Encrypting Backups Requires Key Planning

Some enterprises are adopting an "encrypt everything" policy to address the confidentiality and security of data, including on backups. A new backup product from Sepaton separates encryption from key management.

David Hill

April 2, 2013


Confidentiality is a key objective of data protection. Encryption is the most commonly accepted technology for ensuring the confidentiality and security of data. Yet, even though enterprises recognize the need for and importance of encryption, the rate of adoption has been uneven to say the least. Concerns about proper key management, potential performance impacts, and cost are grains of sand in the gears of progress.

Yet progress is being made in different pieces of the IT information infrastructure puzzle. As part of the recent introduction of Sepaton's S2100-ES3 Series 2925, the latest member of its data protection appliance family, the company announced encryption of data at rest as an option. This will serve as a concrete illustration of the general approach, which applies not only to the disk-to-disk backup piece of the information infrastructure puzzle but to other pieces as well.

Encrypt Everything?

The importance of maintaining the confidentiality and security of data is growing across the enterprise. Failure can result not only in public embarrassment, but also in serious financial costs.

While all that is true, why encrypt backups? An information thief would have a hard time gaining access to backup data and making sense of it, especially in a deduplicated format. However, what about disk drives that are removed from an array containing backup information for maintenance purposes? What about insiders who may be able to access the data from behind the firewall?

To prevent the possibility of both outsider and insider breaches, many enterprises are moving to an "encrypt everything" strategy. That means encrypting both sensitive and non-sensitive data.

Why protect information for which exposure would create no harm? One reason is that separating sensitive and non-sensitive data is time consuming. Plans to encrypt some data, but not all, could create compliance, process, and management headaches. Because governmental entities often mandate encryption for certain data types, and because what needs to be protected may change over time, encrypting everything enables an organization to increase the likelihood of meeting future compliance requirements.

Still, enterprises are moving carefully for cost and planning reasons. One of the main planning issues is ensuring that all the components in the chain can play nicely together.

Use Standards-Based Tools

Encryption is not only a task (write this set of data to disk in an encrypted manner), but also a process (make sure that the keys to decrypt the data are always available, even in the case of a disaster). A critical decision for an enterprise is to settle on an enterprise key manager that provides a single point of management for all keys. No one wants to have to worry about having to manage more than one set of key tools in an "encrypt everything" environment that spans all storage platforms. And that key manager has to work with a common protocol that enables communication between the encryption process itself and the key management tool.

Sepaton's S2100 encryption enables integration with enterprise key managers that are compliant with the Organization for the Advancement of Structured Information Standards Key Management Interoperability Protocol (OASIS KMIP) 1.0/1.1 specification. OASIS is an international, not-for-profit consortium for the development, convergence, and adoption of standards for the global information technology world, and includes IT "household" names, such as EMC (RSA), HP, IBM, and NetApp.

Interoperability Rules

Interoperability with existing key managers is important. Technically, Sepaton could have developed its own key manager, but that would be only one among many minor players. That is not acceptable to IT or the enterprise. Basically, the encryption key manager is the tail that wags all of the encryption dogs that perform one or another of the encryption pieces of the IT infrastructure puzzle.

Let's see how that works. The Sepaton S2100 is a certified partner of RSA and Thales e-Security, and it will work with other products as well in the future. Authorized personnel interface with the RSA DPM (Data Protection Management), a server-based centralized key management solution, through the RSA DPM console, not the S2100 directly. The S2100 system itself never stores encryption keys on disk, so no one can decrypt the data without proper authentication to the RSA DPM. Naturally, there are a lot of things going on, including OASIS KMIP and a trust certificate that is authenticated against the RSA DPM when the Sepaton S2100 connects to it.

The Sepaton S2100 encryption of data at rest feature uses NIST-approved AES-256 encryption. That renders any drive removed from a disk array unreadable without the encryption key, which (as stated) is not on any disk. That is important because, during the expected life of a Sepaton S2100 appliance, its drives may be removed from the system due to decommissioning, theft, and possibly failure. Given modern disk forensics tools, it is likely that even a failed disk could be read if it weren't encrypted.
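The split described above (the appliance does the AES-256 encryption, an external key manager holds the keys, and nothing on the appliance's disks can decrypt them) can be shown in a few dozen lines. The following is an added example written for this article; it is not Sepaton's code, not RSA DPM, and not a KMIP implementation. The KeyManager type is a stand-in for the enterprise key manager, the "certificate" is a constructed byte string used only as a trust fingerprint, and the key identifier and payload are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"fmt"
)

// KeyManager is a stand-in for an external enterprise key manager (the role a KMIP server plays in the article); it is not a KMIP implementation.
type KeyManager struct {
	keys    map[string][]byte // key identifier -> 32-byte AES-256 key
	trusted [32]byte          // SHA-256 fingerprint of the one trusted appliance certificate
}

func NewKeyManager(trustedCert []byte) *KeyManager {
	return &KeyManager{keys: map[string][]byte{}, trusted: sha256.Sum256(trustedCert)}
}

// CreateKey generates a random AES-256 key; only its identifier is ever handed to callers.
func (km *KeyManager) CreateKey(id string) error {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return err
	}
	km.keys[id] = key
	return nil
}

// GetKey releases key material only to a client presenting the registered certificate.
func (km *KeyManager) GetKey(clientCert []byte, id string) ([]byte, error) {
	fp := sha256.Sum256(clientCert)
	if subtle.ConstantTimeCompare(fp[:], km.trusted[:]) != 1 {
		return nil, fmt.Errorf("key manager: client certificate not trusted")
	}
	if key, ok := km.keys[id]; ok {
		return key, nil
	}
	return nil, fmt.Errorf("key manager: no key with id %q", id)
}

// StoredBlock is everything the appliance writes to disk: ciphertext, nonce and key identifier. No key material is persisted.
type StoredBlock struct {
	KeyID      string
	Nonce      []byte
	Ciphertext []byte
}

// Appliance models the backup device: it holds its client certificate and a handle to the key manager.
type Appliance struct {
	cert []byte
	km   *KeyManager
}

func (a *Appliance) aead(keyID string) (cipher.AEAD, error) {
	key, err := a.km.GetKey(a.cert, keyID) // fetched per operation, never written to disk
	if err != nil {
		return nil, err
	}
	block, _ := aes.NewCipher(key) // a 32-byte key selects AES-256; the length is fixed by CreateKey
	return cipher.NewGCM(block)
}

// Write encrypts a backup chunk with AES-256-GCM, binding the key identifier as
// associated data so a block cannot be relabelled to a different key undetected.
func (a *Appliance) Write(keyID string, plaintext []byte) (StoredBlock, error) {
	gcm, err := a.aead(keyID)
	if err != nil {
		return StoredBlock{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return StoredBlock{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(keyID))
	return StoredBlock{KeyID: keyID, Nonce: nonce, Ciphertext: ct}, nil
}

// Read fails if the key manager refuses the client, no longer has the key, or the stored data was altered.
func (a *Appliance) Read(b StoredBlock) ([]byte, error) {
	gcm, err := a.aead(b.KeyID)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, b.Nonce, b.Ciphertext, []byte(b.KeyID))
}

func main() {
	cert := []byte("constructed appliance certificate (not a real X.509 certificate)")
	km := NewKeyManager(cert)
	_ = km.CreateKey("backup-key-01")
	app := &Appliance{cert: cert, km: km}
	block, _ := app.Write("backup-key-01", []byte("constructed backup payload"))
	pt, err := app.Read(block)
	fmt.Printf("trusted appliance: %q err=%v\n", pt, err)
	// A client holding only the drive contents and an unregistered certificate is refused the key.
	_, err = (&Appliance{cert: []byte("constructed unregistered certificate"), km: km}).Read(block)
	fmt.Println("unregistered client:", err)
}
```

Two things the example makes concrete that the paragraphs above only state. First, a StoredBlock is all a removed or failed drive would carry, and it holds a key identifier rather than a key, so forensic recovery of the platters yields ciphertext only. Second, the same design is what makes key management a process rather than a task: if the key manager is lost (a second KeyManager built without that key), Read fails just as it does for an unauthenticated client, which is why backup and disaster recovery of the key manager itself must be planned alongside the backups it protects.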

Do Not Impact Performance

One of the long-standing objections to encryption is that the process is CPU intensive and that, in inline solutions, the performance impact is unacceptable. The Sepaton encryption approach combines software and hardware. From a hardware perspective, it leverages the Express DX 1800 Series acceleration cards to do encryption, in addition to compression, thus offloading computationally intensive tasks. This eliminates the performance penalty faced by other solutions.

But isn't this simply throwing hardware at a problem? Well, yes, but so what? The Express DX 1800 Series cards are necessary anyway, and encryption is simply an option that can be turned on. The problem is solved. And Sepaton claims that it charges a reasonable price for the encryption option when it is turned on.

The encryption option costs about 4% of the network appliance price for one node. Sepaton claims that it is priced less than competing solutions, but the point is that encryption provides additional benefits that are worth the additional cost.

Mesabi Musings

The movement to encrypt everything as the path of least resistance continues to move forward. But how can this best be accomplished?

The newly unveiled Sepaton S2100-ES3 Series 2925 illustrates one possible direction. Sepaton provides the technology that does the actual encryption and decryption, but leaves the enterprise key management process to someone else. That requires a standards process (addressed by the OASIS KMIP standard) that will enable IT to connect the S2100 to an enterprise key manager of its choice.

Sepaton is a client of David Hill and the Mesabi Group.
