Network Computing is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Let's Bring Sanity to Disk Encryption

2:30 PM -- I think I've made it clear here and on the InformationWeek Backup and Business Continuity blog that I believe in encrypting tapes and other data-bearing media whenever it leaves the data center. However, when the professional paranoid types that run most corporate information security groups started issuing edicts that all disks be encrypted, even those that never leave the data center, I was to, say the least, skeptical.

I argued that it was unlikely that someone would break into the data center, through a series of doors with card access systems and video cameras, and then steal the disk drives out of a server or RAID array. If he were daring, and strong, enough to steal the whole server, the encryption wouldn't provide any greater security since the server would have to have the encryption keys to be able to run.

When they said "We have our reasons and have selected to use a Fibre Channel encryption appliance from Neoscale or Kasten-Chase", I made them work. When Neoscale and Kasten-Chase went belly up, I helped my clients to install Decru/NetApp replacements and migrate all their data from logical disks encrypted with the old solution to logical disks encrypted with the new one. I was, however, grateful that as a consultant I was being paid by the hour.

Lest I sound too cynical, I do recognize of course that there is one good reason for full disk encryption in the data center, preventing data on discarded, damaged, and disabled drives from falling into the wrong hands. While most organizations today have cabinets or closets full of disk drives awaiting secure disposal, they could toss encrypted drives in the trash or return them to the vendor for warranty replacement without worry.

Given the cost and complexity of today's solutions, I'm not sure solving the drive disposal problem is a good enough reason to invest in SAN encryptors. Now that the Trusted Computing Group has come out with standards for self-encrypting drives, with separate specs for laptop-orientated and enterprise drives, and all five drive manufacturers have endorsed them, a new and better solution should soon emerge.

  • 1