Organizations have many options for securing data at rest, including authentication controls, logical separation, physical security, and encryption of information. Although each option has advantages and disadvantages, when extremely large amounts of data are involved, encryption can provide the most workable solution. Encryption of data, as is well known, involves converting data to an unintelligible form called ciphertext, which cannot be read unless a key is used to decrypt the data (in some types of encryption the same key also is used to encrypt the data). Encryption also can be an important way to protect data at rest in other situations, including the electronic and physical movement of data for backup, data recovery, and/or maintenance. In addition, encryption helps to limit exposure to security breaches, so even if someone is able to access the storage media, the data is still protected to prevent unauthorized access to sensitive information on the storage media.
The best place to implement encryption in a computer system, especially a networked or enterprise computer system, can vary depending on the use case and/or the customer. For example, in an enterprise-level computer system, encryption can be provided at the application level, the host or operating system level, within the network, and/or at the level where the physical device resides.
Encrypting at the application level allows for a significant amount of control over the encryption process, because application users can dictate how to classify information, who can access it, and when. In addition, application level encryption allows for granular, specific information to be secured as it leaves the application. However, encrypting at the application level has several disadvantages. For example, one disadvantage of application based encryption is that it requires modification of the application, which can be costly, time consuming, and difficult to implement, especially if lots of legacy data that needs to be encrypted is involved.
Another disadvantage is that application-based encryption does not take into account the impact of the encryption it provides on replicated data (especially backed up or mirrored data, data stored for disaster recovery purposes, etc.). This makes some use cases of replication more difficult. For example, data that is written by one application and encrypted cannot be used by another application without the first application also decrypting the data or providing a consistent encryption/key management interface for applications to share data. Also, for Disaster Recovery, an application may have to be configured to use the same key(s) on both sites, resulting in an extra management step
Network-based encryption may be appropriate when network or storage level threats are a concern to the organization, and network-based encryption offloads the cost of encryption from the host. Here, a network appliance can be used to present an unencrypted side and an encrypted side to the network. Network-based encryption also presents challenges when coupled with storage-based functionality such as replication. In particular, network-level encryption doesn't take into account its impact on replicated data. Any locally replicated information in storage (e.g., a mirror or clone) does not have visibility into the network device management and the keys, and the network device does not have visibility into the replication process. Key management can become more complex and require more manual intervention, as well as coordination between the security and storage domains, which is time consuming and more expensive.
Encryption done where the physical device resides, such as encryption on intelligent arrays, includes encryption of storage media such as arrays, disks, or tapes, which protects sensitive information residing on the storage media. Data written to the physical device is encrypted and stored as such and is decrypted when read from the device. Encryption done where the physical device resides is application and host independent and can be transport-independent, as well. This type of encryption can be advantageous when theft of the storage media is a concern. However, because data is decrypted immediately off the storage media when accessed, security breaches can occur throughout the network, on the host and at the application. Keys can be acquired at the disk or tape level.
Organizations have sometimes been reluctant to deploy encryption of data at rest for various reasons. Some reasons include the complexity of managing many keys, the need to add extra steps to existing processes for data storage (which can be difficult and time consuming, especially if existing management scripts for replication need to be modified), the expense, the time, and (for some implementations), the need to add one or more appliances to a network. Other issues with deployment of encryption include management complexity (the cost and complexity associated with deploying and managing multiple encryption technologies and key manager); scalability across an enterprise (many “point' solutions for encryption do not scale across application types or infrastructure elements) and disruption to service levels (installing encryption technologies and appliances may require a network outage and/or reconfiguration).
Encrypting in the host below the applications (or encrypting in the network or encrypting on the array) is simpler to deploy than techniques such as application level encryption, because applications don't have to be modified and the same encryption deployment can benefit multiple applications. Other advantages include that implementation can be immediate and non-disruptive, requiring no application or hardware modifications. Host-based encryption involves encrypting information on host-based systems, and host-based encryption can be used to encrypt data on the host, before the data is sent to the storage systems. Host-based encryption can be done in software using host processing resources and encryption keys stored in host memory. Alternatively, the host can be configured to offload encryption to specialized hardware. For example, a host bus adaptor (HBA) resident on the host can dedicate encryption to a particular transport connection from the host, such as Fibre Channel.
With host-based encryption, encryption can be performed at the file level for all applications running on a host. In some instances, implementations of host-based encryption can be implemented to encrypt any data leaving the host as files, blocks, or objects. For example, a host-based implementation operating on a logical unit, at the block level can be implemented by providing the encryption as part of an operating system (OS) independent input/output (I/O) filter system with I/O filter driver, such as is done with the EMC POWERPATH ENCRYPTION with RSA product, available from EMC Corporation of Hopkinton, Mass.
If the encryption is implemented using an OS independent I/O filter system (including, an I/O filter driver) running on a host, as is described for at least some embodiments herein, the host-based encryption can support multiple operating systems running on enterprise servers or across a domain. Another advantage is that this type of host-based encryption can be storage and array independent, for example, to support legacy storage systems without requiring new hardware. Still another advantage is that host-based encryption can support multiple applications and multiple arrays.