This article can also be found in the Premium Editorial Download "Storage magazine: What you need to know about data storage provisioning."
Download it now to read this article plus other related content.
Untangling the encryption chain
Encryption can protect your data, but it can also play havoc with other storage applications.
Encryption would seem to be a critical technology in today's world of embarrassing data losses, but studies reveal that it's rarely used. So why is data that should be encrypted left alone, even as numerous products target this exact problem? Simply put, encryption is a chain, not just a single link, and unless each point in the data path includes encryption and decryption, other desirable functions are lost. Users have opted to leave their data unencrypted, relying on access control to keep data safe. But recent industry moves may change that practice.
From the top down
The first decision point in investigating encryption technologies is where to encrypt. If we think of the stack from application through operating system, network and storage device, we can see that encrypting data near the top (at the application or OS level) will protect it all the way down to the storage device. We protect data in motion (across the storage network) as well as data at rest (once it's stored).
But if you encrypt it at the application, only data from that app is protected. And how many applications truly stand alone without any supporting infrastructure or outside data?
The same problem applies to server-side encryption, often using an encrypting file-system driver
Some vendors have begun supplying network-based encryption devices. These sit in-band in the Fibre Channel or IP network and encrypt all the packets they see. This eases management because everything flowing across the network is encrypted without having to install or configure software on a large number of servers. These devices are often deployed at the edge of a network where the perceived level of vulnerability increases.
If this type of device is located right next to the disk or tape, it becomes more of a tool to protect data at rest. This is especially useful when the storage media is tape cartridges, as they have a tendency to end up where they don't belong.
These appliances also relieve servers of encryption duties, often using specialized hardware such as custom chips designed to handle a particular encryption algorithm.
This was first published in October 2006