The sweeping avalanche of information-protection regulations, requirements, industry standards, and increasingly sophisticated security threats can become burdensome even for a thriving business. IBM FlashSystem A9000 and A9000R relieve this burden by offering data-at-rest encryption at no additional cost.
The encryption process is non-destructive. It applies to data that is already stored on the system, encrypting the SSDs and the MicroLatency modules without rewriting the data.
Once encrypted, your data on the storage system is reliably protected against unauthorized access, use, disclosure, disruption, modification, perusal, inspection, recording, or destruction. Even if the SSDs or MicroLatency modules are stolen or improperly discarded, no intruder will be able to breach the encrypted data.
You can choose between an implementation based on an external key manager and one based on a locally stored key. With external key management, keys are stored separately from the data, providing a secured and well-defined interface for key services.
In IBM FlashSystem A9000 and A9000R, the external key management scheme uses external Key Management Interoperability Protocol (KMIP) compliant servers, such as IBM Security Key Lifecycle Manager (SKLM) or Gemalto SafeNet KeySecure server.
IBM FlashSystem A9000 or A9000R communicates with the IBM SKLM server through a Key Management Interoperability Protocol (KMIP) over Secure Sockets Layer (SSL) protocol. The physical connection is through an Internet Protocol (IP) network, as shown below:
Starting with version 12.1.0, FlashSystem A9000 and A9000R can also manage the keys internally, and support concurrent conversion from SKLM external key management to internal key management.
Internal, server-less encryption key management obviates the purchase, deployment, and management of a dedicated, independent key management server, because the encryption key is generated and stored within the storage system. This significantly simplifies deployment of data-at-rest encryption and drastically reduces the cost and complexity of managing keys. However, before embarking on the internal key management scheme, make sure that it is adequate for your data security requirements. Also consider that the reverse operation, changing from a local key to an external key server, first erases any data already on disk.
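The following conceptual model, added here as an illustration rather than IBM's own code, shows what the two key-management choices mean for data-at-rest protection: the data-encryption key comes either from a stand-in for a KMIP key server or from a store inside the system, the stored medium holds only ciphertext, and the two conversion directions behave as described above (external to internal keeps the data readable; internal to external erases it first). The `ExternalKeyManager`, `StorageSystem` and `demo` names, the per-block counter-mode cipher built from HMAC-SHA256 (chosen so the script runs with the standard library only; a real array would use AES, typically XTS), and the sample record are all assumptions of this example, not details of the A9000 implementation.

```python
import hashlib
import hmac
import secrets


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Derive `length` keystream bytes from HMAC-SHA256(key, nonce || counter).
    Toy PRF-in-counter-mode construction; stands in for AES here (assumption)."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def ctr_crypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode XOR: the same call encrypts and decrypts."""
    return bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))


class ExternalKeyManager:
    """Hypothetical stand-in for a KMIP-compliant key server; keys never leave it
    except over the get_key interface, and never sit on the storage medium."""

    def __init__(self):
        self._keys = {}

    def create_key(self) -> str:
        key_id = "key-" + secrets.token_hex(4)
        self._keys[key_id] = secrets.token_bytes(32)
        return key_id

    def get_key(self, key_id: str) -> bytes:
        return self._keys[key_id]


class StorageSystem:
    """Model of an array whose medium (`media`) is what a removed SSD would contain."""

    def __init__(self):
        self.media = {}          # logical block address -> ciphertext only
        self.key_manager = None  # external key source, or
        self.local_key = None    # internal (server-less) key store
        self.key_id = None

    def enable_external_encryption(self, km: ExternalKeyManager):
        self.key_manager, self.key_id, self.local_key = km, km.create_key(), None

    def enable_internal_encryption(self):
        self.key_manager, self.key_id, self.local_key = None, None, secrets.token_bytes(32)

    def _dek(self) -> bytes:
        if self.key_manager is not None:
            return self.key_manager.get_key(self.key_id)
        if self.local_key is not None:
            return self.local_key
        raise RuntimeError("encryption not enabled")

    def write(self, lba: int, plaintext: bytes):
        # Nonce is the block address; a real design must not reuse a nonce on rewrite.
        self.media[lba] = ctr_crypt(self._dek(), lba.to_bytes(8, "big"), plaintext)

    def read(self, lba: int) -> bytes:
        return ctr_crypt(self._dek(), lba.to_bytes(8, "big"), self.media[lba])

    def convert_to_internal(self):
        """External -> internal: the key moves into the local store, so the
        ciphertext already on the medium stays readable (no data rewrite)."""
        self.local_key = self._dek()
        self.key_manager, self.key_id = None, None

    def convert_to_external(self, km: ExternalKeyManager):
        """Internal -> external: existing data is erased first, as the text states."""
        self.media.clear()
        self.enable_external_encryption(km)


def media_contains(system: StorageSystem, needle: bytes) -> bool:
    """Would someone holding only the medium see this plaintext?"""
    return any(needle in ct for ct in system.media.values())


def demo() -> dict:
    km = ExternalKeyManager()
    array = StorageSystem()
    array.enable_external_encryption(km)
    record = b"customer record: account 0001, balance 42"  # constructed sample data
    array.write(7, record)
    results = {
        "readback_ok": array.read(7) == record,
        "plaintext_on_media": media_contains(array, record),
    }
    # Holding the medium without the key yields nothing useful.
    guess = ctr_crypt(secrets.token_bytes(32), (7).to_bytes(8, "big"), array.media[7])
    results["wrong_key_recovers"] = guess == record
    array.convert_to_internal()
    results["readable_after_internal"] = array.read(7) == record
    array.convert_to_external(ExternalKeyManager())
    results["blocks_after_external"] = len(array.media)
    return results


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows the data round-trips through the external key, never appears in clear on the medium, survives the external-to-internal conversion unchanged, and is gone after the internal-to-external conversion.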
The concept of data-at-rest encryption on IBM FlashSystem A9000 and A9000R is presented in greater depth on IBM Knowledge Center, which also provides instructions on how to physically relocate encrypted systems.
If this brief introduction has convinced you that implementing data-at-rest encryption should not be delayed any further, refer to this IBM Redpaper publication for more detailed instructions.