This article can also be found in the Premium Editorial Download "Storage magazine: What you need to know about data storage provisioning."
Building the chain
How can we break up this logjam? Let's look at another arena where encryption is actively being pursued: digital television. Without endorsing encrypted television signals (which I'm opposed to), we can still learn a lesson about how to approach encryption. The "end-to-end" encryption of digital television would still permit decryption and re-encryption at authorized points to allow advanced functions. For example, a future TiVo would receive an encrypted stream, decrypt it, perhaps re-encode or process it, store it and re-encrypt it before sending it to the television.
Let's apply this to storage. If we developed a system that allowed a deduplication engine or storage router to decrypt the data coming in and re-encrypt it after processing, we could enable encryption everywhere in the network. We'd be building a chain of encrypted segments.
Every device in the chain would have to understand the encryption scheme used and share keys to make this work. This would require an advanced key management system and open API to allow different combinations of equipment to interoperate. This last bit sounds like a job for the Storage Networking Industry Association (SNIA), but I don't see it happening yet. Maybe a vendor-specific API like NeoScale's will be adopted as a de facto standard.
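The chain of encrypted segments described above, as an added Python model that is not part of the original article: a host seals each block for the first segment, a hypothetical dedup hop decrypts it, deduplicates on the plaintext, and re-seals it for the next segment, and the array decrypts under its own key. Keys, block contents and the HMAC-based stream cipher are constructed for the example (a real build would use AES-GCM or similar); the point it shows is that dedup only works where plaintext exists, and that each segment key opens only its own segment.

```python
import hashlib
import hmac
import os
def _subkey(key: bytes, label: bytes) -> bytes:
    return hmac.new(key, label, hashlib.sha256).digest()  # distinct enc / mac keys per segment

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    # CTR-style keystream with HMAC-SHA256 as the PRF (stand-in for AES-CTR, stdlib only)
    out = b"".join(hmac.new(key, nonce + i.to_bytes(4, "big"), hashlib.sha256).digest()
                   for i in range(length // 32 + 1))
    return out[:length]

def seal(segment_key: bytes, plaintext: bytes) -> bytes:
    # Encrypt-then-MAC one block for one segment: nonce || ciphertext || tag
    nonce = os.urandom(16)
    ks = _keystream(_subkey(segment_key, b"enc"), nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(_subkey(segment_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag

def unseal(segment_key: bytes, blob: bytes) -> bytes:
    # Verify the tag first: only a holder of this segment's key gets plaintext back
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expect = hmac.new(_subkey(segment_key, b"mac"), nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expect):
        raise ValueError("wrong segment key or tampered data")
    return bytes(c ^ k for c, k in zip(ct, _keystream(_subkey(segment_key, b"enc"), nonce, len(ct))))

def dedup_hop(inbound_key: bytes, outbound_key: bytes, wire: list) -> dict:
    # Hypothetical authorized mid-chain hop: decrypt, dedup on plaintext, re-seal for the next segment
    store = {}  # sha256(plaintext) -> block sealed under the outbound key
    for blob in wire:
        plaintext = unseal(inbound_key, blob)  # plaintext exists here: this hop is a trust boundary
        handle = hashlib.sha256(plaintext).hexdigest()
        if handle not in store:  # duplicates are only recognisable in the clear
            store[handle] = seal(outbound_key, plaintext)
    return store

def run_chain(blocks: list) -> tuple:
    # Host -> dedup engine -> array, each segment under its own (constructed) key
    host_key, array_key = os.urandom(32), os.urandom(32)
    wire = [seal(host_key, b) for b in blocks]
    store = dedup_hop(host_key, array_key, wire)
    restored = {h: unseal(array_key, sealed) for h, sealed in store.items()}
    try:  # the array holds only its own segment key, so host-segment blobs stay opaque to it
        unseal(array_key, wire[0])
        crossed = True
    except ValueError:
        crossed = False
    return len(set(wire)), len(store), restored, crossed
```

Running `run_chain` on three blocks of which two are identical shows three distinct ciphertexts on the wire (random nonces defeat dedup on ciphertext) but only two blocks stored after the authorized hop.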
Of course, there's another possibility. A vendor could engineer its own end-to-end infrastructure with completely integrated encryption at every point.
When EMC bought RSA Security this past summer, many observers were left scratching their heads wondering where the fit was. Some suggested it was simply an opportunistic acquisition, others thought it was a defensive move to keep the company away from Symantec, while a few just threw up their hands and said EMC was crazy. I say the company was crazy like a fox! If anyone could pull off an end-to-end, single-vendor encrypted infrastructure like the one I just described, it would be the combination of EMC and RSA. Maybe encryption will happen after all.
This was first published in October 2006