Storage encryption technology options for UK storage managers

Due to a series of high-profile data loss scandals, storage encryption technologies and practices are gaining a lot of attention from UK storage managers.

Due to a series of high-profile data loss scandals in the UK, storage encryption technologies and practices are gaining a lot of recent attention from UK storage managers. The UK government, for example, mandates the encryption of all removable media such as laptop hard drives and USB sticks to ensure data can't be read without an encryption key.

At the same time, organizations, particularly those in highly regulated sectors, find themselves subject to increasing amounts of pressure from auditors, regulators and customers to safeguard data storage from loss, theft and inappropriate access. The Payment Card Industry (PCI) Data Security Standard, which requires all payment card information to be encrypted, is one example of such regulation.

Currently, storage encryption is most widely employed in government, financial services and those sectors especially concerned with intellectual property, such as pharmaceuticals. According to last year's purchasing intentions survey, 29.9% of organisations have implemented some form of storage encryption technology. Another 9.6% of those questioned planned to deploy it in the future, 8.3% were evaluating it actively and another 21% planned to do so soon.

When considering encryption, remember that it can be applied to data in-flight or data at-rest. Data in-flight refers to information encrypted when in transit from one point to another, for example over the local-area network (LAN) or wide-area network (WAN). Encryption of data at-rest occurs when information is stored on media such as disk or tape. Storage encryption is concerned with data at-rest rather than encryption of data in-flight, which is provided at the network layer and comes embedded in hardware from vendors such as Brocade and Cisco Systems.

There are several ways to enable storage encryption:

  1. Through encryption technology embedded in backup software
  2. Via encryption appliances that plug into storage networks
  3. Through ASICs located at the drive level
  4. In encryption software applied to devices and removable media

Here's a quick overview of the pros and cons of each of these options.

Encryption technology embedded in backup software

The functionality required to encrypt data backups is incorporated into most backup software products. The advantage of undertaking encryption in this way is that it's possible to switch on encryption functionality without the need to change device drivers or drive settings, which makes it a cost-effective option for retrofitting to existing infrastructures.

But there are disadvantages. Encrypting in software can create throughput bottlenecks, because the data is encrypted as it passes between the LAN and the storage infrastructure, and that work incurs a processing overhead.

Encryption appliances that plug into storage networks

Encryption appliances provide a relatively quick and easy means of retrofitting encryption capabilities onto existing systems because they plug directly into the fabric/network. They're best suited to large shared storage environments with bulk data encryption requirements because deploying multiple devices across the organisation can become an expensive proposition. These devices generate low performance overheads on the storage infrastructure.

But research firm Gartner expects appliances to be superseded over the next three to five years as encryption functionality is increasingly included natively in storage systems.

It's also worth bearing in mind that the reality of installing encryption appliances may not be quite as simple as vendors promise and can require third-party help. Key vendors in this space include CipherMax, CipherOptics, Crossroads Systems, Digital Security International, Exar's Hifn Technology, NetApp, SafeNet's Ingrian and Vormetric.

Encryption using ASICs located at the drive level

ASICs for encryption are embedded into everything from external hard drives and tape drives to storage arrays, and all of the key primary storage and tape library vendors have gone down this route. The advantage of this approach is that the host system suffers no performance overhead when encryption and decryption take place, because the cipher is implemented in the chip's silicon rather than in software running on the host.

The downside is the cost involved if organisations want to retrofit or replace existing kit with the new technology, not least because it comes at a premium.

Encryption software applied to devices and removable media

The most common use case for encryption is to protect portable devices and removable media such as laptops and portable drives, although encryption of backup tapes is becoming increasingly common. The focus on removable media stems from the obvious concern about safeguarding data once it leaves the enterprise, as more people ship backup tapes offsite and use mobile equipment.

The Britannia Building Society in Stoke-on-Trent is encrypting removable media and also performing some native database encryption.

Laptop hard drives are encrypted and users are prompted for a password at power on. Without a password, the disk is unreadable, even if the hard drive is installed on another machine. USB ports are locked down by a piece of software on all PCs, which means there's no way to transfer data out of the company via USB devices that are unauthorised or insecure. If an encrypted USB stick is lost, the data is still safe. LTO-4 tapes have encryption capabilities that could be used if Britannia Building Society wanted to send them offsite.

Dylan Mathias, Unix and storage manager at Britannia Building Society, declined to name the specific products used at his firm but said, "All these technologies are designed to prevent the data from being read if the device involved falls into the wrong hands. You have to assume sooner or later you will lose one of these things. The hardware can easily be replaced; the loss of data cannot."

Encryption key management challenges: Organisations have generally shied away from adopting storage encryption technology because of the overhead associated with encryption key management.

Inhibitors to storage encryption technology

Some of the major reasons why encryption technology isn't universally applied at the moment include the upfront purchasing costs often associated with encryption, and user concerns that encrypting and decrypting data can slow data throughput.

Deploying encryption technology at the storage subsystem is only "just beyond early adoption" and is unlikely to move into the mainstream for another three to five years, according to Rene Millman, a senior research analyst at Gartner. One reason for this lack of uptake is that organisations often believe data held within the walls of the enterprise to be less vulnerable.

For example, Britannia Building Society's Mathias isn't convinced about the need to encrypt at the array level.

"The theory behind it is that someone might steal an entire array, but you'd need a JCB to do that and it would be quite an achievement," he said. "I can see the argument for encryption on portable devices and tape backups, but I'm not convinced of the need to encrypt the entire array."

But Andrew Reichman, a senior analyst at Forrester Research, believes such technology can play a role in securing data should hardware need to be returned to vendors or when it reaches end of life. Without an encryption key, third parties can't read sensitive corporate data. As a result, organisations can destroy the encryption key rather than pay for data destruction services.
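The two mechanisms described above, the power-on passphrase that makes a lost laptop disk or USB stick unreadable and the end-of-life option of destroying the key rather than the data, follow from one design that most self-encrypting drives and disk-encryption products share: a random data encryption key (DEK) protects the stored data, and the DEK is itself wrapped under a key derived from the user's passphrase. The Go program below is an added example written for this article; it is not code from the article or from any vendor or product named in it. The Volume type, its field names and the iterated-SHA-256 passphrase stretch are assumptions made for the example (a real product would use a standard KDF such as PBKDF2 or Argon2 and would keep keys in hardware); the sample data and passphrase are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Volume models what an encrypted disk or USB stick keeps beside its ciphertext
// (the names are assumptions for this example, not any vendor's on-media format).
type Volume struct {
	Salt       []byte // random, stored in the clear
	WrappedDEK []byte // data encryption key sealed under the passphrase-derived KEK
	Data       []byte // user data sealed under the DEK
}

// deriveKEK stretches the passphrase into a 256-bit key-encryption key. Iterated
// SHA-256 stands in for a real KDF (PBKDF2/Argon2) so the example needs no module.
func deriveKEK(passphrase string, salt []byte) []byte {
	h := sha256.Sum256(append([]byte(passphrase), salt...))
	for i := 0; i < 50000; i++ {
		h = sha256.Sum256(append(h[:], salt...))
	}
	return h[:]
}

func gcmFor(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts and authenticates plaintext, returning nonce || ciphertext || tag.
func seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// open reverses seal; it fails if the key is wrong or any stored byte was altered.
func open(key, sealed []byte) ([]byte, error) {
	gcm, err := gcmFor(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("sealed block too short or destroyed")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], nil)
}

// NewVolume "formats" the media: random salt and DEK, data sealed under the DEK,
// DEK wrapped under the passphrase-derived KEK (a passphrase change only re-wraps).
func NewVolume(passphrase string, data []byte) (*Volume, error) {
	buf := make([]byte, 48)
	if _, err := rand.Read(buf); err != nil {
		return nil, err
	}
	salt, dek := buf[:16], buf[16:]
	wrapped, err := seal(deriveKEK(passphrase, salt), dek)
	if err != nil {
		return nil, err
	}
	sealedData, err := seal(dek, data)
	if err != nil {
		return nil, err
	}
	return &Volume{Salt: salt, WrappedDEK: wrapped, Data: sealedData}, nil
}

// Unlock is the power-on passphrase prompt: unwrap the DEK, then decrypt the data.
func (v *Volume) Unlock(passphrase string) ([]byte, error) {
	dek, err := open(deriveKEK(passphrase, v.Salt), v.WrappedDEK)
	if err != nil {
		return nil, errors.New("wrong passphrase or key block destroyed")
	}
	return open(dek, v.Data)
}

// CryptoErase destroys the wrapped DEK. The ciphertext stays on the media but is
// unrecoverable even with the right passphrase: key destruction replaces data destruction.
func (v *Volume) CryptoErase() {
	for i := range v.WrappedDEK {
		v.WrappedDEK[i] = 0
	}
	v.WrappedDEK = nil
}

func main() {
	v, err := NewVolume("correct horse battery", []byte("customer ledger")) // constructed sample
	if err != nil {
		panic(err)
	}
	fmt.Println(v.Unlock("wrong passphrase"))
	v.CryptoErase()
	fmt.Println(v.Unlock("correct horse battery"))
}
```

The point of the two-level key hierarchy is what makes Reichman's suggestion cheap: the media key never leaves the device in the clear, so overwriting a few dozen bytes of wrapped key renders terabytes of ciphertext useless, and a password change never requires re-encrypting the disk. Authenticated encryption (GCM) also means a stored block that has been altered, or a wrong passphrase, is detected as a failure rather than silently decrypting to garbage.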

"It's not an area that has been focused on much, but people are starting to see the value of addressing this issue in a more systematic way," Reichman said.
