The Importance of Securing Data
Securing information in the data center is critically important to storage customers. A company’s data is one of its most valuable assets and must be protected from theft, loss or simply disposal or repurposing of the media. A security plan must provide for protection of data throughout all aspects of the storage ecosystem. Each point in the storage infrastructure provides unique threat models that must be dealt with using best-in-class methodologies. Some examples of these “security domains” would be: data-in-flight, data-at-rest, authentication of devices and users, key management and end-to-end-data integrity.
Data-at-rest is the security domain receiving the most press lately. It’s especially critical to protect data-at-rest, meaning data stored on a hard drive or other storage device. Eventually every hard drive in a data center leaves the premises. It may be stolen or lost; it may be sent back to the vendor for servicing; it may be repurposed; it may be sent back at the end of a lease; or it may be disposed of simply because it’s outdated. Most hard drives that leave the data center are operable and readable. In fact, studies have shown that 90 percent of failed drives actually have some amount of readable data. Even data striped across multiple drives in a RAID array is vulnerable, because the segment size typically used in arrays is big enough to contain, for example, hundreds of names and Social Security numbers in a single segment.
Some data centers hire professional services to dispose of decommissioned hard drives. However, the drives are still vulnerable, and the information on a hard drive that’s sent offsite for secure disposal is as vulnerable as unsecured tape data leaving the data center. If only one drive is stolen or lost, a company may be forced to pay millions of dollars in remedies for the compromised data.
Many states have laws requiring a company to publicly disclose the loss or theft of hard drives that contain customer information. Such disclosures can be costly in terms of money, negative publicity and lost customer confidence.
By contrast, most US states as well as the EU provide safe harbors for the loss of encrypted data. If a drive containing sensitive data is lost or stolen, and a reasonable attempt has been made to encrypt the data, the safe harbor laws in most cases do not require the company to disclose the loss.
Advantages of Self Encrypting Drives
For the data-at-rest security domain, you must consider the specific threat models that will be encountered, and then choose the best methodology to protect against those threats. For data-at-rest there are several kinds of potential threats, and they primarily involve drives leaving the user’s control.
We believe the best solution for protecting data-at-rest is to use standardized self-encrypting hard drives that automatically encrypt everything written to them. This is a better solution than using a traditional hard drive and encrypting data upstream from the drive. With upstream encryption, when the drive leaves the environment, the attacker can read ciphertext at will and use it as a hint to crack the data encryption keys. Self-encrypting drives prevent this method of attack by not allowing any access to data until the drive is authenticated. Ciphertext is never exposed by a self-encrypting drive, and the only way to get at it would be through destructive methods such as a spin stand.
Another advantage of using self-encrypting drives is that there is no performance impact. The drives’ built-in encryption engines operate at full interface speed, and the approach is very scalable: as you add drives to a system, you add more encryption engines that all operate in parallel.
When encrypting data-at-rest, one of the biggest issues is data classification: determining what data needs to be encrypted and what data does not. This is especially true when the encryption methodology has performance impacts. With the huge amounts of data involved, it is a mind-boggling task to sort through the terabytes of information. In addition, how can you be sure that you found everything and got it encrypted? With self-encrypting drives, the drive automatically encrypts all data written to it, so no one needs to spend valuable time deciding which information to encrypt and, quite possibly, forgetting to encrypt some critical data.
Once authenticated, self-encrypting drives appear exactly the same as non-encrypting drives to the storage infrastructure. No changes are required to the applications. This is in contrast with encrypting data upstream, which can impact value-add storage system operations downstream, such as data de-duplication or compression. The issue is that encrypted data cannot be de-duplicated, because storage encryption confidentiality ciphers also incorporate location information into the encryption. In other words, two identical pieces of data stored at two different logical block addresses do not encrypt the same, so they will not be de-duplicated. In the case of compression, the encryption process randomizes the data and degrades the compression ratios.
Interoperability is also a major consideration. The encryption cipher is now tied to a disk drive rather than to the application, OS or storage controller. Drives with different encryption algorithms can easily be added to an existing storage array, because the encryption algorithm is transparent to the system. Drives with newer encryption technology can be combined seamlessly with older self-encrypting drives in storage systems that support encryption.
Data encryption keys on self-encrypting drives are secure because each drive holds only an encrypted version of the encryption key, and not the key itself. Hard drive manufacturers assume that an attacker could have complete knowledge of the drive’s design and construction and of the location of any secrets on it. Therefore, no clear-text secrets are stored anywhere on the drive, and potential hackers who know the drive’s design cannot use this information to “crack” the encrypted data on the drive. In fact, with self-encrypting drives, there is no reason to ever escrow the data encryption key. This also guarantees that the data encryption key has never been compromised, since it has never left the drive. Because the key has never left the drive, the drive can be securely erased by simply deleting its encrypted form of the data encryption key. This is in sharp contrast with methodologies that encrypt data upstream, where data encryption keys must be escrowed. Escrow then brings into question whether it can be assured that the key has never been compromised. If it has been compromised, and someone has the key from the escrow, the data on that traditional drive could be recovered.
Self-Encrypting Drive Operation Basics
The usage model for a self-encrypting drive is pretty straightforward. An authentication key from an outside source is required to unlock the drive for read/write operations. This authentication key will typically come from either an enterprise key management server or a local key management system, by way of the storage controller. After authentication is completed during power-up, encryption is transparent to the storage system, which can then perform its usual functions in a normal fashion.
When a write is performed on a self-encrypting drive, clear text enters the drive and, before being written to the disk, is encrypted with the encryption key embedded within the drive. When a read is performed, the encrypted data is decrypted before leaving the drive.
Self-encrypting drives are a standards-based solution, and all drive vendors are participating in the Trusted Computing Group (TCG) standard for secure drive commands, which assures interoperability. We fully expect that in the future all drives will be self-encrypting.
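The key-handling model described above (a data encryption key that is generated inside the drive, persisted only in wrapped form under a key derived from the authentication key, used with the logical block address as a tweak, and destroyed for a crypto-erase) is illustrated by the following simulation. This is an added example written for this page, not vendor or TCG code; the HMAC-based keystream and the simple wrap construction stand in for the real block cipher and key-wrap algorithms, which the page does not name.

```python
import hashlib
import hmac
import secrets

SECTOR = 16  # toy sector size in bytes (constructed; real drives use 512 or 4096)


class SelfEncryptingDrive:
    """Model of a self-encrypting drive: the DEK is created inside the drive,
    stored only wrapped under a key derived from the authentication key (AK),
    and never leaves the drive. Crypto primitives here are illustrative only."""

    def __init__(self, ak: bytes):
        self.salt = secrets.token_bytes(16)
        self.wrapped_dek = self._wrap(ak, secrets.token_bytes(32))  # only the wrapped DEK is persisted
        self.media = {}      # LBA -> ciphertext sector, the only thing a thief could read
        self._dek = None     # volatile copy, present only while unlocked

    def _kek(self, ak: bytes) -> bytes:
        # Key-encrypting key derived from the AK; the AK itself is not stored.
        return hashlib.pbkdf2_hmac("sha256", ak, self.salt, 100_000)

    def _wrap(self, ak: bytes, dek: bytes) -> bytes:
        kek = self._kek(ak)
        pad = hashlib.sha256(b"wrap" + kek).digest()
        ct = bytes(a ^ b for a, b in zip(dek, pad))
        return ct + hmac.new(kek, ct, "sha256").digest()  # ciphertext || integrity tag

    def unlock(self, ak: bytes) -> bool:
        kek = self._kek(ak)
        ct, tag = self.wrapped_dek[:32], self.wrapped_dek[32:]
        if not hmac.compare_digest(hmac.new(kek, ct, "sha256").digest(), tag):
            return False  # wrong AK: no DEK, no data access
        pad = hashlib.sha256(b"wrap" + kek).digest()
        self._dek = bytes(a ^ b for a, b in zip(ct, pad))
        return True

    def power_off(self) -> None:
        self._dek = None  # drive locks again; the next power-up needs the AK

    def _keystream(self, lba: int) -> bytes:
        # The LBA is the "location information": same plaintext at two LBAs
        # yields different ciphertext, which is why de-duplication fails.
        return hmac.new(self._dek, lba.to_bytes(8, "big"), "sha256").digest()[:SECTOR]

    def write(self, lba: int, data: bytes) -> None:
        if self._dek is None:
            raise PermissionError("drive locked")
        assert len(data) == SECTOR
        self.media[lba] = bytes(a ^ b for a, b in zip(data, self._keystream(lba)))

    def read(self, lba: int) -> bytes:
        if self._dek is None:
            raise PermissionError("drive locked")
        return bytes(a ^ b for a, b in zip(self.media[lba], self._keystream(lba)))

    def crypto_erase(self, ak: bytes) -> None:
        # Secure erase: replace the wrapped DEK; all existing ciphertext is now unrecoverable.
        if not self.unlock(ak):
            raise PermissionError("authentication required for erase")
        self.wrapped_dek = self._wrap(ak, secrets.token_bytes(32))
        self._dek = None
```

Note that the media dictionary never contains plaintext, and nothing in the object holds the DEK in clear once `power_off` or `crypto_erase` has run.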
Action Item: Secure data storage is a real-world problem for enterprises. Encryption on the hard drive, combined with robust key management and a state-of-the-art storage system to house the drives, provides superior performance, manageability and security. This is a significant leap forward to improve security and management in the world’s data centers.
To find out more about securing data-at-rest, investigate the white papers, videos, podcasts, and other resources at www.fdesecurityleaders.com.