SAN Encryption Technology - Part I
There seems to be a perception in the storage arena that IT Security is for all facets other than storage. However, if you have been monitoring the SAN product announcements in the storage space (which I know you are), you have seen that end-to-end security offerings in the SAN are now available. Sure, there are several ways to accomplish security in the storage arena (disk subsystem based, SAN based, host based).
Ever wonder what is going on under the covers of the SAN security offerings? What does a SAN-based security offering do and what are its components? Let’s dig into the SAN security offerings from a standards perspective.
Keep in mind I am not going to cover all IT security offerings such as LTPA, OpenPGP, GOST, SEED, or even Elliptical Curve Crypto, just what you will encounter in the SAN based offerings. Neither will we cover how security impacts your compliance needs or how to devise security domains or help identify threat levels for your data. We are going to focus on securing enterprise data while keeping it available for use (no time to cover how encryption will impact RTO & RPO values). This topic will also be limited to the Fibre channel SAN and not cover FICON environments.
Let’s lay the security foundation by understanding the important terms.
Industry Standard Security Terms: A.K.A the Security Alphabet Soup!
AES = Advanced Encryption Standard (IEEE 1619, 1619.3) Available in 128-, 192- & 256-bit key lengths
AES-256-XTS for Disk
AES-256-GCM for Tape
CC EAL-3 = Common Criteria Evaluation Assurance Level 3
CHAP = Challenge-Handshake Authentication Protocol RFC 1334 & 1994 – 3-way handshake using MD-5 hash
In our instance it will be used by iSCSI (or should be used)
FIPS = Published based on 128-bit
MD-5 = RFC 1321 (128-bit one way hash, never sent over the link), typically found in SMB v1.0 type environments
PKCS = Public Key Crypto Standards (RFC 2898)
PKI = Public Key Infrastructure (A.K.A x.509 PKI (Public Key Infrastructure))
PKIX = PKI CA / Registration Agent
RPKI = Resource Public Key Infrastructure (RFC 5280) expect to see this in ISP offerings (huge environments)
IKE = Internet Key Encryption (RFC 2408-2410)
IKEv2 (RFC 4306, RFC4595)
KMIP (Key Mgr Inter Operability Protocol), which is part of the OASIS offering and a way to get to IEEE P1619.3
Other Terms to be familiar with:
DAR = Data at Rest
DIF = Data in Flight
RPO = Recovery Point Objective
RTO = Recovery Time Objective
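The CHAP entry above describes a three-way handshake in which only an MD5 hash crosses the link, never the shared secret. The following sketch is an added example, not code from this post or from any SAN product: it plays both sides of the RFC 1994 exchange and shows why the target must use a fresh, single-use challenge. The class name, helper names and the secret are constructed for illustration.

```python
import hashlib
import hmac
import os


def chap_response(identifier, secret, challenge):
    """RFC 1994 response: MD5 over identifier octet + shared secret + challenge."""
    return hashlib.md5(bytes([identifier]) + secret + challenge).digest()


class Authenticator:
    """Target side (hypothetical helper): issues challenges, verifies responses."""

    def __init__(self, secret):
        self._secret = secret
        self._pending = {}   # identifier -> outstanding challenge value
        self._next_id = 0

    def challenge(self):
        # Step 1: send an identifier and an unpredictable challenge value.
        ident = self._next_id
        self._next_id = (self._next_id + 1) % 256
        value = os.urandom(16)
        self._pending[ident] = value
        return ident, value

    def verify(self, identifier, response):
        # Step 3: recompute the hash locally and compare in constant time.
        # pop() makes each challenge single use, so a replayed response fails.
        value = self._pending.pop(identifier, None)
        if value is None:
            return False
        expected = chap_response(identifier, self._secret, value)
        return hmac.compare_digest(expected, response)


def demo():
    secret = b"constructed-example-secret"   # constructed sample value
    target = Authenticator(secret)

    ident, chal = target.challenge()
    resp = chap_response(ident, secret, chal)   # Step 2: initiator's reply
    accepted = target.verify(ident, resp)
    replayed = target.verify(ident, resp)       # captured reply sent again

    ident2, chal2 = target.challenge()
    wrong = target.verify(ident2, chap_response(ident2, b"wrong-secret", chal2))
    return accepted, replayed, wrong


if __name__ == "__main__":
    print(demo())
```
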
The key to all IT security offerings rests in proper Key Management (you do NOT want to have to manually manage keys and worry about key lifecycles, key retention, etc).
The central role of a key manager offering is to manage security keys across all device types across your enterprise (just think about all the keys in / around the VPN). Key Managers also present the ability to work with a Certificate Authority (CA), all while being easy to utilize. Do not overlook the need for Role Based Access Control (RBAC) and auditing capabilities (who polices the police?).
Here are just a few products (listed in no certain order): IBM Tivoli Key Lifecycle Manager (TKLM), RSA RKM, HP Storageworks Key Mgr (HKM), NetApp Lifetime Key Mgt (LKM).
KMIP is seen as one way to replace the hodgepodge of different encryption-key management products out there. Put another way, it solves a BIG issue within the enterprise security realm.
Key Size (128 and 256 bit are the most common, while 512 and 1024 bit are offered without a lot of adoption, as I have seen). Keep in mind that cracking the 256-bit code takes 2^128 times more computational power than the 128-bit version.
Key Choice – select the version that makes the most sense for your environment (keep in mind the delay for creating the key and unpacking the data). Is an 8-10% performance hit acceptable? What are the acceptable guidelines for your enterprise?
Symmetric or Asymmetric keys
The Symmetric key is used for both read and writes for SAN encryption. Symmetric key encryption algorithms are significantly faster than asymmetric encryption algorithms, which makes symmetric encryption an ideal candidate for encrypting large amounts of data. Speed and short key length are advantages of symmetric encryption.
Asymmetric keys, by contrast, require two pairs for encrypting and decrypting data. A typical usage is for VPN-type enterprise offerings, and the king of the asymmetric offerings is RSA.
I have learned over the years that hardware is the way to go with security due to the load that software places on CPU’s. Having a dedicated component to tackle that one job ensures that all other processes are handled in a timely manner and not creating another issue.
I also like SAN encryption due to the flexibility it brings to an enterprise security offering (all data passes through the SAN).
Another aspect of security to keep in mind is data classification. You might ask why? Do you really want or need all your data encrypted? What does the corporate directive state?
I have to leave our security discussion at this point. Let’s call this Part I; keep watching this space for Part II (How to roll out SAN Encryption).