Untangling the encryption chain


This article can also be found in the Premium Editorial Download "Storage magazine: What you need to know about data storage provisioning."

Download it now to read this article plus other related content.

Untangling the encryption chain

Encryption can protect your data, but it can also play havoc with other storage applications.

Encryption would seem to be a critical technology in today's world of embarrassing data losses, but studies reveal that it's rarely used. So why is data that should be encrypted left alone, even as numerous products target this exact problem? Simply put, encryption is a chain, not just a single link, and unless each point in the data path includes encryption and decryption, other desirable functions are lost. Users have opted to leave their data unencrypted, relying on access control to keep data safe. But recent industry moves may change that practice.

From the top down
The first decision point in investigating encryption technologies is where to encrypt. If we think of the stack from application through operating system, network and storage device, we can see that encrypting data near the top (at the application or OS level) will protect it all the way down to the storage device. We protect data in motion (across the storage network) as well as data at rest (once it's stored).

But if you encrypt it at the application, only data from that app is protected. And how many applications truly stand alone without any supporting infrastructure or outside data?

The same problem applies to server-side encryption, often using an encrypting file-system driver

Requires Free Membership to View

like the one included in Microsoft Windows. If we encrypt at that level, all data from the server is protected through the network and on disk, but this would have to be enabled on all of the file systems and servers to have complete coverage.

Some vendors have begun supplying network-based encryption devices. These sit in-band in the Fibre Channel or IP network and encrypt all the packets they see. This eases management because everything flowing across the network is encrypted without having to install or configure software on a large number of servers. These devices are often deployed at the edge of a network where the perceived level of vulnerability increases.

If this type of device is located right next to the disk or tape, it becomes more of a tool to protect data at rest. This is especially useful when the storage media is tape cartridges, as they have a tendency to end up where they don't belong.

These appliances also relieve servers of encryption duties, often using specialized hardware such as custom chips designed to handle a particular encryption algorithm.

This was first published in October 2006

There are Comments. Add yours.

TIP: Want to include a code block in your comment? Use <pre> or <code> tags around the desired text. Ex: <code>insert code</code>

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy
Sort by: OldestNewest

Forgot Password?

No problem! Submit your e-mail address below. We'll send you an email containing your password.

Your password has been sent to: