Emulex Helps Data Protection and Privacy Through Encryption


Emulex’s strategic direction is to help IT shops provide additional data protection and privacy by encrypting data at the source – in the host server. There has been plenty of news about data breaches that put literally millions of data records at risk, and about the laws that require public disclosure of such breaches. More recently, some states within the USA have passed laws requiring encryption for the transmission or storage of personally identifiable information outside of a secure system. CIOs can no longer debate whether to encrypt. Encryption is no longer an option, but a requirement.

Emulex has announced its direction to provide 8-Gb/s Fibre Channel HBAs that protect data in flight and at rest using offloaded AES 256-bit encryption. Emulex is partnering with RSA and IBM to include important key-management technology. Emulex also plans to provide support for virtual machines with this encrypting HBA. An important consideration is defensible proof of encryption, both for FIPS 140-2 and for numerous industry-specific and general regulations.

This product strategy resurfaces the age-old question about where to encrypt, for which there are many possible answers. The real question is “what is your secure zone?” If your entire data center is the secure zone, you don’t send any data offsite, and you can prove it, then maybe this solution is not for you. However, if your secure zone in some cases is narrowed down to a single server, then a solution that encrypts in the host server is worth examining.

Some of the storage best practices outlined in the SNIA Storage Security Best Current Practices include the following:

  • Secure Sensitive Data on Removable Media
  • Secure Sensitive Data Transferred Between Data Centers
  • Secure Sensitive Data in 3rd-party Data Centers
  • Implement the in-flight and at-rest encryption mechanisms such that they provide end-to-end protections

One way to implement encryption that meets these criteria is with an HBA that performs the encryption before the data leaves the host server. If the data is encrypted before it leaves the host server, then the secure zone can be defined as the host server, without regard to the security status of devices that are physically separate from the host server.
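As an added illustration of the secure-zone argument (example code written for this page, not Emulex's or the HBA's own implementation), here is a minimal model of the host-side write and read path in Go, using the standard library's AES-256-GCM. GCM as the mode, the random per-write nonce, binding the logical block address as associated data, and the all-zero demo key are assumptions of this example; the post names only AES-256.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Host is the server that owns the key; its HBA encrypts every block before
// the block enters the Fibre Channel fabric, so key and plaintext stay here.
type Host struct{ aead cipher.AEAD }

// NewHost wraps a 32-byte key (AES-256) in GCM, this example's assumed mode.
func NewHost(key []byte) (*Host, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, _ := cipher.NewGCM(block) // cannot fail for an AES block cipher
	return &Host{aead: aead}, nil
}

// WriteBlock is the HBA write path: nonce || ciphertext || tag goes on the wire.
// The LBA is bound as associated data, so a block relocated at rest fails on read.
func (h *Host) WriteBlock(lba uint64, plain []byte) ([]byte, error) {
	nonce := make([]byte, h.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return h.aead.Seal(nonce, nonce, plain, binary.BigEndian.AppendUint64(nil, lba)), nil
}

// ReadBlock is the read path; tampered, truncated or relocated blocks are rejected.
func (h *Host) ReadBlock(lba uint64, wire []byte) ([]byte, error) {
	n := h.aead.NonceSize()
	if len(wire) < n {
		return nil, errors.New("short block")
	}
	return h.aead.Open(nil, wire[:n], wire[n:], binary.BigEndian.AppendUint64(nil, lba))
}

func main() {
	h, _ := NewHost(make([]byte, 32)) // all-zero constructed demo key
	wire, _ := h.WriteBlock(7, []byte("constructed PII record"))
	_, err := h.ReadBlock(8, wire) // identical bytes, wrong LBA: rejected
	fmt.Printf("on the fabric: %x\nrelocated read: %v\n", wire, err)
}
```

Everything past WriteBlock, whether captured on the fabric or read back from the array, is the same nonce-prefixed ciphertext, so neither needs to be trusted for confidentiality. A random 96-bit GCM nonce is only safe for about 2^32 writes per key, which a busy volume reaches quickly, so the key-management piece (per-volume keys, rotation) matters as much as the cipher.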

We will discuss this topic more in the future, so stay tuned.


  • mversace

    Would be nice to do a deep dive into HBA encryption and put together an end-to-end encryption scenario using a hypothetical application running in a private cloud on a set of vBlock. We could look at encryption using:

    - SED
    - channel encryption
    - data tokenization at the database level
    - SSL to get data to the end user
    - whole disk encryption for data at rest on the desktop.

    Issues to consider
    - overall application performance
    - key management
    - where's the white space
    - alternative scenarios using a data-centric model for encryption.

    Mike