Cisco MDS 9000 Intelligent Fabric Applications

Cisco Storage Media Encryption: Meet the Security Challenge

The Challenge of Data Security in Today's Data Center

Recent news headlines about loss of sensitive data and looming deadlines for compliance with stringent regulations have raised security concerns about data at rest in the data center storage environment. These concerns include theft of disk drives, loss of backup tapes during transport, and security breaches from inside firewalls. Pervasive adoption of storage and network consolidation in data centers has helped reduce capital and operating expenses, but it has also increased the risk of exposing many terabytes of clear-text information (Figure 1).

Figure 1. Securing Data at Rest: A Requirement, Not an Option

Further security risks arise from replication of data to remote sites and transportation of storage media offsite for compliance, outsourcing, and disaster-recovery programs. With every copy of data, organizations create additional access points, increasing the risk of security breaches.
Research on security breaches indicates that many organizations spend more than US$90 per lost customer record for credit-reporting services, notification costs, and legal expenses. If encryption technology were used to help protect the data at rest, the cost of handling these breaches would decrease dramatically, to an estimated US$6 per customer record.
In response to these trends, high-profile security breaches, and identity theft, governments around the world have enacted strict security regulations such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, Basel II, European Privacy Directive, and California Senate Bill 1386. These regulations mandate the privacy and integrity of sensitive customer and corporate data and require countermeasures to protect against internal and external threats.
To address these security concerns and government regulations related to safeguarding of data at rest, an encryption solution is needed that transparently encrypts data inside the storage environment without slowing or disrupting business-critical applications.

Innovative Cisco Solution: Integrating Encryption of Data at Rest

Many performance-critical computer system functions, such as encryption of data on the link and at rest, can benefit from being deployed and managed as part of a computer network. Benefits include high availability, scalable performance with low latency, and simplified load balancing through network traffic management. Recognizing these benefits, Cisco developed the Cisco® MDS 9000 Family of intelligent directors and fabric switches to provide an open, standards-based platform for hosting intelligent fabric applications and services.
The Cisco MDS 9000 Family provides all the essential features needed to deliver secure, highly available, enterprise-class Fibre Channel SAN fabric services. Cisco is integrating encryption of data at rest as a transparent fabric service to take full advantage of this platform. Cisco Storage Media Encryption (SME) is a heterogeneous, standards-based encryption solution for data at rest, with comprehensive built-in key-management features. Cisco SME is managed through Cisco Fabric Manager and a command-line interface (CLI) for unified SAN management and security provisioning.
Cisco is committed to development and use of protocol and technology standards. Cisco actively participates in International Committee for Information Technology Standards (INCITS) T10 and T11 committees, IEEE standards such as P1619, and industry initiatives related to encryption-key management such as the Key Management Interoperability Protocol (KMIP). These and other standards are being used by Cisco SME to deliver a robust solution based on industry standards.
Cisco is also actively working with strategic partners to integrate Cisco SME into the data center software ecosystem. Through API-level integration, Cisco SME accommodates enterprise-class key management for exceptionally secure and reliable corporationwide solutions that reduce operating expenses.

Benefits of the Cisco Solution

Customers seeking heterogeneous encryption of data at rest have chosen Fibre Channel SAN-based solutions to preserve their investment in existing storage devices, achieve high throughput, and simplify management. Deployment of SAN-based solutions has been challenging because existing solutions are added on to, rather than deeply integrated into, the network as part of a mainstream, industry-leading SAN switch.
The Cisco SME solution is a comprehensive network-integrated encryption service with complete key management that works transparently with existing and new SANs (Figure 2).

Figure 2. Secure, Integrated Encryption of Data at Rest

The innovative Cisco network-integrated solution has numerous advantages over competitive solutions available today:

• Cisco SME installation and provisioning are both simple and nondisruptive. Unlike other solutions, Cisco SME does not require rewiring or SAN reconfiguration.

• Encryption engines are integrated into Fibre Channel switching modules, eliminating the need to purchase and manage additional switch ports, cables, and appliances.

• Traffic from any virtual SAN (VSAN) can be encrypted using Cisco SME, enabling flexible, automated load balancing across multiple SANs.

• No additional software is required for provisioning, key management, or user-role management; these management functions are integrated into Cisco Fabric Manager, reducing operating expenses.

• The multipurpose hardware used by Cisco SME can be shared or used by other network services or applications, providing solid investment protection.

Simplified Deployment

The Cisco SME solution is fully integrated into the industry-leading Cisco MDS 9000 Family switches, greatly simplifying installation and day-to-day operations. To deploy this feature on SAN fabrics containing Cisco MDS 9500 Series Multilayer Directors and MDS 9200 Series Multilayer Fabric Switches, customers simply need to insert modules that include encryption engines, verify that the software with Cisco SME support is installed, and enable the feature with a license.
Using standard Cisco MDS 9000 Family software features, such as role-based access control (RBAC) and Cisco Fabric Manager, customers can immediately secure access and start provisioning encryption services using Cisco SME. Deployment time is greatly reduced compared to the time needed for other SAN-based solutions, because SAN fabric rewiring and reconfiguration are not required, eliminating associated network disruption and downtime.

Available Since 2007

Network-based encryption technology is a core area in which Cisco continues to innovate. Cisco SME has been available since 2007 and has been widely deployed in customer data centers. Cisco continues to evolve the Cisco SME feature set and interoperability matrix. Cisco SME supports encryption of heterogeneous tape drives and virtual tape libraries, advanced key management solutions, and scalable platforms. Encryption of disk data is planned for the second phase.

For More Information

To learn more about Cisco storage solutions for the data center, visit http://www.cisco.com/go/datacenter.