.x allow local users to modify file metadata via a symlink attack on a file accessed by a (1) chown or (2) chmod command, as demonstrated by changing the permissions of an arbitrary fil...

Best of the Web
Dark Reading Radio
Archived Dark Reading Radio
This episode of Dark Reading Radio looks at infosec security from the big enterprise POV with interviews featuring Ron Plesco, Cyber Investigations, Intelligence & Analytics at KPMG; and Chris Inglis & Chris Bell of Securonix.