Data-at-rest security

Safe by cjc4454 (cc) (from flickr)

Although we have discussed securing data in the cloud before, we have not discussed IT data security in general.  I count at least six different places where one can secure IT data-at-rest today.  In most cases there is some sort of system that provides encryption/decryption services, plus some way for that system to have its encryption keys generated, stored, and securely retrieved.  All of these systems use symmetric key cryptography, where the same key is used for both encryption and decryption, so whoever holds the key can read the data.   Approaches to IT data-at-rest security include data encryption performed at the following points:

  • Drive level
  • Subsystem-based
  • Network-based
  • Appliance-based
  • HBA-based
  • Host-based.

Drive level encryption

For tape transports, drive level encryption has been around since LTO-4, and earlier than that with other proprietary tape formats. For disk, drive-level encryption has been available for a long time in the consumer space and has lately been introduced into enterprise storage as well.

Encryption key management is critical to securing any drive level encryption.  Key management can be supplied either externally by some sort of standalone key management software/appliance or internally from the tape library or disk subsystem controller itself.

The reasons for tape drive encryption are fairly substantial: tapes in transit can be lost or stolen. Similarly, disks can be replaced or stolen from enterprise storage subsystems and so are subject to the same security concerns as tape volumes.  As drive encryption is typically performed by special purpose hardware in the drive, it can operate with almost no overhead and thus little impact on storage performance.  Note that once a drive has been unlocked with its key it serves plaintext to any host on the data path; drive-level encryption addresses loss of the media, not unauthorized access through the normal I/O path.

Disk subsystem-based encryption

Although there are only a few current implementations of this capability, data encryption/decryption could easily be done entirely at the subsystem level, with key management available either external or internal to the subsystem.  Most likely this would be a software cryptographic solution, but hardware could also be supplied to encrypt/decrypt data.  With a software implementation, the impact on storage performance (especially on read back) might be considerable.

A couple of years ago, EMC, HDS and others added “secure data erasure” for disks or subsystems going out of service.  However, this does nothing for the security of operating data-at-rest; it only addresses media leaving service.

Network-based encryption

Both Cisco and Brocade offer data security services in the SAN or storage network fabric.  Such capabilities encrypt and decrypt data going to or from LUNs and/or tape drives.  Key management can be supplied externally as well as internally to the networking equipment.  Both Cisco and Brocade SAN encryption services are hardware encryption solutions and as such operate at line speed with high throughput.

Appliance-based encryption

In the past, a number of companies offered appliance or standalone hardware-based encryption, which places the data security appliance in the data path somewhere between the host and its storage devices.  Such solutions have been falling behind or have recently been replaced by network-based encryption solutions, but they still have a significant installed base.   Key management can be supplied internal to the appliance or externally.  All appliance-based encryption solutions use dedicated hardware for encryption/decryption of data.

HBA-based encryption

Last month EMC announced a new capability for their CLARiiON storage which operates in conjunction with Emulex HBAs to offer hardware HBA-based encryption for data.  This solution is interesting in that it is almost a host-based hardware solution, and it should have little to no impact on storage performance.  Key management is supplied external to the HBA.

Host-based encryption

Host encryption has been available in the consumer and enterprise space for a number of years.  Such services have seen much success with laptop data.  Host-based services are available from operating system vendors or as special purpose applications.  In the consumer space, products such as PGP (recently purchased by Symantec) have been available for over a decade; similar capabilities exist in the enterprise space via special purpose “secure” file systems and other applications.  Most host-based cryptographic systems use software-based algorithms, although hardware host-based services are available on the mainframe (System z) via cryptographic co-processors, and on the latest Intel processors via the AES-NI instruction set extensions, which accelerate AES in what is otherwise a software solution.

Other data-at-rest security considerations

From a performance perspective, hardware encryption has the least impact but is very expensive.  In addition, drive level encryption is probably the most scalable, since the more drives you have, the more encryption throughput can be supported.  Next come the appliance or network-based encryption solutions, which can be scaled by purchasing more appliances or encryption blades/switches.

In contrast, software-based services perform the worst but are the easiest to deploy.  Most consumer O/Ss support data encryption with a simple configuration change.  Software solutions are the least expensive as well, because there is no hardware to purchase.  Software-based solutions can also be scaled, but only by adding more servers/subsystems.

In any event, key management cannot be overlooked in any data-at-rest security solution.  Given the strength of modern encryption algorithms, the loss of a data key is equivalent to the loss of all data encrypted with that key.  So when considering key management, one should look for support of key archives, redundant key managers, key hierarchies, and other advanced characteristics that make key access continuously available and disaster proof.  In a key hierarchy a small number of master (key-encryption) keys wrap the per-volume or per-tape data keys, so it is the master keys that must be archived and replicated, and rotating a master key means re-wrapping the data keys rather than re-encrypting the data itself.
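To make the two points concrete, here is an added example that is not code from the original post or from any vendor it names: a host-based software AES path (the kind the host-based section describes, accelerated by AES-NI where the CPU has it) with a two-level key hierarchy in front of it. A key-encryption key (KEK) that stays in the key manager wraps one data-encryption key (DEK) per volume; only the wrapped DEK is stored beside the data. The function names, the volume ID, the block address used as additional data and the sample record are all this example's own assumptions.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Added example, not code from the original post or any vendor it names: a
// two-level key hierarchy in which a key-encryption key (KEK) held by the key
// manager wraps one data-encryption key (DEK) per volume. Names are assumed.

const nonceSize = 12 // standard AES-GCM nonce length

// NewKey returns a fresh 256-bit symmetric key from the OS CSPRNG.
func NewKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

// SealGCM encrypts with AES-256-GCM (Go uses AES-NI where the CPU has it),
// binding the ciphertext to aad, and returns a random nonce plus
// ciphertext-with-tag.
func SealGCM(key, plaintext, aad []byte) (nonce, ct []byte, err error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, nil, err
	}
	nonce = make([]byte, nonceSize)
	if _, err = io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, nil, err
	}
	return nonce, gcm.Seal(nil, nonce, plaintext, aad), nil
}

// OpenGCM reverses SealGCM; a wrong key, altered ciphertext or mismatched aad
// fails authentication and returns an error, never plaintext.
func OpenGCM(key, nonce, ct, aad []byte) ([]byte, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, nonce, ct, aad)
}

// WrapDEK seals a volume's DEK under the KEK and returns nonce||ciphertext, the
// small record stored beside the volume. The volume ID as aad stops one
// volume's wrapped DEK from being replayed against another volume.
func WrapDEK(kek, dek []byte, volumeID string) ([]byte, error) {
	nonce, blob, err := SealGCM(kek, dek, []byte(volumeID))
	return append(nonce, blob...), err
}

// UnwrapDEK runs inside the key manager, so the KEK itself never leaves it.
func UnwrapDEK(kek, wrapped []byte, volumeID string) ([]byte, error) {
	if len(wrapped) < nonceSize {
		return nil, errors.New("wrapped DEK record too short")
	}
	return OpenGCM(kek, wrapped[:nonceSize], wrapped[nonceSize:], []byte(volumeID))
}

// RotateKEK re-wraps a DEK under a new KEK: only the small wrapped record is
// rewritten, not the data encrypted under the DEK.
func RotateKEK(oldKEK, newKEK, wrapped []byte, volumeID string) ([]byte, error) {
	dek, err := UnwrapDEK(oldKEK, wrapped, volumeID)
	if err != nil {
		return nil, err
	}
	return WrapDEK(newKEK, dek, volumeID)
}

func main() {
	kek, _ := NewKey()
	dek, _ := NewKey()
	wrapped, _ := WrapDEK(kek, dek, "vol-0001")
	// Data path: the block address as aad pins each block to its location.
	nonce, ct, _ := SealGCM(dek, []byte("customer records"), []byte("lba:42")) // constructed sample
	recovered, _ := UnwrapDEK(kek, wrapped, "vol-0001")
	pt, err := OpenGCM(recovered, nonce, ct, []byte("lba:42"))
	fmt.Printf("right KEK: %q err=%v\n", pt, err)
	lostKEK, _ := NewKey() // stands in for a KEK that was lost and regenerated
	_, err = UnwrapDEK(lostKEK, wrapped, "vol-0001")
	fmt.Println("wrong KEK:", err)
	newKEK, _ := NewKey()
	rewrapped, _ := RotateKEK(kek, newKEK, wrapped, "vol-0001")
	dek2, _ := UnwrapDEK(newKEK, rewrapped, "vol-0001")
	pt, err = OpenGCM(dek2, nonce, ct, []byte("lba:42"))
	fmt.Printf("after KEK rotation: %q err=%v\n", pt, err)
}
```

The wrong-KEK branch is the "loss of a data key is loss of the data" point made executable: AES-GCM fails authentication rather than returning garbage, so nothing short of the right KEK recovers the DEK, which is why the KEK (not the bulk data) needs the archives and redundant key managers mentioned above. RotateKEK shows the payoff of the hierarchy: a master key change rewrites a 60-byte record per volume instead of re-encrypting the volume.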

Data security is certainly feasible with any of these solutions. But performance, availability and ease of management must be understood before seriously committing to any data-at-rest security regimen.