Managing operational risk by protecting valuable digital assets has become increasingly critical in modern enterprise information technology (IT) environments. In addition to achieving compliance with regulatory mandates and meeting industry standards for data confidentiality, IT organizations must also protect against potential litigation and liability following a reported breach.
In the context of data center fabric security, operators of Storage Area Networks (SANs) have desired fabric-based encryption services to secure data assets either selectively or on a comprehensive basis.
Most sensitive corporate data is stored in the data center, and the vast majority of data from critical applications resides in a SAN, enabling organizations to employ the intelligence of the storage fabric as a centralized framework in which to deploy, manage, and scale fabric-based data security solutions.
The storage fabric enables centralized management to support various aspects of the data center, from server environments and workstations to edge computing and backup environments, providing a place to standardize and consolidate a holistic data-at-rest security strategy. Organizations can also implement data-at-rest encryption in other parts of the data center, helping to protect data throughout the enterprise.
Most current industry solutions fall into one of three categories: host-based software encryption, device-embedded encryption, or edge encryption. All of these provide isolated services to specific applications but typically cannot scale across extended enterprise storage environments.
Some solutions have provided centralized encryption services that employ key repositories, such as those offered by several vendors. These key repositories can be considered specialized secure databases of the encryption keys used by the SAN for encrypting data at rest on the media controlled by the SAN. Each key stored by the key repository is associated with a key identifier that can be used to obtain the key from the key repository. The key identifier is typically chosen at random by software external to the key repository. But the performance and manageability of systems that employ key repositories have been less than desired, in part because of the need to maintain tables that associate encryption key identifiers with the media that is to be encrypted or decrypted.
In addition to the performance impact of first looking up the key identifier in these tables, the technique carries additional management costs. In SANs with multiple clusters of equipment, the lookup tables are typically stored in each cluster of the SAN and require careful management to keep the information stored in them consistent. Furthermore, data-at-rest encryption often employs rekeying techniques to avoid stale keys. In such systems it may be necessary to determine previous key generations, but because the key identifiers are randomly selected, determining previous-generation key identifiers is typically not straightforward.
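The following Python model illustrates the arrangement described above: a key repository that stores keys under identifiers chosen at random by external software, a per-cluster lookup table that maps each medium to its ordered key-identifier history, and a rekey operation that appends a new generation to that history. It is an added example, not code from the patent, the SAN vendor, or any key-repository product; the class and function names (`KeyRepository`, `MediaKeyTable`, `provision_key`, `key_for_media`, `table_divergence`) and the media identifier `lun-0001` are constructed for illustration. Because a random identifier carries no relation to the one it replaced, the previous generation can only be recovered from the table, and a cluster holding a stale copy of the table resolves the wrong key; `table_divergence` shows the consistency check such a deployment has to perform.

```python
import secrets
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Set


class KeyRepository:
    """Minimal model of an external key repository: it stores keys under
    identifiers chosen by the caller and hands them back on request."""

    def __init__(self) -> None:
        self._keys: Dict[str, bytes] = {}

    def store(self, key_id: str, key: bytes) -> None:
        if key_id in self._keys:
            raise ValueError(f"duplicate key identifier {key_id}")
        self._keys[key_id] = key

    def fetch(self, key_id: str) -> bytes:
        return self._keys[key_id]


@dataclass
class MediaKeyTable:
    """Per-cluster lookup table: media identifier -> key identifiers, oldest
    first. Because the identifiers are random, the generation history of a
    medium exists only in this table."""
    entries: Dict[str, List[str]] = field(default_factory=dict)

    def current_key_id(self, media_id: str) -> str:
        return self.entries[media_id][-1]

    def previous_key_id(self, media_id: str) -> Optional[str]:
        history = self.entries[media_id]
        return history[-2] if len(history) >= 2 else None

    def copy(self) -> "MediaKeyTable":
        return MediaKeyTable({m: list(h) for m, h in self.entries.items()})


def new_random_key_id() -> str:
    # Chosen by software outside the repository, at random: the identifier
    # carries no information about the medium or the key generation.
    return secrets.token_hex(16)


def provision_key(repo: KeyRepository, table: MediaKeyTable, media_id: str) -> str:
    """Create a fresh data-at-rest key for media_id and record its identifier.
    Called once on first use and again on every rekey."""
    key_id = new_random_key_id()
    repo.store(key_id, secrets.token_bytes(32))  # 256-bit data encryption key
    table.entries.setdefault(media_id, []).append(key_id)
    return key_id


def key_for_media(repo: KeyRepository, table: MediaKeyTable, media_id: str,
                  generations_back: int = 0) -> bytes:
    """Resolve medium -> key identifier -> key. generations_back=1 returns the
    key from the previous rekey, needed for blocks not yet re-encrypted."""
    history = table.entries[media_id]
    if generations_back >= len(history):
        raise LookupError(f"{media_id} has only {len(history)} generation(s)")
    return repo.fetch(history[-1 - generations_back])


def table_divergence(a: MediaKeyTable, b: MediaKeyTable) -> Set[str]:
    """Media whose key-identifier history differs between two cluster copies
    of the table; any entry here means one cluster resolves the wrong key."""
    media = set(a.entries) | set(b.entries)
    return {m for m in media if a.entries.get(m) != b.entries.get(m)}


def demo() -> dict:
    repo, table = KeyRepository(), MediaKeyTable()
    media = "lun-0001"  # constructed media identifier
    provision_key(repo, table, media)      # initial key generation
    stale_copy = table.copy()              # second cluster's copy, pre-rekey
    provision_key(repo, table, media)      # rekey: new key, new random id
    return {
        "generations": len(table.entries[media]),
        "current_differs_from_previous":
            key_for_media(repo, table, media) != key_for_media(repo, table, media, 1),
        "stale_cluster_resolves_old_key":
            stale_copy.current_key_id(media) == table.previous_key_id(media),
        "diverged_media": table_divergence(table, stale_copy),
    }


if __name__ == "__main__":
    print(demo())
```

Running `demo()` shows two generations for the medium, confirms that the current and previous keys differ, and reports that the cluster holding the stale table copy still points at the previous generation, which is exactly the consistency problem the paragraph above attributes to per-cluster lookup tables.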