White paper – QLogic 2500 Series Data-at-Rest Encryption Addresses SAN Security Requirements User Manual

HSG-WP08015, FC0032001-00 rev. B 05/12, White Paper, page 4

Encryption Upstream and Above the Adapter and File System

Encryption at the application, database, Operating System (OS), or file
system level is a technique that covers threats to data-in-transit within
the different software layers of the host server, addressing potential
vulnerabilities that may reside in those layers. Hackers might be able to
exploit these vulnerabilities and access sensitive data.

Database vendors provide encryption services in their software that allow
selectively securing certain fields of a database. For example, a database
may encrypt only credit card numbers and social security numbers; the
remaining content of the database is unencrypted.

Due to significant performance degradation, as well as non-scalable
changes required to the application, database, OS, or file system, only a
limited portion of data is encrypted. Administrators address this issue
by encrypting only the most sensitive data. Administrators must rely on
data classification to identify this sensitive data and where it exists. It is
widely acknowledged that data classification fails to identify all instances
of sensitive data. It is difficult, labor intensive, and hard to maintain,
especially when the sensitive information can be copied from a protected
source to an unprotected destination. This situation means that too much
unencrypted sensitive data is written to hard drives, data that will likely
persist on the hard drive long after the drive's useful life.
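The two paragraphs above make a point that is easy to see in code: field-level encryption protects only the columns a classification policy names, so a copy of the same value that lands in an unclassified column is stored in the clear. The following is an added example, not code from the white paper or from QLogic; it is a constructed record store with a hypothetical `CLASSIFIED_FIELDS` policy, and its cipher is a counter-mode keystream built from HMAC-SHA256 as the PRF (chosen so the example runs with the Python standard library only; it stands in for the AES a real database would use). The scan at the end shows the residual plaintext that classification missed.

```python
"""Field-level encryption demo with a scan for sensitive data that escaped
classification. Constructed example; the key, records and policy are all
made up for illustration."""
import hashlib
import hmac
import re
import secrets

# Hypothetical classification policy: only these columns are encrypted.
CLASSIFIED_FIELDS = {"card_number", "ssn"}

# Constructed demo key; a real deployment takes this from a key manager.
DEMO_KEY = bytes.fromhex("0f" * 32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream from HMAC-SHA256 (demo PRF, not AES)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt_field(key: bytes, plaintext: str) -> str:
    """Encrypt one column value; output is 'enc:' + hex(nonce||ct||tag)."""
    nonce = secrets.token_bytes(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return "enc:" + (nonce + ct + tag).hex()


def decrypt_field(key: bytes, token: str) -> str:
    """Verify the tag first, then decrypt; raises ValueError on tampering."""
    if not token.startswith("enc:"):
        raise ValueError("not an encrypted field")
    blob = bytes.fromhex(token[4:])
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):
        raise ValueError("integrity check failed")
    pt = bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct))))
    return pt.decode()


def store_record(key: bytes, record: dict) -> dict:
    """Apply the policy: encrypt classified columns, pass the rest through."""
    return {k: encrypt_field(key, v) if k in CLASSIFIED_FIELDS else v
            for k, v in record.items()}


# Simple detectors for card numbers and SSNs sitting in cleartext.
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")


def find_cleartext_sensitive(stored: dict) -> list:
    """Return the names of unencrypted columns that still hold sensitive data."""
    hits = []
    for k, v in stored.items():
        if isinstance(v, str) and not v.startswith("enc:"):
            if CARD_RE.search(v) or SSN_RE.search(v):
                hits.append(k)
    return hits


# Constructed record: the card number was also pasted into a free-text column.
SAMPLE_RECORD = {
    "name": "Ada Example",
    "card_number": "4111111111111111",
    "ssn": "123-45-6789",
    "notes": "customer read card 4111 1111 1111 1111 over the phone",
}


def demo() -> list:
    stored = store_record(DEMO_KEY, SAMPLE_RECORD)
    return find_cleartext_sensitive(stored)


if __name__ == "__main__":
    print("cleartext sensitive columns:", demo())  # ['notes']
```

The classified columns round-trip correctly, but the scan reports the `notes` column: the same card number, copied to a column the policy never named, is on disk unencrypted. That residue is exactly what full-disk encryption below the file system is meant to cover.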

Encryption in the Adapter or Switch

Encryption technologies that are downstream of the file system (starting
at the adapter and continuing through the fabric) must provide full disk
encryption to fill the gap where data classification fails to capture
sensitive data. These technologies relieve the data custodian from having
to classify the data when it leaves the control of the data center.
Otherwise, the owner would have to know the data sensitivity level to
dispose of the drive, which adds more work for management. Encrypting in
the adapter or in the fabric switch are both possibilities.

Adapter or switch encryption requires additional equipment such as
an encryption engine to scramble and descramble the data and a key
manager (hardware appliance or software) to create, manage, and store
the encryption keys.

Data-in-flight moving across the wire at the block level on a SAN is not
normally considered a security risk when physically protected within the
walls of the data center. There are potential risks with FC fabric links
that leave the data center and extend the SAN to remote offices, to other
campuses, or to remote locations for disaster recovery (see Figure 3).
In those cases, security is addressed by using either FC-SP over Fibre
Channel, or routing the FC links over Internet Protocol (IP) and protecting
the data with IP security. Routers and switches use technologies such as
IPsec to protect and link SANs over WANs. To specifically address this type
of security threat, host/adapter based encryption is not required as long as
the switches and routers support IPsec data encryption.

Fibre Channel technology can only reach a distance of about 10km. IT
managers need to share, protect, and move data much farther than that
— sometimes across geographic borders. QLogic provides routers and
switches that allow SAN traffic to move over IP, linking SANs over WANs.

When IP extends the SAN over the Internet or dedicated lines, IPsec security
is used on these remote links to protect valuable data over long distances
and to support data replication, SAN data device sharing, backup, and
business continuity.

Figure 3 shows how the SAN is extended over an IP WAN and protected
with IPsec to ensure that data-in-flight is secure. Secure Sockets Layer
(SSL) sessions are used for the WAN links (with ephemeral keys) to ensure
that the link remains secure and that keys are not exposed for long periods
of time.

Figure 3. Overview of Security Approaches in and Across SANs

It may seem that encrypting in the fabric to secure the data on the hard
drive is a good long-term solution: the data is encrypted not only on the
hard drive, but also as it travels through the fabric. However, rather
than increasing security, this method actually decreases security by
exposing encryption keys that are rarely changed (long-lived).

There are major challenges to hardware encryption at the switch or on
the adapter. The farther away the encryption key moves from the data, the
more complex the solution becomes. The more complex the encryption,
the greater the chance of error. For example, the right key may not be
available to decrypt data when the time comes. This scenario is best
explained via virtualization: the more equipment that is shared, the more
entities must share a given key. Therefore, more keys are moving around in
the fabric, and they are more difficult to track. The increased number of
keys presents greater exposure, complexity, and performance issues.

The vast majority of data moving over the wire downstream of the
file system is physically under the owner's control, and therefore is not