Recent news headlines about loss of sensitive data and looming deadlines for compliance with stringent regulations have raised security concerns about data at rest in the data center storage environment. These concerns include theft of disk drives, loss of backup tapes during transport, and security breaches originating inside the firewall. Pervasive adoption of storage and network consolidation in data centers has helped reduce capital and operating expenses, but it has also concentrated many terabytes of cleartext information in a single environment, increasing the exposure if that environment is compromised (Figure 1).
Figure 1. Securing Data at Rest: A Requirement, Not an Option
Further security risks arise from replication of data to remote sites and transportation of storage media offsite for compliance, outsourcing, and disaster recovery programs. With every copy of data, organizations create additional access points, increasing the risk of security breaches.
Research on security breaches indicates that many organizations spend more than US$90 per lost customer record on credit reporting services, notification costs, and legal expenses. If encryption technology were used to help protect the data at rest, the cost of handling these breaches would decrease dramatically, to an estimated US$6 per customer record. The difference reflects two facts: a lost or stolen encrypted medium exposes no usable information as long as the key was not lost with it, and breach-notification laws such as California Senate Bill 1386 generally do not require notification when the compromised data was encrypted.
In response to these trends, high-profile security breaches, and identity theft, governments and regulators across the globe have introduced strict requirements such as the Health Insurance Portability and Accountability Act (HIPAA), Sarbanes-Oxley, Basel II, the European Privacy Directive, and California state law Senate Bill 1386. These regulations mandate the privacy and integrity of sensitive customer and corporate data and require countermeasures against both internal and external threats.
To address these security concerns and government regulations on safeguarding data at rest, an encryption solution is needed that transparently encrypts data inside the storage environment without slowing or disrupting business critical applications.
Integrating Encryption of Data at Rest
Many performance-critical computer system functions, such as encryption of data on the link and at rest, can benefit from being deployed and managed as part of a computer network. Benefits include high availability, scalable performance with low latency, and simplified load balancing through network traffic management. Recognizing these benefits, Cisco® developed the Cisco MDS 9000 family of intelligent directors and fabric switches to provide an open, standards-based platform for hosting intelligent fabric applications and services.
As a platform, the Cisco MDS 9000 family switches provide all essential features required to deliver secure, highly available, enterprise-class Fibre Channel storage area network (SAN) fabric services. Cisco is integrating encryption for data at rest as a transparent fabric service to take full advantage of this platform. Cisco Storage Media Encryption (SME) will be a heterogeneous, standards-based encryption solution for data at rest with comprehensive built-in key-management features. Cisco SME will be managed with Cisco Fabric Manager and a command-line interface (CLI) for unified SAN management and security provisioning.
Cisco is committed to the development and use of protocol and technology standards. Cisco actively participates in the International Committee for Information Technology Standards (INCITS) T10 and T11 committees, in Institute of Electrical and Electronics Engineers (IEEE) standards work such as the P1619 family of storage encryption standards (P1619 for disk and P1619.1 for tape), and in industry initiatives relating to encryption-key management. These and other standards are being used by Cisco SME to deliver a robust solution based on industry standards rather than proprietary formats.
In addition to standards, Cisco is actively working with strategic partners to integrate Cisco SME within the data center software ecosystem. Through API-level integration, Cisco SME will accommodate enterprise-class key management for exceptionally secure and reliable corporationwide solutions that lower operating expenses.
Innovative Cisco Solution
Customers seeking heterogeneous encryption of data at rest have chosen Fibre Channel SAN-based solutions to preserve their investment in existing storage devices, achieve high throughput, and simplify management. Deployment of SAN-based solutions has been challenging, because existing solutions are added on to rather than deeply integrated into the network as part of a mainstream, industry-leading SAN switch.
Figure 2. Secure, Integrated Encryption of Data at Rest
The Cisco SME solution is a comprehensive network-integrated encryption service with complete key management that works transparently with existing and new SANs (Figure 2). The innovative Cisco network-integrated solution has numerous advantages over competitive solutions available today:
• Cisco SME installation and provisioning are both simple and nondisruptive. Unlike other solutions, Cisco SME does not require rewiring or SAN reconfiguration.
• Encryption engines are integrated on Fibre Channel switching modules, eliminating the need to purchase and manage extra switch ports, cables, and appliances.
• Traffic from any virtual SAN (VSAN) can be encrypted using Cisco SME, enabling flexible, automated load balancing across multiple SANs.
• No additional software is required for provisioning, key management, and user role management; these functions are integrated into Cisco Fabric Manager, reducing operating expenses.
• The multipurpose hardware used by Cisco SME can be shared or used for other network services or applications, providing solid investment protection.
Simplified Deployment
The Cisco SME solution is fully integrated into the industry-leading Cisco MDS 9000 family switches, greatly simplifying installation and day-to-day operations. To deploy this feature on SAN fabrics containing Cisco MDS 9500 Series Multilayer Directors and MDS 9200 Series Multilayer Fabric Switches, customers simply need to insert modules that include encryption engines, verify that the software with Cisco SME support is installed, and enable the feature with a license.
Using standard Cisco MDS 9000 software features, such as role-based access control (RBAC) and the Cisco Fabric Manager, customers can immediately secure access and start provisioning encryption services using Cisco SME. Deployment time is greatly reduced compared to other SAN-based solutions, because SAN fabric rewiring and reconfiguration are not required, eliminating associated network disruption and downtime.
Available in 2007
Network-based encryption technology is a core area where Cisco continues to innovate. Cisco plans for the Cisco SME feature set and interoperability matrix to expand rapidly over the next year to facilitate widespread deployment. Support for encryption of heterogeneous tape drives and virtual tape libraries will be included in the initial release of Cisco SME. First shipments to Cisco customers are planned for the third quarter of calendar year 2007. Encryption of disk data is planned for the second release.