Cisco Systems Inc. plans storage area network (SAN)-based
encryption for tape libraries and virtual
tape libraries (VTLs) in the second half of 2007, with support
for heterogeneous disk arrays shortly thereafter. Cisco and EMC
Corp. also announced that Cisco's encryption keys will be
compatible with EMC's RSA Key Manager, though Cisco also plans
to offer its own key management application.
According to Doug Anderson, product manager of Cisco's data
center business unit, five to six beta test sites are currently
being qualified, with testing of the Cisco Storage Media Encryption
(SME) module beginning as soon as next month.
The encryption will come in two forms: as a blade for the MDS
9500 and MDS 9200 series chassis, or a switch module for new 9200
customers. Because the 9500 automatically load balances and
clusters blades as they are added, adding encryption to the
director would require no recabling or rewiring of the SAN,
according to Cisco. Cost for adding the blade or module has not yet
been determined.
Management of encryption for tape libraries and VTLs, which will be
the first targets for the network-based encryption offering, will
become part of Cisco Fabric Manager. "The vast majority of users
looking to implement encryption are looking to implement it at rest
on backup targets, particularly VTLs," Anderson said.
It will take more time for Cisco to qualify the encryption with
disk arrays. The company declined to give a specific date for this
availability.
In the meantime, SME will also allow users to be selective about
which devices are to be encrypted, down to the LUN level when SAN
array support is added, or to the tape drive and virtual tape
cartridge level on backup targets, Anderson said.
Users: Interested, but a few questions before buying
"A fabric-based hardware encryption method is a necessity,"
wrote John Ciarlette, network engineer for Edward Hospital and
Health Services, in an email to SearchStorage.com. "I questioned
this very thing over a year ago when we were purchasing
director-class SAN switches."
Ciarlette said fabric-based encryption appeals to him because
data is encrypted before it is laid down on tape and disk, "which
would help prevent data misuse." Having the encryption performed at
the SAN switch fabric would be more efficient and centralized, he
said, and in his view, "the management of such encryption will be
practically none."
However, Cisco is being cagey when it comes to the performance
impact of encryption on its networks, though it admits there will
be "minimal" latency. "We're at the final engineering stages with
this product and so don't know the specific numbers around that
yet," Anderson said.
"My only concern may be how much latency the
encrypting/decrypting process will add to the I/O stream,"
Ciarlette wrote. "I know it will be much less latency than a
software solution, but there is still latency nonetheless."
Before purchasing, according to Toby Ford, chief technology
officer of USinternetworking Inc., a subsidiary of AT&T, "I
would first need to understand the overhead encryption would place
on top of Fibre Channel or iSCSI … Cisco sells notoriously
underpowered equipment with regard to what is currently available.
I'm skeptical in this regard and would have to validate any claims
about performance overhead."
Ford added, "The cost of integrated Fibre Channel and Ethernet
with encryption should be around what it would be if [I] were
buying an appliance and a switch separately. I don't expect to be
paying a significant premium for this integration."
According to Michael Thomas, storage architect for the Federal
Reserve System, his shop, which uses Cisco directors, is currently
evaluating encryption products and will be adding Cisco's to the
list.
"It's appealing because you're not adding another separate
appliance into the mix, which increases costs, rack space and
management overhead," he said. However, Thomas said he remained
concerned about how fabric-based encryption would affect
replication between sites.
According to Anderson, data does not need to be decrypted and
then re-encrypted for replication, but according to Thomas, "[If]
data is replicated encrypted … the key management has to be shared
between multiple fabrics. I would be interested in how they are
doing that."
According to Cisco, the keys can be shared by either using a
single Cisco key management center for both sites or by copying
(export/import) to a second key management center at the remote
site.
Meanwhile, not every Cisco user is interested. "I think it's a
little early for us from my point of view -- storage networking is
almost a completely manual process," said David Dulek, storage
administration lead for Fastenal Company Purchasing, a subsidiary
of Fastenal Co. "Encryption is nice for security purposes, but
there could have been other innovations before it, especially
around automation and virtualization."
Key management: EMC's RSA Key Manager vs. Cisco key
management
According to Anderson, the addition of encryption to the 9000
series switches has been developed internally at Cisco and is not
IP from EMC's RSA security subsidiary. However, Cisco's key
management will be integrated via API with RSA Key Manager
software, which allows for policy-based key lifecycle management
and the management of keys from multiple heterogeneous key
management systems.
Cisco's key management console will be part of Cisco Fabric
Manager and will manage only Cisco's encryption. Key management
through Cisco allows for the vaulting of keys, as well as the
management of live keys, but does not offer automated policy-based
scheduling like the RSA software does. Otherwise, the two key
management programs have very similar capabilities, according to
Anderson.
Users can manage live keys and encryption selections through
either software, though key vaulting requires its own separate
repository. Support for roles-based hierarchical management through
Cisco's existing authentication products will also be included in
SME, down to the VSAN level.
Users can also require a quorum using smart cards to unlock the
master key in the event of a total site loss. Finally, Cisco is
working to get the chassis FIPS 140-2 Level 3 certified for
physical security.
Anderson said he did not have much more detail as to whether the
key management software and encryption option will be bundled with
the EMC/RSA product. "There is no information in this announcement
today about our distribution agreements."
Cisco also plans integration with other key management systems
beyond EMC. "As a strategy, we look forward to open management no
matter how a customer chooses to manage keys," Anderson said.
Cisco does have one predecessor in the
fabric-based encryption space: CipherMax
Inc., formerly Maxxan, which reinvented itself with a security
focus last year. "Cisco's pending announcement to offer a
fabric-based encryption solution for disk and tape endorses the
need for an encryption within the SAN architecture," CipherMax
officials wrote to SearchStorage in an email. "CipherMax offers
a complete product line that enables a company to start
inexpensively with a tactical deployment and scale as their
requirements increase."
"The RSA/EMC partnership is a good start," said Jon Oltsik,
analyst with the Enterprise Strategy Group (ESG). "There are a lot
of bright people at RSA/EMC who understand the complexities around
security and operational requirements. In this way, they are out
ahead of the masses."