Encrypting disk arrays and SAN storage seems at first like an unnecessary step. Aside from a few spectacular cases, theft of servers from data centers is still rare. What happens to disks as they are retired from the data center is a more frequent concern. Ideally, companies should have a strong program in place to ensure that disks are wiped or destroyed as they leave the premises. But this process is subject to human failings and relies on cooperation with vendors when drives under maintenance need to be replaced.
Ubiquitous disk encryption removes these concerns: a drive that leaves the building already encrypted is unreadable without its key, whether or not the wipe procedure was followed.
As with tapes, there are choices and trade-offs in disk storage encryption. While not strictly limited to the data center, PGP's NetShare is an elegant option for companies that can easily wrap their arms around users with sensitive data--for instance, a research group or credit department. These users' computers can be equipped with NetShare, and any time content is written to an encrypted folder or by a specified application, the files are encrypted with the public keys of the authorized users.
This sounds similar to Microsoft's Encrypting File System, but it takes the concept further. Rather than only remaining encrypted while on the intended file system, NetShare-encrypted files can be copied to other folders, servers, or even portable media, and still retain their encryption. This is especially helpful for companies with a diverse server environment or where files are frequently transferred.
Another option is exemplified by SAN company EMC's PowerPath storage management software, which runs on servers and provides full access to the virtualization and redundancy capabilities of EMC's storage systems. By adding data encryption to PowerPath, EMC enables all SAN clients to encrypt data at the server level; encryption is limited to Windows, Solaris, and Linux, although other platform support is expected.
EMC's approach lets storage admins decide which virtual volumes to encrypt and, of course, it's integrated with its RSA division's Key Management Suite. Because encryption is incorporated directly into the storage management software, this method avoids conflicts with storage optimization techniques within the SAN.
Seagate recently introduced enterprise-grade disk drives with hardware encryption. By populating an array with these drives, a storage vendor can offer media encryption with no additional overhead. Key management is still an issue, but vendors such as IBM are integrating these devices into their key management software.
This approach requires the least changes to a company's server or storage architecture, because it occurs after all other storage optimization, such as RAID, virtualization, compression, and deduplication.
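Why the placement of encryption matters for the storage optimizations mentioned above is easy to show in code. The following is an added illustration, not code from the article or from any of the vendors it names: it models a content-hashing array that deduplicates fixed 4 KiB blocks and compresses what it stores, then compares encrypting at the host (before the array sees the data) with encrypting on the drive (after dedup and compression). The cipher is an HMAC-SHA256 keystream stand-in chosen to stay in the standard library; the sample data and block size are constructed assumptions.

```python
import hashlib
import hmac
import os
import zlib

BLOCK = 4096  # fixed-size dedup chunk; an assumption of this model

def encrypt_block(key: bytes, block: bytes) -> bytes:
    """Randomised stand-in cipher: nonce || (block XOR HMAC-SHA256 keystream).
    Illustrative only; the point is that a fresh nonce per write makes
    identical plaintext blocks encrypt to different ciphertext."""
    nonce = os.urandom(16)
    stream = b"".join(
        hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
        for i in range(-(-len(block) // 32))
    )
    return nonce + bytes(a ^ b for a, b in zip(block, stream))

def dedup_ratio(blocks: list) -> float:
    """Logical blocks per unique block, as a content-hashing array sees them."""
    return len(blocks) / len({hashlib.sha256(b).digest() for b in blocks})

def compression_ratio(blocks: list) -> float:
    raw = b"".join(blocks)
    return len(raw) / len(zlib.compress(raw))

def compare_pipelines(data: bytes, key: bytes) -> dict:
    """What the array's dedup/compression achieves under each placement."""
    plain = [data[i:i + BLOCK] for i in range(0, len(data), BLOCK)]
    # Host or file-level encryption: the array only ever sees ciphertext.
    host_encrypted = [encrypt_block(key, b) for b in plain]
    # Drive-level (self-encrypting media): the array dedups and compresses
    # plaintext first; encryption happens afterwards, on the drive itself.
    return {
        "host_dedup": dedup_ratio(host_encrypted),
        "host_compress": compression_ratio(host_encrypted),
        "drive_dedup": dedup_ratio(plain),
        "drive_compress": compression_ratio(plain),
    }

# Constructed sample: seven identical text blocks plus one patterned block.
BLOCK_A = (b"INSERT INTO orders VALUES (42, 'widget', 9.99);\n" * 100)[:BLOCK]
BLOCK_B = bytes(range(256)) * (BLOCK // 256)
SAMPLE = BLOCK_A * 7 + BLOCK_B

if __name__ == "__main__":
    for name, ratio in compare_pipelines(SAMPLE, os.urandom(32)).items():
        print(f"{name:15s} {ratio:6.2f}x")
```

With host-side encryption the array's dedup ratio collapses to 1.0 and the ciphertext does not compress; with drive-level encryption both ratios are the same as for plaintext.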
Finally, encrypting Ethernet link-layer traffic may seem like overkill, but that's exactly what the IEEE 802.1AE specification does (see story, p. 46). Cisco's TrustSec initiative uses 802.1AE as the basis for a sophisticated role-based access control system in which the network can tag data packets with user identity information that it can use to make access control decisions.
Know Your Encryption Options

| | Software-based | Dedicated appliance | Built into the drive |
|---|---|---|---|
| Cost | Lowest (already included in most software) | Highest | In the middle |
| Upsides | Quickest, cheapest route; already included in most drives, backup software, some disk software | Maximum flexibility for heterogeneous environments | Built into recent tape drives; doesn't inhibit deduplication or compression |
| Downsides | Simplistic key management; could interfere with deduplication and compression | Highest cost; additional hardware to manage | New tape drives or disk arrays probably needed |
| Tape encryption products, vendors | Symantec NetBackup and Backup Exec, Tivoli Storage Manager, Vormetric Backup Encryption Expert | nCipher NeoScale CryptoStor, NetApp Decru DataFort, Cisco Storage Media Encryption, Hifn Sypher, Bossanova's Q3 | LTO4 Ultrium, IBM TS1120/1130, Sun StorageTek TS10000B |
| Disk encryption products, vendors | EMC PowerPath, PGP NetShare, Vormetric File Encryption Expert | NetApp Decru DataFort | Hifn Swarm, upcoming arrays from IBM and LSI |