By Zeb Ahmed, CLOUD, XaaS & BCDR Leader – IBM:
In Wikipedia’s words, encryption is the process of encoding messages or information in such a way that only authorized parties can read it.
On a daily basis, I meet customers from various verticals. Whether it is healthcare, financial, government, technology or any other public or privately held entity, they all have specific data security requirements. More importantly, the thought of moving to a public cloud brings its own set of challenges around data security. In fact, data security is the biggest hurdle when making the move from a traditional on-premises data center to a public cloud.
One of the ways to protect your data is by encryption. There are a few ways to encrypt data, and they all have their pros and cons. Hopefully, by the end of this blog you will have a better understanding of the options available to you and how to choose one that meets your data security requirements.
Data “At Rest” Encryption
At Rest Encryption refers to encrypting data that is not moving. This data is usually stored on hardware such as local disk, SAN, NAS or other portable storage devices. Regardless of how the data gets there, as long as it remains on that device and is not transferred or transmitted over a network, it is considered “At Rest” data.
There are different methodologies to encrypt At Rest data. Let’s look at the few most common ones:
Disk Encryption – This is a method where all the data on a particular physical disk is encrypted. This can be done by using SEDs (self-encrypting disks) or by using a third-party solution from vendors like Vormetric, SafeNet, PrimeFactors and more. However, in a public cloud environment your data will most likely be hosted on a multitenant SAN infrastructure, so key management and the public cloud vendor’s ability to offer dedicated local or SAN spindles become critical. Moreover, keep in mind that this encryption methodology does not protect data once it leaves the disk. This method may also be more expensive and may add management overhead. On the other hand, Disk Encryption solutions are mostly operating-system agnostic, allowing for more flexibility.
File Level Encryption – File-level encryption is usually implemented by running a third-party application within the operating system to encrypt files and folders. In many cases, these solutions create a virtual or logical disk where all the files and folders residing in it are encrypted. Tools like VeraCrypt (TrueCrypt’s successor), BitLocker and 7-Zip are a few examples of file encryption software. These are very easy to implement and support all major operating systems, i.e. Windows, Linux and Mac OS.
Data “In Flight” Encryption
Encrypting data-in-flight involves encrypting the data stream at one point and decrypting it at another point. For example, if you replicate data across two data centers and want to ensure confidentiality of this exchange, you would use data-in-flight encryption to encrypt the data stream as it leaves the primary data center, then decrypt it at the other end of the cable at the secondary data center. Since the data exchange is very brief, the keys used to encrypt the frames or packets are no longer needed after the data is decrypted at the other end, so they are discarded – there is no need to manage these keys. The most common protocols used for in-flight data encryption are IPsec VPN and TLS/SSL.
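The practical difference between the two models above is what happens to the key: an at-rest key must be kept and managed for as long as the encrypted data exists, while an in-flight key is derived for one exchange and thrown away. The Go program below is an added example, not code from the original post or from any product named in it. It assumes Go 1.20 or later for the standard-library crypto/ecdh package; the file name, record contents and the "replication-frame" label are constructed sample values. AES-GCM is used for both halves because it authenticates as well as encrypts, so a modified file or frame is rejected instead of silently decrypting to garbage. The in-flight half uses an X25519 key agreement in place of a full TLS or IPsec handshake; that agreement is the part of those protocols that gives each session its own short-lived key.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// newGCM wraps a 256-bit key in AES-GCM, an authenticated mode: a wrong key,
// a flipped byte or a mismatched label all make decryption fail outright.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// seal encrypts plaintext, binds label as associated data and prepends the
// random nonce so the receiver can recover it.
func seal(key, plaintext, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, label), nil
}

// open reverses seal and verifies the authentication tag.
func open(key, sealed, label []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	return gcm.Open(nil, sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():], label)
}

// NewDataAtRestKey returns a fresh 256-bit key. At rest the key outlives the
// data: it must be kept (in a KMS or HSM, never beside the ciphertext) for as
// long as any file encrypted under it exists, and losing it loses the data.
func NewDataAtRestKey() ([]byte, error) {
	key := make([]byte, 32)
	_, err := rand.Read(key)
	return key, err
}

// EncryptFileContents protects a file's bytes and binds its name, so a
// ciphertext cannot be silently renamed or swapped with another file's.
func EncryptFileContents(key []byte, name string, contents []byte) ([]byte, error) {
	return seal(key, contents, []byte(name))
}

// DecryptFileContents recovers the bytes; it fails if name or data changed.
func DecryptFileContents(key []byte, name string, sealed []byte) ([]byte, error) {
	return open(key, sealed, []byte(name))
}

// ReplicateInFlight models one frame crossing a replication link: each end
// generates an ephemeral X25519 key pair, only the public halves are exchanged,
// and after the frame is sealed and opened the session keys are dropped.
func ReplicateInFlight(frame []byte) ([]byte, error) {
	primary, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	secondary, err := ecdh.X25519().GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	// Each side combines its private key with the other's public key; the two
	// shared secrets are identical, and hashing them gives a 256-bit AES key.
	sharedP, err := primary.ECDH(secondary.PublicKey())
	if err != nil {
		return nil, err
	}
	sharedS, err := secondary.ECDH(primary.PublicKey())
	if err != nil {
		return nil, err
	}
	kPrimary, kSecondary := sha256.Sum256(sharedP), sha256.Sum256(sharedS)
	label := []byte("replication-frame") // constructed context label
	wire, err := seal(kPrimary[:], frame, label)
	if err != nil {
		return nil, err
	}
	out, err := open(kSecondary[:], wire, label)
	for i := range kPrimary { // best-effort wipe; nothing is kept to manage later
		kPrimary[i], kSecondary[i] = 0, 0
	}
	return out, err
}
```

Binding the file name as associated data is what lets the at-rest half detect a ciphertext that was copied over another file; in the in-flight half, the only thing that ever crosses the link in the clear is each side's public key, and the per-session AES key never has to be written down anywhere, which is exactly why the post says there are no keys to manage for in-flight encryption.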
There you have it!! Hopefully by now you have a good understanding of the most common encryption options available to you. Just keep in mind that more often than not, At Rest and In Flight encryption are implemented together and complement each other. When choosing the right methodology, it is critical to understand the use case, application and compliance requirements. You would also want to make sure that the software or technology you choose adheres to the highest level of encryption standards, e.g. 3DES, RSA, AES, Blowfish etc. Happy Crypting!!!
Zeb Ahmed is a Senior Manager, Product Management for IBM with responsibility for overseeing and managing the Backup and Disaster Recovery portfolio and partner ecosystem for IBM Cloud.