Data Protection: Encryption
Data-at-rest encryption solutions come in different flavors and approaches. They can operate at the infrastructure level (e.g., assorted types of bulk encryption) or at the application level (e.g., database cell encryption or tokenization), and they can be implemented in hardware or in software.
VCE Vblock® Systems focus on infrastructure-level encryption solutions for storage Data-at-rest requirements. An encryption solution can be purchased with select Vblock Systems as a hardware-based option, or encryption can be added post-purchase through the use of software.
A complete storage encryption solution, at a minimum, consists of three components: a key manager issuing and maintaining cryptographic keys, an administration interface for operational management, and an encryptor performing the actual encryption of data. Depending on the offering, these elements may be hardware or software. When choosing a cryptosystem for a converged infrastructure environment, there are two important considerations:
- Level of granularity: finer granularity brings flexibility, but also potential complexity in key management and administration.
- Industry certification requirements, such as FIPS 140-2 (relevant to both the key manager and the encryptor).
On top of “mechanics of encryption” differentiators, the management models, key allocation, upstream and downstream integrations, and the level of effort for ongoing administration also impact technical product selection. Based on feedback from customers, VCE has identified a number of use cases as being of particular interest. These use cases should not be viewed as exclusive; it is not uncommon for two or more to apply to any customer.
- Compliance: Motivated by statutory or industry compliance requirements, such as PCI, HIPAA, FISMA, and the EU Data Protection Directive.
- Control over media: Motivated by concerns about others gaining control over media, such as hard drives in transit or failed-but-not-destroyed drives. Destroying the key renders the data on such media unreadable, which is why this use case is also sometimes referred to as “crypto-shred.”
- Multi-tenancy / multiple-trust zones: End customers, business units, or layers in complex applications sharing an infrastructure sometimes require a high degree of assurance regarding the separation of data.
- Protection from espionage: Motivated by concerns about well-resourced entities hunting specific data, perhaps the company’s own intellectual property, or perhaps client data. Encryption is likely to be one component among an array of controls protecting the information.
The VCE™ Select Program includes products from investor companies: EMC, RSA, VMware and Cisco. Products here include:
- EMC Data at Rest Encryption (DARE): VCE resells the EMC DARE encryption solution. DARE is an array controller/hardware-based encryption solution for Symmetrix VMAX arrays. The advantage of this solution lies in the simplicity of encrypting the entire array through the use of one master key-encrypting key (KEK); it is therefore easy to implement, provides line-rate performance, and has no impact on ongoing operational management.
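The three components named above (key manager, administration interface, encryptor) and the two mechanisms this page mentions, a master key-encrypting key (KEK) and crypto-shred, fit together in what is usually called envelope encryption. The following Go program is an added illustration of that pattern, not code from VCE, EMC or any product on this page. It assumes AES-256-GCM for both key wrapping and data encryption, a hypothetical volume ID and logical block address bound as associated data, and a constructed sample block; the administration interface is not modelled.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
)

// KeyManager models the key-manager component: it holds the master KEK and
// issues per-volume data-encryption keys (DEKs) that leave it only in
// wrapped form. Illustrative code, not a product implementation.
type KeyManager struct {
	kek []byte // 32-byte AES-256 KEK; nil once crypto-shredded
}

func NewKeyManager(kek []byte) (*KeyManager, error) {
	if len(kek) != 32 {
		return nil, errors.New("KEK must be 32 bytes (AES-256)")
	}
	return &KeyManager{kek: append([]byte(nil), kek...)}, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts with AES-GCM and prefixes the random nonce to the output.
func seal(key, plaintext, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return append(nonce, aead.Seal(nil, nonce, plaintext, aad)...), nil
}

// unseal reverses seal; it fails if the key, nonce, tag or AAD do not match.
func unseal(key, blob, aad []byte) ([]byte, error) {
	aead, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := aead.NonceSize()
	if len(blob) < ns {
		return nil, errors.New("ciphertext too short")
	}
	return aead.Open(nil, blob[:ns], blob[ns:], aad)
}

// IssueDEK generates a fresh 256-bit DEK for the named volume and returns it
// wrapped under the KEK. The volume ID is bound as associated data so a
// wrapped key cannot be quietly moved to a different volume.
func (k *KeyManager) IssueDEK(volumeID string) ([]byte, error) {
	if k.kek == nil {
		return nil, errors.New("key manager has been crypto-shredded")
	}
	dek := make([]byte, 32)
	if _, err := rand.Read(dek); err != nil {
		return nil, err
	}
	return seal(k.kek, dek, []byte(volumeID))
}

// UnwrapDEK recovers a DEK for use by the encryptor.
func (k *KeyManager) UnwrapDEK(volumeID string, wrapped []byte) ([]byte, error) {
	if k.kek == nil {
		return nil, errors.New("key manager has been crypto-shredded")
	}
	return unseal(k.kek, wrapped, []byte(volumeID))
}

// Shred zeroizes the KEK. Every DEK wrapped under it, and so every block
// encrypted with those DEKs, becomes unrecoverable: the crypto-shred outcome
// for drives in transit or failed-but-not-destroyed drives.
func (k *KeyManager) Shred() {
	for i := range k.kek {
		k.kek[i] = 0
	}
	k.kek = nil
}

// Encryptor models the data-path component: it sees only the unwrapped DEK,
// never the KEK. The block address is bound as AAD so ciphertext cannot be
// replayed at a different location on the same volume.
type Encryptor struct{ dek []byte }

func (e Encryptor) EncryptBlock(lba uint64, data []byte) ([]byte, error) {
	return seal(e.dek, data, []byte(fmt.Sprintf("lba:%d", lba)))
}

func (e Encryptor) DecryptBlock(lba uint64, blob []byte) ([]byte, error) {
	return unseal(e.dek, blob, []byte(fmt.Sprintf("lba:%d", lba)))
}

func main() {
	kek := make([]byte, 32)
	if _, err := rand.Read(kek); err != nil {
		panic(err)
	}
	km, _ := NewKeyManager(kek)
	wrapped, _ := km.IssueDEK("vol-01") // hypothetical volume ID
	dek, _ := km.UnwrapDEK("vol-01", wrapped)
	enc := Encryptor{dek: dek}
	ct, _ := enc.EncryptBlock(7, []byte("constructed sample block"))
	pt, _ := enc.DecryptBlock(7, ct)
	fmt.Printf("round trip: %q\n", pt)
	km.Shred()
	_, err := km.UnwrapDEK("vol-01", wrapped)
	fmt.Println("after shred:", err)
}
```

The single master KEK keeps the administrative model simple, as the DARE description notes, but it also concentrates risk: the key manager's FIPS 140-2 posture and the controls around KEK backup and zeroization decide whether crypto-shred is real or merely nominal. Finer-grained designs issue separate KEKs per tenant or trust zone, at the cost of the extra key-management complexity mentioned under granularity.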
VCE Technology Alliance Partner (TAP) Program extends the VCE security portfolio and offers a compatible partner-solution catalog via Vblock Ready certification. Partners here include:
- AFORE CloudLink Secure VSA® provides encryption for Data-at-rest and Data-in-motion in multi-tenant, virtualized infrastructures. CloudLink Secure VSA is integrated with RSA DPM (Data Protection Manager) and has been included in the EMC Select resale program.
- SafeNet ProtectV® provides agent-based encryption for Data-at-rest in virtualized infrastructures. ProtectV works in conjunction with KeySecure virtual or physical key management appliances. Its KeySecure physical key appliance provides the high degree of compliance certification required by certain environments.
- Trend Micro SecureCloud™ provides agent-based encryption for Data-at-rest in multi-tenant, virtualized infrastructures. SecureCloud uses a Software-as-a-Service (SaaS) management model and includes endpoint security-related policies to validate the protections applied to the host.
- Vormetric® Data Security provides agent-based encryption for Data-at-rest in multi-tenant, virtualized and physical infrastructures. Data Security can be configured to provide granular access control suitable for certain distributed management environments.