Data breaches are increasing in number and complexity year over year, bringing security to the forefront of the storage market. To date, the biggest problem with storage encryption wasn’t encryption itself – DataFort, now SafeNet StorageSecure, has been providing storage encryption for years. Now that NetApp and SafeNet have collaborated to develop StorageSecure, it is possible to encrypt NAS storage at the CIFS or NFS level.
In reality, the biggest problem with encrypting storage is managing the encryption keys, especially with the recent explosion of data. New technologies make enterprise key management a simple, cost-effective solution you can layer over top of your existing storage architecture.
For all you storage admins who are new to security, here’s a high level overview of key management, why it’s important for storage, and how you can use it to increase visibility, maintain control, and achieve compliance.
What is Key Management?
Key management provides the secure generation of encryption keys, the ability to prevent unauthorized access, ensures the availability of the keys, create and enforce policies during the life of the key, and securely destroy the key (and its associated data) at the end of the life of that data to ensure data is properly destroyed.
Steps in the Key Management Lifecycle
- Key Generation. It’s important to use specialized hardware, not software, to generate your keys.
- Access Management. Keys are used to authenticate and authorize access to specific data in accordance with policy or regulatory requirements.
- Availability Assurance. As data is backed up and replicated, keys need to be available from division to division and site to site so the key is accessible wherever the data is located.
- Policy Management. During the life of the data, keys will need to be rotated periodically to keep the data secure. Some of these policies are standard practice, and others are required for regulatory compliance.
- Secure Destruction. At the end of the data’s life, the key needs to be securely destroyed, effectively destroying the data as well.
Key Management for Storage
For storage applications maintaining availability of keys can be very challenging when you take into consideration all the points at which that data is stored and accessed. As all storage admins know, sensitive data can be stored in multiple locations, usually at the primary datacenter and then also a disaster recovery site. Key material needs to be available at these locations as well, so that even if a datacenter is destroyed or the key manager is lost, you don’t lose your keys and with them the ability to access the data.
Access to data in storage environments needs to be strictly controlled. Encryption keys are used to maintain and augment encryption mechanisms at the storage location itself to restrict data even more than the standard system requirements.
And, finally, the destruction of data at the end of its life is very important, especially for financial, HR, healthcare, or other sensitive information that is subject to industry or government regulations. A good key management system allows you to prove compliance throughout the life of the key, and also at the end by securely deleting the key and all data associated with that encryption key. At the natural end of life life of data, you can simply delete the key and effectively destroy the data. The ability to destroy keys and their data is also very important in case of a security breach, or for the military and intelligence communities. In case of a tactical emergency, data stored on an airplane or submarine can be instantly destroyed simply by deleting the encryption key, preventing that information from falling into the wrong hands.
The biggest differentiator between key management for the storage world and other use cases is that we are often required to keep data for a very long time. Healthcare information, for example, may need to be stored securely for the entire life of the patient. In this case, we are looking at decades of securing that data and managing those keys. As a result, we will always have a great number of encrypted data objects, so an effective key management solution must be able to scale to support a great number of keys.
The Future of Storage and Key Management: KMIP
Until recently, one of the biggest issues with encryption in storage has been that, each encryption vendor had their own proprietary key management solution, so that managing encryption keys for an organization’s array of storage security products was an expensive and time-consuming, if not impossible, job.
In 2010, an international consortium of industry leaders, including SafeNet, NetApp, VMware and others, released a cross-platform standard called the OASIS Key Management Interoperability Protocol (KMIP). Now, any product adhering to the KMIP standard for key management can be managed by a single enterprise key management solution, providing better data security and reducing expenditures for managing multiple products.
SafeNet KeySecure is the industry’s first high-assurance, KMIP standards-based enterprise key management solution, and was developed from NetApp’s Lifetime Key Manager (LKM). Using KeySecure, you can to centrally protect, manage, and control data, keys, and policies across a wide range of heterogeneous storage systems, including Quantum Tape, NetApp Storage Encryption (NSE), legacy NetApp/ Decru DataFort, and the new SafeNet StorageSecure. As technology grows and changes, KeySecure will continue to support any storage system built on KMIP protocol.
Regardless of which key management solution you choose, using KMIP standards-based key management will allow you to easily manage keys across multiple storage platforms throughout the entire life of your data, giving you control of your encrypted storage.
If you’re looking for more information on StorageSecure, KeySecure or any other SafeNet encryption technologies, stop by the SafeNet booth 1901 at VMworld next week for a demo. Mike Wong and I will be presenting on Monday and Wednesday in the SafeNet booth on the importance of encrypted storage. You can also download our free whitepapers:
And you can always read more on the SafeNet Data Protection Blog: www.data-protection.safenet-inc.com.