ISBN-13: 978-1537033419

Proceedings of ICDER-2016

Using Encryption to Increase the Security of

Network Storage
Mahesh M N
M.Tech Student (Network and Internet Engineering)
Department of Electronics and Communication Engineering
Sri Jayachamarajendra College of Engineering
Mysuru, India
Mahesh2789mn@gmail.com

Thyagaraja Murthy A
Associate Professor
Department of Electronics and Communication Engineering
Sri Jayachamarajendra College of Engineering
Mysuru, India
trmsjce@gmail.com

Achieving internal and external compliance:

Complying with external entities and laws, such as PCI,
SEC, GLBA, HIPAA,, and SOX
Maintaining internal security policies and access controls

Abstract- IT managers are working hard to ensure the

security and integrity of key organizations data. Corruption of
data can occur due to purposeful attack from many sources,
including black hat hackers, terrorists, company competitors,
and disgruntled employees. Data can also be compromised by
accident, by careless or poorly trained employees. Whether
malicious or accidental, the consequences of a threat exploiting
vulnerability can be devastating to the enterprise. Inadequate
security can result in the disclosure of confidential data to
unauthorized recipients, loss of integrity due to damaged or
deleted data, and loss of access to the data

I.

Securing intellectual property:

Maintaining competitive advantage by securing the most
important business assets
Protecting key data from internal and external attacks
Reducing TCO:
Achieving quick, easy, plug-in deployment
Minimizing costly changes to storage infrastructure
Securing data at rest and data in flight

INTRODUCTION

To reduce the risks of exposing or damaging company data, IT

managers must evaluate all of their data storage security processes.
Organizations that are effectively protecting their data obtain many
benefits, including increased customer trust; reduced losses due to
fraud or theft; maintaining privacy and integrity of data while at
rest or in flight; and the ability to achieve compliance with industry
regulations.

Current technologiessuch as firewalls, Intrusion Prevention

Systems (IPSs), and Virtual Private Networks (VPNs)seek to
secure data assets by protecting the perimeter of the network. LUN
masking and zoning in SAN environments also attempt to address
concerns about security. Unfortunately, these targeted approaches
cannot adequately secure storage if data is still stored in clear text
(that is, data that is transferred or stored without cryptographic
protection). Encrypting data at rest on tape and disk as well as data
in transit significantly mitigates these threats and enables
enterprises to secure data while maintaining current service levels
for operations.

Storage encryption is one of the core features of a storage

security strategy that is rapidly gaining popularity with enterprises
that process and store data. Storage encryption solutions use
encryption technologies to secure data whether it is online, backed
up, or archived, both in transit (data n flight) and on the storage
medium (data at rest). Storage encryption enables enterprises to
cost effectively protect the confidentiality of data stored in their
storage infrastructure networks. By encrypting stored data,
enterprises gain the ability to protect the companys private data
from accidental or malicious intruders, reduce capital
expenditures, and achieve savings in data transport costs.

II.

III.

THREAT MODEL FOR DATA AT REST AND DATA

IN FLIGHT

Over the lifespan of data, nearly all media eventually leave

the owners control, either when it is decommissioned at its end of
life or end of lease or is returned for warranty or repair. Loss of
physical control of storage media includes all media types, such as
removable media such as tape cartridges, disk drives in servers,
and networked storage drives.

THE NEED TO ENCRYPT STORAGE DATA

The advantages of networked data storage technologies

such as network-attached storage (NAS) and storage area networks
(SAN) are well established, but having data on a network creates
significant security risks. Data that resides in a networked storage
environment can be much more vulnerable to unauthorized access,
theft, and misuse than data stored in direct-attached storage (DAS)
appliances. This is because aggregated storage in a SAN is not
designed to compartmentalize the data it contains. As a result of
pooling storage, data that originated in different applications or
company divisions becomes comingled when stored in the
network. Data backups, off-site mirroring, and other data
replication techniques further increase the risk of unauthorized
access to data from people both inside and outside the company
firewall.

Even if the media is decommissioned due to end-of-life or

system failure, the data on that media may still be readable. For
example, data on the vast majority of failed hard drives can still be
read; even drives that were part of a striped array are also at risk.
Disk striping divides a body of data into blocks and spreads the
data blocks across several partitions on several hard disks, but in a
failure, some data remains. The typical stripe size in todays arrays
is large enough to expose hundreds of customer names and social
security numbers. Some companies require data cleansing before
recycling all storage media. However, these methods do not
guarantee the elimination of the data.
These security processes can be ineffective if human
beings misplace or skip any media that need to be sanitized before
recycling. Even if all media are cleansed, overwriting media can
take hours or days, may miss reallocated portions of the media, or
may not work at all under certain failure conditions. There is also
no indication of when the processes are complete. It is clear that
most methods of data cleansing are imperfect. These issues and

With storage networks, a single security breach can threaten

much larger data repositories than isolated storage systems.
Curious or malicious insiders, administrators, partners, hackers,
contractors, and outsourced service providers can all gain access to
data quite easily. IT managers are seeking storage infrastructure
solutions that will help them minimize risks and achieve the
following goals.

www.iaetsd.in

Minimizing the risk of unauthorized access

33

IAETSD 2016

ISBN-13: 978-1537033419

Proceedings of ICDER-2016

the increasing risks of data exposure have rapidly accelerated the

widespread interest in encryption. Encryption can automatically
secure the data when the media leave the owners controlwithout
dependence on humans and costly, time-consuming, and imperfect
processes.

multiple applications require access to encrypted data it is difficult,

if not impossible, to find compatible solutions that use a common
key management infrastructure. Further, it is likely that one or
more of the applications will not natively support its own
encryption mechanism.

CHOOSING AN ENCRYPTION SOLUTION

ENCRYPTION IN THE FILE SYSTEM OR OPERATING

SYSTEM

One of the most effective methods of protecting the

privacy of data is to encrypt it. Encryption is the process of
converting readable clear text into unreadable cipher text, which
can later be decrypted back into the original content. Encryption
technologies can be used to protect an organization's SAN, NAS,
tape, and iSCSI data stores. Storage security technology is based
on an array of encryption algorithms. However, all encryption
algorithms have finite periods of usability. As the existing
encryption algorithms age and processor power increases, todays
algorithms become progressively more vulnerable to breaking.
Earlier encryption algorithms such as DES and 3DES, and hashing
algorithms such as MD5 and SHA-1, are now considered to be
insecure.

Several operating systems provide options for either

turning on encryption in the native file system or adding an
encryption facility on top of the native file system. Traditionally,
additional software may be installed on a server that enables the
user to encrypt and decrypt individual files. Performing selective
encryption may reduce the impact on performance. In addition, as
host processors in devices like laptops became more powerful, full
disk and full file system encryption have been introduced. The
advantage of using selective encryption by file is that it can reduce
the performance impact. However, users may have to be involved
in performing the encryption and decryption as an extra step. By
encrypting all files, users may not see the encryption and
decryption steps, but there is likely to be a performance impact.

Effective encryption solutions should take advantage of the

strongest commercially available algorithms such as AES. It is also
important to consider the complete security of a
systemencryption is only as strong as its weakest link. If data is
encrypted using AES-256, but keys are stored in clear text and left
in an open operating system, it is fairly easy to compromise the
entire system. Because of the changing nature of encryption
standards, it is also important that the encryption solution can be
upgraded to address emerging standards without requiring full
hardware replacement.
No performance impact: The solution should be able to
compress and encrypt data at wire speeds without a
requirement for additional CPU overhead.
Ease of Installation: An effective solution should deploy
seamlessly into the current IT environment. Installation
should require zero downtime and not cause any disruption to
workflow. It should not require any modifications to the
hosts, servers, and applications, and it should not necessitate
forklift upgrades to storage.

Performing encryption in the servers provides the ability to

provision encryption processing where its needed. The downside
is that it will probably be intrusive to the operations of that server.
If encryption is done in software, performance on that server is
significantly affected whenever a nontrivial amount of data must
be encrypted. It may be possible for encryption is to be done in
specialized hardware added to these hosts, but there will be
downtime for each server to be shut down, have the coprocessor
installed, reboot, install the driver software (and perhaps reboot
again), test the applications, and bring it back on line. In large
enterprises with tens, hundreds, or thousands of servers, this could
be extremely invasive to operations. Further, because this
deployment does not happen instantaneously, IT must plan the
rollout very carefully. There will be periods when some servers are
encrypting data and others are unable to access it. Finally, it is
important to find a solution that supports all the host configurations
(both hardware and OS) that the enterprise uses today and will use
in the future.

IV.

ENCRYPTION IN THE DEVICE DRIVER OR NETWORK

INTERFACE:

Strong Key Management: The solution should provide secure

encryption keys and maximize availability when needed.

Data can be encrypted in the network interface, such as a

host bus adapter or network interface card. Some network cards
include dedicated hardware logic for accelerating the
cryptographic functions. The information is protected from the
server through the SAN to the storage. Currently, this type of
solution tends to focus on data in flight versus data at rest, where
there is a possibility of capturing data in flight and performing an
analysis to find the keys and access the data.

Scalability: As the amount of data grows, the solution should

scale cost effectively.
When selecting an encryption solution, it is also important
to make sure that the solution has gone through formal,
independent certification. The standard certification body for
encryption technologies is the National Institute of Standards and
Technology (NIST), which tests and certifies third-party products
against a standard called the Federal Information Processing
Standard (FIPS). Other certifications, most notably the
international Common Criteria standard, are also used to validate
that encryption products have been built properly. Without
independent validation, it is difficult to be sure that the products
perform as promised.
V.

Temporary keys are used and periodically updated. When

solutions focus on data at rest, encryption keys protect data for
much longer periods of time. This requires that the length of the
key and strength of encryption are sized appropriately and that key
management includes the ability to maintain keys for long periods
of time
.
CENTRALIZED ENCRYPTION ON THE NETWORK:

WHERE AND HOW TO IMPLEMENT ENCRYPTION

Network-based encryption offers the benefits of

centralized encryption and key management and enabling
encryption on existing storage devices. The centralized approach to
encryption in the network uses one key vault and management
application to encrypt data for multiple types of heterogeneous
storage (disk and tape). Instead of buying several devices that
enable encryption for a given application, network-based solutions
encrypt data for multiple applications and use the same user
interface to manage encryption policies. Network-based
implementations enable encryption from a centralized location to
existing storage devices.

There are several choices for where and how to implement

encryption. Each method imposes some trade-offs for
performance, complexity, and ease of use. The following sections
examine the pros and cons of each method.
ENCRYPTION IN THE APPLICATION OR DATABASE:
If it is possible to identify specific data that must be
protected, it may be possible to encrypt just the sensitive or
valuable data. For example, a database application could enable
encryption at the column level. The advantage of this type of
approach is that the amount of data being encrypted is minimized
so that the performance impact on the application is potentially
minimized. The challenges of this type of approach include the
ability to properly identify all fields that contain sensitive or
regulated data and ensuring that any changes to the application or
schema take into account whether they should be encrypted.
Because application encryption is specific to a given application, if
www.iaetsd.in

Without upgrading end devices, network-based encryption

can selectively encrypt data to meet the needs of the organization.
For SAN-based disk-based encryption, the user can configure
encryption at the logical unit (LUN) level so that only
specific application data is encrypted on large storage arrays. In
NAS-based encryption of online data on disk, the encryption is

34

IAETSD 2016

ISBN-13: 978-1537033419

Proceedings of ICDER-2016

done at the network-share level. For tape-based encryption, data

encryption keys can be associated to individual tapes or tape pools
to refine the granularity of encryption. Although some initial
deployments added significant latency to the encryption process,
the latest generation of solutions adds a minimal amount of delay to
ensure that backup windows are maintained in tape applications.
With network-based encryption, users have the flexibility and
power to encrypt data on legacy storage devices and to encrypt
only the data than needs to be encrypted.

Users may have to be involved in invoking the encryption

and decryption as an extra step.
If encryption is done in software, performance on that server
is significantly affected whenever a nontrivial amount of
data needs to be encrypted.
Solution must support all host configurations (both hardware
and OS) that the enterprise uses today and will use in the
future.
May affect performance.

ENCRYPTION IN THE STORAGE DEVICE:

C.

Self-encrypting storage devices embed encryption in the

storage device itself, providing full disk encryption so that
fine-grained data classification is not needed and the device can
leave the owners control securely. Neither the encryption key nor
the encrypted text ever leave the device, enhancing security,
greatly simplifying key management, and making the encryption
transparent to the OS, databases, and applications. Because the
encryption key does not leave the device, there is no need to track
or manage the encryption keys. Cryptographic processing within
the device can potentially have no measurable performance impact
on the system, and it allows the encryption to scale linearly
automatically as more storage is added to the system. All data can
be encrypted, with no performance degradation, so there is no need
to classify which data to encrypt. Its easy to quickly and securely
erase the entire device by erasing the encryption key in the device,
without worry that there may be a copy of that encryption key
somewhere outside the device. The key has never left the device
and there is no other copy, so the proof of data destruction is the
execution of that single process.

Considerations:
Will scalability be an issue as data grows?
Is port connectivity, rack space, or power an issue?

The need to re encrypt data is minimized because the

encryption key doesnt need to be changed when an administrator
leaves the job. Encrypting in the device may add cost to that
device, and the implementation schedule may affect the natural
replacement schedule of storage devices. However, this impact
may be offset by the fact that it is being implemented in standard
storage devices and cuts device decommissioning costs and
headaches.

Advantages:
Enables encryption on existing storage devices
Can selectively encrypt only the data than needs to be
encrypted.

Advantages:
Information is protected from the server through the SAN to
the storage.
Challenges:
Current solutions tend to focus on data in flight versus data at
rest where there is a possibility of capturing data in flight and
performing an analysis to find the keys and access the data.
D.

Challenges:
Some early solutions added latency to the encryption
process, but newer solutions add less than a millisecond of
delay to ensure that backup windows are maintained in tape
applications.
E.

Each method of encryption has its advantages and disadvantages.

The following table can help decide which approach is the best
choice for a given deployment:

Storage Devices

Considerations:
Will encryption work across all vendor storage (that is,
heterogeneous) environments?
What kind of key management will be used?

Database or Application

Considerations:
Is all sensitive data in one or two columns in a database?
Will application performances be affected?

Advantages:
Provides full disk encryption.
The device can leave the owners control securely.
Simplifies key management.
No significant performance impact to the system.
Allows encryption to scale linearly automatically as more
storage is added to the system.
No need to classify which data to encrypt.

Advantages:
Minimal performance impact on the application.
Challenges:
Must identify all fields with sensitive or regulated data.
Need to ensure that all changes to application or schema
include whether they should be encrypted.
Difficult to find compatible solutions that use a common key
management infrastructure.
Some applications may not natively support their own
encryption mechanism.
B.

Network

Considerations:
Will interoperability with other SAN devices be an issue?
How many storage devices need to be protected?

DECIDING WHICH ENCRYPTION METHOD TO USE:

A.

Device Driver or Network Interface:

Challenges:
May not work across all vendor storage environments.
May add cost to the device.
Requires forklift upgrade of existing storage devices.

VI.

File System or Operating System

NETAPP ENCRYPTION SOLUTIONS

Enterprises can now secure sensitive data across the entire

organization and manage stored data through NetApps
enterprise-wide foundation of control. NetApp storage security
systems deliver nondisruptive, comprehensive protection for
sensitive data across the enterprise, for both data at rest and data in
flight. NetApp storage solutions enable enterprises to protect
intellectual property and confidential information, more easily
comply with industry and government regulations, and preserve
company reputation by avoiding publicized loss of data.

Considerations:
Will it be uniform across all environments and operating
systems?
Will performance be affected or disrupted?
Advantages:
Provides the ability to provision encryption processing
where it is needed.
May allow selective encryption.
Challenges:

www.iaetsd.in

35

IAETSD 2016

ISBN-13: 978-1537033419

Proceedings of ICDER-2016

NETAPP DATAFORT

NetApp DataFort is flexible enough to allow creation of custom

administrator roles by combining multiple roles into an
administrator that suits a companys unique needs. To provide an
irrefutable audit trail for encrypted data access and administrator
activity, secure audit logging is available for all NetApp storage
security appliances. Each log message can be cryptographically
signed. Attempts to modify the signature or the logs themselves
can be easily verified for integrity and authenticity.

NetApp DataFort systems combine secure access controls,

authentication, storage hardwarebased encryption, and secure
logging to protect stored data. NetApp DataFort appliances provide
protection for the following environments:

E-Series DataFort appliances: NAS stores and iSCSI

storage
FC-Series DataFort appliances: FC SAN and tape storage
mediums
S-Series DataFort appliances: SCSI tape environments

BROCADE ENCRYPTION
NetApp and Brocade have developed a joint fabric-based
data encryption approach that delivers nondisruptive encryption
and provides a centralized point of management for storage
security and key management. The joint solution helps to enable a
whole new level of encryption performance by giving customers
the ability to quickly and easily encrypt corporate data for
increased security and compliance with simplified policy
management. Additionally, the incorporation of NetApp
technology enables NetApp customers to operate the Brocade
Encryption Switch in NetApp DataFort compatibility mode,
serving as a next-generation NetApp DataFort security appliance.

NetApp DataFort storage security appliances enable

enterprises to secure networked storage by locking down stored
data with strong encryption and by routing access for all secured
data through secure hardware. The appliances are designed to
maximize security without affecting network performance or user
workflows. As a result, storage administrators can confidently and
quickly encrypt all sensitive data,

The joint encryption solutions are available on the Brocade

Encryption Switch, a high-performance, 32-port, auto-sensing
8Gbit/sec Fiber Channel switch, and the Brocade FS8-18
Encryption Blade, which provides the same plug-in storage
security services in a 16-port blade for use in the Brocade DCX
Backbone.
Benefits of the joint NetApp and Brocade solution include

Figure 1) NetApp DataFort storage encryption

With NetApp DataFort appliances, storage and security
administrators have the ability to:
Compartmentalize data in centralized storage devices to
provide an additional layer of protection for secure data.

Encrypt and secure data on storage devices and in transit.

Protect backup media, mirrored servers, and disaster
recovery sites.

Comply with security and privacy regulations.

Protect sensitive stored data from unauthorized access with
secure access controls, authentication, storage encryptions,
and secure logging.
Generate customizable logs to track relevant events to record
a history of administrative actions and identify who is trying
to intrude into the network.
Fend off security breaches by using AES 256-bit encryption
and a true random number generator to create strong keys
that never leave the secure hardware of NetApp DataFort.

VII.

CONCLUSION

Networked storage speeds access to informationbut it

can also leave data vulnerable. Firewalls and intrusion-prevention
systems can secure assets at the perimeter, but data at the storage
core can still be exposed to both internal and external attacks. IT
organizations are working hard to ensure the security of the
companys valuable data assets, complying with regulatory
mandates, meeting industry standards for data confidentiality, and
ensuring data security from any and all threats. Enterprises that
effectively protect key data experience many benefits, including
increased customer trust, reduced losses due to fraud or theft, and
the ability to comply with industry regulations. NetApp and
Brocade provide industry-leading storage encryption and key
management capabilities that enable enterprises to achieve security
throughout the entire lifecycle of regulated and sensitive data
without disrupting applications, clients, servers, or user workflow.
VIII. ACKNOWLEDGEMENT

Figure 2) NetApp DataFort customer example.

I am extremely thankful to my guide Mr. Thyagaraja

Murthy A, Associate Professor, Dept. of ECE, SJCE, Mysuru for
their valuable guidance, constant assistance, support, endurance
and constructive suggestions for the completion of this work.

All NetApp security appliances support creation of

administrators with granular, customizable roles. Each
administrator role is allowed only a subset of duties, so that
responsibilities are distributed among multiple individuals.

www.iaetsd.in

No performance impact: Users realize unparalleled

encryption processing speeds (up to 96Gbit/sec), which
means that they can encrypt without the traditional
performance penalty.
Ease of installation: The solution plugs in to networks that
support all heterogeneous servers (including virtual
machines) in data center fabrics. Implementation is easy,
with nonintrusive deployment into the SAN switching
fabric.
Strong, centralized key management: Protects against
electronic and physical attacks. Customers can deploy
maximum security through tamper-proof hardware
enclosures, key signing, role-based administration, and
quorum control with the NetApp Lifetime Key
Management solution.
Enterprise-class scalability: IT can scale storage
enterprise-wide and on demand, enabling pay as you
grow for quick implementation of data security.
Minimized operating costs: Low power requirements
minimize operating costs as enterprises scale up, lowering
the total cost of ownership necessary to encrypt massive
amounts of data.

36

IAETSD 2016