• 04/02/2013
    12:29 PM
  • Rating: 
    0 votes
    Vote up!
    Vote down!

Encrypting Backups Requires Key Planning

Some enterprises are adopting an "encrypt everything" policy to address the confidentiality and security of data, including on backups. A new backup product from Sepaton separates encryption from key management.

Interoperability with existing key managers is important. Technically, Sepaton could have developed its own key manager, but that would be only one among many minor players. That is not acceptable to IT or the enterprise. Basically, the encryption key manager is the tail that wags all of the encryption dogs that perform one or another of the encryption pieces of the IT infrastructure puzzle.

Let's see how that works. The Sepaton S2100 is a certified partner of RSA and Thales e-Security, and it will work with other products as well in the future. Authorized personnel interface with the RSA DPM (Data Protection Management), a server-based centralized key management solution, through the RSA DPM console, not the S2100 directly. The S2100 system itself never stores encryption keys on disk so no one could decrypt the data without the proper authentication with the RSA DPM. Naturally, there are a lot of things going on, including OASIS KMIP and a trust certificate that is authenticated against the RSA DPM when the Sepaton S2100 connects to it.

The Sepaton S2100 encryption of data at rest feature uses NIST-approved AES-256 encryption. That renders any drive removed from a disk array unreadable without the encryption key, which (as stated) is not on any disk. That is important because, during the expected life of a Sepaton S2100 appliance, its drives may be removed from the system due to decommissioning, theft, and possibly failure. Given modern disk forensics tools, it is likely that even a failed disk could be read if it weren't encrypted.

Do Not Impact Performance

One of the long-standing objections to encryption is that the process is CPU intensive and that, in inline solutions, the performance impact is unacceptable. The Sepaton encryption approach combines software and hardware. From a hardware perspective, it leverages the Express DX 1800 Series acceleration cards to do encryption, in addition to compression, thus offloading computationally-intensive tasks. This eliminates the performance penalty faced by other solutions.

But isn't this simply throwing hardware at a problem? Well, yes, but so what? The Express DX 1800 Series cards are necessary anyway, and encryption is simply an option that can be turned on. The problem is solved. And Sepaton claims that it charges a reasonable price for the encryption option when it is turned on.

The encryption option costs about 4% of the network appliance price for one node. Sepaton claims that it is priced less than competing solutions, but the point is that encryption provides additional benefits that are worth the additional cost

Mesabi Musings

The movement to encrypt everything as the path of least resistance continues to move forward. But how can this best be accomplished?

The newly unveiled Sepaton S2100-E3 Series 2925 illustrates one possible direction. Sepaton provides the technology that does the actual encryption and decryption, but leaves the enterprise key management process to someone else. That requires a standards process (addressed by the OASIS KMIP standard) that will enable IT to connect the S2100 to an enterprise key manager of its choice.

Sepaton is a client of David Hill and the Mesabi Group.

We welcome your comments on this topic on our social media channels, or [contact us directly] with questions about the site.

Log in or Register to post comments