White paper, Sed data-at-rest encryption: optimal solution, Summary and conclusion – QLogic 2500 Series Data-at-Rest Encryption Addresses SAN Security Requirements User Manual


HSG-WP08015

FC0032001-00 rev. B 05/12


White Paper

considered a security risk. With physical security protection for the fabric,
there is still the need to secure the data in the disk subsystem (i.e. on the
hard drive) for when the drive leaves the owner’s control.

For adapters with on-board encryption ASICs, there are interoperability
challenges with multi-vendor adapters that do not support on-board
encryption. Data encrypted by hardware on adapters can be read only by
the same vendor's adapter or the proprietary solution that created it.
For instance, in Figure 3, the blue adapter cannot read data that is encrypted
on the target or authenticate with the key manager or encryption switch.
Every key manager handles keys differently, making interoperability a
challenge. Non-encrypting adapters need specially modified administration
software to authenticate with key management systems.

Other storage system applications impacted by fabric encryption are data
compression and de-duplication. These two applications can cut storage
costs dramatically, but only when the data is not encrypted. Hardware
encryption at the adapter or the switch level makes compression and
de-duplication very difficult or nearly impossible. This type of encryption is not
only unnecessary, it can hurt interoperability in a multi-vendor environment.

There are significant implications for key management with different
vendors' storage subsystems that use RAID controller encryption. Not all
key management systems are the same. Even though they may use the
same encryption algorithms, there are interoperability challenges between
key management systems. Certain encrypted drive subsystems only work
with specific key management systems.

SED Data-at-Rest Encryption: Optimal Solution

Before QLogic started working on security in the SAN, the United States
National Security Agency (NSA) addressed the problem of data security and
determined that the best place to perform encryption is in the hard drive,
because that's where the data resides.

Self-encrypting Drives (SEDs) perform full disk encryption. During a write
operation, clear text enters the drive and, before being written to the disk,
is encrypted using an encryption key embedded within the drive. During a
read operation, the encrypted data on the disk is decrypted before leaving
the drive. The drive requires an authentication key (otherwise known as
a password) from an outside source before the drive will unlock for read/
write operations.

After authentication is completed during power-up, encryption is
transparent to the storage system, which performs its traditional functions
normally. Storage-system data compression and de-duplication, which are
optimized for unencrypted data, continue to operate on the clear text.

Self-encrypting drives, when used with physical security for SAN arrays,
address all the major security risks to data that exist downstream of the
file system.

Key management is simplified in storage subsystems that use SEDs
because the encryption key does not leave the drive. There is no need to
track or manage the encryption key. The data center administrator does not
need to store the encryption key to maintain data recoverability, because
the drive keeps encrypted copies of the encryption key in multiple locations.
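The mechanism the preceding paragraphs describe, as a runnable model added here for illustration; it is not code from QLogic, from any drive vendor, or from the TCG SED standard. The model assumes a wrapped-key design: the media encryption key (MEK) is generated inside the drive and stored only in wrapped copies under a key derived from the authentication key with PBKDF2; the drive's AES engine is stood in for by an HMAC-SHA256 keystream so the example runs on the Python standard library alone; the 512-byte sector size, the "wrap"/"lba" labels and the sample payload are constructed. Besides unlock, transparent read/write and recovery from a damaged key copy, it shows why the array above the drive can still de-duplicate and compress (it reads clear text) while the platter contents cannot be, which is the contrast the fabric-encryption paragraph draws.

```python
"""Toy model of a self-encrypting drive (SED): constructed example, not code
from QLogic, any drive vendor, or the TCG standard. AES is stood in for by an
HMAC-SHA256 keystream so this runs on the standard library alone."""
import hashlib
import hmac
import secrets
import zlib

SECTOR = 512          # bytes per sector in this model (assumption)
KDF_ROUNDS = 100_000  # PBKDF2 rounds stretching the authentication key


def _keystream(key: bytes, label: bytes, length: int) -> bytes:
    """PRF in counter mode, standing in for AES; (key, label) must be unique."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, label + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


class LockedError(Exception):
    """I/O was attempted before the drive authenticated the host."""


class SelfEncryptingDrive:
    def __init__(self, auth_key: bytes, copies: int = 3):
        mek = secrets.token_bytes(32)     # media encryption key, generated in-drive
        self._salt = secrets.token_bytes(16)
        # MEK is held only wrapped, in several reserved locations (the page's
        # "encrypted copies of the encryption key in multiple locations").
        kek = self._kek(auth_key)
        self._mek_copies = [self._wrap(kek, mek) for _ in range(copies)]
        self._platters = {}   # sector -> ciphertext: all a thief of the drive gets
        self._mek = None      # volatile; populated only by a successful unlock

    def _kek(self, auth_key: bytes) -> bytes:
        return hashlib.pbkdf2_hmac("sha256", auth_key, self._salt, KDF_ROUNDS, 32)

    def _wrap(self, kek: bytes, mek: bytes) -> bytes:
        body = _xor(mek, _keystream(kek, b"wrap", len(mek)))
        return body + hmac.new(kek, b"tag" + body, hashlib.sha256).digest()

    def _unwrap(self, kek: bytes, blob: bytes):
        body, tag = blob[:32], blob[32:]
        expect = hmac.new(kek, b"tag" + body, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, expect):
            return None   # wrong authentication key, or a damaged copy
        return _xor(body, _keystream(kek, b"wrap", len(body)))

    def unlock(self, auth_key: bytes) -> bool:
        """Power-up authentication: any one intact wrapped copy suffices."""
        kek = self._kek(auth_key)
        for blob in self._mek_copies:
            mek = self._unwrap(kek, blob)
            if mek is not None:
                self._mek = mek
                return True
        return False

    def power_cycle(self) -> None:
        self._mek = None   # volatile key is gone; the drive is locked again

    def corrupt_copy(self, index: int) -> None:
        self._mek_copies[index] = bytes(64)   # simulate a damaged key block

    def change_auth_key(self, old: bytes, new: bytes) -> bool:
        """Re-wraps the MEK under the new password; user data is untouched."""
        if not self.unlock(old):
            return False
        kek = self._kek(new)
        self._mek_copies = [self._wrap(kek, self._mek) for _ in self._mek_copies]
        return True

    def _sector_stream(self, sector: int) -> bytes:
        # Per-sector tweak: identical plaintext at different LBAs differs on disk.
        return _keystream(self._mek, b"lba" + sector.to_bytes(8, "big"), SECTOR)

    def write(self, sector: int, data: bytes) -> None:
        if self._mek is None:
            raise LockedError("drive is locked")
        if len(data) != SECTOR:
            raise ValueError("whole sectors only")
        self._platters[sector] = _xor(data, self._sector_stream(sector))

    def read(self, sector: int) -> bytes:
        if self._mek is None:
            raise LockedError("drive is locked")
        return _xor(self._platters[sector], self._sector_stream(sector))

    def raw_sector(self, sector: int) -> bytes:
        return self._platters[sector]   # what leaves with the hardware


def storage_efficiency(drive: SelfEncryptingDrive, sectors) -> dict:
    """Clear text seen by the array (read()) vs. platter contents: dedup and zlib."""
    plain = [drive.read(s) for s in sectors]
    cipher = [drive.raw_sector(s) for s in sectors]
    return {"plain_unique": len(set(plain)), "cipher_unique": len(set(cipher)),
            "plain_zlib": len(zlib.compress(b"".join(plain))),
            "cipher_zlib": len(zlib.compress(b"".join(cipher)))}
```

Two points the model makes visible: changing the password only re-wraps the MEK, so the administrator never handles the encryption key and no re-encryption pass is needed; and an attacker holding the bare drive has only `raw_sector()` contents, which neither compress nor de-duplicate. The counter-mode stand-in is deliberately simplistic: rewriting a sector reuses its keystream, and there is no integrity tag, so it protects the confidentiality of a lost drive, not against tampering. Real drives use a tweakable block mode (AES-XTS) for sector data; do not reuse this construction in production storage code.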

Given that SEDs decrease drive retirement costs with little impact to IT,
corporations may benefit by incorporating SEDs into their security policy
such that all future hard drive purchases are SEDs when available. IBM®
and LSI Logic® are leading the way building SEDs into solutions. Seagate®
is rapidly introducing SEDs across its entire portfolio of hard drives, and
hard drive vendors worldwide (Fujitsu®, Hitachi®, Samsung, Seagate,
Toshiba, and Western Digital®) are participating in the standardization of
SED management, promising an end to the risk of data breaches when hard
drives leave their owner's control.

In addition, it is easy to add disk drives with different embedded encryption
algorithms to an existing array. The data center can have a mix of
encryption algorithms in the same array, because the encryption algorithm
is transparent to the system. As drive models change and new encryption
technology is incorporated into hard drives, they can be intermixed with
older drives in storage systems that support encryption without making any
changes specific to the new drives' higher level of protection.

Summary and Conclusion

Administrators of servers and SAN arrays have good reason to want to
encrypt data-at-rest. This paper addresses the reasons and the concerns
that have prevented wide use of data encryption until now. There isn't a
single comprehensive security approach or a single security technology
that secures data-at-rest. Data encryption options include host-based
software; encryption hardware appliances; and encryption ASICs that
reside on adapters, switches, RAID controllers, and hard drives. There
are cost, interoperability, performance, and latency issues that must be
considered for each option.

Encryption in the hard drive provides simplicity, performance, manageability,
and security relative to other encrypting technologies. For that reason,
many analysts, system manufacturers, and government agencies like the NSA
are recommending that encryption for data-at-rest should be done in the
hard drive.

QLogic’s Fibre Channel Adapters provide a secure solution that works
well with SEDs and provides interoperability with other hardware
components in the SAN without the need for adapter-based encryption.
