Managing operational risk by protecting valuable digital assets has become increasingly critical in modern enterprise information technology (IT) environments. In addition to achieving compliance with regulatory mandates and meeting industry standards for data confidentiality, IT organizations must also protect against potential litigation and liability following a reported breach.
In the context of data center fabric security, operators of Storage Area Networks (SANs) have desired fabric-based encryption services to secure data assets either selectively or on a comprehensive basis.
Most sensitive corporate data is stored in the data center, and the vast majority of data from critical applications resides in a SAN, enabling organizations to employ the intelligence of the storage fabric as a centralized framework in which to deploy, manage, and scale fabric-based data security solutions.
The storage fabric enables centralized management to support various aspects of the data center, from server environments and workstations to edge computing and backup environments, providing a place to standardize and consolidate a holistic data-at-rest security strategy. Organizations can also implement data-at-rest encryption in other parts of the data center, helping to protect data throughout the enterprise.
Most current industry solutions include either host-based software encryption, device-embedded encryption, or edge encryption, all of which provide isolated services to specific applications but typically cannot scale across extended enterprise storage environments.
Some solutions have provided centralized encryption services that employ key repositories such as provided by several vendors. These key repositories can be considered specialized secure databases of the encryption keys used by the SAN for encrypting data at rest on the media controlled by the SAN. Each key stored by the key repository is associated with a key identifier that can be used to obtain the key from the key repository. The key identifier is typically generated/chosen either by the key repository or by the encryption device/software externally to the key repository.
Generally SANs are formed so that redundant paths are available from the host devices to the storage devices. Host bus adaptors (HBAs) generally have two ports for this purpose. Thus, packets can exit either port and reach the storage device through either of two paths. This is referred to multipath I/O. However, when encryption capabilities are added to the SAN this multipath I/O can complicate encryption setup and management. Even though both paths will end up at the same logical unit (LUN) in the same storage unit, two different paths are used and different worldwide names (WWNs) are present at each end of each path. This creates problems when using encryption because encryption keys are associated with the WWNS of the ports. If not properly coordinated, data loss can occur because of mismatched keys or even encryption policies.
One purpose of a SAN is to allow multiple hosts to access the same storage unit and LUN. When encryption is provided for the LUN, this is a further source of possible errors. As above, different WWNs will be present at least at the host end, so the potential for different encryption policies or keys is present, much as in the multipath I/O case mentioned above.
It would be desirable to provide tools to simplify management of encrypted LUNs so that the chance of data corruption is minimized.