Enterprise encryption technologies – Part 1



 
 

Lately I have been working more and more in the cloud as a security architect, and my current focus has been on encryption and key management technologies. What is interesting is that there isn’t a lot of difference between the encryption technologies we use in the cloud and the encryption technologies we use in an enterprise. The biggest difference I’ve seen has to do with key management, but that is a topic I’ll save for a later blog post.

Enterprise Encryption Diagram

Several years ago, when IBM System Storage Tape Encryption solution was released on the TS1120 Tape Drives, I found myself in Tucson, Arizona working with the ITSO to write an IBM Redbook on the topic. I had just moved to a new position in IBM, and my new manager said that was the first thing he wanted me to do.

Redbooks Thought Leaders

From left to right: Babette Haeusser, project lead; Arthur Colvig and myself, Redbooks authors

Since then, I’ve found myself working more and more with encryption technologies, from those first drives to the encrypting LTO drives to IBM Encryption Facility and the IBM DS8000, and even Brocade Encryption Switch. I’ve learned through implementing these technologies at many Fortune 500 companies that there are many ways to implement encryption technologies for confidentiality.

Here is a categorization of encryption technologies:

  • Storage-level encryption
  • Agent-based encryption
  • Application-level encryption
  • File system encryption

In this blog series, I will expound on each of these categories and how they fit into an enterprise encryption strategy. I’ll also talk about the differences in security between these types of encryption categories, along with how they may apply to the cloud. Key to these blogs will be key management, which is really the crux of an encryption strategy.

Here is a quick overview of the areas I’ll cover:

Storage-level encryption

Storage-level encryption is any type of encryption at the storage area network (SAN) level. If you encrypt your whole SAN, it would fall into this category. I would also group tape encryption here, such as the LTO6 Drives or IBM TS1140 Tape Drives. This type of encryption typically has a negligible performance impact and requires specialty hardware.

Agent-based encryption

Agent-based encryption requires a special piece of software on every system that needs to encrypt and decrypt data. In this category, performance of operations against clear text will be faster than that against ciphered data. In addition, data encryption policies and keys will need to be managed for each system. IBM Infosphere Data Encryption falls into this category.

Application-level encryption

This type of data protection is a little bit different than the previous two in that the application itself will encrypt the data. IBM FileNet P8 falls into this category. Here FileNet controls access to data objects and encrypts those objects. Each object is encrypted with a unique encryption key that is stored in database. This type of encryption is fairly common for object storage. Nirvanix would be an example of a cloud object store that can be configured with similar encryption.

File system encryption

This type of encryption is typically part of an operating system. Examples would be Windows Encrypting File System (EFS), AIX EFS and Linux using eCryptFS and/or dm-crypt. A directory or a partition is configured with an encryption key derived from a passphrase, and then data stored in that area is encrypted. This also means that each system must be configured for encryption and each system must have encryption keys managed on that system.

In the next post I’ll expand on products and architectures as well as key management of the storage-layer encryption. Please stay tuned.


Jonathan Barney is currently the lead security architect for public storage cloud(IBM GTS Offering) and SmartCloud Archive(BCRS cloud) at IBM. He has worked with SCE and SCE+ to some capacity. He also has experience with IBM CCRA. You can reach Jonathan on Twitter: @idle_j

Redbooks Thought Leader

 
 
Category: Product #: Regular price:$ (Sale ends ) Available from: Condition: Good ! Order now!
Reviewed by on. Rating:

Smarter Computing Analyst Paper - HurwitzTo effectively compete in today’s changing world, it is essential that companies leverage innovative technology to differentiate from competitors. Learn how you can do that and more in the Smarter Computing Analyst Paper from Hurwitz and Associates.

Subscribe to the Smarter Computing Blog

Recent Posts

New research: IT infrastructure requires more than leading technology

Jacqueline Woods

The results are in, again! On the heels of “The IT infrastructure conversation” study launched in July, I’m delighted to announce our final study in a two-part series from the IBM Institute for Business Value (IBV), “Continuing the IT infrastructure conversation: Why building a strong foundation requires more than technology.”

Continue reading

The partnership continues: SAP HANA on IBM Power Systems with SAP Ramp-Up

Terri Virnig

IBM and SAP’s long-standing partnership has evolved through the years. And now, based on strong customer interest, we’re excited about SAP’s introduction of the SAP Ramp-Up program, an early adoption program that extends early customer access to SAP HANA on IBM Power Systems.

Continue reading

Leave a Reply

Your email address will not be published. Required fields are marked *

* Copy This Password *

* Type Or Paste Password Here *

You may use these HTML tags and attributes: <a href="" title=""> <abbr title=""> <acronym title=""> <b> <blockquote cite=""> <cite> <code> <del datetime=""> <em> <i> <q cite=""> <strike> <strong>