Seagate 15K.2 Self-Encrypting Drives for Servers, NAS, and SAN Arrays - Page 14


As a result, self-encrypting storage is expected to be available across all end points, including such diverse devices as:

• Servers, SANs, NAS arrays (virtualized or not), RAIDs, JBODs or individual drives
• Tape drives
• Solid state disks
• Desktop drives
• Notebook drives
• Portable drives

Less Need to Re-Encrypt

Keeping the authentication key separate from the data encryption key provides several management benefits for drive owners. Because the data encryption key is itself stored encrypted and never leaves the drive, the data center administrator does not need to change it periodically the way a user periodically changes a password. That eliminates the chore of decrypting and re-encrypting the stored data, a highly resource-intensive process.

The authentication key can be changed as often as desired, for example when an administrator leaves the company, without requiring re-encryption: changing it only re-wraps the stored data encryption key under the new credential, a single small operation, while the data on the media is untouched. When storage administrators depart or new operators arrive, their rights to access the storage device can be added or revoked without affecting the encrypted data.

By contrast, controller- and fabric-based encryption move data encryption keys between the key manager (for safe storage) and the point of encryption, and they require key escrow. Because those data encryption keys travel and sit in escrow, they are no more secure than the authentication keys that guard them, and so should be periodically re-keyed, which requires re-encryption of the data, a huge performance drain.

Data-in-Motion Secured Physically or with Session Encryption

The vast majority of data in motion downstream of the file system, whether moving over Ethernet to a NAS or at the block level on a SAN, stays physically under the IT storage administrator's control and is therefore not considered a security risk.

For data in motion downstream of the file system that is not physically under the IT storage administrator's control, the most widely accepted and established practice is to encrypt the data on the wire with an ephemeral session key. A single transmission is encrypted under a session key that is discarded immediately after the transmission; any subsequent transmission is protected by a new, different session key. These very short-lived keys minimize the exposure of the data, unlike the long-lived keys used to encrypt data stored on a hard drive. Here are three scenarios of session encryption that may be used:

Scenario One

There are potential risks with Fibre Channel fabric links that leave the data center and extend the SAN to remote offices, other campuses or remote disaster-recovery sites. In those cases, security is addressed by carrying the FC links over Internet Protocol (IP) and protecting the data with IP security (IPsec).

Scenario Two

Routers and switches use technologies such as IPsec to protect and link SANs over WANs. To address this type of threat, host- or adapter-based encryption is not required as long as the switches and routers support IPsec data encryption. A native Fibre Channel link can only reach a distance of about 10 km, but IT managers need to share, protect and move data much farther than that, sometimes across geographic borders. QLogic provides routers and switches that enable SAN traffic to move over IP, linking SANs over WANs.
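To make the contrast concrete, here is a toy model, added for this page and not Seagate's firmware or any vendor's API, of the two key-management designs discussed under "Less Need to Re-Encrypt" (a drive-resident data encryption key wrapped under a credential, versus an escrowed key that a controller or fabric fetches from a key manager) together with the per-transmission session keys described under "Data-in-Motion Secured Physically or with Session Encryption". It assumes PBKDF2 for deriving the key-encrypting key from the credential, HMAC-SHA256 in counter mode as a stand-in cipher so it runs on the standard library alone, and session keys derived from a pre-shared peer secret plus a fresh nonce as a simplification of what IKE negotiates for IPsec; all sample data is constructed. The returned counts show what each design has to rewrite when an administrator leaves.

```python
"""Toy model of SED key separation vs. escrowed DEKs, plus per-transmission session keys (added illustration; HMAC-SHA256 counter mode is a stand-in cipher, not a recommendation)."""
import hashlib
import hmac
import secrets

def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Stand-in symmetric stream cipher: XOR data with HMAC-SHA256(key, nonce || block counter)."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hmac.new(key, nonce + (i // 32).to_bytes(8, "big"), hashlib.sha256).digest()
        out.extend(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def kek_from_credential(credential: bytes, salt: bytes) -> bytes:
    """Key-encrypting key from the authentication credential (PBKDF2 assumed; real drives differ)."""
    return hashlib.pbkdf2_hmac("sha256", credential, salt, 50_000)

class SelfEncryptingDrive:
    """DEK is generated inside the drive and only ever stored wrapped under the credential KEK."""
    def __init__(self, credential: bytes) -> None:
        self._salt, self._wrap_nonce = secrets.token_bytes(16), secrets.token_bytes(16)
        self._wrapped_dek, self._tag = self._wrap(credential, secrets.token_bytes(32))
        self._dek = None                             # in volatile memory only while unlocked
        self.media, self._data_nonce = b"", b""      # ciphertext on the platters
    def _wrap(self, credential: bytes, dek: bytes):
        kek = kek_from_credential(credential, self._salt)
        wrapped = keystream_xor(kek, self._wrap_nonce, dek)
        return wrapped, hmac.new(kek, self._wrap_nonce + wrapped, hashlib.sha256).digest()
    def unlock(self, credential: bytes) -> bool:
        kek = kek_from_credential(credential, self._salt)   # check the wrap tag, then unwrap
        tag = hmac.new(kek, self._wrap_nonce + self._wrapped_dek, hashlib.sha256).digest()
        if not hmac.compare_digest(tag, self._tag):
            self._dek = None
            return False
        self._dek = keystream_xor(kek, self._wrap_nonce, self._wrapped_dek)
        return True
    def lock(self) -> None:
        self._dek = None
    def write(self, plaintext: bytes) -> None:
        if self._dek is None:
            raise PermissionError("drive is locked")
        self._data_nonce = secrets.token_bytes(16)
        self.media = keystream_xor(self._dek, self._data_nonce, plaintext)
    def read(self) -> bytes:
        if self._dek is None:
            raise PermissionError("drive is locked")
        return keystream_xor(self._dek, self._data_nonce, self.media)
    def change_credential(self, old: bytes, new: bytes) -> int:
        """Re-wrap the DEK under a new credential; returns bytes rewritten (the wrapped key only)."""
        if not self.unlock(old):
            raise PermissionError("bad credential")
        self._wrap_nonce = secrets.token_bytes(16)
        self._wrapped_dek, self._tag = self._wrap(new, self._dek)
        return len(self._wrapped_dek)

def fabric_rotate_key(key_manager: dict, key_id: str, nonce: bytes, media: bytes):
    """Controller/fabric model: the escrowed DEK is replaced, so every byte of media is
    decrypted and re-encrypted. Returns (new_nonce, new_media, bytes_rewritten)."""
    plaintext = keystream_xor(key_manager[key_id], nonce, media)
    key_manager[key_id], new_nonce = secrets.token_bytes(32), secrets.token_bytes(16)
    return new_nonce, keystream_xor(key_manager[key_id], new_nonce, plaintext), len(media)

def session_key(peer_secret: bytes, nonce: bytes) -> bytes:
    """Per-transmission key from the peers' shared secret and a fresh nonce (simplified, not real IKE)."""
    return hmac.new(peer_secret, b"session" + nonce, hashlib.sha256).digest()

def session_send(peer_secret: bytes, payload: bytes):
    nonce = secrets.token_bytes(16)        # the derived key exists only for this call
    return nonce, keystream_xor(session_key(peer_secret, nonce), nonce, payload)

def demo() -> dict:
    data = b"constructed sample: LUN 7 block image " * 48     # constructed, not real data
    sed = SelfEncryptingDrive(b"admin-pin")
    sed.unlock(b"admin-pin")
    sed.write(data)
    before = sed.media
    sed_rewritten = sed.change_credential(b"admin-pin", b"new-admin-pin")   # admin leaves
    sed.lock()
    old_ok, new_ok = sed.unlock(b"admin-pin"), sed.unlock(b"new-admin-pin")
    km, n0 = {"lun-7": secrets.token_bytes(32)}, secrets.token_bytes(16)
    n1, media1, fabric_rewritten = fabric_rotate_key(km, "lun-7", n0, keystream_xor(km["lun-7"], n0, data))
    peer, msg2 = secrets.token_bytes(32), b"block 0x1001 to DR site"
    s1, _ = session_send(peer, b"block 0x1000 to DR site")
    s2, c2 = session_send(peer, msg2)
    return {
        "media_bytes": len(data),
        "sed_bytes_rewritten": sed_rewritten,
        "sed_media_unchanged": sed.media == before,
        "old_credential_accepted": old_ok,
        "new_credential_accepted": new_ok,
        "sed_roundtrip": sed.read() == data,
        "fabric_bytes_rewritten": fabric_rewritten,
        "fabric_roundtrip": keystream_xor(km["lun-7"], n1, media1) == data,
        "session_roundtrip": keystream_xor(session_key(peer, s2), s2, c2) == msg2,
        "cross_session_decrypt": keystream_xor(session_key(peer, s1), s2, c2) == msg2,
    }
```

Running `demo()` shows the point of the section in numbers: revoking the departed administrator's credential on the drive model rewrites 32 bytes and leaves the media identical, while re-keying the escrowed model rewrites the whole media, and a key recovered from one transmission does not decrypt the next one. On a real TCG-style self-encrypting drive the wrapping format and credential derivation are internal to the firmware, and real IPsec keys come from an IKE Diffie-Hellman exchange rather than a pre-shared secret; the model keeps only the structure the text relies on.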