Demartek Comments on Emulex HBA Encryption Strategy
13 November 2009
Emulex’s strategic direction is to help IT shops provide additional data protection and privacy by encrypting data at the source - in the host server. There has been plenty of news about data breaches that put millions of data records at risk, and about the laws that require public disclosure of such breaches. More recently, some states within the USA have passed laws requiring encryption of personally identifiable information whenever it is transmitted or stored outside of a secure system. CIOs can no longer debate whether to encrypt. Encryption is no longer an option, but a requirement.
Emulex has announced their direction to provide 8-Gb/s Fibre Channel HBAs that protect data in-flight and at rest using offloaded AES 256-bit encryption. Emulex is partnering with RSA and IBM to include the key-management technology that any host-side encryption scheme stands or falls on. Emulex also plans to provide support for virtual machines with this encrypting HBA. An important consideration is defensible proof that the data was in fact encrypted, which FIPS 140-2 validation and numerous industry-specific and general regulations call for.
This product strategy re-surfaces the age-old question about where to encrypt, for which there are many possible answers. The real question is “what is your secure zone?” If your entire data center is the secure zone and you don’t send any data offsite, and you can prove it, then maybe this solution is not for you. However, if your secure zone in some cases is narrowed down to a server, then considering a solution that encrypts in the host server is one worth examining.
Some of the storage best practices as outlined in the SNIA Storage Security Best Current Practices include the following:
- Secure Sensitive Data on Removable Media
- Secure Sensitive Data Transferred Between Data Centers
- Secure Sensitive Data in 3rd-party Data Centers
- Implement the in-flight and at-rest encryption mechanisms such that they provide end-to-end protections
One way to implement encryption that meets these criteria is with an HBA that performs the encryption before the data leaves the host server. If the data is encrypted before it leaves the host server, and the encryption key itself never leaves the host, then the secure zone for confidentiality can be defined as the host server, without regard to the security status of the switches, arrays, tapes or replication links that are physically separate from it. Those downstream devices can still lose or withhold the ciphertext, so this narrows the zone for confidentiality, not for availability, and it moves the real trust question to where the keys are generated, stored and recovered.
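To make the "secure zone is the host" idea concrete, here is an added, illustrative model written for this page; it is not Emulex's or any vendor's code, and it says nothing about how a real HBA offloads AES. It uses AES-256-GCM from the Go standard library: the host-side Initiator holds the key and encrypts each block before it is handed to a Target that stands in for everything outside the host (fabric plus array). The Target can read, corrupt or rearrange what it stores, and the example shows that it learns nothing about the plaintext and that the host detects relocated or modified blocks on read. The LBA is bound into the authentication tag as associated data; the nonce-plus-tag storage overhead is a property of GCM chosen here for the integrity check, not something the page attributes to the Emulex product (length-preserving block encryption such as AES-XTS has no such tag and no integrity check). All keys and data below are constructed for the demo.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"errors"
	"fmt"
)

// Initiator models the host-side encrypting HBA (illustrative only, not Emulex's
// design): it holds the data-encryption key and turns every outbound block into
// ciphertext before the block touches the fabric. The key never leaves this struct.
type Initiator struct {
	aead cipher.AEAD
}

// NewInitiator builds an AES-256-GCM initiator from a 32-byte key.
func NewInitiator(key []byte) (*Initiator, error) {
	if len(key) != 32 {
		return nil, errors.New("AES-256 requires a 32-byte key")
	}
	blk, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(blk)
	if err != nil {
		return nil, err
	}
	return &Initiator{aead: aead}, nil
}

// Target models everything outside the secure zone (the SAN and the array):
// it stores whatever bytes arrive and can inspect, corrupt or rearrange them.
type Target struct {
	lbas map[uint64][]byte
}

func NewTarget() *Target { return &Target{lbas: make(map[uint64][]byte)} }

// Raw returns the bytes the target actually holds for an LBA, i.e. what anyone
// with access to the array or the wire would see.
func (t *Target) Raw(lba uint64) []byte { return t.lbas[lba] }

// Corrupt flips one bit of a stored block, as a failing or hostile device might.
func (t *Target) Corrupt(lba uint64) {
	if b := t.lbas[lba]; len(b) > 0 {
		b[len(b)-1] ^= 0x01
	}
}

// Swap exchanges the ciphertext of two LBAs, a relocation the host never requested.
func (t *Target) Swap(a, b uint64) { t.lbas[a], t.lbas[b] = t.lbas[b], t.lbas[a] }

// lbaAAD binds the block address into the GCM tag so a block cannot be replayed
// at a different address.
func lbaAAD(lba uint64) []byte {
	aad := make([]byte, 8)
	binary.BigEndian.PutUint64(aad, lba)
	return aad
}

// Write encrypts a block inside the host and sends only ciphertext to the target.
// Stored layout: nonce || ciphertext || GCM tag.
func (i *Initiator) Write(t *Target, lba uint64, plaintext []byte) error {
	nonce := make([]byte, i.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return err
	}
	ct := i.aead.Seal(nil, nonce, plaintext, lbaAAD(lba))
	t.lbas[lba] = append(nonce, ct...)
	return nil
}

// Read fetches a block and decrypts it inside the host; any modification or
// relocation performed outside the host is rejected rather than returned as garbage.
func (i *Initiator) Read(t *Target, lba uint64) ([]byte, error) {
	stored, ok := t.lbas[lba]
	if !ok {
		return nil, fmt.Errorf("no data at LBA %d", lba)
	}
	ns := i.aead.NonceSize()
	if len(stored) < ns+i.aead.Overhead() {
		return nil, errors.New("stored block too short to carry nonce and tag")
	}
	return i.aead.Open(nil, stored[:ns], stored[ns:], lbaAAD(lba))
}

func main() {
	key := make([]byte, 32) // constructed demo key; a real deployment gets it from the key manager
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	hba, _ := NewInitiator(key)
	target := NewTarget()
	record := []byte("constructed record: account 12345, status active")
	_ = hba.Write(target, 100, record)
	_ = hba.Write(target, 101, []byte("constructed second block"))
	fmt.Println("plaintext visible on the array:", bytes.Contains(target.Raw(100), record))
	target.Swap(100, 101)
	_, err := hba.Read(target, 100)
	fmt.Println("relocated block rejected:", err != nil)
	target.Swap(100, 101)
	target.Corrupt(100)
	_, err = hba.Read(target, 100)
	fmt.Println("corrupted block rejected:", err != nil)
}
```

The point the model makes is that once the ciphertext and the key are separated this way, the array, the fabric and any offsite copy only ever hold the output of Write; what they cannot do is learn the record, and what they can still do is lose it, which is why the key-management and backup story has to be examined as carefully as the cipher.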
We will discuss this topic more in the future, so stay tuned.