Cisco Systems Inc. plans storage area network (SAN)-based encryption for tape libraries and virtual tape libraries (VTLs) in the second half of 2007, with support for heterogeneous disk arrays shortly thereafter. Cisco and EMC Corp. also announced that Cisco's encryption keys will be compatible with EMC's RSA Key Manager, though Cisco also plans to offer its own key management application.
According to Doug Anderson, product manager of Cisco's data center business unit, five-to-six beta test sites are currently being qualified, with testing of the Cisco Storage Media Encryption (SME) module beginning as soon as next month.
The encryption will come in two forms: as a blade for the MDS 9500 and MDS 9200 series chassis, or a switch module for new 9200 customers. Because the 9500 automatically load balances and clusters blades as they are added, adding encryption to the director would require no recabling or rewiring of the SAN, according to Cisco. Cost for adding the blade or module has not yet been determined.
Management of encryption for tape libraries and VTLs, which will be the first targets for the network-based encryption offering, will become part of Cisco Fabric Manager. "The vast majority of users looking to implement encryption are looking to implement it at rest on backup targets, particularly VTLs," Anderson said.
It will take more time for Cisco to qualify the encryption with disk arrays. The company declined to give a specific date for this availability.
In the meantime, SME will also allow users to be selective about which devices are to be encrypted, down to the LUN level when SAN array support is added, or to the tape drive and virtual tape cartridge level on backup targets, Anderson said.
Users: Interested, but a few questions before buying
"A fabric-based hardware encryption method is a necessity," wrote John Ciarlette, network engineer for Edward Hospital and Health Services, in an email to SearchStorage.com. "I questioned this very thing over a year ago when we were purchasing director-class SAN switches."
Ciarlette said fabric-based encryption appeals to him because data is encrypted before it is laid down on tape and disk, "which would help prevent data misuse." Having the encryption performed at the SAN switch fabric would be more efficient and centralized, he said, and in his view, "the management of such encryption will be practically none."
However, Cisco is being cagey when it comes to the performance impact of encryption on its networks, though it admits there will be "minimal" latency. "We're at the final engineering stages with this product and so don't know the specific numbers around that yet," Anderson said.
"My only concern may be how much latency the encrypting/decrypting process will add to the I/O stream," Ciarlette wrote. "I know it will be much less latency than a software solution, but there is still latency nonetheless."
Before purchasing, according to Toby Ford, chief technology officer of USinternetworking Inc., a subsidiary of AT&T, "I would first need to understand the overhead encryption would place on top of Fibre Channel or iSCSI … Cisco sells notoriously underpowered equipment with regard to what is currently available. I'm skeptical in this regard and would have to validate any claims about performance overhead."
Ford added, "The cost of integrated Fibre Channel and Ethernet with encryption should be around what it would be if [I] were buying an appliance and a switch separately. I don't expect to be paying a significant premium for this integration."
According to Michael Thomas, storage architect for the Federal Reserve System, his shop, which uses Cisco directors, is currently evaluating encryption products and will be adding Cisco's to the list.
"It's appealing because you're not adding another separate appliance into the mix, which increases costs, rack space and management overhead," he said. However, Thomas said he remained concerned about how fabric-based encryption would affect replication between sites.
According to Anderson, data does not need to be decrypted and then re-encrypted for replication, but according to Thomas, "[If] data is replicated encrypted … the key management has to be shared between multiple fabrics. I would be interested in how they are doing that."
According to Cisco, the keys can be shared by either using a single Cisco key management center for both sites or by copying (export/import) to a second key management center at the remote site.
Meanwhile, not every Cisco user is interested. "I think it's a little early for us from my point of view -- storage networking is almost a completely manual process," said David Dulek, storage administration lead for Fastenal Company Purchasing, a subsidiary of Fastenal Co. "Encryption is nice for security purposes, but there could have been other innovations before it, especially around automation and virtualization."
Key management: EMC's RSA Key Manager vs. Cisco key management
According to Anderson, the addition of encryption to the 9000 series switches has been developed internally at Cisco and is not IP from EMC's RSA security subsidiary. However, Cisco's key management will be integrated via API with RSA Key Manager software, which allows for policy-based key lifecycle management and the management of keys from multiple heterogeneous key management systems.
Cisco's key management console will be part of Cisco Fabric Manager and will manage only Cisco's encryption. Key management through Cisco allows for the vaulting of keys, as well as the management of live keys, but does not offer automated policy-based scheduling like the RSA software does. Otherwise, the two key management programs have very similar capabilities, according to Anderson.
Users can manage live keys and encryption selections through either software, though key vaulting requires its own separate repository. Support for role-based hierarchical management through Cisco's existing authentication products will also be included in SME, down to the V-SAN level.
Users can also require a quorum using smart cards to unlock the master key in the event of a total site loss. Finally, Cisco is working to get the chassis FIPS 140-2 Level 3 certified for physical security.
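The quorum unlock described above, as an added illustration that is not Cisco's code and does not describe how SME implements it: a standard way to require k of n smart cards before a master key can be reconstructed is Shamir secret sharing, where the key is the constant term of a random degree-(k-1) polynomial over a prime field, each card holds one point on that polynomial, and any k points recover the constant term by Lagrange interpolation while k-1 points reveal nothing. The function names, the field prime, the SHA-256 key check value used to detect an incomplete or corrupted quorum, and the sample key are all assumptions made for this example.

```python
import hashlib
import secrets

# Prime field for the arithmetic. 2**521 - 1 is a Mersenne prime, comfortably
# larger than a 256-bit master key, so the whole key fits in one field element.
PRIME = 2**521 - 1


def _eval_poly(coeffs, x):
    """Evaluate a polynomial (constant term first) at x, modulo PRIME (Horner's rule)."""
    result = 0
    for c in reversed(coeffs):
        result = (result * x + c) % PRIME
    return result


def split_master_key(key: bytes, threshold: int, shares: int):
    """Split `key` into `shares` points, any `threshold` of which recover it.

    Returns (list of (x, y) shares, key check value). Each share would be
    written to one smart card; the key check value (a SHA-256 of the key)
    is not secret and lets recovery detect a short or corrupted quorum.
    """
    if not 1 < threshold <= shares:
        raise ValueError("need 1 < threshold <= shares")
    secret = int.from_bytes(key, "big")
    if secret >= PRIME:
        raise ValueError("key does not fit in the field")
    # Constant term is the secret; the remaining threshold-1 coefficients are random.
    coeffs = [secret] + [secrets.randbelow(PRIME) for _ in range(threshold - 1)]
    points = [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]
    return points, hashlib.sha256(key).digest()


def recover_master_key(shares, key_len: int, kcv: bytes) -> bytes:
    """Lagrange-interpolate the supplied shares at x = 0 and verify against the key check value."""
    xs = [x for x, _ in shares]
    if len(set(xs)) != len(xs):
        raise ValueError("duplicate share presented")
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = num * (-xj) % PRIME
                den = den * (xi - xj) % PRIME
        # L_i(0) = prod_{j != i} (0 - x_j) / (x_i - x_j); pow(den, -1, PRIME) is the modular inverse.
        secret = (secret + yi * num * pow(den, -1, PRIME)) % PRIME
    try:
        key = secret.to_bytes(key_len, "big")
    except OverflowError:
        # Fewer than `threshold` shares interpolate to an essentially random field element.
        raise ValueError("quorum not met or a share is corrupt") from None
    if hashlib.sha256(key).digest() != kcv:
        raise ValueError("quorum not met or a share is corrupt")
    return key


def quorum_met(shares, key_len: int, kcv: bytes) -> bool:
    """True if the presented shares reconstruct a key matching the check value."""
    try:
        recover_master_key(shares, key_len, kcv)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # Constructed sample: a 256-bit master key split 3-of-5 across five cards.
    master_key = secrets.token_bytes(32)
    cards, kcv = split_master_key(master_key, threshold=3, shares=5)
    print("cards 1,3,5 recover key:", recover_master_key([cards[0], cards[2], cards[4]], 32, kcv) == master_key)
    print("cards 1,2 alone suffice:", quorum_met(cards[:2], 32, kcv))
```

Any three cards in any order recover the key, and two cards are rejected rather than yielding a wrong key silently, which is the property a site-loss recovery procedure needs: a partial quorum should fail closed.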
Anderson said he did not have much more detail as to whether the key management software and encryption option will be bundled with the EMC/RSA product. "There is no information in this announcement today about our distribution agreements."
Cisco also plans integration with other key management systems beyond EMC. "As a strategy, we look forward to open management no matter how a customer chooses to manage keys," Anderson said.
Cisco does have one predecessor in the fabric-based encryption space: CipherMax Inc., formerly Maxxan, which reinvented itself with a security focus last year. "Cisco's pending announcement to offer a fabric-based encryption solution for disk and tape endorses the need for encryption within the SAN architecture," CipherMax officials wrote to SearchStorage in an email. "CipherMax offers a complete product line that enables a company to start inexpensively with a tactical deployment and scale as their requirements increase."
"The RSA/EMC partnership is a good start," said Jon Oltsik, analyst with the Enterprise Strategy Group (ESG). "There are a lot of bright people at RSA/EMC who understand the complexities around security and operational requirements. In this way, they are out ahead of the masses."