Managing operational risk by protecting valuable digital assets has become increasingly critical in modern enterprise information technology (IT) environments. In addition to achieving compliance with regulatory mandates and meeting industry standards for data confidentiality, IT organizations must also protect against potential litigation and liability following a reported breach.
In the context of data center fabric security, operators of Storage Area Networks (SANs) have desired fabric-based encryption services to secure data assets either selectively or on a comprehensive basis.
Most sensitive corporate data is stored in the data center, and the vast majority of data from critical applications resides in a SAN, enabling organizations to employ the intelligence of the storage fabric as a centralized framework in which to deploy, manage, and scale fabric-based data security solutions.
The storage fabric enables centralized management to support various aspects of the data center, from server environments and workstations to edge computing and backup environments, providing a place to standardize and consolidate a holistic data-at-rest security strategy. Organizations can also implement data-at-rest encryption in other parts of the data center, helping to protect data throughout the enterprise.
Most current industry solutions include either host-based software encryption, device-embedded encryption, or edge encryption, all of which provide isolated services to specific applications but typically cannot scale across extended enterprise storage environments.
Some solutions have provided centralized encryption services that employ key repositories such as provided by several vendors. These key repositories can be considered specialized secure databases of the encryption keys used by the SAN for encrypting data at rest on the media controlled by the SAN. Each key stored by the key repository is associated with a key identifier (keyID) that can be used to obtain the key from the key repository.
In addition, operators of SANs have a need from time to time to move customer data from one logical unit (LUN) to another. If the data being moved is encrypted, operators have desired a way of keeping track of the keyID corresponding to that LUN, without the expense and performance impacts of an external database associating keyIDs with LUNs, which would increase I/O costs and also increase risks of data inconsistencies should the bookkeeping necessary to keep the external database accurate fail.