Data security breaches and incidents are rising rapidly. One can gauge the increasing likelihood and scope of threats facing companies of all shapes and sizes with a simple glance at the following two charts:
Chart #1 shows that 2016 accounted for seven of the ten biggest data breaches ever.
Chart #2 shows that the number of breaches in the US jumped 4X from 2005 to 2015.
Not surprisingly, data security is the number one priority for a large majority of companies today.
While end-to-end data security is a vast and multi-dimensional subject, encryption of data within IT systems and software has come to be accepted as one of the critical components of a robust security policy.
So, how does data encryption help?
Managing security threats with data encryption
As recent breaches indicate, the key target for hackers is any and all sensitive data stored by the targeted company. It is critical, therefore, for data storage systems to prevent unauthorized data access under the following scenarios:
DATA EXPOSURE THREAT SCENARIOS
- Decommissioning or replacements of entire storage systems and/or drives.
- Transportation of storage systems from one site to another site.
- Physical theft of the entire storage system and/or drives.
- Sniffing of the network between the host and persistent storage.
So, if the threats are clearly understood and data encryption can protect against several of them, why aren’t all customers deploying encryption widely across their environments?
And, how does Datrium Blanket Encryption change that?
Datrium Blanket Encryption: Data Security Without Compromises.
Most storage array and hyper-converged vendors take the easy route to providing encryption capability – by using self-encrypting drives (SEDs). While this improves time to market for the vendor, this hardware-based solution forces customers into five major compromises.
Let’s understand these compromises and how Datrium DVX encryption mitigates them, in detail:
With SEDs, data is encrypted only after it reaches the drives. The transfers from host to host (in HCI) or from host to controllers (in arrays) are unencrypted. This leaves threat scenario #4 above unaddressed and exposes data in case of unauthorized physical access to the network within the data center.
The Datrium difference: DVX encryption is a 100% software-based solution that encrypts data “in-use”, “in-flight”, and “at-rest.” This is an industry-first for a converged data system.
Data is encrypted as soon as it’s ingested in host memory and stays encrypted during all subsequent transfers to the host flash and/or persistent data server (NetShelf).
Some readers might protest against our claim of the “first” in-flight encryption system, citing app-level or hypervisor-level encryption approaches, which also provide the ability to encrypt data in-flight. An example of this would be the newly announced VM encryption feature in vSphere 6.5. So what’s the catch? The keyword is data efficiency. In app- or hypervisor-based encryption, the data is effectively randomized by encryption before it can be fingerprinted or compressed. Thus, data reduction optimizations, whether for storage or for data transmission over the WAN, are lost, making this an expensive proposition.
The Datrium difference: Data is first fingerprinted, compressed and then encrypted in the host RAM before being written to the host flash or transmitted to the data server. This provides for a data security solution that is fully data efficient throughout the data lifecycle.
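To make the data-efficiency argument concrete, here is an added Python example (not Datrium code): it runs the same 32-block workload through both orders of operations and counts the bytes that end up stored. An HMAC-SHA256 counter-mode stream cipher stands in for AES-CTR, since the standard library has no AES, and the key and blocks are constructed for the demo.

```python
import hashlib
import hmac
import os
import zlib

# Constructed demo key; a real system would obtain it from a key management service.
KEY = os.urandom(32)


def ctr_encrypt(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Counter-mode stream encryption with HMAC-SHA256 as the PRF: a stdlib
    stand-in for AES-CTR (what AES-NI accelerates). XOR makes it its own inverse."""
    out = bytearray()
    for i in range(0, len(data), 32):
        keystream = hmac.new(key, nonce + i.to_bytes(8, "big"), hashlib.sha256).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], keystream))
    return bytes(out)


def encrypt_then_reduce(blocks):
    """App/hypervisor-level order: encrypt first, then the storage layer tries to
    fingerprint and compress. Fresh nonces turn identical plaintexts into unrelated
    ciphertexts, so neither dedup nor compression finds anything to save."""
    stored = {}
    for block in blocks:
        nonce = os.urandom(16)
        ciphertext = nonce + ctr_encrypt(KEY, nonce, block)
        fingerprint = hashlib.sha256(ciphertext).digest()  # hash of ciphertext
        stored.setdefault(fingerprint, zlib.compress(ciphertext))
    return sum(len(v) for v in stored.values())


def reduce_then_encrypt(blocks):
    """Order described in the post: fingerprint the plaintext, drop duplicates,
    compress each unique block, then encrypt it before it leaves host memory."""
    stored = {}
    for block in blocks:
        fingerprint = hashlib.sha256(block).digest()  # hash of plaintext
        if fingerprint in stored:
            continue  # duplicate: nothing new to store or transmit
        nonce = os.urandom(16)
        stored[fingerprint] = nonce + ctr_encrypt(KEY, nonce, zlib.compress(block))
    return sum(len(v) for v in stored.values())


def demo_blocks():
    """Constructed workload: 4 distinct, highly compressible 3584-byte blocks,
    each written 8 times (32 blocks, 114688 bytes of plaintext in total)."""
    return [(b"block%d " % i) * 512 for i in range(4)] * 8
```

With this workload, encrypt-first stores more than the raw plaintext (every copy is a distinct, incompressible ciphertext), while fingerprint-compress-encrypt stores less than a single plaintext block for all four unique blocks.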
SED-based systems come in restricted capacity points and need to be installed up-front for the solution to be fully secure. This makes enabling security highly inflexible and storage-centric rather than application-centric. Often customers are required to buy new storage systems with SEDs factory-installed, and undertake a time-consuming data migration if they wish to turn on encryption for a certain set of applications.
The Datrium difference: DVX encryption can be turned on/off at any time as desired by the customer. As a 100% software-based solution, customers have full hardware configuration freedom (including Bring Your Own Device (BYOD) economics) and don’t need to make any purchase choices upfront to have the flexibility of encryption at a later time.
Vendors that use SEDs cite minimal performance impact when encryption is turned on as an advantage. The thesis is that since the encryption is performed in the ASIC within the drive, there is no application performance impact. While the argument has theoretical merit, it applies only when software-based encryption is performed by the storage controllers in storage arrays. Storage controllers are scarce resources that perform all data services optimizations, and adding encryption to the mix can lead to major I/O bottlenecking.
Datrium’s Open Convergence architecture, however, takes a completely different approach and avoids the typical performance overheads of software-based encryption.
The Datrium difference: All data services (deduplication, compression, erasure coding, replication, snapshots and encryption) in the DVX scale in performance with hosts. This means that the task of encrypting data is shared equally across all hosts in the cluster, eliminating the controller-bound performance problems of software-based storage array approaches. In addition, Datrium leverages the AES-NI instruction set built into modern CPUs to further accelerate encryption/decryption operations. This server-powered, software-based approach virtually eliminates any performance impact of encryption.
Mandatory External Key Management
Most existing solutions require an external key management service in order for encryption to operate. While streamlining key management across heterogeneous systems is an important requirement for large companies, mandating one creates a barrier to encryption for the vast majority of other customers, who simply want to encrypt a targeted storage system.
The Datrium difference: DVX comes with an in-built key management service. Combined with a 100% software solution, customers get a seamless and cost-effective path towards data security. Everything they need to turn on encryption for their data is built-in. The internal key management service is quite feature rich and provides:
- key rotation (support security policy to change keys on a periodic basis)
- lockdown mode (an option that prompts for a passphrase upon a cold reboot before data can be accessed – useful during transportation or in case of full system theft)
- secure erase (wiping data so it cannot be accessed after part replacement/decommissioning).
The Bottom Line
Stop compromising on data security due to cost, flexibility, data efficiency, performance or residual security risks. Datrium DVX offers customers the most secure, efficient and simple data security solution available today. An end-to-end, always-on encryption solution is now a reality. Go deploy it! And, remember the passphrase!