Storage Encryption


As with message encryption in LANs, data encryption in storage is a straightforward method of ensuring that data is not subject to eavesdropping or to disclosure to unauthorized parties. The inherent problem with a key encryption scheme for storage encryption, however, is the number of nodes that are communicating at any given time.

How should encryption be provided so that it does not require user enrollment or inhibit I/O performance; that is, how can it be provided transparently? Asking this question produces a by-now familiar set of responses.

  • Encrypt at the switch: One solution is to implement encryption (as well as management and virtualization) on switches. Presumably, grouping nodes into zones, then establishing a trusted system of zone communications (essentially, which nodes are permitted to communicate) provides the basis for determining who sees unencrypted data. Switch vendors have begun to provide strong switch-to-switch authentication, and there is some movement in the storage industry to support SAN node authentication (e.g., verifying that a device connecting to the fabric is authentic and allowed). However, a switch-based approach does not protect the stored data while they are in transit or when they reach the subsystem or library. Implementing data encryption at the switch or even at the subsystem level will require additional processing capacity, some sort of key exchange methodology, a measure of interoperability that vendors have yet to demonstrate, and some sort of consolidated security management capability that has been the holy grail of security in the LAN space for many years.

  • Encrypt on the host: Some vendors seek to add I/O encrypt/decrypt functionality to applications, to the operating systems of server hosts, or to installed network interface cards/host bus adapters (NIC/HBA). Application-based encryption is an obvious location for introducing encryption, and some applications offer this function now in connection with sending documents as attachments across the Internet. Such functions do introduce performance hits on application hosts, however, and are likely to be used, as they are today, strictly on a one-off basis: when a user feels the delay is merited by the nature of the data. In short, application-level encryption may not be used even when it is available. And, if it is used, it is only as secure as the server hosting the application.

    Encryption as a function of host operating system software is a perpetuation of host-based management or virtualization architectures. It has the potential drawback of adding substantial processing cycles to the workloads of servers by adding another process to an already inefficient stack process.

    The NIC/HBA strategy has the potential merit of offloading encrypt/decrypt processing, but only if the industry can agree on a common NIC/HBA authentication protocol that would authorize only specific NIC/HBAs to decrypt traffic from certain nodes. Substantial work is being done in this area, by the way, and some report that the outlook is promising. [11]

  • Encrypt on the array controller: A few array vendors provide encryption functions on array controllers. Such a strategy is worthwhile, but only as a function of a larger system of node authentication and key exchange. One value of encrypting at the storage platform is only tangentially related to the broader issue of storage security and has more to do with warranty replacement of hard disks. In 1993, a healthcare service provider experienced failures in several array-based disk drives that were covered under a replacement warranty. However, he learned that the Health Insurance Portability and Accountability Act (HIPAA) of 1996 prohibited him from sending the drives to the vendor for replacement because they might contain private patient data. There was no way to disable the drives to guarantee that their data could not be read without physically destroying them, an action that would invalidate warranty replacement provisions. Any action short of physical destruction would need to be validated in terms of its success before the drives shipped (that is, the nonfunctioning drive would need to be operated to demonstrate that data erasure had occurred). This "Mobius Loop" in HIPAA regulations could be avoided if data were encrypted on the drive: without the key, the possibility of disclosure would have been a nonissue.

  • Encrypt via an in-band appliance: Newcomers, including Decru and NeoScale Systems, are pursuing an appliance-based approach to encrypt/decrypt. In their view, the implementation of an in-the-wire, on-the-fly encryption capability obviates the problems in other schemes by providing a proprietary scheme for authentication and key exchange (between appliances) that can be easily deployed and operates in a totally transparent manner. In the NeoScale approach (see Figure 10-4), a storage security appliance operates in-line and can be transparent to the application and to the storage subsystem, and can even be transparent to the switch or router. An appliance can be deployed according to an organization's security requirements, such as: (1) between application-attached storage servers and the fabric, (2) within the fabric, (3) before or after gateway connections, (4) in front of storage subsystems, and (5) in front of virtualization systems. [12] According to the vendor, once stored data reaches the appliance, the data payload can be encrypted and sent forward directly or through a secure tunnel (in which the appliance or another device is the terminating point). If tunneling functionality is employed, the appliance will require awareness of switches or routers.

    Figure 10-4. One deployment plan for NeoScale storage security appliances. (Source: NeoScale Systems, Inc., 1500 McCandless Drive, Milpitas, CA 95035, www.neoscale.com.)


This flexible deployment can effectively complement security provisions such as port zoning. For example, the appliance can be associated with zoned ports that carry application-specific or sensitive storage data. Such a deployment can also adapt to current and evolving network storage topologies and business functions.

NeoScale argues that a storage security appliance has the advantage of high-performance, centralized, policy-based management and transparent operation. The appliance analyzes stored data traffic, dynamically applying appropriate encryption and forwarding the encrypted payload to the storage subsystem without impacting the surrounding storage operations. By placing the encryption functionality and processing in a built-for-purpose device, servers and application storage processing remain dedicated to the purposes for which they were intended.

Storage security appliance advocates speculate that data encryption within a storage appliance can be implemented in several ways. According to NeoScale, the first method is "broad application using a single or reduced key set." [13] In other words, a single set of encryption keys would be used to encrypt all data entering the appliance. This would minimize key management issues but will still require key escrow and some means to associate an encryption key to a block range, partition, tape, object, etc.

The vendor concedes that this approach "does not take into account unique applications or protecting different sensitive data with different keys." [14] Many companies would prefer to selectively encrypt sensitive stored data and leave nonconfidential data unencrypted. Associating unique keys with unique data storage applications (e.g., by department, subsidiary, customer, data type, or application type) would effectively prevent any individual with access to a single key from having universal data access.

Another method is to provide dynamic and automated data storage encryption based on user-defined rules. This approach allows data encryption to be applied in response to different business requirements.

Rules would be created by the user and maintained by the appliance. Each rule would comprise data storage protection parameters based on selectable data elements (shades of the data naming scheme articulated in Chapter Eight) that would be available as part of the knowledge base of the storage security appliance. This approach has the merit of flexibility with respect to how organizations protect different application or functional data storage.
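The rule-based key selection just described, together with the drive-replacement point made above under array-controller encryption, is easier to reason about in code. The following is an added illustration, not NeoScale's or Decru's implementation: a toy in-line appliance that matches each block write against user-defined rules, derives one data key per rule from a single escrowed master key (the HMAC-SHA256 derivation and the HMAC-based counter-mode keystream are stand-ins for a real KDF and block-cipher mode), leaves unmatched ranges in the clear, and shows that destroying one rule's key makes only that domain's blocks unrecoverable.

```python
import hmac, hashlib, secrets
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:                 # one user-defined rule: which key domain covers a block range on a LUN
    key_name: str           # e.g. a department, subsidiary, customer or application
    lun: int
    first_block: int
    last_block: int         # inclusive

class StorageAppliance:
    """Model of an in-line appliance that selects a key per rule instead of one key for all data."""
    def __init__(self, master_key: bytes, rules):
        self.rules = list(rules)
        # Each rule gets its own data key, derived from the single escrowed master key with
        # HMAC-SHA256 and a domain-separating label (hypothetical KDF choice for this model).
        self.keys = {r.key_name: hmac.new(master_key, b"data-key/" + r.key_name.encode(),
                                          hashlib.sha256).digest() for r in self.rules}

    def rule_for(self, lun: int, block: int):
        return next((r for r in self.rules
                     if r.lun == lun and r.first_block <= block <= r.last_block), None)

    @staticmethod
    def _xor_stream(key: bytes, nonce: bytes, data: bytes) -> bytes:
        # Counter-mode keystream from HMAC-SHA256; stands in for a real block-cipher mode.
        stream = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                          for i in range((len(data) + 31) // 32))
        return bytes(a ^ b for a, b in zip(data, stream))

    def write(self, lun: int, block: int, data: bytes) -> bytes:
        rule = self.rule_for(lun, block)
        if rule is None:
            return data                      # no rule matched: nonconfidential, stored in the clear
        nonce = secrets.token_bytes(16)      # fresh per write and stored with the block
        return nonce + self._xor_stream(self.keys[rule.key_name], nonce, data)

    def read(self, lun: int, block: int, stored: bytes) -> bytes:
        rule = self.rule_for(lun, block)
        if rule is None:
            return stored
        key = self.keys.get(rule.key_name)
        if key is None:
            raise PermissionError(f"key {rule.key_name!r} destroyed; block {block} is unrecoverable")
        return self._xor_stream(key, stored[:16], stored[16:])

    def crypto_erase(self, key_name: str) -> None:
        """Destroy one domain's key: its blocks become unreadable, everything else stays intact."""
        del self.keys[key_name]
```

A failed drive covered only by a destroyed key can then leave the site without the data ever being recoverable, which is the outcome the HIPAA drive-return scenario above needed.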

Appliance-based storage security simplifies some of the burdens of key management and administration with respect to storage encryption, and it obviates some of the performance issues associated with other encryption techniques by offloading the function from servers, switches, and array controllers. Until (if ever) new protocols and services are introduced that are optimized for storage I/O encryption, technologies like those offered by Decru and NeoScale Systems may be the best approach for keeping data secret.



The Holy Grail of Network Storage Management
ISBN: 0130284165
Year: 2003
Pages: 96
