As an IT organization, how confident are you that your organization’s data is secure and protected? From a protection perspective, it’s generally expected to have RAID protection, redundant copies and backups, disaster recovery plans, etc. All essential good practices. But how secure are you from unauthorized access to data? Even when the data is at rest and believed to be secured within your trusted enterprise storage system?
It’s becoming an increasingly important topic as infrastructure teams look at their security requirements across the lifecycle of their storage systems. Operational and process questions related to security are starting to come up. What happens to the data when a drive is replaced? What happens when data is migrated, and a system is repurposed? What happens at the time of a refresh when a system is decommissioned? And what is being done to prevent potential security breaches, such as if a drive is accidentally lost or, even worse, stolen?
Because of these growing concerns, many organizations are looking at how their security requirements are changing. Some of these changes are being mandated by government and industry regulations. Many are also the result of internal mandates being driven by the security teams. As a result, data at rest encryption is now playing an increasingly important part in an overall storage strategy. It’s expected that within the next few years, most, if not all, data at rest will be encrypted. Which is why every user we talk with considers encryption to be a “check the box” required feature for storage going forward.
VMAX D@RE – How’s It Work?
VMAX provides secured, array-based data at rest encryption via “D@RE”. VMAX D@RE encrypts all user data on the array at the drive level. In addition to encrypting the data, every encryption process requires a key manager to control the keys that are needed to decrypt and access the data. Admins like that VMAX D@RE includes an embedded key manager, meaning there is no worrying about managing encryption keys – it’s all automated, or #symmple. The science of how it works is really cool. Unique keys are securely generated via the embedded RSA encryption key management technology that supports AES-256 encryption. This type of encryption addresses serious regulatory requirements, such as being validated as FIPS 140-2 compliant.
The drive access paths and encryption keys are stored in an encrypted lockbox, which can only be operated (opened/used/restored) on the array on which it was generated. The keys are transferred from the Key Manager to the drive controller at boot time (and as necessary during operation, e.g., when a new drive is inserted) in an encrypted form.
Every drive has its own unique encryption key and all drives within the VMAX are encrypted, including vault drives. When data is replicated, drives at the primary site will have different encryption keys from those at the secondary site, so they are independent, making it easy to set up encryption at both primary and secondary sites. This is key because if the data were encrypted before it was replicated, it couldn’t be compressed, resulting in a potentially huge impact on network bandwidth.
With VMAX SRDF, the director handles the compression and hands the data off to the network switch. The switch can then encrypt and decrypt the data in flight between the source and target system. The VMAX director then decompresses the data and writes it to the array. Since it’s all done in hardware, there’s no overhead, just optimized bandwidth efficiency while securing data in flight.
If drives are removed from the array (i.e., drive sparing), their keys are instantly destroyed as part of the replacement process. If an array is retired, the admin can permanently delete all copies of keys on that array, making the data indecipherable and helping address requirements around secure erasure of the system.
VMAX D@RE – Why’s It Different?
VMAX array-based encryption has three key advantages over other encryption alternatives.
No compromise: D@RE preserves all data services, including replication and, more importantly, compression. Alternatives that encrypt at the array level then compress at the drive level cannot combine the two capabilities. That’s because encrypted data does not compress (since it’s all unique), forcing users to compromise functionality and choose one or the other, but not both.
Performance: D@RE is faster than host or app based encryption without the use of hardware based accelerators. Since D@RE is hardware based at the array level, there is zero performance impact to the app, server or storage. In addition, data erasures are instant, since only the encryption keys need to be deleted to make the data inaccessible. That’s a key advantage, especially when an entire system, with hundreds of TBs of data, is being replaced.
No fail destruction: And finally, it works even on badly failed drives. That’s important because when your drive fails, it can fail badly enough that it can’t be overwritten to remove private information. With drive level encryption, even though the failed drive might be “unreadable”, not being able to destroy the data securely still violates many security processes. With D@RE, you can simply destroy the key from all locations and you’ve crypto-shredded or effectively made the data on the drive unreadable.
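The two mechanisms behind the "No compromise" and "No fail destruction" points, modeled as an added example that is not VMAX or Dell EMC code: compression only pays off when it runs before encryption, and destroying a drive's key leaves only unreadable ciphertext on the pulled drive. The names `ToyArray`, `stand_in_cipher`, `compare_orderings` and `pull_drive` are hypothetical, the sample data is constructed, and a SHA-256 keystream stands in for AES-256 so the block runs with the Python standard library alone.

```python
import hashlib
import secrets
import zlib

# Constructed sample: repetitive, highly compressible "user data".
SAMPLE = b"2024-01-01 INFO block written ok\n" * 2000


def stand_in_cipher(key, data):
    """XOR with a SHA-256 counter keystream. Stand-in for AES-256, not for real use."""
    out = bytearray()
    for off in range(0, len(data), 32):
        pad = hashlib.sha256(key + off.to_bytes(8, "big")).digest()
        out.extend(b ^ p for b, p in zip(data[off:off + 32], pad))
    return bytes(out)


def compare_orderings(data, key):
    """Return stored sizes for (compress then encrypt, encrypt then compress)."""
    compress_first = stand_in_cipher(key, zlib.compress(data))
    encrypt_first = zlib.compress(stand_in_cipher(key, data))
    return len(compress_first), len(encrypt_first)


class ToyArray:
    """Hypothetical model: one random key per drive, held only in the key store."""

    def __init__(self, drive_ids):
        self.keys = {d: secrets.token_bytes(32) for d in drive_ids}
        self.media = {}

    def write(self, drive, data):
        # Compress first, then encrypt with that drive's own key.
        self.media[drive] = stand_in_cipher(self.keys[drive], zlib.compress(data))

    def read(self, drive):
        # Raises KeyError once the drive's key has been destroyed.
        return zlib.decompress(stand_in_cipher(self.keys[drive], self.media[drive]))

    def pull_drive(self, drive):
        """Destroy the key and hand back the ciphertext left on the removed drive."""
        del self.keys[drive]
        return self.media.pop(drive)


if __name__ == "__main__":
    print("compress->encrypt, encrypt->compress:", compare_orderings(SAMPLE, b"k" * 32))
    array = ToyArray(["drive0", "drive1"])
    array.write("drive0", SAMPLE)
    leftover = array.pull_drive("drive0")
    print("bytes on pulled drive:", len(leftover), "key kept:", "drive0" in array.keys)
```

The failed-drive case needs no write to the media at all: `pull_drive` only touches the key store, which is why the approach still works when the drive itself can no longer be overwritten.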
VMAX D@RE – Why is it Important?
VMAX D@RE provides best in class technology to address security requirements for data at rest without compromise. It supports use cases such as drive replacements, array replacements, and encryption key life cycle management, and more importantly helps the storage and security teams sleep better at night. All without compromising functionality, impacting performance or adding complexity.
Technologies like VMAX D@RE provide a critical building block for building a secure, modernized data center. As part of a Modern Data Center, it helps organizations drive better efficiency, gain more business agility and lay the foundation for new applications and analytics tools that will enable companies to compete in the modern digital economy.