White Paper
Meeting Enterprise Encryption Requirements
By Jon Oltsik, Senior Principal Analyst
April 2014
This ESG White Paper was commissioned by HDS and is distributed under license from ESG.
Contents
Executive Summary
The Case for Data Encryption
Enterprise Organizations Are Increasing Their Use of Encryption
Large Organizations Need an Enterprise Encryption Strategy
Which Encryption Technology?
Encryption Options
HDS Offering Balances Operational and Technical Requirements
The Bigger Truth
All trademark names are property of their respective companies. Information contained in this publication has been obtained by sources The Enterprise Strategy Group (ESG) considers to be reliable but is not warranted by ESG. This publication may contain opinions of ESG, which are subject to change from time to time. This publication is copyrighted by The Enterprise Strategy Group, Inc. Any reproduction or redistribution of this publication, in whole or in part, whether in hard-copy format, electronically, or otherwise to persons not authorized to receive it, without the express consent of The Enterprise Strategy Group, Inc., is in violation of U.S. copyright law and will be subject to an action for civil damages and, if applicable, criminal prosecution. Should you have any questions, please contact ESG Client Relations at 508.482.0188.
Executive Summary
Data-at-rest encryption used to be the purview of niche security vendors serving government, military, and intelligence customers. More recently, however, data-at-rest encryption technology has become more mainstream, driven by new threats, regulatory compliance, and a perpetual series of publicly disclosed security breaches. Over the past few years, many large organizations have deployed assorted encryption technologies, but these firms are really just getting started with this class of data security controls. This white paper concludes that:
Tactical encryption creates a number of challenges. Well-intended security professionals who deployed encryption technologies on a case-by-case basis now face an unexpected challenge managing and operating an assortment of tools and technologies. This adds cost, complexity, and security risks.
Large organizations need an enterprise encryption strategy and architecture. To overcome encryption chaos, CISOs need an encryption architecture composed of a central management portal for policy management, strong key management, and distributed policy enforcement across technologies.
Technology choices can be confusing. Cryptographic operations can be performed up and down the technology stack at the application, file system, database, network, or storage level. What’s more, each of these encryption offerings has different characteristics in terms of security protection, performance impact, cost, deployment, and flexibility. This wide array of technology options tends to perplex many security professionals and delays planning and projects for strategic encryption solutions.
CISOs must balance enterprise and technology requirements. The trick here is aligning business, IT operations, and security requirements to find the best encryption fit.
The Case for Data Encryption
When it comes to corporate data, ESG believes: 1) Total data capacity grows substantially each year and 2) A large percentage (50% or more at some enterprise organizations) of corporate data is either private or sensitive in nature.
This high percentage of confidential data places an increasing burden on IT, storage, and security staff. Growing volumes of confidential data demand special security controls and technology safeguards because:
Targeted attacks are aimed at confidential data. Unlike some of the more general exploits of the past, today’s targeted attacks and advanced persistent threats (APTs) are aimed at stealing valuable information like social security numbers, bank account details, and intellectual property (IP). In fact, these kinds of sophisticated attacks have become more widespread, targeting media outlets (e.g., The New York Times and the Wall Street Journal), eCommerce sites (e.g., LivingSocial), and retailers (e.g., Neiman Marcus and Target). These threats grow more sophisticated and often combine multiple attack techniques such as social engineering, spear phishing, polymorphic malware, and proprietary encryption algorithms for cloaking data as it is exfiltrated.
Regulations mandate data privacy and security. As of this writing, 46 states, the District of Columbia, Guam, Puerto Rico, and the Virgin Islands have enacted legislation requiring private or government entities to notify individuals of security breaches involving personally identifiable information (PII). Aside from state privacy laws, organizations may also have data privacy requirements based upon U.S. federal regulations (e.g., HIPAA/HITECH and FISMA) or industry mandates (e.g., PCI DSS). In Europe, the e-Privacy Directive 2002/58/EC specifies that providers of communications services falling under its scope must notify breaches to the corresponding national authorities. They must also notify subscribers or customers likely to be adversely affected by a breach (for example, through identity theft or reputational harm). Together with the notification, the provider is also asked to submit a list of the proposed measures that will be used to counter the breach.
Publicly disclosed data breaches are an everyday event. According to the Privacy Rights Clearinghouse,
preponderance of data breaches is also illustrated in some recent ESG research. In a recent survey of 315 security professionals working at enterprise organizations (i.e., those with 1,000 employees or more), 49% said that their organization had suffered at least one security incident over the past 24 months related to a successful malware attack alone. This percentage would likely increase precipitously if it also accounted for insider attacks, stolen laptops/mobile devices, and lost backup tapes (see Figure 1).[1]
Figure 1. Security Breaches Related to Successful Malware Attacks over the Past 24 Months
Source: Enterprise Strategy Group, 2014.
Organizations of all sizes are concerned because the costs associated with publicly disclosed data breaches (e.g., contacting customers, offering credit protection, customer service calls, and postage) can be extremely high. ESG estimates a cost of between $30 and $150 per individual, so a breach of 1 million personal records could carry a cumulative cost of $30 to $150 million. These expenses don’t capture other indirect costs such as corporate embarrassment, brand damage, share price reduction, and future civil litigation.
Enterprise Organizations Are Increasing Their Use of Encryption
Security best practices call for “defense in depth,” where all security controls complement one another, providing better protection than any individual safeguard. Over the past few years, many organizations have added data encryption as part of their layered defense for protecting data confidentiality and integrity. According to ESG research, 69% of organizations use encryption technology today while another 9% plan to do so within the next 12 months (see Figure 2).[2]
[1] Source: ESG Research Report, Advanced Malware Detection and Protection Trends, September 2013.
[2] Source: ESG Research, Insider Threats Survey, September 2013.
Figure 1 (chart data): Has your organization suffered a successful malware attack in the last 24 months? (Percent of respondents, N=315) Yes, 49%; No, 47%; Don't know, 4%.
Figure 2. Use of Encryption Technologies
Source: Enterprise Strategy Group, 2014.
Large Organizations Need an Enterprise Encryption Strategy
When it comes to data encryption, many enterprise organizations have deployed technology or have projects planned in numerous areas across the enterprise. For example, many firms already encrypt laptop hard drives and backup tapes, and may even dabble with file encryption for sensitive files, folders, and directories. Yes, these initiatives enhance data security, but they tend to be implemented in a haphazard manner with no central management or oversight. This model requires numerous encryption/key management administrators to learn and operate various tools, which complicates and adds cost to security operations. It also poses a security risk: If a key management server is breached or corrupted, sensitive data could become useless gibberish instantly.
Many IT professionals recognize the limitations and risks associated with this tactical approach, but they aren’t quite sure about their requirements for a more strategic enterprise encryption architecture. ESG certainly understands this conundrum. After all, encryption was really a niche technology in the past, used mostly by military, intelligence, law enforcement, and government organizations. Driven by security and compliance requirements, however, encryption technology has become far more common over the last few years, and this trend will only continue. It’s time to recognize what’s happening here: This recent transition changes the role of encryption at large organizations. To address enterprise encryption needs, IT and security teams need a strategic plan that includes:
Central key management. As encryption penetration increases, the security group will want a way to control all key management policies, administration, and reporting from one location. Large organizations will also need the ability to federate these responsibilities to specific business units or geographical locations while maintaining central oversight for encryption management across the entire enterprise network.
Figure 2 (chart data): Does your organization use or plan to use data encryption technologies to detect/prevent security attacks? (Percent of respondents, N=707) Currently use, 69%; Plan to use in the next 12 months, 9%; Interested in using, 12%; No plans for or interest in using, 6%; Don't know/Not applicable, 4%.
Enterprise-class key management. In the current environment, it is not unusual for each encryption technology to have its own key management system “baked in,” and this leads to a few obvious problems. First, some key managers offer more functionality than others, so enterprise key management policies must be tailored to the lowest common denominator. Second, security staff is forced to learn and operate different key managers for different tools. Finally, it is difficult to have central oversight of key management processes like backup, archiving, and destruction. As encryption becomes ubiquitous, CISOs will need to adopt an enterprise-class key management system that centralizes cryptographic key lifecycle management. The best systems will support industry standards such as the Key Management Interoperability Protocol (KMIP) developed and promoted by the Organization for the Advancement of Structured Information Standards (OASIS).
Flexible deployment options. With encryption deployed throughout the enterprise, IT and security groups will need options that support different business use cases, applications, locations, and performance requirements. In the past, these diverse needs forced organizations to choose data management and storage technologies first and then treat encryption as a product feature. Unfortunately, this approach led to the current state of tactical encryption anarchy. To alleviate this chaos, security professionals need common encryption services that align with all types of use cases across a wide variety of technologies. It’s also important to consider business continuity/disaster recovery (BC/DR) requirements as part of any data encryption project to make sure that data can be encrypted/decrypted appropriately for BC/DR activities like data mirroring, failover, and restoration.
Secure administration and logging. Encryption and key management administration should be delegated to a tiger team with specific skills and authority. This requires systems with strong privileged account security and role-based access controls. Furthermore, any and all tasks performed by this group should be logged and reviewed regularly.
Standard support. Vendors should pledge their support and participate in the development of leading key management standards. At the very least, vendors should be committed to the promising new Key Management Interoperability Protocol (KMIP) profiles developed and promoted by the Organization for the Advancement of Structured Information Standards (OASIS).
Key management experience and implementation skills. Building a key management infrastructure requires a rather esoteric set of skills. Make sure to work with a vendor that can help design and deploy an architecture that meets today’s immediate tape encryption needs and can scale for future requirements.
Which Encryption Technology?
The enterprise encryption management requirements outlined above should help enterprise organizations create coherent RFIs/RFPs that separate tactical products from true enterprise-class encryption solutions. Beyond enterprise requirements, however, many IT professionals also remain confused about encryption technology choices. Where should cryptographic operations occur? What are the advantages and disadvantages of each option? What are the performance implications associated with each selection? What about key management and central administration?
Encryption Options
It’s easy to see why security professionals are confused: there are numerous encryption possibilities across the entire technology “stack,” including:
Application-layer encryption. This option is the most thorough but also the most difficult. Application-layer encryption encrypts/decrypts data as part of application processing and thus hides the data from all other technical components (i.e., operating system, file system/database, storage, etc.). Furthermore, application-layer encryption provides flexibility and granularity for limiting encryption to a subset of highly sensitive data only. This thoroughness comes at a price, however: it is the most difficult of all options because it requires that applications be modified to include cryptographic libraries. This can be cumbersome, especially since most application developers lack the right skills for this task. Application-layer encryption also poses key management challenges and can create an operations nightmare as key management functions are deployed on an application-by-application basis. Finally, application-layer encryption consumes system processor cycles, so it may degrade application performance.
File system encryption. Encrypted file systems may be supported by operating-system vendors or require third-party software. While not as granular as application-layer encryption, file system encryption can support encryption of specific files or of the entire file system. Once again, cryptographic operations are done using system CPUs, so there can be an impact on performance. File-system encryption may require software installation on all servers, and vendor offerings vary in terms of central key management support.
Database encryption. Major RDBMS vendors support native database encryption, while third parties offer common encryption software for heterogeneous databases. Database encryption can be difficult to implement, requiring new code, scripts, or stored procedures. Database encryption offers some granularity with column- or even object-level encryption, but it uses precious CPU cycles and can impact performance, which is a real concern for highly tuned transactional database systems. Once again, key management is mixed: most vendors store the keys locally by default, while some provide integration with third-party key management systems.
Storage network-based encryption. Cryptographic functions can reside within storage fabrics, typically on dedicated appliances or storage switches/directors. In this model, cleartext network traffic is encrypted as it flows through the network from the host to the storage arrays. Since storage network-based encryption is transparent to all connected hosts, it is relatively easy to deploy, but it can add cost and require the implementation of numerous high-performance encryption devices. Key management is a mixed bag once again: some storage-based encryption devices include basic key management, while others support enterprise-class functionality or integration with third-party key management systems.
Array-based encryption. Many storage arrays now include controller-based cryptographic processors for data-at-rest encryption. This model is highly scalable, does not require any host or storage network modifications, and can support different types of media including solid-state disks and standard hard drives. Array-based encryption can provide granularity in terms of encryption options at the LUN and drive level. Like other options, key management is usually provided as a native service, but some vendors do offer integration with third-party key management servers. Array-based encryption may offer a valuable differentiator because it can provide cryptographic erasure for secure data deletion/disk replacement.
Self-encrypting drive solutions. In this model, encryption is performed by storage arrays but the actual cryptographic processing takes place on the hard drives rather than on the storage controller. Self-encrypting drives are based upon the Opal industry standard from the Trusted Computing Group (TCG), and there is very little performance impact in this model. While self-encrypting drives hold a lot of promise for the future, not all enterprise storage vendors support them today, limiting user choices. Finally, key management of self-encrypting drives doesn’t really fit a standard key management model (since the keys never leave the drives), so it can be difficult to implement. Drive-based encryption can also provide cryptographic erasure for secure data deletion/disk replacement.
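The per-drive key granularity and cryptographic erasure described for array-based and drive-based encryption above, together with the central key management requirement from the previous section, can be made concrete in a small model. This is an added example, not code from the paper or from HDS: a stand-in key manager (the role a KMIP server would play) wraps one data encryption key per drive under a key-encryption key that never leaves it, the array controller seals each sector under the drive key bound to its drive ID and sector number, and cryptographic erasure is simply the destruction of the wrapped key. The names KeyManager, ProvisionDrive, DriveKey and CryptoErase are invented for the illustration, and AES-256-GCM is used for both wrapping and sector data to keep the model short.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
)

// KeyManager is a hypothetical stand-in for the central key manager the paper calls for.
type KeyManager struct {
	kek     []byte            // key-encryption key; never leaves the key manager
	wrapped map[string][]byte // drive ID -> data encryption key (DEK) sealed under the KEK
}

func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy means no safe key or nonce; stop rather than continue
	}
	return b
}

func gcm(key []byte) cipher.AEAD {
	block, _ := aes.NewCipher(key) // every key here is 32 random bytes: cannot fail
	g, _ := cipher.NewGCM(block)   // AES has a 128-bit block: cannot fail
	return g
}

// Seal encrypts with AES-256-GCM; aad (drive ID, or drive ID plus sector number) is bound to the ciphertext and the random nonce is prepended.
func Seal(key, plaintext, aad []byte) []byte {
	g := gcm(key)
	nonce := randomBytes(g.NonceSize())
	return g.Seal(nonce, nonce, plaintext, aad)
}

// Open reverses Seal; a wrong key, a wrong aad or any tampering is an error, never silent garbage.
func Open(key, blob, aad []byte) ([]byte, error) {
	g := gcm(key)
	if n := g.NonceSize(); len(blob) >= n {
		return g.Open(nil, blob[:n], blob[n:], aad)
	}
	return nil, errors.New("ciphertext too short")
}

func NewKeyManager() *KeyManager {
	return &KeyManager{kek: randomBytes(32), wrapped: map[string][]byte{}}
}

// ProvisionDrive creates a per-drive DEK, stores it wrapped under the KEK, and hands the plaintext DEK to the controller for the session.
func (km *KeyManager) ProvisionDrive(driveID string) []byte {
	dek := randomBytes(32)
	km.wrapped[driveID] = Seal(km.kek, dek, []byte(driveID))
	return dek
}

func (km *KeyManager) DriveKey(driveID string) ([]byte, error) {
	if w, ok := km.wrapped[driveID]; ok {
		return Open(km.kek, w, []byte(driveID))
	}
	return nil, errors.New("no key for drive " + driveID)
}

// CryptoErase deletes the wrapped DEK: DriveKey now fails and every sector on the drive is unrecoverable ciphertext, with no overwrite of the media.
func (km *KeyManager) CryptoErase(driveID string) { delete(km.wrapped, driveID) }
```

Because the sector's authenticated data includes its drive and location, a block copied to another drive or another LBA, read with another drive's key, or modified on the media is rejected rather than decrypted to noise.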
CISOs should consider each of these options carefully to ensure that they align with their objectives, organizations, skills, and budget considerations (see Table 1).
Table 1. Assessing Encryption Options
| Encryption technology location | Implementation effort | Performance implications | Central key management support | Data confidentiality and integrity protection |
|---|---|---|---|---|
| Application-layer | Very difficult | Can be severe | Usually not | In application, OS, file system/database, network, and storage |
| File system | Difficult | Medium | Usually offered | In file system/OS, network, and storage but not in application or server |
| Database | Difficult | Medium to severe | Usually not | In database, network, and storage but not in application or OS |
| Storage network | Not very difficult | Medium to light | Usually offered | In storage network and storage but not in application, OS, or file system/database |
| Storage array | Not difficult | Light | Usually offered | In storage but not in application, OS, file system/database, or network |
| Hard drive | Not usually difficult but may involve steps for FIPS-140 mode | Light | Usually offered, but can be difficult | In storage but not in application, OS, file system/database, or network |
Source: Enterprise Strategy Group, 2014.
HDS Offering Balances Operational and Technical Requirements
As described in this white paper, storage professionals must balance their encryption technology criteria across two vectors: enterprise requirements and technology characteristics. This can be a difficult matrix to navigate since technology choices and feature sets can be extremely diverse.
Given the wide assortment of considerations in play, HDS’s encryption offerings may stand out because they provide data encryption services that can meet enterprise security, operational, and technical requirements. This is because HDS encryption offers:
Support for central key management across its product line. HDS offers encryption technology on all of the storage arrays included in its Virtual Storage Platform (VSP) for scale-up and scale-out needs. Furthermore, all key management activities can be centrally configured, managed, and monitored, providing centralized control and distributed policy enforcement. HDS accommodates the need for privileged account management and role-based access control as well. HDS provides an integrated key management system in its encryption controller but also supports third-party key management integration via KMIP for centralization. Keys can be applied to individual hard disks for granularity and management ease while also offering cryptographic erasure for secure data deletion/disk replacement.
Common support for different storage types. HDS controller-based encryption is media agnostic, supporting flash memory, SSD, and standard hard drives. This lets users mix and match media while supporting encryption requirements.
In aggregate, HDS storage encryption can help enterprise organizations address their operational, technology, and security needs. As such, storage professionals would be well served by discussing encryption options with HDS and assessing how its storage security offerings can help meet their strategic business, IT, and security requirements.
The Bigger Truth
Data-at-rest encryption is no longer optional: Regulatory compliance, new threats, and security best practices are driving widespread deployment of encryption across the enterprise. As data-at-rest encryption becomes pervasive, large organizations need to develop an encryption strategy or face challenges associated with multiple technologies, product-by-product management, costly operations, and security vulnerabilities.
Creating an enterprise data encryption strategy can be a confusing potpourri of choices. To avoid getting bogged down, CISOs must focus their efforts on two areas:
1. Enterprise security, operations, and architectural requirements
2. Encryption technologies that support security needs while offering ease of operations and scale
While some confusion will remain, concentrating on these two areas will winnow the list down to real enterprise vendors. Of the remaining candidates, HDS is one of the few companies with an encryption portfolio capable of meeting business, IT, and security requirements.