Untangling the encryption chain

By Stephen Foskett

10 Oct 2006 | SearchStorage.com

Encryption can protect your data, but it can also play havoc with other storage applications.


Encryption would seem to be a critical technology in today's world of embarrassing data losses, but studies reveal that it's rarely used. So why is data that should be encrypted left alone, even as numerous products target this exact problem? Simply put, encryption is a chain, not just a single link, and unless each point in the data path includes encryption and decryption, other desirable functions are lost. Users have opted to leave their data unencrypted, relying on access control to keep data safe. But recent industry moves may change that practice.

From the top down
The first decision point in investigating encryption technologies is where to encrypt. If we think of the stack from application through operating system, network and storage device, we can see that encrypting data near the top (at the application or OS level) will protect it all the way down to the storage device. We protect data in motion (across the storage network) as well as data at rest (once it's stored).

But if you encrypt at the application layer, only that application's data is protected. And how many applications truly stand alone without any supporting infrastructure or outside data?

The same problem applies to server-side encryption, often using an encrypting file-system driver like the one included in Microsoft Windows. If we encrypt at that level, all data from the server is protected through the network and on disk, but this would have to be enabled on all of the file systems and servers to have complete coverage.

Some vendors have begun supplying network-based encryption devices. These sit in-band in the Fibre Channel or IP network and encrypt all the packets they see. This eases management because everything flowing across the network is encrypted without having to install or configure software on a large number of servers. These devices are often deployed at the edge of a network where the perceived level of vulnerability increases.

If this type of device is located right next to the disk or tape, it becomes more of a tool to protect data at rest. This is especially useful when the storage media is tape cartridges, as they have a tendency to end up where they don't belong.

These appliances also relieve servers of encryption duties, often using specialized hardware such as custom chips designed to handle a particular encryption algorithm.