Tony Pearson is a Master Inventor and Senior IT Architect for the IBM Storage product line at the
IBM Executive Briefing Center in Tucson Arizona, and featured contributor
to IBM's developerWorks. In 2016, Tony celebrates his 30th year anniversary with IBM Storage. He is
author of the Inside System Storage series of books. This blog is for the open exchange of ideas relating to storage and storage networking hardware, software and services.
(Short URL for this blog: ibm.co/Pearson )
My books are available on Lulu.com! Order your copies today!
Safe Harbor Statement: The information on IBM products is intended to outline IBM's general product direction and it should not be relied on in making a purchasing decision. The information on the new products is for informational purposes only and may not be incorporated into any contract. The information on IBM products is not a commitment, promise, or legal obligation to deliver any material, code, or functionality. The development, release, and timing of any features or functionality described for IBM products remains at IBM's sole discretion.
Tony Pearson is a an active participant in local, regional, and industry-specific interests, and does not receive any special payments to mention them on this blog.
Tony Pearson receives part of the revenue proceeds from sales of books he has authored listed in the side panel.
Tony Pearson is not a medical doctor, and this blog does not reference any IBM product or service that is intended for use in the diagnosis, treatment, cure, prevention or monitoring of a disease or medical condition, unless otherwise specified on individual posts.
I had attended this conference the past four years, but sadly will not be attending the one this year. If you are attending this conference for the first time, perhaps a quick look at my blog posts from last year will help you get oriented:
For the past three decades, IBM has offered security solutions to protect against unauthorized access. Let's take a look at three different approaches available today for the encryption of data.
Approach 1: Server-based
Server-based encryption has been around for a while. This can be implemented in the operating system itself, such as z/OS on the System z mainframe platform, or with an applicaiton, such as IBM Tivoli Storage Manager for backup and archive.
While this has the advantage that you can selectively encrypt individual files, data sets, or columns in databases, it has several drawbacks. First, you consume server resources to perform the encryption. Secondly, as I mention in the video above, if you only encrypt selected data, the data you forget to, or choose not to, encrypt may result in data exposure. Third, you have to manage your encryption keys on a server-by-server basis. Fourth, you need encryption capability in the operating system or application. And fifth, encrypting the data first will undermine any storage or network compression capability down-line.
Approach 2: Network-based
Network-based solutions perform the encryption between the server and the storage device. Last year, when I was in Auckland, New Zealand, I covered the IBM SAN32B-E4 switch in my presentation [Understanding IBM's Storage Encryption Options]. This switch receives data from the server, encrypts it, and sends it on down to the storage device.
This has several advantages over the server-based approach. First, we offload the server resources to the switch. Second, you can encrypt all the files on the volume. You can select which volumes get encrypted, so there is still the risk that you encrypt only some volumes, and not others, and accidently expose your data. Third, the SAN32B-E4 can centralized the encryption key management to the IBM Tivoli Key Lifecycle Manager (TKLM). This is also operating system and application agnostic. However, network-based encryption has the same problem of undermining any storage device compression capability, and often has a limit on the amount of data bandwidth it can process. The SAN32B-E4 can handle 48 GB/sec, with a turbo-mode option to double this to 96 GB/sec.
Approach 3: Device-based
Device-based solutions perform the encryption at the storage device itself. Back in 2006, IBM was the first to introduce this method on its [TS1120 tape drive]. Later, it was offered on Linear Tape Open (LTO-4) drives. IBM was also first to introduce Full Disk Encryption (FDE) on its IBM System Storage DS8000. See my blog post [1Q09 Disk Announcements] for details.
As with the network-based approach, the device-based method offloads server resources, allows you to encrypt all the files on each volume, can centrally manage all of your keys with TKLM, and is agnostic to operating system and application used. The device can compress the data first, then encrypt, resulting in fewer tape cartridges or less disk capacity consumed. IBM's device-based approach scales nicely. IBM has an encryption chip is placed in each tape drive or disk drive. No matter how many drives you have, you will have all the encryption horsepower you need to scale up.
Not all device-based solutions use an encryption chip per drive. Some of our competitors encrypt in the controller instead, which operates much like the network-based approach. As more and more disk drives are added to your storage system, the controller may get overwhelmed to perform the encryption.
The need for security grows every year. Enterprise Systems are Security-ready to protect your most mission critical application data.
Earlier this year, IBM mandated that every employee provided a laptop had to implement Full-Disk Encryption for their primary hard drive, and any other drive, internal or external, that contained sensitive information. An exception was granted to anyone who NEVER took their laptop out of the IBM building. At IBM Tucson, we have five buildings, so if you are in the habit of taking your laptop from one building to another, then encryption is required!
The need to secure the information on your laptop has existed ever since laptops were given to employees. In my blog post [Biggest Mistakes of 2006], I wrote the following:
"Laptops made the news this year in a variety of ways. #1 was exploding batteries, and #6 were the stolen laptops that exposed private personal information. Someone I know was listed in one of these stolen databases, so this last one hits close to home. Security is becoming a bigger issue now, and IBM was the first to deliver device-based encryption with the TS1120 enterprise tape drive."
Not surprisingly, IBM laptops are tracked and monitored. In my blog post [Using ILM to Save Trees], I wrote the following:
"Some assets might be declared a 'necessary evil' like laptops, but are tracked to the n'th degree to ensure they are not lost, stolen or taken out of the building. Other assets are declared "strategically important" but are readily discarded, or at least allowed to [walk out the door each evening]."
Unfortunately, dual-boot environments won't cut it for Full-Disk Encryption. For Windows users, IBM has chosen Pretty Good Privacy [PGP]. For Linux users, IBM has chosen Linux Unified Key Setup [LUKS]. PGP doesn't work with Linux, and LUKS doesn't work with Windows.
For those of us who may need access to both Operating Systems, we have to choose. Select one as the primary OS, and run the other as a guest virtual machine. I opted for Red Hat Enterprise Linux 6 as my primary, with LUKS encryption, and Linux KVM to run Windows as the guest.
I am not alone. While I chose the Linux method voluntarily, IBM has decided that 70,000 employees must also set up their systems this way, switching them from Windows to Linux by year end, but allowing them to run Windows as a KVM guest image if needed.
Let's take a look at the pros and cons:
LUKS allows for up to 8 passphrases, so you can give one to your boss, one to your admin assistant, and in the event they leave the company, you can disable their passphrase without impacting anyone else or having to memorize a new one. PGP on Windows supports only a single passphrase.
Linux is a rock-solid operating system. I found that Windows as a KVM guest runs better than running it natively in a dual-boot configuration.
Linux is more secure against viruses. Most viruses run only on Windows operating systems. The Windows guest is well isolated from the Linux operating system files. Recovering from an infected or corrupted Windows guest is merely re-cloning a new "raw" image file.
Linux has a vibrant community of support. I am very impressed that anytime I need help, I can find answers or assistance quickly from other Linux users. Linux is also supported by our help desk, although in my experience, not as well as the community offers.
Employees that work with multiple clients can have a separate Windows guest for each one, preventing any cross-contamination between systems.
Linux is different from Windows, and some learning curve may be required. Not everyone is happy with this change.
(I often joke that the only people who are comfortable with change are babies with soiled diapers and prisoners on death row!)
Implementation is a full re-install of Linux, followed by a fresh install of Windows.
Not all software required for our jobs at IBM runs on Linux, so a Windows guest VM is a necessity. If you thought Windows ran slowly on a fully-encrypted disk, imagine how much slower it runs as a VM guest with limited memory resources.
In theory, I could have tried the Windows/PGP method for a few weeks, then gone through the entire process to switch over to Linux/LUKS, and then draw my comparisons that way. Instead, I just chose the Linux/LUKS method, and am happy with my decision.
Today is my birthday. Another year around the sun.
Actually, there are several other famous people who have December 18 as their birthday as well. Rather than focusing on myself, I thought I would share the love with the others who share the same day. Here are a few of my favorite celebrities:
[Kari] is famous for her role on the TV show Mythbusters. While she still looks like she's in her twenties, I was surprised to learn that we are less than a decade apart in age! The show is credited with helping young students get excited for Science, Technology, Engineering and Math (STEM) topics.
Most recently, I watched her in the series covering [Punkin Chunkin], an annual contest where teams of engineers design machines to throw pumpkins the furthest across a large field. Some are able to propel the pumpkin over half a mile in distance!
[Steven] is famous for directing some of my favorite movies, including Close Encounters of the Third Kind, Jurassic Park, and Raiders of the Lost Ark and the rest of the Indiana Jones series. He won academy awards for his films Schindler's List and Saving Private Ryan.
[Christina] is singer/songwriter, and one of the judges on the TV show The Voice. I especially enjoyed her performance of her song "Reflection" in the Disney animated film Mulan.
[Ray] is famous for acting in a variety of movies, everything from a mobster in Goodfellas, to a baseball player in Field of Dreams. I immediately recognized his voice as one the characters in my favorite video game, Grand Theft Auto.
"Stone Cold" Steve Austin
While I am not a big fan of wrestling, I prefer to think of [Steve] in his roles in various action movies, including The Condemned, The Stranger, and The Expendables.
[Katie] is an actress in movies like Abandon and Batman Begins, but is more famous for having married, and then later divorced, Tom Cruise.
[Brad] is famous for acting in a variety of movies, including Seven, 12 Monkeys, and The Curious Case of Benjamin Button. For those who still don't fully understand "big data" analytics, I highly recommend the movie Moneyball, in which Brad plays the General Manager Billy Beane of the Oakland A's baseball team, during their wildly successful 2002 season.
While I have never met of these celebrities in person, I wish them all a happy birthday today!
Today is the last day of 2012, so it is only fitting to end the year looking forward to the future!
While I have been accused of being a historian, I consider myself a bit of a futurist. Since 2006, I have been blogging about the future of technology, including Cloud, Big Data, and the explosion of information. As a consultant for the IBM Executive Briefing Center, I present to clients IBM's future plans, strategies, and product roadmaps.
(Fellow blogger Mark Twomey on his Storagezilla blog has a humorous post titled [Stuff your Predictions], expressing his disdain for articles this time of year that predict what the next 12 months will bring. Don't worry, this is not one of those posts!)
What exactly is a futurist? Biologists study biology. Techologists study technology. But a person can't simply time-travel to the future, read the newspaper, make observations, take notes, and then go back in time to share his findings.
Here seem to be the key differences between Historians vs. Futurists:
There is only one past.
There are many possible futures.
Only six percent of humanity are alive today, so historians must study history through the writings, tools, and remains of those that have passed on.
Futurists study the past and the present, looking for patterns and trends.
Search for insight.
Search for foresight.
Framework to explain what happened and why.
Framework to express what is possible, probable, and perhaps even preferable.
A common framework for both is the concept of the various "Ages" that humanity has been through:
Around 200,000 years ago, in the middle of what archaeologists refer to as the [Paleolithic Era], man walked upright and used tools made of stone to hunt and gather food. Humans were nomadic and travelled in tribes to follow the herds of animals as they migrated season to season. The History Channel had a great eight-hour series called [Mankind: The Story of All of Us] that started here, and worked all the way up to modern times.
About 10,000 years ago, humans got tired of chasing after their meals, and settled down, growing their food instead. Grains like wheat, rice, and corn became staples of most diets around the world. Civilization evolved, and people traded what they grew or made in exchange for items they needed or wanted.
About 300 years ago, humans developed machines to help do things, and even to help build other machines. While farmers harnessed oxen to plow fields, and horses to speed up travel and communication, these were all based on muscle power.
Machines like the steam engine were powered by coal, petroleum, or natural gas. Today, one gallon of gasoline can do the work of 600 man-hours of human muscle power, or [move a ton of freight 400 miles].
Cities grew up with skyscrapers of steel, connected by trains, planes and automobiles. Communications with the telegraph, telephone, radio and television replaced sending message on horseback.
The forces that drove humanity to the Industrial age clashed with the culture and identity established during the Agricultural age. I highly recommend futurist Thomas Friedman's book [The Lexus and the Olive Tree] that covers these conflicts.
When exactly did the Information age begin? Did it start with Guttenberg's muscle-powered [Printing Press] in the year 1450, or the first punched card in 1725?
Futurist [Alvin Toffler] published his book The Third Wave in 1980. He coined the phrase "Third Wave" to describe the transition from the Industrial age to the Information age.
While IBM mainframes were processing information in the 1950's, many people associate the Information Age with the IBM Personal Computer (1981) or the World Wide Web (1991). Over 100 years ago, IBM started out in the Industrial age, with business machines like meat scales and cheese slicers. IBM led the charge into the Information Age, and continues that leadership today.
In any case, value went from atoms to bits. Computers and mobile devices transfer bits of data, information and ideas, from nearly anyplace on the planet to another, in seconds.
Ideas and content are now king, rather than land, buildings, machines and raw materials of the Industrial age. In 1975, less than 20 percent of a business assets were intangible. By 2005, over 80 percent is.
While the Industrial age was dominated by left-brain thinking, the Information Age requires the creativity of right-brain thinking. I highly recommend Daniel Pink's book, [A Whole New Mind] that covers this in detail.
"The future is already here -- it's just not very evenly distributed!" -- William Gibson (1993)
The problem with looking back through history as a series of "Ages" is that they really didn't start and end on specific days. The Agricultural age didn't end on a particular Sunday evening, with the Industrial age starting up the following Monday morning.
There are still people on the planet today in the Stone age. On my last visit to Kenya, I met a nomadic tribe that still lives this way. Huts were temporarily constructed from sticks and mud, and abandoned when it was time to move on.
A short-sighted charity built a one-room school house for them, hoping to convince the tribe that staying in one place for education was more important than hunting and gathering food in a nomadic lifestyle. Some stayed and starved.
In the United States, about 2 percent of Americans grow food for the rest of us, with enough left over to make ethanol and give food aid to other countries.
Sadly, the Standard American Diet continues to be foods mostly processed from wheat, rice and corn, even though our human genetic make-up has not yet evolved from a "Paleolithic" mix of [meats, nuts and berries].
There are still people on the planet today in the Industrial age. American schools are still geared to teach children for Industrial age jobs, but still take "summer vacation" to work in the fields of the Agricultural age? Seth Godin's book [Stop Stealing Dreams] is a great read on what we should do about this.