Security: The importance of key management, part 2

By Steve Norall

Vendors have responded to the crushing need for securing data at rest with a plethora of products and approaches. Broadly speaking, these products can be divided into six categories:

  • Application level: Applications, such as backup, encrypt data streams before sending them over the wire to the storage device. These applications use software-based encryption algorithms.
  • Database level: Databases offer built-in features that allow the encryption of column data before the data is persisted to the disk subsystem. Databases typically use software-based encryption algorithms.
  • File system level: File system level filter drivers intercept calls to the host file system, interpret them, and encrypt the data payload. These systems typically use software-based encryption algorithms on the host to scramble clear text. Moreover, advanced implementations leverage a centralized secure appliance for key management and policy controls.
  • Purpose-built appliance (PBA): PBAs are in-band network devices that receive IP and Fibre Channel traffic, encrypt the payload, and forward the data to its destination: NAS, tape, or another storage device. These devices use silicon-based approaches to encrypt data at wire speed.
  • Intelligent switch: Intelligent switches use line cards with purpose-built silicon to encrypt data payloads as they are received and then switch traffic to their final destination. At present, these switches support only Fibre Channel traffic.
  • Storage device: Some tape and disk devices include purpose-built silicon chips on the controller that encrypt data written to the physical tape or disk.

As with any technology, the different approaches to storage security lend themselves to different deployment scenarios. Small departmental or remote office deployments, where the number of tapes to be encrypted is small, lend themselves to application-level solutions. Examples include EMC's NetWorker and Symantec's NetBackup.

File system level, PBA, and intelligent switch products are well-suited for midrange to large SAN and tape environments. Vormetric provides a solution that secures data in flight and at rest across laptops, tape devices, NAS, and disk environments. However, it requires host-level agents. PBAs, such as those from Decru and NeoScale, are transparent to the storage network and have become the primary approach to securing tape environments. However, the largest tape and disk deployments require multiple PBAs clustered together, which adds cost and complexity in terms of key administration.

For the largest enterprise-class SAN and tape deployments, intelligent switches offer the fastest encryption speeds and highest level of scalability. Maxxan combines wire-speed encryption with optional switching capabilities. Unlike PBAs, Maxxan's CipherMax intelligent switch enables a high degree of fabric configurations through its support of LUN masking, LUN mapping, and automatic zone detection.

Corporate IT is transitioning from a mindset of securing the data-center perimeter to understanding the new threats and realities posed by data mobility. Securing data at rest brings new challenges to the forefront and impacts traditional storage workflows, such as backup and recovery, disaster recovery, and storage management.

From the Taneja Group's perspective, as encryption and storage security devices proliferate in the infrastructure, centralized key management will become the crucial element controlling storage security devices and ensuring traditional storage processes function smoothly. The vendor community is just now responding to this new reality. However, end users need to understand key management and plan for an environment where keys and key management are part of their everyday storage routine.

Steve Norall is senior analyst and consultant at the Taneja Group consulting firm (www.tanejagroup.com).


Four questions to ask your storage security vendor

Most storage security vendors use the same encryption algorithms and follow similar best practices when it comes to securing data at rest. Therefore, the true differentiation in these offerings lies in the different architectural approaches to securing data, how they handle keys, and how the key management process can be adapted to a company's proprietary processes. Here are some questions that are worth discussing with your storage security vendors before making a purchasing decision:

What is the recovery process if the storage security system suffers a hardware failure or if there is a site outage?
End users must incorporate key management and key recovery into the calculus of their high-availability and disaster-recovery planning. Users need to understand how storage security devices recover from failures and what processes are required to initiate these procedures. Is key recovery automated on a device failure or site fail-over? Will an outage to the key management system result in encrypted data being offline? By implementing storage security, will storage administrators still be able to meet their availability SLAs?

How does the system scale to meet current and future encryption needs?
As with any capacity planning exercise, end users need to project what their encrypted storage capacity needs will be. How many new tape devices and LUNs will need encryption over the next three years? Ultimately, storage security systems need to be able to scale with the encrypted capacity of your storage environment. Because these systems must operate at wire speed, careful planning is required so that they do not become a bottleneck as they scale, and users should have a good handle on how the environment will be scaled. Moreover, scalability and performance cannot come at the cost of management overhead or higher costs. Otherwise, many of the benefits of centralized storage will be undone.

How configurable is the key management system to a company's IT workflow?
One size does not fit all for key management. Adopting stringent military-grade security and processes may not be the right approach for the majority of companies. How flexible is the key management system? Does it conform to a company's storage processes (e.g., backup and restore, disaster recovery), or does it force a company to change storage processes or impose undue management burdens? Will the key management system be able to handle the case where a division of your company spins out or you merge with another company? Careful planning in terms of possible future scenarios is required before you purchase a storage security solution.

How does the system ensure regulatory compliance?
Many users are deploying storage security systems to meet regulatory compliance mandates. However, it is important to understand how functions such as key logging and audit trails map onto existing compliance and security requirements. All storage security systems encrypt data, but some have much stronger logging and auditing capabilities than others.

This article was originally published on October 13, 2006