Untangling the encryption chain - Storage Technology Magazine - Page 1

Untangling the encryption chain

Encryption can protect your data, but it can also play havoc with other storage applications.


Encryption would seem to be a critical technology in today's world of embarrassing data losses, but studies reveal that it's rarely used. So why is data that should be encrypted left alone, even as numerous products target this exact problem? Simply put, encryption is a chain, not just a single link, and unless each point in the data path includes encryption and decryption, other desirable functions are lost. Users have opted to leave their data unencrypted, relying on access control to keep data safe. But recent industry moves may change that practice.

From the top down
The first decision point in investigating encryption technologies is where to encrypt. If we think of the stack from application through operating system, network and storage device, we can see that encrypting data near the top (at the application or OS level) will protect it all the way down to the storage device. We protect data in motion (across the storage network) as well as data at rest (once it's stored).

But if you encrypt it at the application, only data from that app is protected. And how many applications truly stand alone without any supporting infrastructure or outside data?

The same problem applies to server-side encryption, often using an encrypting file-system driver

    Requires Free Membership to View

    Login

    When you register for SearchStorage.com, you’ll also receive targeted emails from my team of award-winning editorial writers. Our goal is to keep you informed on the hottest topics, the latest news and the biggest challenges you face as a storage professional today.

    Rich Castagna, Editorial Director

    By submitting your registration information to SearchStorage.com you agree to receive email communications from TechTarget and TechTarget partners. We encourage you to read our Privacy Policy which contains important disclosures about how we collect and use your registration and other information. If you reside outside of the United States, by submitting this registration information you consent to having your personal data transferred to and processed in the United States. Your use of SearchStorage.com is governed by our Terms of Use. You may contact us at webmaster@TechTarget.com.

like the one included in Microsoft Windows. If we encrypt at that level, all data from the server is protected through the network and on disk, but this would have to be enabled on all of the file systems and servers to have complete coverage.

Some vendors have begun supplying network-based encryption devices. These sit in-band in the Fibre Channel or IP network and encrypt all the packets they see. This eases management because everything flowing across the network is encrypted without having to install or configure software on a large number of servers. These devices are often deployed at the edge of a network where the perceived level of vulnerability increases.

If this type of device is located right next to the disk or tape, it becomes more of a tool to protect data at rest. This is especially useful when the storage media is tape cartridges, as they have a tendency to end up where they don't belong.

These appliances also relieve servers of encryption duties, often using specialized hardware such as custom chips designed to handle a particular encryption algorithm.

This was first published in October 2006

Back to top