Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

Data Center Encryption Is Key To Security

And key management is crucial for your encryption plan to succeed.

Why bring encryption into the glass house? To paraphrase bank robber Willie Sutton, because that's where the data is.

To date, most data center security efforts have been focused on protecting against Internet threats. However, IT can no longer ignore physical security: Thieves recently broke into the Chicago data center of managed Web hosting provider C I Host and stole server hardware--for the fourth time. Meanwhile, backup tapes are frequent targets for theft because they're often out of IT's direct possession. The Privacy Rights Clearinghouse Web site documents more than 40 cases of tape theft since 2005, and it's likely that far more were never reported. In our 2008 Strategic Security Survey, the theft of computers or storage systems was among the top five breaches seen as most likely to occur in the coming year.

Clearly, encrypting hard drives and tapes is vital to protect data. So why aren't organizations rushing to sign on? The complexity of managing keys is a top deterrent to ubiquitous encryption. After all, there are many ways to encrypt, but key management is where all these projects succeed or fail. And failure is most likely to occur several years out, after the hole has been dug quite deep. Some information must be kept for decades, after all, and storing the keys needed to access that data securely for 10 or 20 years is a challenge.

InformationWeek Reports

Fortunately, advances in managing keys as well as new options for encrypting data at each step within the backup process make it much less likely lost keys will come back to haunt you. Most of the vendors we spoke with understand the problem and are working to solve it. RSA's Key Management Suite, for example, works with encryption products from RSA partners to give IT a single management point for all encryption keys.

Encryption vendors also have started to build key management into their products or offer these capabilities as options for companies with modest requirements.

TALES OF THE TAPES
Security analysts love the idea of encrypting all data on the host before it's even sent to a backup server. This guarantees end-to-end privacy and minimizes the number of places where mistakes can be made. And plenty of products provide this capability. Symantec's NetBackup is a good example--just generate a key and click a box within the user interface to enable encryption of any data set. The backup server instructs the client to encrypt on the fly.

This approach has downsides, however. By encrypting data at the host, deduplication has to happen at the server. And encryption adds load to the server, lengthening the backup window and perhaps affecting performance. Moreover, encrypted data is supposed to be indistinguishable from random data, so it tends to render tape-drive compression completely ineffective. Since most tape drives claim a hardware compression rate of at least 2-to-1, server-side encryption can easily double your tape consumption.

But key management may well be the worst problem. Backup vendors are only now starting to add key management capabilities to their software; most still rely on the backup admin to handle management tasks. You'd think someone would take this off our hands.

AUTOMATION, ANYONE?
Moving encryption closer to tape drives are appliances that encrypt data as it heads to the tape library. These devices can be inserted into the Fibre Channel fabric of the SAN, the SCSI connections to the tape drives, or iSCSI networks, providing a tremendous amount of flexibility. Appliances take the processing load off servers and are popular choices in environments with a variety of backup software and hardware, or when speed of installation and ease of setup are priorities. NetApp's Decru division and nCipher's NeoScale CryptoStor Tape even perform compression on the box, and a separate key management appliance or software system provides the key archiving and security needed to trust the system over many years.

DIG DEEPER
SECURE THE PREMISES
Where does encryption fit into the plans for next-generation data centers?
As good as this sounds, do your due diligence before investing in an encryption appliance. Cisco released its Storage Media Encryption blade for its director-class Fibre Channel switches amid turmoil in the field. Customers of one vendor, Kasten Chase, were left holding encrypted tapes with no upgrade cycle or support. Similar woes faced some customers of NeoScale when nCipher bought its tape encryption business but left out the company's disk encryption customers.

Perhaps the most exciting innovation for tape encryption has been the addition of encryption capabilities to the drives themselves. Sun's StorageTek 10000B and LTO4 Ultrium drives from IBM, HP, and Quantum have encryption hardware built in. This adds minimal cost and should have very little impact on performance. Compression can be performed just before encryption, minimizing storage space, and most importantly, encrypted data can be read just after it's written, decrypted, and compared with the original to ensure that there are no errors.

IBM's tape encryption works with RSA's Key Management Suite, and IBM also ships its own simplified Enterprise Key Manager (EKM), which supports a novel twist useful to companies that must ship data to partners. IBM EKM uses public key cryptography to encrypt data on the tape to the partner's public key. The partner can then use its private key to read the data. In this way, no secret key exchange has to happen between the partners, but the tapes remain secure.

Impact Assessment chart: Data Center Encryption

(click image for larger view)

 

Recommended Reading:

Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
COVID-19: Latest Security News & Commentary
Dark Reading Staff 8/14/2020
Researcher Finds New Office Macro Attacks for MacOS
Curtis Franklin Jr., Senior Editor at Dark Reading,  8/7/2020
Lock-Pickers Face an Uncertain Future Online
Seth Rosenblatt, Contributing Writer,  8/10/2020
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
Special Report: Computing's New Normal, a Dark Reading Perspective
This special report examines how IT security organizations have adapted to the "new normal" of computing and what the long-term effects will be. Read it and get a unique set of perspectives on issues ranging from new threats & vulnerabilities as a result of remote working to how enterprise security strategy will be affected long term.
Flash Poll
The Changing Face of Threat Intelligence
The Changing Face of Threat Intelligence
This special report takes a look at how enterprises are using threat intelligence, as well as emerging best practices for integrating threat intel into security operations and incident response. Download it today!
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2020-4662
PUBLISHED: 2020-08-14
IBM Event Streams 10.0.0 could allow an authenticated user to perform tasks to a schema due to improper authentication validation. IBM X-Force ID: 186233.
CVE-2019-20383
PUBLISHED: 2020-08-13
ABBYY network license server in ABBYY FineReader 15 before Release 4 (aka 15.0.112.2130) allows escalation of privileges by local users via manipulations involving files and using symbolic links.
CVE-2020-24348
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, has an out-of-bounds read in njs_json_stringify_iterator in njs_json.c.
CVE-2020-24349
PUBLISHED: 2020-08-13
njs through 0.4.3, used in NGINX, allows control-flow hijack in njs_value_property in njs_value.c. NOTE: the vendor considers the issue to be "fluff" in the NGINX use case because there is no remote attack surface.
CVE-2020-7360
PUBLISHED: 2020-08-13
An Uncontrolled Search Path Element (CWE-427) vulnerability in SmartControl version 4.3.15 and versions released before April 15, 2020 may allow an authenticated user to escalate privileges by placing a specially crafted DLL file in the search path. This issue was fixed in version 1.0.7, which was r...