Storage Soup

Jan 2 2014   11:19AM GMT

The truth about encryption

Randy Kerns Randy Kerns Profile: Randy Kerns

When talking to IT professionals about encryption, I often notice a lack of understanding about information security. It often comes as a surprise that encryption inside of a disk storage system only protects data when someone steals the disk drives out of the system and removes them from the data center.

The main motivation for IT to encrypt data is to meet regulatory requirements. Information such as protected healthcare data (think of patient medical records) must be encrypted because of laws or internal policies. This leads to using storage systems that encrypt the data on the devices in case someone steals the disks and has the skills and perseverance to put the data back together from the different pieces in a RAID group and storage pool.

Without company or regulatory requirements, I do not see wide-scale use of encryption. But if you are looking to encrypt, there are several issues to address.

When encrypting in the disk system, using self-encrypting drives is easy, there is no apparent performance hit and the extra cost is minor. Storage systems that encrypt in the controller are believed to have a performance impact because they use controller processor cycles. In truth, the performance impact varies greatly depending on the implementation.

Another concern regarding encryption within a storage system is the management of keys used to encrypt and decrypt data. Key management within a storage system is transparent to the IT administration. However, exporting keys to an external key manager adds complexity and bureaucracy. The extra complexity is not worth the bother considering how unlikely it is that a disk drive will be stolen from a storage system inside of a data center.

From an information management perspective, encrypting data in the storage system may give a false sense of information protection. The limited scope of the protection may not be clear when someone claims that their data is encrypted. The reality is that the information should be secured at the application level (encryption as part of the application access/creation). The access and identity control are the most important parts. Encrypting data in disk systems is no protection for someone using the application or getting unauthorized access through a server connected to a storage system

(Randy Kerns is Senior Strategist at Evaluator Group, an IT analyst firm).

 Comment on this Post

 
There was an error processing your information. Please try again later.
Thanks. We'll let you know when a new response is added.
Send me notifications when other members comment.

REGISTER or login:

Forgot Password?
By submitting you agree to receive email from TechTarget and its partners. If you reside outside of the United States, you consent to having your personal data transferred to and processed in the United States. Privacy

Forgot Password

No problem! Submit your e-mail address below. We'll send you an e-mail containing your password.

Your password has been sent to: