by Trey Davis
Remember that scene in the movie Fight Club where the gang is causing all sorts of random mayhem? Ok, perhaps that’s a vast majority of the movie (I mean, come on, it’s called “Project Mayhem,” after all), but there’s one scene in particular that I always get a kick out of.
Being a “child of the 80s” (and into the 90s), growing up I often enjoyed regular trips to Blockbuster, where it was always exciting not only to rent a video game or two for the weekend, but also to find that a movie had just been released on video. On VHS. Cassette tape. Magnetic tape. We were not only constantly reminded to “Be Kind, Please Rewind” (and often charged a fee if we forgot to fully rewind our rentals before returning them), but also reminded of what could happen to a cassette tape if anything magnetized was brought near it.
I still chuckle at the sight of a VCR or VHS tape and can’t help but think of how much technology has changed. The same applies to our data. Even today, we steer clear of magnets near our hard drives, and in many cases we still send data to tape for long-term retention and for recovery in the event of a disaster.
In the ever-changing landscape of how data is created, managed, and stored, there remains a constant – security. More specifically, data encryption.
High-Profile Security Breaches
We are experiencing a rash of recent high-profile security breaches that began with the Target incident (which affected nearly 70 million consumers) and has seemingly snowballed since, with similar incidents being reported by eBay (145 million), JP Morgan Chase (76 million), Home Depot (56 million) and most recently Anthem (80 million, of which I am one of those personally affected). The discussion surrounding data security is becoming an increasingly scalding “hot topic” as we enter 2015, and is poised to remain so, not only as data becomes more and more an integral part of our everyday lives, but as such high-profile security breaches continue to make the daily headlines.
The reason I mention these recent incidents is that there is often a misconception regarding the difference between “security” and “encryption.” While these recent events fall into the category of security breaches, mostly involving back-end networking infrastructure or a clever “inside job,” it is extremely important to understand where encryption comes into play and how it may (or in some cases may not) have affected the severity of these high-profile breaches.
Encryption vs. Security
With the focus on recent high-profile breaches, an increased emphasis has been placed on what circumstances allowed such incidents to happen in the first place. When an individual is determined to gain unauthorized access to an environment with the intent to steal sensitive data, they are often able to do so by exploiting known holes in software or a lackluster level of network security. While many solutions are available to detect unauthorized access (e.g., intrusion detection and prevention), additional steps can (and should) be taken to protect sensitive data, both in the event of a security breach and even in the absence of one.
The actual encryption of data adds a layer of protection to an environment: even if a breach occurs, the data may still be inaccessible to unauthorized parties because they are unable to circumvent the encryption mechanism being leveraged.
How difficult it is to circumvent that encryption depends entirely on the method implemented for a given use case.
Types of Encryption
The types of data encryption used vary with the specific use case: the requirement may call for encrypting a single file or an email, a user’s laptop hard drive, an entire storage array within a datacenter, or data while it is being transmitted from “point A” to “point B” over a network. The following high-level breakdown covers the differing types of encryption a customer can use; a single method may meet all of their needs and satisfy their specific requirements, or a combination of the different methods may be needed.
File Level Encryption
One of the more easily implemented and most common types of encryption, file-level encryption, can be achieved by using built-in features of many applications in use today. This includes a password that a user applies to a specific file to prevent unauthorized access by unintended parties.
As seen in most environments with heavy use of applications such as the Microsoft Office suite, PDF files and compressed package files (such as ZIP, RAR and TAR), a user simply provides a password that restricts access to the file until it is opened by the intended party, who also has the password. Being the simplest form of encryption, it is also the least secure, in that passwords can easily be cracked by a variety of freely available methods. Furthermore, a certain level of risk is involved: a password may be lost, forgotten or intercepted.
Disk Level Encryption
Typically seen in instances such as a single user’s computer, or items such as USB keys and external portable hard drives, disk-level encryption takes file-level encryption a step further and eliminates the need for user-initiated processes to protect the data stored on the device. This is often found in solution offerings such as Microsoft BitLocker, FileVault and TrueCrypt.
Disk-level encryption is a great method of protecting data in the event of accidental loss or intentional theft, since this encryption method often operates at a much lower level to prevent access to data. By requiring a password, passphrase, PIN or pattern when a computer is initially powered on, or when a device such as a USB key or portable hard drive is connected, access to that particular volume or partition is blocked until the user has been granted access.
This method of encryption is becoming more widely adopted throughout many organizations, regardless of size, due to the seemingly transparent way the encryption process functions behind the scenes. The user doesn’t have to change their daily habits to ensure the process is working, and IT staff can usually sleep a little better at night, even when that call comes in that a laptop has been lost or stolen.
While disk-level encryption may seem like a more practical approach to securing data, it can also be used in conjunction with file-level encryption methods for an added layer of protection. Often this combination of encryption methodologies is more than sufficient to meet the needs of some organizations and personal use cases.
Enterprise Disk Encryption
More complex and large-scale encryption of data at the enterprise level is currently the method with the quickest rate of adoption. Often referred to as “data at rest” encryption, it has become one of the most secure, financially viable options for many IT organizations to implement when weighing the costs and risk vs. reward.
Enterprise-level disk encryption is accomplished by leveraging a storage solution from a manufacturer that offers individually encrypted disks within their platforms. These are most often managed either with native tools built into the platform OS, or with an external physical or virtual appliance that acts as the management interface for the individual encrypted drives in the storage array itself. This “key manager” approach removes much of the complexity of managing the large number of individual encryption keys that would otherwise exist in a given environment.
More and more storage manufacturers, such as NetApp (with their SafeNet KeySecure solution), are adopting full disk encryption offerings and are even making the move to set it as the standard for new platforms released as part of their product portfolios. Many of these offerings also extend to the encryption of data sent to backup devices, such as tape libraries, for long-term data archival. Currently with NetApp, for example, you can leverage the NSE (NetApp Storage Encryption) option for disks in an array and front it with the SafeNet KeySecure solution to manage the encryption keys across all media. In the NetApp E-Series platform, NSE disks are also an option and can be managed via native features within the SANtricity OS.
While this is the most rapidly adopted type of encryption solution, there are caveats that can sometimes lead IT organizations to shy away from a particular solution. For example, data is protected from unauthorized access if a drive is removed from an array (or if a breach is attempted and the data is wiped, or the like), but it can still be accessed from within: anyone with console access to the storage array, or with access to a computer inside the environment, can still compromise the data. This is usually prevented, however, by additional external measures already deployed to prevent unauthorized computer, network and physical building access. The biggest benefit of large-scale “data at rest” encryption solutions is the ability to encrypt larger amounts of data, which may span multiple datacenters, and to very quickly meet strict guidelines (set by either internal company policy or regulatory requirements). Whether a “data at rest” encryption solution is in place is becoming one of the questions customers ask as they explore the prospect of doing business with an organization that houses sensitive data.
Even when an enterprise-level disk encryption solution is implemented, file-level and individual disk-level encryption methods are still available for use and, in these cases, are often seen as mandatory, further aiding the enterprise’s ability to achieve greater levels of data security.
Network Level Encryption
With a nickname similar to that of enterprise disk-level encryption, network-based data encryption is more commonly referred to as “data in flight” encryption. When examining encryption methods such as enterprise-level disk encryption at the storage array, a key component is usually found to be missing when data is replicated from one point to another, such as from a production datacenter to a site for disaster recovery/business continuity purposes. While the data is encrypted “at rest” at each end by the solution employed on the storage array, the risk of data exposure still exists while the data itself is being replicated over a network link (either LAN or WAN).
To combat this risk of data exposure, “data in flight” encryption mechanisms can be utilized to protect the data while it is in transit from its source to its destination. This method of encryption is offered by the larger network and SAN switching industry leaders, such as Cisco and Brocade, where data traffic can be encrypted across an entire fabric (at the switch layer itself) or by a physical appliance that “wraps” the data with an encryption key as it leaves its source, transmits it to its destination, and decrypts it as it is written to disk. Alternatively, storage adapter manufacturers such as Emulex and QLogic offer solutions that encrypt data as it traverses an individual host bus adapter (HBA), even when in use locally within a datacenter.
Additionally, there are specific solutions for NAS-based Ethernet storage environments, such as the SafeNet StorageSecure solution provided by NetApp. Similar to the SafeNet KeySecure solution for “data at rest” encryption, a physical appliance is deployed to encrypt data over both 1 Gb and 10 Gb Ethernet networks; if a SafeNet appliance is already deployed in the environment, SafeNet StorageSecure integrates seamlessly with it to form a cohesive architecture that encrypts both “data at rest” and “data in flight.”
As with enterprise-level disk-based encryption solutions, the use of a consistent key manager-type appliance is vital to the operation of the encryption mechanism. Many organizations will look at deploying a combination of a proven enterprise-level disk-based encryption solution for “data at rest” and a similarly proven network encryption solution for “data in flight,” resulting in a very robust, rock-solid foundation for data encryption.
Ultimately, with the ever-changing landscape of technology, our habits around how we use data, and the malicious means by which data can be intercepted and used against us, there is never a complete, 100% guaranteed way to protect against unauthorized access. The goal should always be to evaluate what options are available to you as an organization and pick the solution, or combination of solutions, that is the best fit. Factors that could play into this decision include the up-front capital expenditure to implement the solution, the operational expenditure to manage the solution, and the level of risk your organization is willing to accept in regards to data being compromised.
To further fuel the emerging trend of encryption adoption, many larger organizations, such as law firms, financial institutions and healthcare providers, are being driven by customers and, in some cases, even required to prove that their data is encrypted before a customer will do business with them. As the IT landscape continues to evolve and the business market becomes more and more competitive, data encryption is set to rapidly emerge from the shadows, breaking away from its classification as an industry buzzword, and become the de facto standard for how data is protected in every IT environment, regardless of size or complexity.
The cost we used to incur for not rewinding a VHS tape when we returned it to the local video store might have seemed like a nuisance, and perhaps even petty in the grand scheme of things, but the cost that companies are incurring when data is compromised is definitely no laughing matter.
Bookmark iVision.com for future posts that will dive deeper into the various, underlying algorithms and mechanisms that make encryption work, as well as some of the emerging trends that are poised to disrupt the entire encryption landscape.