Data storage security covers a wide landscape, including legal compliance, e-discovery, user access control and the physical security of data storage media. In this article we will focus on hardware-based encryption techniques in the storage infrastructure and look at some technologies and products available in the marketplace that enable data to be secured at rest or in flight against a range of risks.
Let’s talk first about why data storage encryption is important. Over the past few years there have been many high-profile data breaches, including customer records lost on tape, unauthorised access to databases and, most recently, the exposure and loss of data from RSA, a company that provides data security technology. These issues can result in financial penalties, for example, where fines are imposed for failing to meet industry compliance rules. Data loss also affects companies through reputational damage. There are many ways to access an organisation’s data, and measures to prevent it start at the firewall. The backstop in terms of security, however, is to apply encryption techniques to data in the storage infrastructure.
There are two main areas in which security needs to be applied in the storage infrastructure: to data at rest and data in flight. “Data at rest” refers to information stored on permanent media, such as tapes and disk drives. “Data in flight” refers to information passing through a computer network, and in the storage world this means data travelling across Fibre Channel- or IP-based networks.
Securing data at rest
Data at rest may reside on any type of permanent storage media, such as disk or tape. The media is secured using encryption techniques, which prevent reading or writing of data without the correct decryption key. Algorithms used in encryption ensure that reading data without the right key is practically impossible. At-rest solutions secure the media either directly or using the storage array or an appliance.
Tape encryption. With tape, information on the media itself is encrypted. There are two approaches to implementing encryption on tape hardware: using encrypting tape drives or an encryption appliance connected to standard tape drives. You can also encrypt backup data before it gets to tape using backup software, but that’s beyond the scope of this article.
Since the fourth generation of the linear tape open format, LTO-4, encryption has been available within the tape drive, which encrypts data as it is written to tape and decrypts it as it is read. IBM’s TS1120/1130 and the Oracle T10000 products are examples of encrypting tape drives.
Any drive that needs to access a tape must have access to the original keys used to encrypt the data. There are many products on the market to perform key management; loss of encryption keys effectively means loss of data on the encrypted tape. HP offers the HP Secure Key Manager, for example, which is an appliance that can manage encryption keys for LTO-4 and LTO-5 tape drives.
The second option in tape encryption techniques is to use an appliance that connects to all the drives and provides encryption and key management functions to them. DISUK offers the Paranoia3 appliance, for example, which is capable of supporting as many as four Fibre Channel- or SCSI-connected tape drives.
Disk encryption. For disk, there are two options to implement encryption on the hardware itself: Data can be protected by the drive or within the storage array. (And, you can also encrypt before data gets to the disk/array using backup software or host-based encryption, but that’s also outside the scope of this article.)
All the major disk drive manufacturers now support self-encrypting drives (SEDs). With SEDs, encryption techniques are built into the drive controller, which ensures data written to physical drive media is in encrypted format.
Encryption keys are maintained by the drive, so no key management is required. When an SED is powered up, user authentication is required to access data. This provides protection in the event a hard drive is removed from a storage array upon failure or during replacement of the array.
In many cases, a “failed” hard drive is still accessible because many manufacturers “soft fail” hard drives before a physical failure occurs. This makes data rebuilds easier. In such an event, SEDs provide an option called cryptographic disk erasure (CDE), which deletes the encryption key on the drive. This has the effect of instantly erasing all disk contents. As a security measure, CDE can be performed on drives prior to removal from an array.
IBM’s DS5020 Express storage array supports self-encrypting drives, but many storage array vendors have been slow to do so. EMC and Hitachi both offer an alternative to drive self-encryption: using the back-end array director to encrypt. With EMC’s VMAX and Hitachi’s VSP, the back-end disk controller encrypts data as it is written to disk and decrypts it as it is read from disk. Both platforms use a custom ASIC to perform this function, with no apparent loss of performance.
Array-based encryption provides the same benefits as SEDs, in that the drive shows no readable data once it is removed from the array. That means drives don’t need to be physically destroyed when they are removed, which brings cost, security and environmental benefits.
Securing data in flight
Data-in-flight security addresses data access across storage networks; there are two places in which in-flight protection can be implemented: at the host or in the storage network.
Host-based solutions rely on encryption of data as it leaves the host and enters the storage network. Emulex, for example, recently released its OneSecure architecture. This encrypts data within the host bus adapter (HBA) as it is written to disk, ensuring that data in flight and at rest on disk is securely protected. EMC offers encryption as part of its PowerPath multipath host software, in which data is encrypted by host agents as it leaves the server.
The alternative to host-based security is to encrypt data in the SAN fabric. The major SAN switch vendors have products that do this. Brocade, for example, offers two solutions—the Brocade Encryption Switch, a dedicated SAN appliance, and the FS8-18 Encryption Blade—both of which encrypt data in flight across a fabric.
Cisco, for its part, offers a number of products, including TrustSec Fibre Channel Link Encryption. This encrypts data between two switches on a Fibre Channel SAN. Link encryption is important for securing connections between data centres, where the fibre isn’t owned and managed directly by the customer.
Recent innovations in SAN security have introduced products that protect data at rest on encrypted media, as well as in flight using encryption within the SAN or at the host. Implementation of these solutions requires that consideration be given to key management to ensure ongoing access to data. As with all security solutions, there is a tradeoff between the complexity and cost of implementation versus the need to ensure data access is securely managed.