Storage-Level Encryption: Today's Challenge
Many of today’s privacy mandates require protecting data at rest, and storage-level encryption is one important way to accomplish this. Storage media are particularly vulnerable to loss and theft. Backing up data to tape, for example, is a time-honored and cost-effective way to preserve valuable information, but tapes can be lost, stolen, or misplaced, and the use of third-party offsite facilities increases the risk. The same can be true for disk drives and even solid-state disks where hardware is frequently sent off site for repair or redeployment. Failure to effectively wipe or destroy data beforehand increases the risk of exposure. Given these risks, encryption of stored data is an effective means of protecting information—and a company's reputation. Storage-level encryption ensures that if storage media are lost or stolen, their data is worthless to thieves, so companies avoid having to make embarrassing data breach disclosures. This type of protection is beneficial whether or not the data in question is covered under privacy laws or other industry mandates such as PCI DSS. Some experts argue that all storage systems should be encrypted by default, just in case. Off-site archiving firms and couriers are even starting to turn away unencrypted tapes or charge a premium to cover their increased risk. Even so, many companies do not encrypt storage media. They worry that encryption will slow their backup processes or make it impossible to access the data in the future if encryption keys are lost.
For years, storage encryption required the use of dedicated storage appliances that increased complexity and could impact performance. But with such clear business benefits, the storage industry has responded; today, embedded encryption capabilities are built into many storage devices or are available as configuration options. But with greater use of these capabilities comes a corresponding challenge—managing encryption keys across a heterogeneous population of devices. Organizations need to manage keys throughout their life cycles, both to protect keys from unauthorized use and to ensure that those keys are guaranteed to be available to legitimate users when needed. As organizations deploy storage devices from a range of vendors, attention rapidly turns from the encryption process itself to the challenge of efficiently managing the keys across those systems.
Risks Associated with Storage Level Encryption
- Attackers can steal tapes, disks, or other storage media, resulting in the need for costly and embarrassing disclosures that can seriously damage the organization.
- Organizations that rely on the encryption capabilities of storage devices may find it hard to keep key management under control—and loss of keys can be disastrous to business continuity.
- Without a strategic approach to managing keys, organizations can accumulate multiple, incompatible and inconsistent key management systems, each responsible for different storage encryption capabilities, adding complexity and cost to compliance reporting.
- Key management systems become a natural “honey pot” for attackers; they need to support strong security controls and if possible, physical hardening as well.
- Key management standards are evolving rapidly, driving new requirements that may need to be addressed across the enterprise. Organizations that want to stay ahead of the curve should think beyond their storage requirements to consider how enterprise key management can deliver greater harmonization, efficiency, and cost savings.
Storage-Level Encryption: Thales e-Security Solutions
Products and services from Thales e-Security enable you to deploy high assurance storage-level encryption solutions with confidence by adding effective centralized key management to the encryption capabilities embedded in modern storage devices. keyAuthority is a proven, standards-based, hardened key management platform that enables organizations to automate and centralize administration of encryption keys across classes of encrypting storage devices such as tape libraries, disk arrays, and SAN switches from leading storage vendors. keyAuthority streamlines routine key management operations and auditing tasks, dramatically reducing operational costs, complexity, and risk of human error. With keyAuthority, organizations can take control of their storage encryption keys, guard against theft or misuse, and most importantly be confident that archived keys will always be available—removing the fear that encryption keys might be lost and that stored data would be left unreadable, forever.
- Implement effective storage encryption solutions quickly with a single, consistent key management infrastructure that is pre-qualified to work with storage devices from leading vendors.
- Effectively safeguard and automate the management of storage encryption keys across their lifecycle—ensuring that keys are available when needed.
- Establish high availability and scalability though real-time replication and capacity that scales to millions of keys and thousands of storage devices.
- Reduce the risk of insider attacks by enforcing separation of duties between storage administrators and security officers.
- Simplify compliance reporting obligations and forensic requests through sophisticated and secure auditing capabilities.
- Satisfy external mandates and establish tangible security benchmarks through the use of FIPS 140-2 level 3 certified products.
- Comply with emerging key management standards to establish a vendor-neutral approach that can grow with your organization.