Networking

10:00 AM
Howard Marks
Howard Marks
Commentary
Connect Directly
Twitter
RSS
E-Mail
50%
50%

Encrypt SAN Data At The Host? Emulex Says Yes

Whether it's fear of losing valuable or embarrassing data or just playing it safe, the security folks in your organization are probably encouraging you to encrypt as much of your data as possible both in flight and at rest. Emulex's newest encrypting Fibre Channel HBAs (Host Bus Adapters) adds another arrow to storage admin's quiver for encrypting your data and tracking the all important keys.

Whether it's fear of losing valuable or embarrassing data or just playing it safe, the security folks in your organization are probably encouraging you to encrypt as much of your data as possible both in flight and at rest.  Emulex's newest encrypting Fibre Channel HBAs (Host Bus Adapters) adds another arrow to storage admin's quiver for encrypting your data and tracking the all important keys.

A few years ago the college I worked at  received a directive from the state CIO strongly encouraging the use of full disk encryption on all servers.  We took a look at the available options and decided that we'd encrypt our tape data. The data at rest on server drives in a secure data center was at much bigger risk from network hacking than from someone breaking into the data center and stealing the disk drives. If someone stole the drives, they would also have to steal the keys that are stored on the servers to access the data.

Encrypting your data at rest has the added benefit of eliminating the risk of data breaches at disposal time.  If the data on a disk or array is encrypted, and the keys are stored separately, you can return failed drives to Seagate, or EMC, or even get a small percentage of your investment in that CX-500 or DL380 back by selling it on eBay complete with disk drives.  

Without encryption you're limited to more time consuming options like degaussing, shredding or my personal favorite melting into a pool of liquid metal with thermite.  The problem with all these methods is you have to keep track of "retired" drives and their ultimate disposition.  In a big company there's always the risk of some junior IT guy selling drives on eBay he listed as destroyed.

In the past I've been somewhat more skeptical of the need to encrypt SAN traffic in flight.  In general encrypting data in flight is a protection against snooping attacks where someone intercepts the data stream and reads it. When Fibre Channel SANs were contained in the data center the proverbial attacker would need to be in my data center to get access to the data.  Since an un-trusted person in the data center is by itself a problem I wasn't worried about that un-trusted person plugging into the SAN.

Howard Marks is founder and chief scientist at Deepstorage LLC, a storage consultancy and independent test lab based in Santa Fe, N.M. and concentrating on storage and data center networking. In more than 25 years of consulting, Marks has designed and implemented storage ... View Full Bio
Previous
1 of 2
Next
Comment  | 
Print  | 
More Insights
Cartoon
Hot Topics
7
VMware NSX Banks On Security
Marcia Savage, Managing Editor, Network Computing,  8/28/2014
4
Real-World SDN, Lesson 2: Conquer The Enemy Within
Symon Perriman, Senior Technical Evangelist, Microsoft,  8/25/2014
3
How To Survive In Networking
Susan Fogarty, Editor in Chief,  8/28/2014
White Papers
Register for Network Computing Newsletters
Current Issue
2014 Private Cloud Survey
2014 Private Cloud Survey
Respondents are on a roll: 53% brought their private clouds from concept to production in less than one year, and 60% ­extend their clouds across multiple datacenters. But expertise is scarce, with 51% saying acquiring skilled employees is a roadblock.
Video
Slideshows
Twitter Feed