Network Data: Encryption the Right Way
From STORAGE Magazine
Vol 6, Issue 8 - October 2006
Greg Farris of MaXXan reviews the options for encrypting data as an additional
line of defence in the network, in the context of a new SAN based approach
Securing sensitive digital data - whether it contains customer data,
financial information, or intellectual property - has become a top concern for
companies. With a variety of threats facing organisations today, protecting the
perimeter of the network with firewalls and intrusion protection is no longer an
adequate way to secure data.
Data-at-rest encryption has become an essential data protection option
because, unlike perimeter controls, encryption can protect data even when
accessed in storage, or removed from a secure location. Encryption secures data
by making data unreadable to anyone except authorised users who have the digital
key used to decrypt and read the data.
A Variety of Encryption Options
There is no question that some type of encryption method should be employed to
protect sensitive enterprise data. The question that remains, however, is which
encryption tool should be used. Users are presented with a wide range of
encryption options that differ greatly on points such as how and where
encryption is deployed.
The following are a few of the more popular encryption options available
today:
In-Line Encryption Appliances
In-line encryption appliances reside in the Storage Area Network (SAN) between
the storage devices and servers requesting the encrypted data. The appliance
encrypts data as it passes through the device on its way to storage - protecting
the data while at rest - and decrypts data going back to the applications.
In-line appliances are easily installed point-to-point solutions, but they
cannot scale easily or affordably.
Database Level Encryption
Database level encryption enables the encryption of fields of data when they are
stored in a database. This type of deployment is also called column level
encryption, because it is performed at the column level in a database table.
Database level encryption is more economical for companies with sensitive
data located exclusively in one or possibly two database columns. However, the
process can cause an intolerable level of performance degradation across the
system.
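To show where the performance cost of column level encryption comes from, here is an added example (not from the article or from MaXXan): a randomly encrypted column cannot be searched by the database, so an equality lookup must fetch and decrypt every row, while a deterministic HMAC "blind index" column restores an indexed lookup at the price of revealing which rows share a value. The keys, the sample records and the HMAC-SHA256 counter-mode stream (a dependency-free stand-in for AES) are all constructed for this demo.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demo keys; a real deployment fetches these from a key manager.
ENC_KEY = b"\x01" * 32   # keystream key
MAC_KEY = b"\x02" * 32   # integrity key (encrypt-then-MAC)
IDX_KEY = b"\x03" * 32   # blind-index key, kept separate from the data keys

# Constructed sample records: (customer name, sensitive column value).
SAMPLE = [("alice", "111-22-3333"), ("bob", "444-55-6666"), ("carol", "777-88-9999")]

def _keystream(key, nonce, n):
    # HMAC-SHA256 in counter mode; stands in for AES-CTR so the demo needs no extra libs.
    out, ctr = b"", 0
    while len(out) < n:
        out += hmac.new(key, nonce + ctr.to_bytes(4, "big"), hashlib.sha256).digest()
        ctr += 1
    return out[:n]

def encrypt(pt):
    # Fresh random nonce: the same plaintext yields a different ciphertext every time.
    nonce = os.urandom(16)
    ct = bytes(a ^ b for a, b in zip(pt, _keystream(ENC_KEY, nonce, len(pt))))
    tag = hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def decrypt(blob):
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(MAC_KEY, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("ciphertext failed integrity check")
    return bytes(a ^ b for a, b in zip(ct, _keystream(ENC_KEY, nonce, len(ct))))

def blind_index(pt):
    # Deterministic keyed hash: equal values collide, so the database can index it.
    return hmac.new(IDX_KEY, pt, hashlib.sha256).digest()

def build_db(records):
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE customers (name TEXT, ssn_enc BLOB, ssn_idx BLOB)")
    db.execute("CREATE INDEX ix_ssn ON customers(ssn_idx)")
    for name, ssn in records:
        db.execute("INSERT INTO customers VALUES (?, ?, ?)",
                   (name, encrypt(ssn.encode()), blind_index(ssn.encode())))
    return db

def find_by_scan(db, ssn):
    # Randomized ciphertext defeats WHERE: every row is pulled back and decrypted.
    rows = db.execute("SELECT name, ssn_enc FROM customers").fetchall()
    return [n for n, c in rows if decrypt(c) == ssn.encode()], len(rows)

def find_by_index(db, ssn):
    # The database resolves the lookup itself through the blind-index column.
    rows = db.execute("SELECT name FROM customers WHERE ssn_idx = ?",
                      (blind_index(ssn.encode()),)).fetchall()
    return [n for (n,) in rows], len(rows)
```

The second value returned by each lookup is the number of rows the application had to touch: the whole table for the scan, one row for the indexed query.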
File Level Encryption
File level encryption can take place on the host or in-line at the Network
Attached Storage (NAS) level. Depending on the implementation, this
encryption method can also cause performance issues, and it creates limitations
when performing data backup operations, particularly for databases.
File level encryption can cause considerable difficulties with key
management, adding an extra layer of administration to identify and correlate
relevant keys, based on file level directory locations. It can also introduce
challenges when using certain types of database backup applications such as
Oracle RMAN that do not use a file level approach to backup data.
Device Level Encryption
Device level encryption is an emerging encryption method that involves
encryption of data at rest on storage devices, including hard disk and tape.
While device-level encryption offers a high level of transparency to users and
applications, it provides very limited protection. Data is not encrypted during
transmission; it is only encrypted once it reaches the storage device, so device
level encryption protects only against theft of the physical storage media.
A New Encryption Approach
A new simplified and economical approach to storage security involves deploying
encryption directly within the storage fabric via a Secure Storage Application
Platform (SSAP).
An SSAP is a fabric-attached system with full switching functionality that
allows direct delivery of encryption services, as well as other data management
and data protection applications, within the SAN. An SSAP can provide
simultaneous support for multiple network protocols such as Fibre Channel (FC),
FCIP, and iSCSI, as well as support for SAN/NAS convergence.
Companies must consider carefully what type of encryption they should
implement. The following list of top encryption solution requirements can serve
as a guideline to compare encryption options, demonstrating the benefits that an
SSAP delivers in many storage environments.
Transparency to Infrastructure,
Applications and Users
A key requirement of encryption is transparency to the IT infrastructure,
applications and data users. Users will not accept service interruptions,
degraded performance or intrusive processes, and such friction ultimately erodes
security rather than strengthening it.
An example of a storage security solution that avoids these potential
problems is MaXXan System's SSAP-based encryption, which operates transparently
to users and applications by attaching directly to the SAN fabric, as well as
allowing for a heterogeneous IT infrastructure.
Easy and Economical Scalability
The encryption solution must be scalable to meet future data protection needs as
the company grows and becomes even more geographically distributed.
Although in-line encryption appliances cannot scale without adding more
expensive hardware appliances, the SSAP's modular architecture offers easy
scalability simply by adding additional line cards to support as many as 256
ports. Eliminating the need for dozens of individual appliances, an SSAP saves
on equipment expenses, rack space, cooling costs, setup time and system
management.
Minimal Impact on System Performance
Performance degradation has been a traditional obstacle to the successful
implementation of encryption, especially database level encryption options.
SSAPs bypass this issue by running cryptographic functions on high
performance processors, reaching a level of throughput several times higher than
in-line encryption, not to mention database-level encryption. As a result, a
single line card will deliver the performance of multiple storage encryption
appliances. In addition, line card-based SSAPs will easily boost performance
with the addition of encryption accelerating line cards.
Flexible Configuration
An SSAP will support multiple media types including disk and tape, all from the
same device. The in-line encryption approach requires separate appliances to
protect data on disk vs. data on tape, further increasing the expense and
administration of this impractical option. The SSAP also allows designation of
security attributes to be defined by host, LUN or target, providing a high level
of flexibility and control over encryption.
Single Point of Management
The SSAP-based solution is unique due to its support for a single management
interface to control a large number of security policies applied to many storage
devices. Alternative encryption options are not able to offer this level of
integration, which allows rapid deployment and configuration, ease of use and
simplified maintenance of storage management and security applications.
Access to security functions can still be separated by administrative role
definition, enforcing separation of duties and enabling the use of third-party
service providers for storage management operations.
Global Key Management
An SSAP-based encryption solution provides centralised global key management,
supporting encryption across multiple media types across the data centre and
significantly mitigating the risk of supporting heterogeneous key management
applications.
Low Cost
SSAP-based encryption offers the lowest Total Cost of Ownership (TCO) of any
hardware-based encryption solution available, due to comparatively low initial
investment, deployment costs and management expenses, as well as the support of
additional storage services and applications on a single platform. The ability
to combine multiple services onto a single platform greatly reduces operating
expenses.
Conversely, in-line appliances require a high initial investment, which
increases with the need for multiple appliances. In-line encryption can also add
a high cost of deployment in man-hours and service disruption, and high TCO due
to management, rack space, power and cooling.
Conclusion
Encryption is a necessary cost of doing business today, so the ideal approach is
a solution that remains highly secure while keeping cost and maintenance to a
minimum.
Although all the encryption options outlined offer certain advantages, SSAP-based
encryption delivered directly to the SAN fabric offers all the essential
advantages expected from an encryption solution, with minimal deployment cost
and operational impact.