White paper – QLogic 2500 Series Data-at-Rest Encryption Addresses SAN Security Requirements User Manual

HSG-WP08015

FC0032001-00 rev. B 05/12

White Paper

Introduction

SAN security breaches are expensive, costing corporations over a million
dollars in recovery charges. In addition, the information explosion and
server proliferation have created new challenges for data centers, driving
security threats to critical levels. With regulations like Sarbanes-Oxley,
the Gramm-Leach-Bliley Act (GLBA), the Health Insurance Portability and
Accountability Act (HIPAA), and the California Security Breach Information
Act (SB-1386), companies face increasing pressure to retain this information
for longer periods of time while also ensuring its privacy. The cost of
security breaches, coupled with emerging business practices and regulatory
compliance, creates a new set of challenges for enterprise data centers.
A majority of U.S. states now have data privacy laws stating that a breach
of encrypted data does not have to be reported. U.S. Congressional bills
have similar provisions.

Determining where to protect and encrypt digital assets in the enterprise
requires an understanding of the potential threats as well as where the
vulnerabilities reside. For the SAN, developing a security strategy requires
an understanding of the crucial vulnerabilities in the storage infrastructure
and the types of threats that arise. This paper segments security threats
and data as follows:

Users
  - Authorized
  - Non-authorized (hackers)

Threats
  - Unintentional errors (caused by authorized users)
  - Intentional malicious attacks (carried out by hackers and rogue users)

Figure 1 summarizes the techniques used in the SAN to address the
security threats posed by both types of users.

Figure 1. Security Techniques by Threat and User Types

Authorized users such as employees, system administrators, and database
administrators may accidentally access sensitive data if the SAN is
not secured properly. A typical cause of SAN service interruptions is
unintentional errors made by authorized users. These types of problems,
as shown in Figure 1, are resolved by leveraging common SAN techniques
such as zoning, LUN masking, virtual fabrics, Role Based Access Control
(RBAC), Access Control Lists (ACLs), switch-to-switch authentication, and
implementing controlled IT processes.

Over the years, Fibre Channel SANs have become the backbone for
serving the information needs of enterprise data centers. SANs have
traditionally been considered physically secure due to their closed and
physically isolated location in data centers. While physical network
isolation offers critical security, breaches through unauthorized hosts
or users still pose potential security risks.

Adoption of server virtualization technologies, the increasing number
of physical and virtual servers in data centers, and data center growth
through mergers and acquisitions have resulted in increased security
concerns. Accordingly, security has remained the top budget priority
over the last five or six years, with 60 percent of companies placing
it as the highest priority in a recent International Data Corporation
(IDC) survey.

This paper shows how data-at-rest encryption, when used with
physical SAN security and techniques such as zoning and LUN masking,
addresses all the major security risks faced by today's IT storage
administrators. This paper also shows how encrypting data closest to
the media addresses the SAN security risks. Additionally, alternative
approaches such as fabric encryption are discussed, which pose
implementation and interoperability challenges that negate pervasive
adoption in data centers of the future.

Executive Summary
